Re: Confirmation for subscribe ietf-pkix
Christopher Stacy <CStacy@pilgrim.com> Fri, 30 April 1999 23:48 UTC
Received: from mail.proper.com (mail.proper.com [206.86.127.224]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA15099 for <pkix-archive@odin.ietf.org>; Fri, 30 Apr 1999 19:48:24 -0400 (EDT)
Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id PAA08459 for ietf-pkix-bks; Fri, 30 Apr 1999 15:31:05 -0700 (PDT)
Received: from I1.pilgrim.com (i1.pilgrim.com [206.3.211.10]) by mail.proper.com (8.8.8/8.8.5) with SMTP id PAA08454; Fri, 30 Apr 1999 15:31:04 -0700 (PDT)
Received: from BONK.pilgrim.com (bonk [206.3.211.31]) by I1.pilgrim.com (950413.SGI.8.6.12/950213.SGI.AUTOCF) via SMTP id SAA20357; Fri, 30 Apr 1999 18:33:21 -0400
Date: Fri, 30 Apr 1999 18:33:21 -0400
Message-Id: <199904302233.SAA20357@I1.pilgrim.com>
From: Christopher Stacy <CStacy@pilgrim.com>
To: phoffman@imc.org
CC: ietf-pkix@imc.org
In-reply-to: <4.2.0.37.19990430090315.01b23820@mail.imc.org> (message from Paul Hoffman / IMC on Fri, 30 Apr 1999 09:05:57 -0700)
Subject: Re: Confirmation for subscribe ietf-pkix
Sender: owner-ietf-pkix@imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
>>>>> On Fri, 30 Apr 1999 09:05:57 -0700, Paul Hoffman / IMC ("Paul") writes: Paul> At 11:53 AM 4/30/99 -0400, Christopher Stacy wrote: >> Looks kinda like a Majordomo bug, to me. Paul> No, it is a bug in the human who sent in the request. :-) You added the Paul> name of the mailing list to the end of your "subscribe" request, even Paul> though the instructions do not say you should do that. Actually, my initial message was out of the blue without instructions, and I didn't even know I was talking to majordomo. I just sent to the Internet de-facto standard address for requesting subscription changes. My philosophy is that if there's going to a program processing mail, it ought to be smart enough to figure out something like that. >> (Not yet being subscribed to this list, I didn't even know it was doing that.) Paul> You are now subscribed. Thanks! Chris Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id PAA08459 for ietf-pkix-bks; Fri, 30 Apr 1999 15:31:05 -0700 (PDT) Received: from I1.pilgrim.com (i1.pilgrim.com [206.3.211.10]) by mail.proper.com (8.8.8/8.8.5) with SMTP id PAA08454; Fri, 30 Apr 1999 15:31:04 -0700 (PDT) Received: from BONK.pilgrim.com (bonk [206.3.211.31]) by I1.pilgrim.com (950413.SGI.8.6.12/950213.SGI.AUTOCF) via SMTP id SAA20357; Fri, 30 Apr 1999 18:33:21 -0400 Date: Fri, 30 Apr 1999 18:33:21 -0400 Message-Id: <199904302233.SAA20357@I1.pilgrim.com> From: Christopher Stacy <CStacy@pilgrim.com> To: phoffman@imc.org CC: ietf-pkix@imc.org In-reply-to: <4.2.0.37.19990430090315.01b23820@mail.imc.org> (message from Paul Hoffman / IMC on Fri, 30 Apr 1999 09:05:57 -0700) Subject: Re: Confirmation for subscribe ietf-pkix Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> >>>>> On Fri, 30 Apr 1999 09:05:57 -0700, Paul Hoffman / IMC ("Paul") writes: Paul> At 11:53 AM 4/30/99 -0400, Christopher Stacy wrote: >> Looks kinda like a Majordomo bug, to me. Paul> No, it is a bug in the human who sent in the request. :-) You added the Paul> name of the mailing list to the end of your "subscribe" request, even Paul> though the instructions do not say you should do that. Actually, my initial message was out of the blue without instructions, and I didn't even know I was talking to majordomo. I just sent to the Internet de-facto standard address for requesting subscription changes. My philosophy is that if there's going to a program processing mail, it ought to be smart enough to figure out something like that. >> (Not yet being subscribed to this list, I didn't even know it was doing that.) Paul> You are now subscribed. Thanks! Chris Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id MAA07075 for ietf-pkix-bks; Fri, 30 Apr 1999 12:11:01 -0700 (PDT) Received: from gatekeeper.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by mail.proper.com (8.8.8/8.8.5) with SMTP id MAA07071 for <ietf-pkix@imc.org>; Fri, 30 Apr 1999 12:10:59 -0700 (PDT) Received: id OAB26636; Fri, 30 Apr 1999 14:53:42 -0400 Received: by gateway id <J96LB4B2>; Fri, 30 Apr 1999 14:56:00 -0400 Message-ID: <01E1D01C12D7D211AFC70090273D20B113C6DD@sothmxs06> From: Sharon Boeyen <sharon.boeyen@entrust.com> To: "'ietf-pkix@imc.org'" <ietf-pkix@imc.org>, "'pki-twg@nist.gov'" <pki-twg@nist.gov>, "'Blake Greenlee'" <blake.greenlee@greenlee.com> Subject: Summary from April X.509 meeting Date: Fri, 30 Apr 1999 12:41:37 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> As you know, the meeting that resolved ballot comments on the PDAM to X.509 was held a couple of weeks ago. I'm still making the final revisions to the text, based on meeting participant feedback to my drafts. The final text that will be sent out for FPDAM (Final Proposed Draft Amendment) will be available mid - late next week. In an effort to improve the flow of communication between the X.509 group and other groups interested in that work, I'm sending this as an INFORMAL summary of some of the changes to the PDAM resulting from that meeting. Because the document is still under review by attendees it is possible that the end result may differ slightly from the way I've recorded here, but I think these are fairly representative (editorial and other minor changes excluded). Also, at the end I'll provide a summary of the defect reports currently against X.509. I'm hoping to have the formal defect reports and the formal Draft Technical Corrigenda (DTC) for all of these also available within a week. You will notice that some of these defect reports are very old and resolutions were agreed two years ago. However, some have not yet been formally balloted as DTCs yet. ISO ballots on the FPDAM and on all DTCs for outstanding defect reports are expected to be conducted over the summer months and resolution of those ballots is expected to occur in October. When the documents have been completed and are available on a server, I'll post a notice indicating where they can be found. ------------------------------------------------------ FPDAM major changes: 1. X.509 will be re-titled "Public-Key and Attribute Certificate Frameworks". It will be re-structured into 4 major sections: i) General Introduction ii) Public-key certificate framework iii) Attribute certificate framework iv) Directory use of public-key and attribute certificate frameworks. Annex B will be deleted. 2. CRLs - Clarified a number of issues relevant to 97 delta CRLs: - cert placed on hold and subsequently released (both on deltas) - nothing need be carried forward to new base - cert revoked on delta and expires prior to issuance of new base - revocation gets carried forward to new base - base crl pointed to be delta crl must be complete for given scope (ie can be a full and complete CRL, distribution pt CRL etc) New enhancements in the area of delta CRLs - can issue delta CRLs for a base that was not published as a CRL complete for scope ('virtual' complete for scope CRL would be locally constructed from published CRLs) - can identify base crl by its update time and/or crl number - new 'stream identifier' extension to enable unique identification of a CRL among all CRLs issued by a particular issuer General CRL handling - Annex M updated to align with new agreements and new extensions including: - if basicConstraints extension is absent in a v3 cert it is an end-entity cert (previously was type unknown) - no special case situation for ca or key compromise reason codes - relying party checks crls for reason codes of interest - dependent on policy - Clarified text to state that revocation may be done directly by the authority that issued the certs, indirectly by an authorized entity, or not at all. Also clarified that CRLs are one mechanism but others are possible (however they are outside the scope of 509) (You'll find most of these changes reflected in the crlScope extension and its description, revised description of deltaCRLIndicator extension, new clause 12.6.4, revised annex M and new annex O) 3. The syntax for privilegePolicy will not be standardized. Rather privilegepolicy can be identified by an OID. The syntax from the PDAM and corresponding SPIF syntax will both be included in an information annex (Annex N) as examples only. 4. New certificate extensions defined (some of these are for privilege management others are related to public-key certs in the 'traditional' sense): - delegator attribute identifier - CRL stream identifier - indirect issuer - user notice - SOA identifier - base update time - acceptable cert policies 5. New object class defined: - CP CPS 6. New attributes defined: - attribute descriptor certificate - certification practice statement - certificate policy 7. New matching rules defined: - owner issuer match - authority ID match - indirect issuer match - delegator attribute id match - owner attribute id match - basic att constraints match - attribute name constraints match - time spec match - attribute descriptor match - acceptable cert policies match - SOA id match 8. Assigned an oid to the special value "any policy" to be used in certs issued from one CA to another CA. 9. Raised an issue regarding duplicate names and how to handle this problem (mapping internal to external names raised in the issue to help generate input) 10. Attribute certificate syntax - for v2 attribute certs owner and issuer changed from CHOICE to SEQUENCE and constructs moved from inline to separate constructs. Although in most cases a claimant will present both their attribute cert and their public key cert that authenticates them, for those cases where both are not provided, this change allows an attribute cert to point to a public-key cert but also include general names that could help a verifier find the public key cert in a repository. 11. Delegation path validation text re-written to accommodate new extensions and provide a more comprehensive description of the role the extensions play in the path validation. --------------------------------------------------------- Defect reports - for ALL of these, resolutions have been agreed (either at previous meetings or at this one) and will be documented as DTCs for ballot shortly, or have already completed and are formally approved: (DR ## is the Defect Report number, TC means completed ballot and formally approved, DTC means approved for ballot). I'm only listing those against the 97 edition DR 169 permutable property for PKCS DTC 2 DR 183 public key usage TC 1 DR 184 certification path Rejected - no change DR 185 forward & reverse certificates DTC 4 DR 200 crl dp & full crls DTC 3 DR 201 issuing dist pt DTC 3 DR 204 crl and expired revoked cert DTC 5 DR 207 algorithm object class DTC 6 DR 212 crl matching rules DTC 3 DR 213 crl matching rules DTC 3 DR 214 use of term 'canonical' DTC 6 DR 216 certificate assertion Rejected - no change DR 218 certificate policy match DTC 3 DR 219 absence of basic constraints DTC 3 DR 220 crl version number DTC 3 DR 222 policy mapping DTC 7 On DR 219 and 220, I know these are of particular interest to PKIX. I haven't written the formal documents yet, but to summarize: DR 219 - the resolution agreed for ballot is that for a version 3 certificate, if the certificate does not contain a basicConstraints extension, the certificate is to be considered an end-entity certificate. We decided that the goal can be achieved with this resolution and that we won't unnecessarily force the 'fattening' of ALL v3 certs by mandating the extension always be present (we see that as the role of profiles). DR 220 - In the list of notes following the ASN.1 in clause 11.2, note 3 will be modified so that rather than mandating that the version component "shall" be absent if a CRL contains no critical extensions, the version component "may" be absent.... Apologies for the length of this message, but I hope the information is helpful to people who did not attend the 509 meeting when reviewing its output. Also, I've most certainly forgotten some other technical changes that were made so if something isn't listed here it isn't that I don't think it was important, but that the memory is fading........ Sharon Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id JAA05638 for ietf-pkix-bks; Fri, 30 Apr 1999 09:06:56 -0700 (PDT) Received: from aum (ip11.proper.com [165.227.249.11]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id JAA05634 for <ietf-pkix@imc.org>; Fri, 30 Apr 1999 09:06:55 -0700 (PDT) Message-Id: <4.2.0.37.19990430090315.01b23820@mail.imc.org> X-Sender: phoffman@mail.imc.org X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.37 (Beta) Date: Fri, 30 Apr 1999 09:05:57 -0700 To: ietf-pkix@imc.org From: Paul Hoffman / IMC <phoffman@imc.org> Subject: Re: Confirmation for subscribe ietf-pkix In-Reply-To: <199904301553.LAA17188@I1.pilgrim.com> References: < <418B8B7ACE69D111879B00805F6F281D01D7E0FB@exccup-25006.mis.tandem.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> At 11:53 AM 4/30/99 -0400, Christopher Stacy wrote: >Looks kinda like a Majordomo bug, to me. No, it is a bug in the human who sent in the request. :-) You added the name of the mailing list to the end of your "subscribe" request, even though the instructions do not say you should do that. >(Not yet being subscribed to this list, I didn't even know it was doing that.) You are now subscribed. >Presumably this will get the attention of the list maintainer, though! Yes, sending administrative messages that are read by all 1107 members of the mailing list will get my attention. --Paul Hoffman, Director --Internet Mail Consortium Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id IAA05499 for ietf-pkix-bks; Fri, 30 Apr 1999 08:51:07 -0700 (PDT) Received: from I1.pilgrim.com (i1.pilgrim.com [206.3.211.10]) by mail.proper.com (8.8.8/8.8.5) with SMTP id IAA05489; Fri, 30 Apr 1999 08:51:05 -0700 (PDT) Received: from BONK.pilgrim.com (bonk [206.3.211.31]) by I1.pilgrim.com (950413.SGI.8.6.12/950213.SGI.AUTOCF) via SMTP id LAA17188; Fri, 30 Apr 1999 11:53:20 -0400 Date: Fri, 30 Apr 1999 11:53:20 -0400 Message-Id: <199904301553.LAA17188@I1.pilgrim.com> From: Christopher Stacy <CStacy@pilgrim.com> To: david.kurn@compaq.com CC: Majordomo@imc.org, CStacy@pilgrim.com, ietf-pkix@imc.org In-reply-to: <418B8B7ACE69D111879B00805F6F281D01D7E0FB@exccup-25006.mis.tandem.com> (david.kurn@compaq.com) Subject: Re: Confirmation for subscribe ietf-pkix Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Looks kinda like a Majordomo bug, to me. (Not yet being subscribed to this list, I didn't even know it was doing that.) Presumably this will get the attention of the list maintainer, though! Sorry for the spam. Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id IAA05099 for ietf-pkix-bks; Fri, 30 Apr 1999 08:09:36 -0700 (PDT) Received: from ietf.org (odin.ietf.org [132.151.1.176]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id IAA05095 for <ietf-pkix@imc.org>; Fri, 30 Apr 1999 08:09:35 -0700 (PDT) Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA00820; Fri, 30 Apr 1999 11:10:46 -0400 (EDT) Message-Id: <199904301510.LAA00820@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ietf-pkix@imc.org From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-pkix-ac509prof-00.txt Date: Fri, 30 Apr 1999 11:10:45 -0400 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF. Title : An Internet AttributeCertificate Profile for Authorization Author(s) : R. Housley, S. Farrell Filename : draft-ietf-pkix-ac509prof-00.txt Pages : 31 Date : 29-Apr-99 Authorization support is required for various Internet protocols, for example, TLS, CMS and their consumers, and others. The X.509 AttributeCertificate provides a structure that can form the basis for such services ([X.509], [XPDAM]). This specification defines two profiles (basic and proxiable) for the use of X.509 AttributeCertificates to provide such authorization services. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-pkix-ac509prof-00.txt Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-pkix-ac509prof-00.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-pkix-ac509prof-00.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <19990429162924.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-pkix-ac509prof-00.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-pkix-ac509prof-00.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <19990429162924.I-D@ietf.org> --OtherAccess-- --NextPart-- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id HAA04973 for ietf-pkix-bks; Fri, 30 Apr 1999 07:58:40 -0700 (PDT) Received: from Tandem.com (suntan.tandem.com [192.216.221.8]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id HAA04969; Fri, 30 Apr 1999 07:58:39 -0700 (PDT) Received: from exccup-conn01.mis.tandem.com (exccup-conn01.mis.tandem.com [130.252.226.231]) by Tandem.com (8.9.3/2.0.1) with ESMTP id IAA29768; Fri, 30 Apr 1999 08:00:23 -0700 (PDT) Received: by exccup-conn01.mis.tandem.com with Internet Mail Service (5.5.2559.0) id <JS2VRP10>; Fri, 30 Apr 1999 08:00:23 -0700 Message-ID: <418B8B7ACE69D111879B00805F6F281D01D7E0FB@exccup-25006.mis.tandem.com> From: "Kurn, David" <david.kurn@compaq.com> To: "'Majordomo@imc.org'" <Majordomo@imc.org>, cstacy@pilgrim.com, ietf-pkix@imc.org Subject: RE: Confirmation for subscribe ietf-pkix Date: Fri, 30 Apr 1999 08:00:22 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2559.0) Content-Type: text/plain; charset="ISO-8859-1" Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> WHat is this? And why is this message sent to the entire list? HELP And what does it mean to send "the followoing commands"? As a subject? In the body of the message? Via what protocol? Not a very clear set of directions. D Kurn -----Original Message----- From: Majordomo@imc.org [mailto:Majordomo@imc.org] Sent: Friday, April 30, 1999 7:20 AM To: cstacy@pilgrim.com; ietf-pkix@imc.org Subject: Confirmation for subscribe ietf-pkix -- Someone (possibly you) has requested that your email address be added to or deleted from the mailing list "ietf-pkix@imc.org". If you really want this action to be taken, please send the following commands (exactly as shown) back to "Majordomo@imc.org": auth df987f1a subscribe ietf-pkix cstacy@pilgrim.com ietf-pkix@imc.org Make *very* sure that all goes on one line; your mail client might try hard to break the line in two. If you do not want to this action taken, just ignore this message and no action will be taken. If you have any questions about the policy of the list owner, please contact "ietf-pkix-approval@imc.org". Thanks! Majordomo@imc.org Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id HAA04730 for ietf-pkix-bks; Fri, 30 Apr 1999 07:19:51 -0700 (PDT) Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id HAA04723; Fri, 30 Apr 1999 07:19:48 -0700 (PDT) Date: Fri, 30 Apr 1999 07:19:48 -0700 (PDT) Message-Id: <199904301419.HAA04723@mail.proper.com> To: cstacy@pilgrim.com, ietf-pkix@imc.org From: Majordomo@imc.org Subject: Confirmation for subscribe ietf-pkix Reply-To: Majordomo@imc.org Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> -- Someone (possibly you) has requested that your email address be added to or deleted from the mailing list "ietf-pkix@imc.org". If you really want this action to be taken, please send the following commands (exactly as shown) back to "Majordomo@imc.org": auth df987f1a subscribe ietf-pkix cstacy@pilgrim.com ietf-pkix@imc.org Make *very* sure that all goes on one line; your mail client might try hard to break the line in two. If you do not want to this action taken, just ignore this message and no action will be taken. If you have any questions about the policy of the list owner, please contact "ietf-pkix-approval@imc.org". Thanks! Majordomo@imc.org Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id JAA21963 for ietf-pkix-bks; Thu, 29 Apr 1999 09:39:59 -0700 (PDT) Received: from caladan.verisign.com (caladan.verisign.com [205.180.232.21]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id JAA21957 for <ietf-pkix@imc.org>; Thu, 29 Apr 1999 09:39:57 -0700 (PDT) Received: from mentat.verisign.com by caladan.verisign.com (8.8.5/BCH1.5) id JAA28396; Thu, 29 Apr 1999 09:37:02 -0700 (PDT) Received: from newman.verisign.com by mentat.verisign.com (8.8.5/BCH1.0) id JAA11100; Thu, 29 Apr 1999 09:41:04 -0700 (PDT) Received: by newman.verisign.com with Internet Mail Service (5.5.2448.0) id <J6LWYJRR>; Thu, 29 Apr 1999 09:41:05 -0700 Message-ID: <23E9E6DBBF4DD21190BC006008B0213E41EE30@newman.verisign.com> From: Michael Myers <MMyers@verisign.com> To: "'Denis Pinkas'" <Denis.Pinkas@bull.net>, Stephen Kent <kent@po1.bbn.com> Cc: ietf-pkix@imc.org Subject: RE: OSCP BIG BANG Date: Thu, 29 Apr 1999 09:41:04 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2448.0) Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id JAA21958 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Denis, I understand Steve is on vacation this week. But I do wish to clarify -08 against your request. You are restating a request for a requirement that we discussed during the original last call. Namely, a mandated relocation of AIA information from the subject certificate to the CA certificate. We debated this issue on the list during the original last call with the resolution that the text remains as written. In constrast, Steve asked for additional clarity and precision regarding an existing requirement; this we responded to. We are not in the mode at this very late stage of introducing new requirements or reopening issues which were previously resolved. That work has been done. My thanks to all who provided their time and energy to the effort. Mike > -----Original Message----- > From: Denis Pinkas [mailto:Denis.Pinkas@bull.net] > Sent: Wednesday, April 28, 1999 6:45 AM > To: Stephen Kent > Cc: ietf-pkix@imc.org > Subject: OSCP BIG BANG > > > The original title was "Re: WG Last call, redux". > > Steve, > > Thanks for giving the hint for the change. :-) > > In the previous text, as it will be explained in detail, we > were somewhat > inconsistent having a SHALL followed by a MAY. > > The new text is proposing to keep the SHALL and change the > MAY into a MUST. > I am basically proposing to change the SHALL into a SHOULD > and keep the MAY. > > Both solutions are consistent. :-) > > It seems now the Pandora box is re-opened :-) and we have a > chance to fix the > issue. > > First, let me duplicate the section from the version 08 so > that people may save > time, if they wish to follow this thread. > > In version -08 > > 4. Functional Requirements > > 4.1 Certificate Content > > In order to convey to OCSP clients a well-known point of > information access, > CAs SHALL provide the capability to include the > AuthorityInfoAccess extension > (defined in [RFC 2459], section 4.2.2.1) in certificates that > can be checked > using OCSP. Alternatively, the accessLocation for the OCSP > provider may be > configured locally at the OCSP client. > > CAs that support an OCSP service, either hosted locally or > provided by an > Authorized Responder, MUST provide for the inclusion of a value for a > uniformResourceIndicator (URI) accessLocation and the OID > value id-ad-ocsp for > the accessMethod in the AccessDescription SEQUENCE. > > The value of the accessLocation field in the subject > certificate defines the > transport (e.g. HTTP) used to access the OCSP responder and > may contain other > transport dependent information (e.g. a URL). > > > In version 07 we had: > > > 4. Functional Requirements > > 4.1 Certificate Content > > In order to convey to OCSP clients a well-known point of > information access, > CAs SHALL provide the capability to include the > AuthorityInfoAccess extension > (defined in [PKIX1], section 4.2.2.1) in certificates that > can be checked using > OCSP. Alternatively, the accessLocation for the OCSP provider may be > configured locally at the OCSP client. > > CAs that support an OCSP service, either hosted locally or > provided by an > Authorized Responder, MAY provide a value for a > uniformResourceIndicator (URI) accessLocation and the OID > value id-ad-ocsp for > the accessMethod in the AccessDescription SEQUENCE. > > The value of the accessLocation field in the subject > certificate defines the > transport (e.g. HTTP) used to access the OCSP responder and > may contain other > transport dependent information (e.g. a URL). > > (...) > > The « MAY » in the second paragraph has been changed into a « MUST ». > > Leaving the text out for a moment, let us consider the > following scenario: > > A CA is started up with a CRL scheme. After one year of > operation, the CA > wishes to offer an *additional* service available for *all* > the certificates, > i.e. an On-line Certificate Status (OCS) Service. > > For doing so, there is one single option: to revoke all the current > certificates and re-issue new certificates with the > appropriate extension. > > This is a BIG BANG situation. :-( > > The consequences are quite important, among them, the size of > the CRLs is going > to increase dramatically (there is no reason to stop that service). > > The concern is that a smooth transition cannot occur. What > can we do ? Is there > a panacea to this problem ? > > Let us now take a closer look at the text. The last sentence > of the fist > paragraph from 4.1 says: « Alternatively, the accessLocation > for the OCSP > provider *may* be configured locally at the OCSP client. ». > If this is the > case, then the extension is not used. If someone wanted to > deploy a system by > configuring locally the system, CAs would nevertheless be > mandated to support > the extension. :-( > > This is one argument for having SHALL changed into SHOULD, > i.e. « In order to > convey to OCSP clients a well-known point of information > access, CAs SHOULD > provide the capability to include the AuthorityInfoAccess extension » > > When the local configuration is NOT used, let us now attempt > to solve the BIG > BANG issue, and let us take a look at the text from RFC 2459. > > « 4.2.2.1 Authority Information Access > > The authority information access extension indicates how to access CA > information and services for the issuer of the certificate in > which the > extension appears. Information and services may include > on-line validation > services and CA policy data. (The location of CRLs is not > specified in this > extension; that information is provided by the cRLDistributionPoints > extension.) This extension may be included in subject or CA > certificates, and > it MUST be non-critical. » > > The text allows the extension to be placed in CA certificate. > To my knowledge, > a self-signed certificate is also a CA certificate. So it is > possible to have > that extension is a self-signed certificate. The advantage is > two folds: > > 1) the content of a self-signed certificate may change > without affecting the > content of the leaf certificates or of the cross-certificates. > > 2) since the extension is not in a leaf certificate, then it > makes leaf > certificates smaller (remember low-fat leaf certificates ?) > > We have defined in CMP a protocol to allow a certificate > rollover for trust > points, so we know how to handle the renewal of a self-signed > certificate. > > Now, I still guess that some people would like the current > text when a CA is > started from the very beginning with an OCS service or when > that service is > gradually offered to renewed certificates. So I would now > propose some text > that handles all the three cases. Here is the new proposal > for a text to fit > under 4.1. > > > « 4.1 Certificate Content > > In order to convey to OCSP clients a well-known point of > information access, > CAs SHOULD provide the capability to include the > AuthorityInfoAccess extension > (defined in [RFC2459], section 4.2.2.1) either in every > certificate that can be > checked using OCSP or in a self-signed certificate. > Alternatively, the > accessLocation for the OCSP provider may be configured > locally at the OCSP > client. > > CAs that support an OCSP service, either hosted locally or > provided by an > Authorized Responder, MAY provide for the inclusion of a value for a > uniformResourceIndicator (URI) accessLocation and the OID > value id-ad-ocsp for > the accessMethod in the AccessDescription SEQUENCE. > > The value of the accessLocation field in the subject > certificate defines the > transport (e.g. HTTP) used to access the OCSP responder and > may contain other > transport dependent information (e.g. a URL). » > > > Note: the other major change around this topic is in section 5.2.2.2 > Authorized Responders: > > > In version 08 we have: > > (...) > > 5.2.2.2 Authorized Responders > > The key that signs a certificate's status information need > not be the > same key that signed the certificate. It is necessary however to > ensure that the entity signing this information is authorized to do > so. Therefore, a certificate's issuer MUST either sign the OCSP > responses itself or it MUST explicitly designate this authority to > another entity. OCSP signing delegation SHALL be designated by the > inclusion of id-kp-OCSPSigning in an extendedKeyUsage certificate > extension included in the OCSP response signer's certificate. This > certificate MUST be issued directly by the CA that issued the > certificate in question. > > > id-kp-OCSPSigning OBJECT IDENTIFIER ::= {id-kp 9} > > Systems or applications that rely on OCSP responses MUST be capable > of detecting and enforcing use of the id-ad-ocspSigning value as > described above. They MAY provide a means of locally > configuring one > or more OCSP signing authorities, and specifying the set of CAs for > which each signing authority is trusted. They MUST reject the > response if the certificate required to validate the > signature on the > response fails to meet at least one of the following criteria: > > 1. Matches a local configuration of OCSP signing authority for the > certificate in question; or > > 2. Is the certificate of the CA that issued the certificate in > question; or > > 3. Includes a value of id-ad-ocspSigning in an ExtendedKeyUsage > extension and is issued by the CA that issued the certificate in > question." > > Additional acceptance or rejection criteria may apply to either the > response itself or to the certificate used to validate the > signature > on the response. > > > While in version -07 we have: > > 5.2.2.2 Authorized Responders > > The key that signs a certificate's status information need > not be the > same key that signed the certificate. A certificate's issuer MAY > explicitly delegate OCSP signing authority by issuing a certificate > including an extendedKeyUsage extension in the OCSP signer's > certificate containing the value id-kp-OCSPSigning. > > id-kp-OCSPSigning OBJECT IDENTIFIER ::= {id-kp 9} > > > Denis > > > > Several folks pointed out that I made the re-opening of > last call into a > > treasure hunt! Sorry 'bout that. I am away from the > office and not easily > > able to provide a diff, but I can describe the goal for the > changes, which > > resulted in both editorial and sunstantive modifications to > the text. > > > > The concern I raised with the OCSP authors was that it was > not clear what > > the hard and fast requirements were for CAs and clients > with regard to > > supporting three different ways that OCSP can be "enabled." > I felt it > > important to ensure that CAs and clients that claim > comformance would > > provide a set of confuguration controls that would allow > interoperability, > > if properly configured. So, the resvied text tries to make > this perfectly > > clear. The final form of the requirements, with some abstraction, is > > sumarized below: > > > > - an OCSP-compliant CA SHALL be capable of issuing > OCSP responses > > that are signed ditrectly by the CA, and MUST be able to > designate an OCSP > > responder by issuing an appropriately marked certificate > directly to the > > responder. the choice or direct vs. delegated OCSP > responses is a local, > > administrative option. the CA also SHALL be capable of > putting the AIA > > extension into certs when it is the intent that these certs > will be checked > > via OCSP, and MUST be capable of populating this extension > with the OID > > specifying OCSP access method and a URI for such access. > (This last part > > was changed from a MAy to a MUST, which seems reasonable to > ensure the goal > > cited above.) > > > > - an OCSP-compliant client MUST be able to accept > OCSP responses > > via three different means: responses signed by the CA that > issued the cert > > in question, responses signed by a responder directly > designated by that > > CA, or via a locally designated responder. It is a local > administrative > > choice as to which of these options if enabled. If local > designation is > > enabled, vendors have choices as to how fancy it gets, > e.g., how many OCSP > > responders are specified, how one knows which ones are authorized to > > provide status for which sets of certs, etc. > > > > Steve > Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id FAA19717 for ietf-pkix-bks; Thu, 29 Apr 1999 05:15:44 -0700 (PDT) Received: from ietf.org (odin.ietf.org [132.151.1.176]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id FAA19713 for <ietf-pkix@imc.org>; Thu, 29 Apr 1999 05:15:42 -0700 (PDT) Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id IAA12120; Thu, 29 Apr 1999 08:16:47 -0400 (EDT) Message-Id: <199904291216.IAA12120@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ietf-pkix@imc.org From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-pkix-ocsp-08.txt Date: Thu, 29 Apr 1999 08:16:46 -0400 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF. Title : X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP Author(s) : C. Adams, M. Myers, A. Malpani, R. Ankney, S. Galperin Filename : draft-ietf-pkix-ocsp-08.txt Pages : 21 Date : 26-Apr-99 This document specifies a protocol useful in determining the current status of a digital certificate without requiring CRLs. Additional mechanisms addressing PKIX operational requirements are specified in separate documents. An overview of the protocol is provided in section 3. Functional requirements are specified in section 4. Details of the protocol are in section 5. We cover security issues with the protocol in section 6. Appendix A defines OCSP over HTTP, appendix B accumulates ASN.1 syntactic elements and appendix C specifies the mime types for the messages. The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'MAY', and 'OPTIONAL' in this document (in uppercase, as shown) are to be interpreted as described in [RFC2119]. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-pkix-ocsp-08.txt Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-pkix-ocsp-08.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-pkix-ocsp-08.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <19990428124314.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-pkix-ocsp-08.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-pkix-ocsp-08.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <19990428124314.I-D@ietf.org> --OtherAccess-- --NextPart-- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id EAA19319 for ietf-pkix-bks; Thu, 29 Apr 1999 04:13:44 -0700 (PDT) Received: from popmail.inbox.se (popmail.inbox.se [193.12.72.101]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id EAA19315 for <ietf-pkix@imc.org>; Thu, 29 Apr 1999 04:13:42 -0700 (PDT) Received: from stefan2 (accurata.inbox.se [193.12.72.24]) by popmail.inbox.se (8.9.3/8.9.3) with SMTP id NAA04258; Thu, 29 Apr 1999 13:15:13 +0200 Message-Id: <3.0.32.19990429131514.00a223f0@mail.accurata.se> X-Sender: mb517@mail.accurata.se X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Thu, 29 Apr 1999 13:15:14 +0200 To: pgut001@cs.auckland.ac.nz, ietf-pkix@imc.org From: Stefan Santesson <stefan@accurata.se> Subject: Re: Closure of the QC biometric issue Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id EAA19316 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Thanks Peter, I have also got a note from Magnus Nyström, RSA labs, pointing this out. He proposed that this part should be changed into: TypeOfBiometricData ::= CHOICE { predefinedBiometricType PredefinedBiometricType, biometricDataOid OBJECT IDENTIFIER } PredefinedBiometricType ::= INTEGER { picture(0),handwritten-signature(1)} (picture|handwritten-signature,...) Is that OK to you? /Stefan At 10:48 AM 4/29/99, Peter Gutmann wrote: >>PLEASE REVIEW THE FOLLOWING ASN.1 STRUCTURE AND COMMENT IN CASE OF ERRORS: >>-------------------------------------------------------------------------- >>[...] >> >>TypeOfBiometricData ::== CHOICE { >> predefinedBiometricType [0] INTEGER, >> biometricDataOid [1] OBJECT IDENTIFIER } > >Not really an error but a style and ease-of-use issue: the tags are already >distinct so there's no need to tag these items, which also means you don't hide >ASN.1 type information behind opaque implicit tags. > >Peter. > ------------------------------------------------------------------- Stefan Santesson <stefan@accurata.se> Accurata Systemsäkerhet AB http://www.accurata.se Slagthuset Tel. +46-40 108588 211 20 Malmö Fax. +46-40 150790 Sweden Mobile +46-70 5247799 PGP fingerprint: 89BC 6C79 5B3D 591B 8547 1512 7D11 DBF4 528F 29A0 ------------------------------------------------------------------- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id DAA18967 for ietf-pkix-bks; Thu, 29 Apr 1999 03:21:08 -0700 (PDT) Received: from popmail.inbox.se (popmail.inbox.se [193.12.72.101]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id DAA18963 for <ietf-pkix@imc.org>; Thu, 29 Apr 1999 03:21:07 -0700 (PDT) Received: from stefan2 (accurata.inbox.se [193.12.72.24]) by popmail.inbox.se (8.9.3/8.9.3) with SMTP id MAA03711; Thu, 29 Apr 1999 12:22:41 +0200 Message-Id: <3.0.32.19990429122243.00aee100@mail.accurata.se> X-Sender: mb517@mail.accurata.se X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Thu, 29 Apr 1999 12:22:43 +0200 To: Peter Sylvester <Peter.Sylvester@edelweb.fr>, ietf-pkix@imc.org From: Stefan Santesson <stefan@accurata.se> Subject: Re: Closure of the QC biometric issue Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id DAA18964 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Peter, At 11:21 AM 4/28/99 +0200, Peter Sylvester wrote: > >----- Begin Included Message ----- > >>From owner-ietf-pkix@imc.org Wed Apr 28 11:05:38 1999 >Date: Wed, 28 Apr 1999 08:59:57 +0200 >> -Source data format information has NOT been included by several reasons. >> If the sourceDataURI are used then this information is already covered. If >> sourceDataURI is NOT included then the source data issue have to be handled >> outside of the certificate anyway, thus making a source data declaration in >> the certificate of dubious value. >> >> -SourceDataUri has been included (as OPTIONAL) since it can be shown that >> some PKI:s could benefit from this value without causing troubles for other >> PKI:s. >> >How do you calculate the hash of source data starting from an SourceDataUri? >Do you take the data, a bitmap, the mime encapsulated data? Do you include the >mime type in the hash? Are there other attributes, creation date of the document, >etc. Yes, this is typically something that we have to adress in the text (not written yet). If you have a text proposal, I would be very happy to receive it. My opinion is that the hash should be calculated on the actual data. E.g. If you have a JPEG image you calculate the hash on the file content, but not on the filename etc. I'm not sure how to put this in writing so I welcome suggestions on suitable text wordings. /Stefan > ------------------------------------------------------------------- Stefan Santesson <stefan@accurata.se> Accurata Systemsäkerhet AB http://www.accurata.se Slagthuset Tel. +46-40 108588 211 20 Malmö Fax. +46-40 150790 Sweden Mobile +46-70 5247799 PGP fingerprint: 89BC 6C79 5B3D 591B 8547 1512 7D11 DBF4 528F 29A0 ------------------------------------------------------------------- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id DAA18903 for ietf-pkix-bks; Thu, 29 Apr 1999 03:12:15 -0700 (PDT) Received: from popmail.inbox.se (popmail.inbox.se [193.12.72.101]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id DAA18898 for <ietf-pkix@imc.org>; Thu, 29 Apr 1999 03:12:13 -0700 (PDT) Received: from stefan2 (accurata.inbox.se [193.12.72.24]) by popmail.inbox.se (8.9.3/8.9.3) with SMTP id MAA03619 for <ietf-pkix@imc.org>; Thu, 29 Apr 1999 12:13:43 +0200 Message-Id: <3.0.32.19990429121344.00aea4b0@mail.accurata.se> X-Sender: mb517@mail.accurata.se X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Thu, 29 Apr 1999 12:13:45 +0200 To: ietf-pkix@imc.org From: Stefan Santesson <stefan@accurata.se> Subject: Minor typing error in RFC 2459 Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id DAA18899 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> In RFC 2459, Appendix C (Page 116), there is a minor typing error in the following text: "The character string type UTF8String will be introduced in the 1998 version of ASN.1. UTF8String is a universal type and has been assigned tag number 12. The content of UTF8String was defined by RFC 2044 and updated in RFC 2279, "UTF-8, a transformation Format of ISP 10646." ISO is expected to formally add UTF8String to the list of choices for DirectoryString in 1998 as well." It should be "ISO 10646", not "ISP 10646" /Stefan ------------------------------------------------------------------- Stefan Santesson <stefan@accurata.se> Accurata Systemsäkerhet AB http://www.accurata.se Slagthuset Tel. +46-40 108588 211 20 Malmö Fax. +46-40 150790 Sweden Mobile +46-70 5247799 PGP fingerprint: 89BC 6C79 5B3D 591B 8547 1512 7D11 DBF4 528F 29A0 ------------------------------------------------------------------- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id PAA00231 for ietf-pkix-bks; Wed, 28 Apr 1999 15:56:10 -0700 (PDT) Received: from dsg1.OpenDirectory.com.au ([203.108.249.145]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id PAA00219 for <ietf-pkix@imc.org>; Wed, 28 Apr 1999 15:55:22 -0700 (PDT) Received: by DSG1 with Internet Mail Service (5.0.1458.49) id <JYG8RNB8>; Thu, 29 Apr 1999 08:56:28 +1000 Message-ID: <D1A949D4508DD1119C8100400533BEDC0BE99B@DSG1> From: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au> To: "'Moshe Litvin'" <moshe@cale.checkpoint.com>, Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au> Cc: ietf-pkix@imc.org Subject: RE: SEIS: Re: Certificates, Directories, and Distinguished Names Date: Thu, 29 Apr 1999 08:56:25 +1000 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Moshe, I understand your comment and commercially we deal with that - but with ASN.1 and encoding schemes - if the implementation is not robust or has good exit strategies then protocol/syntax decoding of unknown inputs can cause serious fails. For instance I think a good test of an LDAP server is to log in without name or password, construct an entry in the client say of 10megabytes and then just add it to the server (create the entry).. in some cases the protocol processing code, the ASN.1 decode or the object processors (even before you get to access control checks, etc ) in the server will explode. My point is though that it sometime easier to implement a full range of attributes, specifically naming and string attribute types, than to have exits which may fail or if they get called - just means that that the attributes have to be implemented anyway. regards alan > -----Original Message----- > From: Moshe Litvin > Sent: Tuesday, April 27, 1999 6:29 PM > To: Alan Lloyd > Cc: ietf-pkix@imc.org > Subject: Re: SEIS: Re: Certificates, Directories, and > Distinguished Names > > > > Alan Lloyd wrote: > > <snip> > > > > > Let me highlight some issues with 2459. > > <snip> > > > 3. Section 4.1.2.4 -last para page 19 - " The Telexstring > and > > Universal string ... Certificate Users SHOULD" .. this magic word > > "Should".. > > There is no sure way of knowing what encoding is being rxd > by an > > implementation and if they do not decode strings correctly the > > implementations will fail or crash. If building a commercial robust > PKIX > > implementation - one would expect a profile - if there are known > uses of > > the scheme out there, to say all recieving certificate using systems > > must support this. ie a profile must dictate robustness to current > > implementations - not leave an implementor with a guess and bugs. > > > > I disagree. Security software should always check its inputs carefully > (assuming it may be hostile). No need to for special treatment here in > regards for crashes. > > regards, > > Moshe > << File: Card for Moshe Litvin >> Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id PAA00102 for ietf-pkix-bks; Wed, 28 Apr 1999 15:47:04 -0700 (PDT) Received: from mail.student.auckland.ac.nz (mail.student.auckland.ac.nz [130.216.35.101]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id PAA29997 for <ietf-pkix@imc.org>; Wed, 28 Apr 1999 15:47:01 -0700 (PDT) Received: from cs26.cs.auckland.ac.nz (pgut001@cs26.cs.auckland.ac.nz [130.216.36.9]) by mail.student.auckland.ac.nz (8.8.6/8.8.6/cs-master) with SMTP id KAA31016; Thu, 29 Apr 1999 10:48:28 +1200 (NZST) (sender pgut001@cs.auckland.ac.nz) Received: by cs26.cs.auckland.ac.nz (relaymail v0.9) id <92533970822447>; Thu, 29 Apr 1999 10:48:28 (NZST) From: pgut001@cs.auckland.ac.nz (Peter Gutmann) To: ietf-pkix@imc.org, stefan@accurata.se Subject: Re: Closure of the QC biometric issue Reply-To: pgut001@cs.auckland.ac.nz X-Charge-To: pgut001 X-Authenticated: relaymail v0.9 on cs26.cs.auckland.ac.nz Date: Thu, 29 Apr 1999 10:48:28 (NZST) Message-ID: <92533970822447@cs26.cs.auckland.ac.nz> Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> >PLEASE REVIEW THE FOLLOWING ASN.1 STRUCTURE AND COMMENT IN CASE OF ERRORS: >-------------------------------------------------------------------------- >[...] > >TypeOfBiometricData ::== CHOICE { > predefinedBiometricType [0] INTEGER, > biometricDataOid [1] OBJECT IDENTIFIER } Not really an error but a style and ease-of-use issue: the tags are already distinct so there's no need to tag these items, which also means you don't hide ASN.1 type information behind opaque implicit tags. Peter. Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id GAA25159 for ietf-pkix-bks; Wed, 28 Apr 1999 06:43:11 -0700 (PDT) Received: from clbull.frcl.bull.fr (clbull.frcl.bull.fr [129.182.1.20]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id GAA25154 for <ietf-pkix@imc.org>; Wed, 28 Apr 1999 06:43:07 -0700 (PDT) Received: from k2.frcl.bull.fr (k2.frcl.bull.fr [129.182.100.2]) by clbull.frcl.bull.fr (8.9.1a/8.9.1) with ESMTP id PAA41022; Wed, 28 Apr 1999 15:43:54 +0200 Received: from bull.net (frcls6118.frcl.bull.fr [129.182.109.213]) by k2.frcl.bull.fr (AIX4.2/UCB 8.7/8.7) with ESMTP id PAA25290; Wed, 28 Apr 1999 15:43:54 +0200 (DFT) Message-ID: <372710DE.CA2D55DB@bull.net> Date: Wed, 28 Apr 1999 15:45:02 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.06 [fr] (Win95; I) MIME-Version: 1.0 To: Stephen Kent <kent@po1.bbn.com> CC: ietf-pkix@imc.org Subject: OSCP BIG BANG References: <v04020a15b34509844f3d@[128.33.238.34]> <v04020a25b34641c27a7f@[128.33.238.34]> Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Content-Transfer-Encoding: 8bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> The original title was "Re: WG Last call, redux". Steve, Thanks for giving the hint for the change. :-) In the previous text, as it will be explained in detail, we were somewhat inconsistent having a SHALL followed by a MAY. The new text is proposing to keep the SHALL and change the MAY into a MUST. I am basically proposing to change the SHALL into a SHOULD and keep the MAY. Both solutions are consistent. :-) It seems now the Pandora box is re-opened :-) and we have a chance to fix the issue. First, let me duplicate the section from the version 08 so that people may save time, if they wish to follow this thread. In version -08 4. Functional Requirements 4.1 Certificate Content In order to convey to OCSP clients a well-known point of information access, CAs SHALL provide the capability to include the AuthorityInfoAccess extension (defined in [RFC 2459], section 4.2.2.1) in certificates that can be checked using OCSP. Alternatively, the accessLocation for the OCSP provider may be configured locally at the OCSP client. CAs that support an OCSP service, either hosted locally or provided by an Authorized Responder, MUST provide for the inclusion of a value for a uniformResourceIndicator (URI) accessLocation and the OID value id-ad-ocsp for the accessMethod in the AccessDescription SEQUENCE. The value of the accessLocation field in the subject certificate defines the transport (e.g. HTTP) used to access the OCSP responder and may contain other transport dependent information (e.g. a URL). In version 07 we had: 4. Functional Requirements 4.1 Certificate Content In order to convey to OCSP clients a well-known point of information access, CAs SHALL provide the capability to include the AuthorityInfoAccess extension (defined in [PKIX1], section 4.2.2.1) in certificates that can be checked using OCSP. Alternatively, the accessLocation for the OCSP provider may be configured locally at the OCSP client. CAs that support an OCSP service, either hosted locally or provided by an Authorized Responder, MAY provide a value for a uniformResourceIndicator (URI) accessLocation and the OID value id-ad-ocsp for the accessMethod in the AccessDescription SEQUENCE. The value of the accessLocation field in the subject certificate defines the transport (e.g. HTTP) used to access the OCSP responder and may contain other transport dependent information (e.g. a URL). (...) The « MAY » in the second paragraph has been changed into a « MUST ». Leaving the text out for a moment, let us consider the following scenario: A CA is started up with a CRL scheme. After one year of operation, the CA wishes to offer an *additional* service available for *all* the certificates, i.e. an On-line Certificate Status (OCS) Service. For doing so, there is one single option: to revoke all the current certificates and re-issue new certificates with the appropriate extension. This is a BIG BANG situation. :-( The consequences are quite important, among them, the size of the CRLs is going to increase dramatically (there is no reason to stop that service). The concern is that a smooth transition cannot occur. What can we do ? Is there a panacea to this problem ? Let us now take a closer look at the text. The last sentence of the fist paragraph from 4.1 says: « Alternatively, the accessLocation for the OCSP provider *may* be configured locally at the OCSP client. ». If this is the case, then the extension is not used. If someone wanted to deploy a system by configuring locally the system, CAs would nevertheless be mandated to support the extension. :-( This is one argument for having SHALL changed into SHOULD, i.e. « In order to convey to OCSP clients a well-known point of information access, CAs SHOULD provide the capability to include the AuthorityInfoAccess extension » When the local configuration is NOT used, let us now attempt to solve the BIG BANG issue, and let us take a look at the text from RFC 2459. « 4.2.2.1 Authority Information Access The authority information access extension indicates how to access CA information and services for the issuer of the certificate in which the extension appears. Information and services may include on-line validation services and CA policy data. (The location of CRLs is not specified in this extension; that information is provided by the cRLDistributionPoints extension.) This extension may be included in subject or CA certificates, and it MUST be non-critical. » The text allows the extension to be placed in CA certificate. To my knowledge, a self-signed certificate is also a CA certificate. So it is possible to have that extension is a self-signed certificate. The advantage is two folds: 1) the content of a self-signed certificate may change without affecting the content of the leaf certificates or of the cross-certificates. 2) since the extension is not in a leaf certificate, then it makes leaf certificates smaller (remember low-fat leaf certificates ?) We have defined in CMP a protocol to allow a certificate rollover for trust points, so we know how to handle the renewal of a self-signed certificate. Now, I still guess that some people would like the current text when a CA is started from the very beginning with an OCS service or when that service is gradually offered to renewed certificates. So I would now propose some text that handles all the three cases. Here is the new proposal for a text to fit under 4.1. « 4.1 Certificate Content In order to convey to OCSP clients a well-known point of information access, CAs SHOULD provide the capability to include the AuthorityInfoAccess extension (defined in [RFC2459], section 4.2.2.1) either in every certificate that can be checked using OCSP or in a self-signed certificate. Alternatively, the accessLocation for the OCSP provider may be configured locally at the OCSP client. CAs that support an OCSP service, either hosted locally or provided by an Authorized Responder, MAY provide for the inclusion of a value for a uniformResourceIndicator (URI) accessLocation and the OID value id-ad-ocsp for the accessMethod in the AccessDescription SEQUENCE. The value of the accessLocation field in the subject certificate defines the transport (e.g. HTTP) used to access the OCSP responder and may contain other transport dependent information (e.g. a URL). » Note: the other major change around this topic is in section 5.2.2.2 Authorized Responders: In version 08 we have: (...) 5.2.2.2 Authorized Responders The key that signs a certificate's status information need not be the same key that signed the certificate. It is necessary however to ensure that the entity signing this information is authorized to do so. Therefore, a certificate's issuer MUST either sign the OCSP responses itself or it MUST explicitly designate this authority to another entity. OCSP signing delegation SHALL be designated by the inclusion of id-kp-OCSPSigning in an extendedKeyUsage certificate extension included in the OCSP response signer's certificate. This certificate MUST be issued directly by the CA that issued the certificate in question. id-kp-OCSPSigning OBJECT IDENTIFIER ::= {id-kp 9} Systems or applications that rely on OCSP responses MUST be capable of detecting and enforcing use of the id-ad-ocspSigning value as described above. They MAY provide a means of locally configuring one or more OCSP signing authorities, and specifying the set of CAs for which each signing authority is trusted. They MUST reject the response if the certificate required to validate the signature on the response fails to meet at least one of the following criteria: 1. Matches a local configuration of OCSP signing authority for the certificate in question; or 2. Is the certificate of the CA that issued the certificate in question; or 3. Includes a value of id-ad-ocspSigning in an ExtendedKeyUsage extension and is issued by the CA that issued the certificate in question." Additional acceptance or rejection criteria may apply to either the response itself or to the certificate used to validate the signature on the response. While in version -07 we have: 5.2.2.2 Authorized Responders The key that signs a certificate's status information need not be the same key that signed the certificate. A certificate's issuer MAY explicitly delegate OCSP signing authority by issuing a certificate including an extendedKeyUsage extension in the OCSP signer's certificate containing the value id-kp-OCSPSigning. id-kp-OCSPSigning OBJECT IDENTIFIER ::= {id-kp 9} Denis > Several folks pointed out that I made the re-opening of last call into a > treasure hunt! Sorry 'bout that. I am away from the office and not easily > able to provide a diff, but I can describe the goal for the changes, which > resulted in both editorial and sunstantive modifications to the text. > > The concern I raised with the OCSP authors was that it was not clear what > the hard and fast requirements were for CAs and clients with regard to > supporting three different ways that OCSP can be "enabled." I felt it > important to ensure that CAs and clients that claim comformance would > provide a set of confuguration controls that would allow interoperability, > if properly configured. So, the resvied text tries to make this perfectly > clear. The final form of the requirements, with some abstraction, is > sumarized below: > > - an OCSP-compliant CA SHALL be capable of issuing OCSP responses > that are signed ditrectly by the CA, and MUST be able to designate an OCSP > responder by issuing an appropriately marked certificate directly to the > responder. the choice or direct vs. delegated OCSP responses is a local, > administrative option. the CA also SHALL be capable of putting the AIA > extension into certs when it is the intent that these certs will be checked > via OCSP, and MUST be capable of populating this extension with the OID > specifying OCSP access method and a URI for such access. (This last part > was changed from a MAy to a MUST, which seems reasonable to ensure the goal > cited above.) > > - an OCSP-compliant client MUST be able to accept OCSP responses > via three different means: responses signed by the CA that issued the cert > in question, responses signed by a responder directly designated by that > CA, or via a locally designated responder. It is a local administrative > choice as to which of these options if enabled. If local designation is > enabled, vendors have choices as to how fancy it gets, e.g., how many OCSP > responders are specified, how one knows which ones are authorized to > provide status for which sets of certs, etc. > > Steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id CAA20858 for ietf-pkix-bks; Wed, 28 Apr 1999 02:19:39 -0700 (PDT) Received: from edelweb.fr (edelweb.fr [193.51.12.16]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id CAA20854 for <ietf-pkix@imc.org>; Wed, 28 Apr 1999 02:19:37 -0700 (PDT) Received: from champagne.edelweb.fr (localhost.edelweb.fr [127.0.0.1]) by edelweb.fr with ESMTP id LAA04553 for <ietf-pkix@imc.org>; Wed, 28 Apr 1999 11:21:08 +0200 (MET DST) Received: from champagne.edelweb.fr (champagne.edelweb.fr [193.51.14.161]) by edelweb.fr (nospam/1.1); Wed, 28 Apr 1999 11:21:08 +0200 (MET DST) Received: from emeriau.edelweb.fr (emeriau.edelweb.fr [193.51.14.5]) by champagne.edelweb.fr (8.6.10/8.6.6) with ESMTP id LAA01124 for <ietf-pkix@imc.org>; Wed, 28 Apr 1999 11:21:07 +0200 From: Peter Sylvester <Peter.Sylvester@edelweb.fr> Received: (sylvest@localhost) by emeriau.edelweb.fr (8.6.10/8.6.6) id LAA10071 for ietf-pkix@imc.org; Wed, 28 Apr 1999 11:21:07 +0200 Date: Wed, 28 Apr 1999 11:21:07 +0200 Message-Id: <199904280921.LAA10071@emeriau.edelweb.fr> To: ietf-pkix@imc.org Subject: Re: Closure of the QC biometric issue Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> ----- Begin Included Message ----- >From owner-ietf-pkix@imc.org Wed Apr 28 11:05:38 1999 >Date: Wed, 28 Apr 1999 08:59:57 +0200 > -Source data format information has NOT been included by several reasons. > If the sourceDataURI are used then this information is already covered. If > sourceDataURI is NOT included then the source data issue have to be handled > outside of the certificate anyway, thus making a source data declaration in > the certificate of dubious value. > > -SourceDataUri has been included (as OPTIONAL) since it can be shown that > some PKI:s could benefit from this value without causing troubles for other > PKI:s. > How do you calculate the hash of source data starting from an SourceDataUri? Do you take the data, a bitmap, the mime encapsulated data? Do you include the mime type in the hash? Are there other attributes, creation date of the document, etc. Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id AAA19610 for ietf-pkix-bks; Wed, 28 Apr 1999 00:24:21 -0700 (PDT) Received: from clbull.frcl.bull.fr (clbull.frcl.bull.fr [129.182.1.20]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id AAA19604 for <ietf-pkix@imc.org>; Wed, 28 Apr 1999 00:24:18 -0700 (PDT) Received: from k2.frcl.bull.fr (k2.frcl.bull.fr [129.182.100.2]) by clbull.frcl.bull.fr (8.9.1a/8.9.1) with ESMTP id IAA14322; Wed, 28 Apr 1999 08:58:49 +0200 Received: from bull.net (frcls6118.frcl.bull.fr [129.182.109.213]) by k2.frcl.bull.fr (AIX4.2/UCB 8.7/8.7) with ESMTP id IAA28240; Wed, 28 Apr 1999 08:58:48 +0200 (DFT) Message-ID: <3726B1EC.EE1FFAE6@bull.net> Date: Wed, 28 Apr 1999 08:59:57 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.06 [fr] (Win95; I) MIME-Version: 1.0 To: Stefan Santesson <stefan@accurata.se> CC: ietf-pkix@imc.org Subject: Re: Closure of the QC biometric issue References: <3.0.32.19990426110843.00a1a1e0@mail.accurata.se> Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Content-Transfer-Encoding: 8bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Stephan, I can live with it. :-) Denis > All, > > I've tried my best to interpret the consensus, as far possible, regarding > inclusion of biometric data in Qualified Certificates. > > The final (I hope) solution to this issue are definition of a new optional > extension with the structure below. > > I know that this is not what everybody would like, but I hope that > everybody can live with this as an acceptable solution, at this stage of > evolution. > Some final comments follow in the end. > > PLEASE REVIEW THE FOLLOWING ASN.1 STRUCTURE AND COMMENT IN CASE OF ERRORS: > -------------------------------------------------------------------------- > > Extension ::= SEQUENCE { > extnId OBJECT IDENTIFIER, > critical BOOLEAN DEFAULT FALSE, > extnValue OCTET STRING } > > biometric EXTENSION ::= { > SYNTAX BiometricSyntax > IDENTIFIED BY id-qext-biometric } > > id-qext-biometric OBJECT IDENTIFIER ::= {id-qext xx} > > BiometricSyntax ::= SEQUENCE OF BiometricData > > BiometricData ::= SEQUENCE { > typeOfBiometricData TypeOfBiometricData, > hashAlgorithm AlgorithmIdentifier, > biometricDataHash OCTET STRING, > sourceDataUri IA5String OPTIONAL } > > TypeOfBiometricData ::== CHOICE { > predefinedBiometricType [0] INTEGER, > biometricDataOid [1] OBJECT IDENTIFIER } > > with the following predefinedBiometricType defined: > 0 picture > 1 image of handwritten signature > > Minor comments: > > -Fingerprint has not been included due to the fact that fingerprint > templates are used in machine verification, using a verification algorithm, > while biometrics in this extension are aimed for human recognition. > -Source data format information has NOT been included by several reasons. > If the sourceDataURI are used then this information is already covered. If > sourceDataURI is NOT included then the source data issue have to be handled > outside of the certificate anyway, thus making a source data declaration in > the certificate of dubious value. > > -SourceDataUri has been included (as OPTIONAL) since it can be shown that > some PKI:s could benefit from this value without causing troubles for other > PKI:s. > > -No storage of the source data itself has been included since this is not > the way we want certificates to be used (according to consensus). The > source data are never needed for security reasons, only for convenience, > and we don't want to encourage overloading the certificate with data for > convenience. Especially not when there are other ways to solve the same > problem (such as using the sourceDataURI) > > If there are no serious objections to this (which has not already been > discussed), I would like to bury this issue and move on. > > /Stefan > ------------------------------------------------------------------- > Stefan Santesson <stefan@accurata.se> > Accurata Systemsäkerhet AB http://www.accurata.se > Slagthuset Tel. +46-40 108588 > 211 20 Malmö Fax. +46-40 150790 > Sweden Mobile +46-70 5247799 > > PGP fingerprint: 89BC 6C79 5B3D 591B 8547 1512 7D11 DBF4 528F 29A0 > ------------------------------------------------------------------- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id IAA27548 for ietf-pkix-bks; Tue, 27 Apr 1999 08:58:25 -0700 (PDT) Received: from relay7.UU.NET (relay7.UU.NET [192.48.96.17]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id IAA27544 for <ietf-pkix@imc.org>; Tue, 27 Apr 1999 08:58:23 -0700 (PDT) Received: from xedia.com by relay7.UU.NET with SMTP (peer crosschecked as: madway.xedia.com [198.202.232.199]) id QQgmtr25630; Tue, 27 Apr 1999 11:58:39 -0400 (EDT) Received: from tonga.xedia.com by xedia.com (4.1/SMI-4.1) id AA20032; Tue, 27 Apr 99 11:58:19 EDT Received: by tonga.xedia.com (SMI-8.6/SMI-SVR4) id LAA22849; Tue, 27 Apr 1999 11:58:37 -0400 Date: Tue, 27 Apr 1999 11:58:37 -0400 Message-Id: <199904271558.LAA22849@tonga.xedia.com> From: Paul Koning <pkoning@xedia.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: moshe@cale.checkpoint.com Cc: ietf-pkix@imc.org Subject: Re: SEIS: Re: Certificates, Directories, and Distinguished Names References: <D1A949D4508DD1119C8100400533BEDC0BE98F@DSG1> <37257563.DE9D20EF@cale.checkpoint.com> X-Mailer: VM 6.34 under 20.3 "Vatican City" XEmacs Lucid Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> >>>>> "Moshe" == Moshe Litvin <moshe@cale.checkpoint.com> writes: Moshe> I disagree. Security software should always check its inputs Moshe> carefully (assuming it may be hostile). No need to for special Moshe> treatment here in regards for crashes. I'd go further. ALL protocol code must be implemented in that way. If there is any bit pattern that I can send to a box that causes that box to break (crash, or otherwise malfunction in a way that doesn't straighten itself out after I stop harrassing it) then that implementation is defective. Full stop. No excuses accepted. I suppose there is no harm in mentioning that general principle in a few places, but it shouldn't be described as specific to security protocols, let alone PKIX profiles. paul Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id GAA22006 for ietf-pkix-bks; Tue, 27 Apr 1999 06:20:56 -0700 (PDT) Received: from popmail.inbox.se (popmail.inbox.se [193.12.72.101]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id GAA22002 for <ietf-pkix@imc.org>; Tue, 27 Apr 1999 06:20:54 -0700 (PDT) Received: from stefan2 (accurata.inbox.se [193.12.72.24]) by popmail.inbox.se (8.9.3/8.9.3) with SMTP id PAA17666 for <ietf-pkix@imc.org>; Tue, 27 Apr 1999 15:22:14 +0200 Message-Id: <3.0.32.19990427152215.00af9670@mail.accurata.se> X-Sender: mb517@mail.accurata.se X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Tue, 27 Apr 1999 15:22:15 +0200 To: "ietf-pkix@imc.org" <ietf-pkix@imc.org> From: Stefan Santesson <stefan@accurata.se> Subject: EU Electronic signature directive - Latest version available Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id GAA22003 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> All, Since the process concerning the EU directive on electronic signatures has finally come to (almost) closure, I have finally got my hands on the latest electronic version of the draft directive, with a permission to publish it on the QC-Website. So you are all welcome to download the directive, and pass it on to others, from: http://www.accurata.se/QC/ Look under "Related information" /Stefan ------------------------------------------------------------------- Stefan Santesson <stefan@accurata.se> Accurata Systemsäkerhet AB http://www.accurata.se Slagthuset Tel. +46-40 108588 211 20 Malmö Fax. +46-40 150790 Sweden Mobile +46-70 5247799 PGP fingerprint: 89BC 6C79 5B3D 591B 8547 1512 7D11 DBF4 528F 29A0 ------------------------------------------------------------------- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id BAA11061 for ietf-pkix-bks; Tue, 27 Apr 1999 01:30:45 -0700 (PDT) Received: from cale.checkpoint.com (ns.checkpoint.com [199.203.73.197]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id BAA11056 for <ietf-pkix@imc.org>; Tue, 27 Apr 1999 01:30:40 -0700 (PDT) Received: from cale.checkpoint.com (gray.checkpoint.com [199.203.71.94]) by cale.checkpoint.com (8.9.1/8.9.1) with ESMTP id LAA20733; Tue, 27 Apr 1999 11:34:42 +0300 (IDT) Message-ID: <37257563.DE9D20EF@cale.checkpoint.com> Date: Tue, 27 Apr 1999 11:29:23 +0300 From: Moshe Litvin <moshe@cale.checkpoint.com> X-Mailer: Mozilla 4.51 [en] (WinNT; I) X-Accept-Language: en MIME-Version: 1.0 To: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au> CC: ietf-pkix@imc.org Subject: Re: SEIS: Re: Certificates, Directories, and Distinguished Names References: <D1A949D4508DD1119C8100400533BEDC0BE98F@DSG1> Content-Type: multipart/mixed; boundary="------------8B247012F499DBCE9D29A26B" Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This is a multi-part message in MIME format. --------------8B247012F499DBCE9D29A26B Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Alan Lloyd wrote: <snip> > > Let me highlight some issues with 2459. <snip> > 3. Section 4.1.2.4 -last para page 19 - " The Telexstring and > Universal string ... Certificate Users SHOULD" .. this magic word > "Should".. > There is no sure way of knowing what encoding is being rxd by an > implementation and if they do not decode strings correctly the > implementations will fail or crash. If building a commercial robust PKIX > implementation - one would expect a profile - if there are known uses of > the scheme out there, to say all recieving certificate using systems > must support this. ie a profile must dictate robustness to current > implementations - not leave an implementor with a guess and bugs. > I disagree. Security software should always check its inputs carefully (assuming it may be hostile). No need to for special treatment here in regards for crashes. regards, Moshe --------------8B247012F499DBCE9D29A26B Content-Type: text/x-vcard; charset=us-ascii; name="moshe.vcf" Content-Transfer-Encoding: 7bit Content-Description: Card for Moshe Litvin Content-Disposition: attachment; filename="moshe.vcf" begin:vcard n:Litvin;Moshe tel;fax:+972 3 5759256 tel;work:+972 3 7534601 x-mozilla-html:TRUE org:Check Point Software Technologies Ltd. adr:;;;;;; version:2.1 email;internet:moshe@CheckPoint.com fn:Moshe Litvin end:vcard --------------8B247012F499DBCE9D29A26B-- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id AAA09511 for ietf-pkix-bks; Tue, 27 Apr 1999 00:59:43 -0700 (PDT) Received: from smtp.udac.net (smtp.udac.net [193.44.79.123]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id AAA09505 for <ietf-pkix@imc.org>; Tue, 27 Apr 1999 00:59:41 -0700 (PDT) Received: from caesar.udac.se (caesar.udac.se [193.44.79.10]) by smtp.udac.net (8.9.1/8.9.1) with ESMTP id KAA07861 for <ietf-pkix@imc.org>; Tue, 27 Apr 1999 10:01:07 +0200 Received: from HYDRA ([195.198.186.71]) by caesar.udac.se (8.7.3/NetworkC-1) with SMTP id KAA52785; Tue, 27 Apr 1999 10:01:06 +0200 Received: by HYDRA with Microsoft Mail id <01BE9094.CD8D6D70@HYDRA>; Tue, 27 Apr 1999 10:00:39 +0200 Message-ID: <01BE9094.CD8D6D70@HYDRA> From: Anders Rundgren <anders.rundgren@jaybis.com> To: "ietf-pkix@imc.org" <ietf-pkix@imc.org>, "'Stefan Santesson'" <stefan@accurata.se> Subject: RE: Closure of the QC biometric issue Date: Tue, 27 Apr 1999 10:00:37 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Stefan, Thanx for a prompt response but my two questions regarding the access to the bio-data-template-server are still unanswered. Anders >Certainly, >1) URI are defined by RFC 2396. >2) The source data is authenticated by the signed hash of the bio data, >held in the new certificate extension. >>Congratulations Stefan! >>But before you cast it in stone, could you for us morons who do not fully >>understand the implicit infrastructure that the QC-editors apparently work >>with, explain a little bit on how "sourceDataUri" is to be used? E.g. WHO >>fetches the bio-data? Authenticated by WHAT? > >>Anders >>http://www.mobilephones-tng.com/papers/idcards.html Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id AAA05682 for ietf-pkix-bks; Tue, 27 Apr 1999 00:03:28 -0700 (PDT) Received: from popmail.inbox.se (popmail.inbox.se [193.12.72.101]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id AAA05678 for <ietf-pkix@imc.org>; Tue, 27 Apr 1999 00:03:26 -0700 (PDT) Received: from stefan2 (accurata.inbox.se [193.12.72.24]) by popmail.inbox.se (8.9.3/8.9.3) with SMTP id JAA13613; Tue, 27 Apr 1999 09:04:51 +0200 Message-Id: <3.0.32.19990427090453.00a3ba00@mail.accurata.se> X-Sender: mb517@mail.accurata.se X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Tue, 27 Apr 1999 09:04:53 +0200 To: Anders Rundgren <anders.rundgren@jaybis.com>, "ietf-pkix@imc.org" <ietf-pkix@imc.org> From: Stefan Santesson <stefan@accurata.se> Subject: RE: Closure of the QC biometric issue Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id AAA05679 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Certainly, 1) URI are defined by RFC 2396. 2) The source data is authenticated by the signed hash of the bio data, held in the new certificate extension. /Stefan At 05:32 PM 4/26/99 +0200, Anders Rundgren wrote: >Congratulations Stefan! >But before you cast it in stone, could you for us morons who do not fully understand the implicit infrastructure that the QC-editors apparently work with, explain a little bit on how "sourceDataUri" is to be used? E.g. WHO fetches the bio-data? Authenticated by WHAT? > >Anders >http://www.mobilephones-tng.com/papers/idcards.html > > ------------------------------------------------------------------- Stefan Santesson <stefan@accurata.se> Accurata Systemsäkerhet AB http://www.accurata.se Slagthuset Tel. +46-40 108588 211 20 Malmö Fax. +46-40 150790 Sweden Mobile +46-70 5247799 PGP fingerprint: 89BC 6C79 5B3D 591B 8547 1512 7D11 DBF4 528F 29A0 ------------------------------------------------------------------- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id IAA29680 for ietf-pkix-bks; Mon, 26 Apr 1999 08:32:14 -0700 (PDT) Received: from smtp.udac.net (smtp.udac.net [193.44.79.123]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id IAA29671 for <ietf-pkix@imc.org>; Mon, 26 Apr 1999 08:32:05 -0700 (PDT) Received: from caesar.udac.se (caesar.udac.se [193.44.79.10]) by smtp.udac.net (8.9.1/8.9.1) with ESMTP id RAA31638 for <ietf-pkix@imc.org>; Mon, 26 Apr 1999 17:33:22 +0200 Received: from HYDRA ([195.198.186.71]) by caesar.udac.se (8.7.3/NetworkC-1) with SMTP id RAA41443; Mon, 26 Apr 1999 17:33:17 +0200 Received: by HYDRA with Microsoft Mail id <01BE900A.D2B91450@HYDRA>; Mon, 26 Apr 1999 17:32:57 +0200 Message-ID: <01BE900A.D2B91450@HYDRA> From: Anders Rundgren <anders.rundgren@jaybis.com> To: "ietf-pkix@imc.org" <ietf-pkix@imc.org>, "'Stefan Santesson'" <stefan@accurata.se> Cc: =?iso-8859-1?Q?=27Petra_Gl=F6ckner=27?= <Petra.Gloeckner@darmstadt.gmd.de> Subject: RE: Closure of the QC biometric issue Date: Mon, 26 Apr 1999 17:32:56 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id IAA29677 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Congratulations Stefan! But before you cast it in stone, could you for us morons who do not fully understand the implicit infrastructure that the QC-editors apparently work with, explain a little bit on how "sourceDataUri" is to be used? E.g. WHO fetches the bio-data? Authenticated by WHAT? Anders http://www.mobilephones-tng.com/papers/idcards.html Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id EAA27706 for ietf-pkix-bks; Mon, 26 Apr 1999 04:53:30 -0700 (PDT) Received: from popmail.inbox.se (popmail.inbox.se [193.12.72.101]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id EAA27702 for <ietf-pkix@imc.org>; Mon, 26 Apr 1999 04:53:29 -0700 (PDT) Received: from stefan2 (accurata.inbox.se [193.12.72.24]) by popmail.inbox.se (8.9.3/8.9.3) with SMTP id NAA06527; Mon, 26 Apr 1999 13:54:50 +0200 Message-Id: <3.0.32.19990426135451.00ac8100@mail.accurata.se> X-Sender: mb517@mail.accurata.se X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Mon, 26 Apr 1999 13:54:52 +0200 To: Alfred Arsenault <awa1@home.com>, ietf-pkix@imc.org From: Stefan Santesson <stefan@accurata.se> Subject: Comments on QC-parts of PKIX roadmap. Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id EAA27703 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Al, You asked me in Minneapolis to check the new roadmap concerning the QC parts. Well, I seam to have missed it's appearance on the list so here are my comments a little bit late. The following text is not quite right (from 3.6.1): "Certain organizations, such as countries, have recently mandated certain restrictions on certificates (such as that the subject of a certificate must be a natural person, or that the country of citizenship and/or country of residence of the subject must be included in the certificate). A certificate which meets these restrictions is deemed a "qualified certificate." In December 1998, PKIX adopted as a work item the development of a refinement of [RFC2459] that further profiles PKIX certificates into qualified certificates. This work is reflected in [QC]." In fact I would say that this is wrong. I don't know of any country making such statements. I would put it more like this: "Certain countries are in a process of updating their legal frameworks in order to regulate and incorporate recognition of signatures in electronic form. Many of these frameworks introduce certain basic requirements on certificates, often termed Qualified Certificates, supporting these types of "legal" signatures. Partly as a result of this there is a need for a specific certificate profile providing standardized support for certain related issues such as a common structure for expressing unambiguous identities of certified subjects (unmistakable identity). In December 1998, PKIX adopted as a work item the development of a refinement of [RFC2459] that further profiles PKIX certificates into qualified certificates. This work is reflected in [QC]." Please feel free to edit this as you like. /Stefan ------------------------------------------------------------------- Stefan Santesson <stefan@accurata.se> Accurata Systemsäkerhet AB http://www.accurata.se Slagthuset Tel. +46-40 108588 211 20 Malmö Fax. +46-40 150790 Sweden Mobile +46-70 5247799 PGP fingerprint: 89BC 6C79 5B3D 591B 8547 1512 7D11 DBF4 528F 29A0 ------------------------------------------------------------------- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id CAA24294 for ietf-pkix-bks; Mon, 26 Apr 1999 02:07:24 -0700 (PDT) Received: from popmail.inbox.se (popmail.inbox.se [193.12.72.101]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id CAA24290 for <ietf-pkix@imc.org>; Mon, 26 Apr 1999 02:07:22 -0700 (PDT) Received: from stefan2 (accurata.inbox.se [193.12.72.24]) by popmail.inbox.se (8.9.3/8.9.3) with SMTP id LAA04781 for <ietf-pkix@imc.org>; Mon, 26 Apr 1999 11:08:42 +0200 Message-Id: <3.0.32.19990426110843.00a1a1e0@mail.accurata.se> X-Sender: mb517@mail.accurata.se X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Mon, 26 Apr 1999 11:08:43 +0200 To: <ietf-pkix@imc.org> From: Stefan Santesson <stefan@accurata.se> Subject: Closure of the QC biometric issue Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id CAA24291 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> All, I've tried my best to interpret the consensus, as far possible, regarding inclusion of biometric data in Qualified Certificates. The final (I hope) solution to this issue are definition of a new optional extension with the structure below. I know that this is not what everybody would like, but I hope that everybody can live with this as an acceptable solution, at this stage of evolution. Some final comments follow in the end. PLEASE REVIEW THE FOLLOWING ASN.1 STRUCTURE AND COMMENT IN CASE OF ERRORS: -------------------------------------------------------------------------- Extension ::= SEQUENCE { extnId OBJECT IDENTIFIER, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING } biometric EXTENSION ::= { SYNTAX BiometricSyntax IDENTIFIED BY id-qext-biometric } id-qext-biometric OBJECT IDENTIFIER ::= {id-qext xx} BiometricSyntax ::= SEQUENCE OF BiometricData BiometricData ::= SEQUENCE { typeOfBiometricData TypeOfBiometricData, hashAlgorithm AlgorithmIdentifier, biometricDataHash OCTET STRING, sourceDataUri IA5String OPTIONAL } TypeOfBiometricData ::== CHOICE { predefinedBiometricType [0] INTEGER, biometricDataOid [1] OBJECT IDENTIFIER } with the following predefinedBiometricType defined: 0 picture 1 image of handwritten signature Minor comments: -Fingerprint has not been included due to the fact that fingerprint templates are used in machine verification, using a verification algorithm, while biometrics in this extension are aimed for human recognition. -Source data format information has NOT been included by several reasons. If the sourceDataURI are used then this information is already covered. If sourceDataURI is NOT included then the source data issue have to be handled outside of the certificate anyway, thus making a source data declaration in the certificate of dubious value. -SourceDataUri has been included (as OPTIONAL) since it can be shown that some PKI:s could benefit from this value without causing troubles for other PKI:s. -No storage of the source data itself has been included since this is not the way we want certificates to be used (according to consensus). The source data are never needed for security reasons, only for convenience, and we don't want to encourage overloading the certificate with data for convenience. Especially not when there are other ways to solve the same problem (such as using the sourceDataURI) If there are no serious objections to this (which has not already been discussed), I would like to bury this issue and move on. /Stefan ------------------------------------------------------------------- Stefan Santesson <stefan@accurata.se> Accurata Systemsäkerhet AB http://www.accurata.se Slagthuset Tel. +46-40 108588 211 20 Malmö Fax. +46-40 150790 Sweden Mobile +46-70 5247799 PGP fingerprint: 89BC 6C79 5B3D 591B 8547 1512 7D11 DBF4 528F 29A0 ------------------------------------------------------------------- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id VAA22529 for ietf-pkix-bks; Sun, 25 Apr 1999 21:08:00 -0700 (PDT) Received: from dsg1.OpenDirectory.com.au ([203.108.249.145]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id VAA22524 for <ietf-pkix@imc.org>; Sun, 25 Apr 1999 21:07:54 -0700 (PDT) Received: by DSG1 with Internet Mail Service (5.0.1458.49) id <J4BWJT50>; Mon, 26 Apr 1999 14:08:56 +1000 Message-ID: <D1A949D4508DD1119C8100400533BEDC0BE98F@DSG1> From: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au> To: "'Stephen Kent'" <kent@po1.bbn.com> Cc: ietf-pkix@imc.org, list@seis.nc-forum.com Subject: RE: SEIS: Re: Certificates, Directories, and Distinguished Names Date: Mon, 26 Apr 1999 14:08:53 +1000 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> snip > > > > If this is the approach to logical debate - that is also used to > >debate technology issues , then one can see why these lists have > >difficulty. > > Yes, this is a logical approach to debate. Sorry if my choice of > terms was > confusing, but I fear the real problem is deeper. > Yes it is. It is the general issue that 2459 is a massive amount of paper which repeats much of X.509 and at the same time in some (important) places confuses its implementation - specifically as the text relates to CA management policies and certificate using system validation. Yes I am very well aware that standards do not cover all things or are correct. Thats why standards evolve and get bug fixes - and then get profiled. Profiles on the other hand should not be tutorial or vague or in error. As it is these documents that people will commit implementation to. And in the case of X.509 and security - that wont be cheap. Let me highlight some issues with 2459. 1. Section 2 second para - last sentence - what does that mean? 2. Section 2 should also state that where certificate using systems (signer and relying party) need to validate information without a shared directory service, then the means and protocols by which they perform this sharing is a local matter and outside the scope of this profile. ie this situation does create ambiguity. 3. Section 4.1.2.4 -last para page 19 - " The Telexstring and Universal string ... Certificate Users SHOULD" .. this magic word "Should".. There is no sure way of knowing what encoding is being rxd by an implementation and if they do not decode strings correctly the implementations will fail or crash. If building a commercial robust PKIX implementation - one would expect a profile - if there are known uses of the scheme out there, to say all recieving certificate using systems must support this. ie a profile must dictate robustness to current implementations - not leave an implementor with a guess and bugs. 4. Section 4.1.2.4 para "standard sets of (naming) attributes ... same as above. 5. Section 4.1.2.4 (not a good section) Name comparison rules. X.500 relaxes name comparison on different syntaxes/normalisation to permit directory searching as the author of the info may use a different syntax when storing to that from a user who is searching. ie X.500 provides relaxation (approximate matching, etc) to provide Search utility. I find it odd that certficate validation proposed by PKIX - in which a cert cryptographically binds names to key material permits name relaxation in the validation process?. In fact why verify a certificate signature - if the means one finds its issuer with a relaxed name form.? Isnt this weak and open to threats. IMHO the DN of the Issuer MUST be the CA - Case exact match. This name form relaxation text is repeated in subsequent sections. 6. Section 4.2.1.1 Authority Key Id (and Subject Key Id) The text mandates the use of this extension by ALL PKIX certficates. However the ASN.1 seems to permit the choice of Issuer and SN and or with Key Id . In the case of Key Id one SHOULD use one of the two Key Id methods proposed (as well as a third option as "sequence of numbers" ) It is unclear if Issuer and SN are compatible in developing paths with the other methods, that the distinction between 160 bit sha and the other is by saying by length - (20 bytes or 8 bytes) but if a sequence of integers is used and its 8 or 20 bytes long (an Octet String) - what happens? I would have thought that fwd and reverse certificate path management/determination is a critical piece of engineering - but the text is not very clear about use for implicit interoperability. 7. Section 4.2.5.1 Cert Policies The CPS pointer - a health warning should be provided in that the CSP is not cryptographically bound to the certificate and can be changed without referring to the certificate issuer. A small matter .. The User notice. "is intended for display to a relying party." although this may have some utility - is it informative, interactive, affect validation or provided before or after path validation. 8. Section 4.2.1.7 Subject Alt Names I have difficulty with this thing - simply because of what is the trust mechanism. If there is no Subject in the cert and Subject Alt Name is used and is critical , then it is up to the certficate using system to verify the subject. For instance if the "message" to be verified / originator authentication is via "IP", and the IP form is used in the subject alt name, then the certificate using system Must validate the source IP address, ditto X.400, ditto smtp. If implementations do not do this - all they are doing is verifying a certficate path from something that cannot verify when it has been deemed by the certficate issuer to be critical. (see also name constraints). Part of the PKIX profile should highlight interfaces and mechanisms when using certs with cert fields described in this way. Otherwise interoperability and trust will not be achieved. 9. Section 4.2.1.8 Issuer Alt name - same as above - whats the validation process - ie when reading certs for path validation from the CA (eg via smtp or IP ) do I check its originating details are as defined in the issuer alt name. 10. Section 4.2.1.10 Basic Constraints - already discussed and text offered - should cover certificate using system usage. ie an EE cert cannot be used for cert signature verification. 11. Section 4.2.1.11 Naming Constraints - Text is unclear if this extension is mandated in PKIX CA certificates or as X.509 says it can only be used in CA certs. If it is mandated and critical this will add a lot of complexity to client/user/certficate using systems. re name types, alt names and name relaxation (if used).. 12. Section 5.2.1. CRL Auth key Id I would like to see text that helps the implementor understand there may a different between the Certificate signing key and the CRL signing key and that the certs used to verify the CRL may have a different auth key Id to that of the CA cert signing and that the management of these must be maintained in the cert path validation. In closing, a profile should assist where it can the operational implementation of a function. Specifically the thrust of the profile is to get consistent trusted validation paths going. The issues raised above affect interfaces, interpretation and choices. regards alan. > Steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id BAA20489 for ietf-pkix-bks; Sat, 24 Apr 1999 01:19:22 -0700 (PDT) Received: from web103.yahoomail.com (web103.yahoomail.com [205.180.60.68]) by mail.proper.com (8.8.8/8.8.5) with SMTP id BAA20485 for <ietf-pkix@imc.org>; Sat, 24 Apr 1999 01:19:20 -0700 (PDT) Message-ID: <19990424082104.3318.rocketmail@web103.yahoomail.com> Received: from [12.72.55.119] by web103.yahoomail.com; Sat, 24 Apr 1999 01:21:04 PDT Date: Sat, 24 Apr 1999 01:21:04 -0700 (PDT) From: sankar ramamoorthi <sanka2g@yahoo.com> Subject: subj.alt.name and uniqueness To: ietf-pkix@imc.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Hi, A question on subj.alt.name. RFC 2459 states that 'If the only subject identity included in the certificate is an alternative name form (e.g., an electonic mail address), then the subject distinguished name shall be empty (an empty sequence), and the subjectAltName must be present. If the subject field contains an empty sequence, the subjectAltName extension shall be marked critical'. In the above case can I assume the subjectAltName will have the same uniqueness characterstic described for subject names? In general what are uniqueness guarantees for subjectAltNames? My motivation for this question comes from IPsec usage of subjectAltNames to store identies of IPsec devices. Thanks, -- sankar ramamoorthi -- _________________________________________________________ Do You Yahoo!? Get your free @yahoo.com address at http://mail.yahoo.com Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id SAA17960 for ietf-pkix-bks; Fri, 23 Apr 1999 18:36:43 -0700 (PDT) Received: from mail.rdc1.md.home.com (imail@ha1.rdc1.md.home.com [24.2.2.66]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id SAA17956 for <ietf-pkix@imc.org>; Fri, 23 Apr 1999 18:36:41 -0700 (PDT) Received: from home.com ([24.4.133.54]) by mail.rdc1.md.home.com (InterMail v4.00.03 201-229-104) with ESMTP id <19990424013752.FQWF29499.mail.rdc1.md.home.com@home.com> for <ietf-pkix@imc.org>; Fri, 23 Apr 1999 18:37:52 -0700 Message-ID: <37212074.FF2AC522@home.com> Date: Fri, 23 Apr 1999 21:37:56 -0400 From: Alfred Arsenault <awa1@home.com> Organization: @Home Network X-Mailer: Mozilla 4.5 [en]C-AtHome0405 (Win95; U) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: Some term ambiguous on PKIX Roadmap Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> <snip> For key management keys that are generated by the requester, the CA can send the user the requested public key, along with the CA's own private key, to encrypt some piece of data, and send it to the requester to be decrypted. <snip> What CA's own private key above context means? CA's private key is so meaningless to send to a new requester? Can I interpret it as somewhat like a session key? And encrypt the session key with the requester's public key.. If the requester really have a corresponding private key, he can get the session key. Is my interpretation right? <snip> ________________________________ Yes, your interpretation is right. The paragraph in the Roadmap is in error; it should say something like For key management keys that are generated by the requester, the CA can use the requested public key to encrypt some piece of data, and send it to the requester to be decrypted. ___________________________ Depending on which encryption algorithm you're using, the encryption might involve both the requested key, and the CA's private key; the decryption would thus involve both the private key that matches the requested public, and the CA's public. Unfortunately, we didn't say that very well. It will be fixed in the next draft. Al Arsenault --- These are my opinions, and do not necessarily represent those of my employer or of any other organization with which I have a relationship. Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id LAA13984 for ietf-pkix-bks; Fri, 23 Apr 1999 11:35:23 -0700 (PDT) Received: from prv-mail20.provo.novell.com (prv-mail20.Provo.Novell.COM [137.65.40.4]) by mail.proper.com (8.8.8/8.8.5) with SMTP id LAA13979 for <ietf-pkix@imc.org>; Fri, 23 Apr 1999 11:35:22 -0700 (PDT) Received: from INET-PRV-Message_Server by prv-mail20.provo.novell.com with Novell_GroupWise; Fri, 23 Apr 1999 12:33:39 -0600 Message-Id: <s72068a3.008@prv-mail20.provo.novell.com> X-Mailer: Novell GroupWise 5.5 Date: Fri, 23 Apr 1999 12:33:32 -0600 From: "Bob Jueneman" <BJUENEMAN@novell.com> To: <jimsch@exchange.microsoft.com>, <ietf-pkix@imc.org> Subject: RE: New CMC Draft available - Confirmation Message Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id LAA13980 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Yes. Although revoking a certificate that the client has already started to use is awkward, it is at least fail safe. If someone receives a document that can't be validated they will go back to the user and complain, and the matter will be resolved quickly. But the other way around risks having a certificate published that was issued to the wrong person, or that the client doesn't accept because of the contents, etc. One way to make this a little more graceful is to use the pending state, where the certificate is not published until it is accepted, and can not be used to validate the certificate the client has already received until the notice of acceptance has been received, e.g., in the form of a secret PIN sent out of band to that user to indicate acceptance. This PIN can also be used to prove that the user actually saw and read the notice of certificate issuance. Regards, Bob >>> "Jim Schaad (Exchange)" <jimsch@EXCHANGE.MICROSOFT.com> 04/23/99 10:02AM >>> Let me make sure that I understand what you are saying: It is better for both the CA and the client, for a CA to revoke a certificate that the CA has not received positive conformation of acceptance (even if the client thinks it has accepted it and started to use it) than it is for a CA to not revoke a certificate that a client has rejected. Remember that for signing certificates the client can start using the cert immeadiately and does not need to wait for it to be published in the DS. jim -----Original Message----- From: Bob Jueneman [mailto:BJUENEMAN@novell.com] Sent: Friday, April 16, 1999 3:38 PM To: Jim Schaad (Exchange); 'walter@deh.de' ; IETF-PKIX (E-mail) Subject: RE: New CMC Draft available - Confirmation Message Jim, I have to agree with Juergan. The client shouldn't have to check for revocation if (s)he disagrees with the certificate, even though it might be prudent to do so. But if the client does accept the certificate and the CA thinks it hasn't, that is at least fail safe. If the CA ends up calling the client, screaming "What do you mean you are rejecting the certificate -- do you want to keep on working here?!", then at least the problem will end up getting resolved. But if the client thinks it rejected the certificate and the CA goes ahead and publishes it anyway, very real and perhaps substantial damages could occur - it might be someone else's public key, it might disclose private information, or it might contain a Reliance Limit that is higher than the client wishes to accept., etc. Positive acknowledgment of acceptance by the Subscriber is a firm requirement. Bob >>> "Jim Schaad (Exchange)" <jimsch@exchange.microsoft.com> 04/13/99 01:01PM >>> Juergen, The problem that I have with this approach is that there is no way of knowing what the delay is going to be on the acceptance showing up on at the CA. (Nor do all transport mechinisms guantee delivery.) Thus a client can think it did accept a certificate and the CA can reach an opposite conclusion. If the client asks for revocation, it can later check to make sure that this operation occured. jim -----Original Message----- From: Juergen Walter [mailto:walter@deh.de] Sent: Tuesday, April 13, 1999 1:32 AM To: Jim Schaad (Exchange); IETF-PKIX (E-mail) Subject: Re: New CMC Draft available - Confirmation Message Jim, [snip] > > > - there is no confirmation message from the client to the > > CA/RA (thus, there > > is no way for a client to reject a certificate that it does > > not want (e.g., > > in the case where the CA has modified some of the fields in > > the request)). > > There is a simple way for a client to reject a certificate, it simply puts > in a revocation request on the certificates it just received. I don't know > of any reason for the oppositite to be required in a general protocal. That > is the client must positively accept a certificate. > When I remember right e. g. ABA Guidelines requires that an EE explicitly confirms an issued certificate. This may be not a protocol requirement in pure PKI implementations. But I know environments where a certificate receipt is at least an operational requirement. I think that an appropriate message (optional) would be an improvement. When the rejection (i. e. sending of revocation request) stays away we have no explicite confirmation of the certificate (may be a legal issue). The time-frame of such stay away process may cause complicated validation issues. I prefer a message that indicates the fact whether an EE accept his certificate or not. This may replace the revocation request on the one hand and the pure revocation request on the other hand. Juergen Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id LAA13864 for ietf-pkix-bks; Fri, 23 Apr 1999 11:25:29 -0700 (PDT) Received: from prv-mail20.provo.novell.com (prv-mail20.Provo.Novell.COM [137.65.40.4]) by mail.proper.com (8.8.8/8.8.5) with SMTP id LAA13860 for <ietf-pkix@imc.org>; Fri, 23 Apr 1999 11:25:28 -0700 (PDT) Received: from INET-PRV-Message_Server by prv-mail20.provo.novell.com with Novell_GroupWise; Fri, 23 Apr 1999 12:26:03 -0600 Message-Id: <s72066db.072@prv-mail20.provo.novell.com> X-Mailer: Novell GroupWise 5.5 Date: Fri, 23 Apr 1999 12:25:53 -0600 From: "Bob Jueneman" <BJUENEMAN@novell.com> To: <pkoning@xedia.com> Cc: <ietf-pkix@imc.org> Subject: Re: Delta CRL processing Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id LAA13861 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Paul, I agree. >Similarly, the only statements about a CA that can be normative are >those that are externally observable. If a CA publishes a CRL, that >is observable. If it generates one that it doesn't publish, that's an >internal algorithm and illustrative only. > >With that in mind, if X.509 *requires* a CA to "issue" a CRL under >some conditions, there are two possible conclusions: > >1. The term "issue" describes externally visible behavior, i.e., it is >synonymous with "publish", or > >2. The term "issue" describes internal behavior, is not meant as >"publish" and the standard is in error in that it appears to require >something that isn't observable. > > paul Since it is clear from the final paragraph of that section that the CA is not required to _publish_ the issued the CRL, the standard is over-reaching by specifying something that isn't visible. I would suggest submitting a defect report to X.509 to remove the entire section having to do with "issuing" a certificate that isn't published and isn't needed. Simultaneously, we can clean up the language of RFC 2459 in a similar fashion.. Bob Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id JAA12688 for ietf-pkix-bks; Fri, 23 Apr 1999 09:14:17 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id JAA12684 for <ietf-pkix@imc.org>; Fri, 23 Apr 1999 09:14:15 -0700 (PDT) Received: from [128.33.238.34] (TC048.BBN.COM [128.33.238.48]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id MAA13000 for <ietf-pkix@imc.org>; Fri, 23 Apr 1999 12:15:18 -0400 (EDT) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Message-Id: <v04020a25b34641c27a7f@[128.33.238.34]> In-Reply-To: <4.2.0.33.19990422121716.023a0be0@mail.imc.org> References: <v04020a15b34509844f3d@[128.33.238.34]> Date: Fri, 23 Apr 1999 12:15:12 -0400 To: ietf-pkix@imc.org From: Stephen Kent <kent@po1.bbn.com> Subject: Re: WG Last call, redux Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Several folks pointed out that I made the re-opening of last call into a treasure hunt! Sorry 'bout that. I am away from the office and not easily able to provide a diff, but I can describe the goal for the changes, which resulted in both editorial and sunstantive modifications to the text. The concern I raised with the OCSP authors was that it was not clear what the hard and fast requirements were for CAs and clients with regard to supporting three different ways that OCSP can be "enabled." I felt it important to ensure that CAs and clients that claim comformance would provide a set of confuguration controls that would allow interoperability, if properly configured. So, the resvied text tries to make this perfectly clear. The final form of the requirements, with some abstraction, is sumarized below: - an OCSP-compliant CA SHALL be capable of issuing OCSP responses that are signed ditrectly by the CA, and MUST be able to designate an OCSP responder by issuing an appropriately marked certificate directly to the responder. the choice or direct vs. delegated OCSP responses is a local, administrative option. the CA also SHALL be capable of putting the AIA extension into certs when it is the intent that these certs will be checked via OCSP, and MUST be capable of populating this extension with the OID specifying OCSP access method and a URI for such access. (This last part was changed from a MAy to a MUST, which seems reasonable to ensure the goal cited above.) - an OCSP-compliant client MUST be able to accept OCSP responses via three different means: responses signed by the CA that issued the cert in question, responses signed by a responder directly designated by that CA, or via a locally designated responder. It is a local administrative choice as to which of these options if enabled. If local designation is enabled, vendors have choices as to how fancy it gets, e.g., how many OCSP responders are specified, how one knows which ones are authorized to provide status for which sets of certs, etc. Steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id JAA12550 for ietf-pkix-bks; Fri, 23 Apr 1999 09:01:47 -0700 (PDT) Received: from dfssl.exchange.microsoft.com (dfssl.exchange.microsoft.com [131.107.88.59]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id JAA12546 for <ietf-pkix@imc.org>; Fri, 23 Apr 1999 09:01:46 -0700 (PDT) Received: by dfssl with Internet Mail Service (5.5.2580.0) id <25TF0BFT>; Fri, 23 Apr 1999 09:02:34 -0700 Message-ID: <2FBF98FC7852CF11912A0000000000010ECB5E93@DINO> From: "Jim Schaad (Exchange)" <jimsch@exchange.microsoft.com> To: "'Bob Jueneman'" <BJUENEMAN@novell.com>, "IETF-PKIX (E-mail)" <ietf-pkix@imc.org> Subject: RE: New CMC Draft available - Confirmation Message Date: Fri, 23 Apr 1999 09:02:33 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2580.0) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Let me make sure that I understand what you are saying: It is better for both the CA and the client, for a CA to revoke a certificate that the CA has not received positive conformation of acceptance (even if the client thinks it has accepted it and started to use it) than it is for a CA to not revoke a certificate that a client has rejected. Remember that for signing certificates the client can start using the cert immeadiately and does not need to wait for it to be published in the DS. jim -----Original Message----- From: Bob Jueneman [mailto:BJUENEMAN@novell.com] Sent: Friday, April 16, 1999 3:38 PM To: Jim Schaad (Exchange); 'walter@deh.de' ; IETF-PKIX (E-mail) Subject: RE: New CMC Draft available - Confirmation Message Jim, I have to agree with Juergan. The client shouldn't have to check for revocation if (s)he disagrees with the certificate, even though it might be prudent to do so. But if the client does accept the certificate and the CA thinks it hasn't, that is at least fail safe. If the CA ends up calling the client, screaming "What do you mean you are rejecting the certificate -- do you want to keep on working here?!", then at least the problem will end up getting resolved. But if the client thinks it rejected the certificate and the CA goes ahead and publishes it anyway, very real and perhaps substantial damages could occur - it might be someone else's public key, it might disclose private information, or it might contain a Reliance Limit that is higher than the client wishes to accept., etc. Positive acknowledgment of acceptance by the Subscriber is a firm requirement. Bob >>> "Jim Schaad (Exchange)" <jimsch@exchange.microsoft.com> 04/13/99 01:01PM >>> Juergen, The problem that I have with this approach is that there is no way of knowing what the delay is going to be on the acceptance showing up on at the CA. (Nor do all transport mechinisms guantee delivery.) Thus a client can think it did accept a certificate and the CA can reach an opposite conclusion. If the client asks for revocation, it can later check to make sure that this operation occured. jim -----Original Message----- From: Juergen Walter [mailto:walter@deh.de] Sent: Tuesday, April 13, 1999 1:32 AM To: Jim Schaad (Exchange); IETF-PKIX (E-mail) Subject: Re: New CMC Draft available - Confirmation Message Jim, [snip] > > > - there is no confirmation message from the client to the > > CA/RA (thus, there > > is no way for a client to reject a certificate that it does > > not want (e.g., > > in the case where the CA has modified some of the fields in > > the request)). > > There is a simple way for a client to reject a certificate, it simply puts > in a revocation request on the certificates it just received. I don't know > of any reason for the oppositite to be required in a general protocal. That > is the client must positively accept a certificate. > When I remember right e. g. ABA Guidelines requires that an EE explicitly confirms an issued certificate. This may be not a protocol requirement in pure PKI implementations. But I know environments where a certificate receipt is at least an operational requirement. I think that an appropriate message (optional) would be an improvement. When the rejection (i. e. sending of revocation request) stays away we have no explicite confirmation of the certificate (may be a legal issue). The time-frame of such stay away process may cause complicated validation issues. I prefer a message that indicates the fact whether an EE accept his certificate or not. This may replace the revocation request on the one hand and the pure revocation request on the other hand. Juergen Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id HAA11859 for ietf-pkix-bks; Fri, 23 Apr 1999 07:58:37 -0700 (PDT) Received: from relay4.UU.NET (relay4.UU.NET [192.48.96.14]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id HAA11855 for <ietf-pkix@imc.org>; Fri, 23 Apr 1999 07:58:36 -0700 (PDT) Received: from xedia.com by relay4.UU.NET with SMTP (peer crosschecked as: madway.xedia.com [198.202.232.199]) id QQgmet01549; Fri, 23 Apr 1999 10:56:21 -0400 (EDT) Received: from tonga.xedia.com by xedia.com (4.1/SMI-4.1) id AA02059; Fri, 23 Apr 99 10:55:53 EDT Received: by tonga.xedia.com (SMI-8.6/SMI-SVR4) id KAA15233; Fri, 23 Apr 1999 10:56:08 -0400 Date: Fri, 23 Apr 1999 10:56:08 -0400 Message-Id: <199904231456.KAA15233@tonga.xedia.com> From: Paul Koning <pkoning@xedia.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: BJUENEMAN@novell.com Cc: ietf-pkix@imc.org Subject: Re: Delta CRL processing References: <s71f515b.015@prv-mail20.provo.novell.com> X-Mailer: VM 6.34 under 20.3 "Vatican City" XEmacs Lucid Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> >>>>> "Bob" == Bob Jueneman <BJUENEMAN@novell.com> writes: Bob> I must be dense, Russ. The text you attached seems to agree Bob> precisely with what Sharon said, and was exactly what I was Bob> requesting as well. Bob> Sharon used the term "publish", not "issue", and the last Bob> paragraph certainly seems to be quite explicit in allowing that Bob> option, by differentiating between issuing and publishing. Bob> Why do you disagree? What am I missing? Bob> Bob >>>> Russ Housley <housley@spyrus.com> 04/22/99 01:38PM >>> >> In a private message, Sharon Boeyen points out: >> >> "As of the 1997 edition of X.509 a CA is NOT required to publish a >> full CRL." > I disagree with Sharon. X.509-1997 says: " ... It is the > decision of a CA as to whether to provide delta-CRLs. However, a > delta-CRL shall not be issued without a corresponding complete > CRL being issued at the same time." I have attached the entire > section on delta-CRLs from X.509-1997 at the end of this > message. I think it would be a good idea to apply the normal "black box rule of protocol specification" to this issue. In protocol specs, the only parts that can be normative are those that describe externally visible behavior. If anything is said about internal algorithms, that is only for illustrative purposes. Similarly, the only statements about a CA that can be normative are those that are externally observable. If a CA publishes a CRL, that is observable. If it generates one that it doesn't publish, that's an internal algorithm and illustrative only. With that in mind, if X.509 *requires* a CA to "issue" a CRL under some conditions, there are two possible conclusions: 1. The term "issue" describes externally visible behavior, i.e., it is synonymous with "publish", or 2. The term "issue" describes internal behavior, is not meant as "publish" and the standard is in error in that it appears to require something that isn't observable. paul Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id GAA11136 for ietf-pkix-bks; Fri, 23 Apr 1999 06:46:22 -0700 (PDT) Received: from stax05.cubis.de (proxy.cubis.de [194.112.101.49]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id GAA11118; Fri, 23 Apr 1999 06:45:37 -0700 (PDT) Received: from secunet.de (huehnlein.cubis.de [10.0.129.33]) by stax05.cubis.de (8.7.5/8.7.3) with ESMTP id PAA02374; Fri, 23 Apr 1999 15:04:16 +0200 (MET DST) Message-ID: <37207D2C.B78F8881@secunet.de> Date: Fri, 23 Apr 1999 15:01:16 +0100 From: "Detlef =?iso-8859-1?Q?H=FChnlein?=" <huehnlein@secunet.de> Organization: Secunet GmbH - The Trust Company X-Mailer: Mozilla 4.03 [en] (WinNT; I) MIME-Version: 1.0 To: "cqre@secunet.de" <cqre@secunet.de> Subject: Final Call for Papers - CQRE [Secure] networking Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id GAB11119 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Hallo! Please accept my sincere appologies, if you receive this Final Call for Papers multiple times. The mail is just to remind you that there are only !!! THREE !!! more weeks until the deadline for submission of extended abstracts on May 14th, 1999. Recent news: * best paper award at CQRE * publication of proceedings in Springer's LNCS * first invited speakers: - Stephen Kent (GTE) - Bruce Schneier (Counterpane) - Helena Handschuh (Gemplus/ENST) Best regards Detlef Huehnlein *************************************************************** Final Call for Papers CQRE [Secure] Congress & Exhibition Duesseldorf, Germany, Nov. 30 - Dec. 2 1999 --------------------------------------------------------------- provides a new international forum covering most aspects of information security with a special focus to the role of information security in the context of rapidly evolving economic processes. --------------------------------------------------------------- Deadline for submission of extended abstracts: May 14, 1999 CQRE - website: http://www.cqre.net (under construction) CfP - at: http://www.secunet.de/forum/cqre.html mailing-list: send mailto:cqre@secunet.de (where the subject is "subscribe" without paranthesis) *************************************************************** The "CQRE [Secure] networking" provides a new international forum giving a close-up view on information security in the context of rapidly evolving economic processes. The unprecedented reliance on computer technology transformed the previous technical side-issue "information security" to a management problem requiring decisions of strategic importance. Hence, the targeted audience represents decision makers from government, industry, commercial, and academic communities. If you are developing solutions to problems relating to the protection of your country´s information infrastructure or a commercial enterprise, consider submitting a paper to the "CQRE [Secure] networking" conference. We are looking for papers and panel discussions covering: * electronic commerce - new business processes - secure business transactions - online merchandising - electronic payment / banking - innovative applications * network security - virtual private networks - security aspects in internet utilization - security aspects in multimedia applications - intrusion detection systems * legal aspects - digital signatures acts - privacy and anonymity - crypto regulation - liability * corporate security - access control - secure teleworking - enterprise key management - IT-audit - risk / disaster management - security awareness and training - implementation, accreditation, and operation of secure systems in a government, business, or industry environment * security technology - cryptography - public key infrastructures - chip card technology - biometrics * trust management - evaluation of products and systems - international harmonization of security evaluation criterias * standardization * future perspectives Any other contribution addressing the involvement of IT security in economic processes will be welcome. Authors are invited to submit an extended abstract of their contribution to the program chair. The submissions should be original research results, survey articles or "high quality" case studies and position papers. Product advertisements are welcome for presentation, but will not be considered for the proceedings. Manuscripts must be in English, and should not be more than 2.000 words. The extended abstracts should be in a form suitable for anonymous review, with no author names, affiliations, acknowledgements or obvious references. Contributions must not be submitted in parallel to any conference or workshop that has proceedings. Separately, an abstract of the paper with no more than 200 words and with title, name and addresses (incl. an E-mail address) of the authors shall be submitted. In the case of multiple authors the contacting author must be clearly identified. We strongly encourage electronic submission in Postscript format. The submissions must be in 11 pt format, use standard fonts or include the necessary fonts. Proposals for panel discussions should also be sent to the program chair. Panels of interest include those that present alternative/controversial viewpoints or those that encourage lively discussions of relevant issues. Panels that are collections of unrefereed papers will not be considered. Panel proposals should be a minimum of one page describing the subject matter, the appropriateness of the panel for this conference and should identify participants and their respective viewpoints. best paper award: This award will be presented at CQRE to the authors of the best paper to be selected by the program committee. mailing list/ web-site: If you want to receive emails with up to date information, please send a brief mail to cqre@secunet.de. You will find this call for papers and further information at http://www.secunet.de/forum/cqre.html. publication: The proceedings will be published by Springer-Verlag in the Lecture Notes of Computer Science (LNCS) Series. The final papers must be prepared as described in http://www.springer.de/comp/lncs/authors.html. important dates: deadline for submission of extended abstracts May 14, 1999 deadline for submission of panel proposals June 1, 1999 notification of acceptance June 25, 1999 deadline for submission of complete papers July 30, 1999 program committee: Johannes Buchmann (TU Darmstadt) Dirk Fox (Secorvo) Walter Fumy (Siemens) Ruediger Grimm (GMD) Helena Handschuh (ENST/Gemplus) Thomas Hoeren (Uni Muenster) Pil Joong Lee (POSTECH) Alfred Menezes (U.o.Waterloo/Certicom) David Naccache (Gemplus) Clifford Neumann (USC) Joachim Posegga (German Telekom) Mike Reiter (Bell Labs) Matt Robshaw (RSA) Richard Schlechter (EU-comm.) Bruce Schneier (Counterpane) Tsuyoshi Takagi (NTT) Yiannis Tsiounis (GTE Labs) Michael Waidner (IBM) Moti Yung (CERTCO) Robert Zuccherato (Entrust) program chair: Rainer Baumgart secunet - Security Networks GmbH Weidenauer Str. 223 - 225 57076 Siegen Germany Tel.: +49-271-48950-15 Fax: +49-271-48950-50 R.Baumgart@secunet.de Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id FAA10018 for ietf-pkix-bks; Fri, 23 Apr 1999 05:05:12 -0700 (PDT) Received: from edelweb.fr (edelweb.fr [193.51.12.16]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id FAA10009 for <ietf-pkix@imc.org>; Fri, 23 Apr 1999 05:04:55 -0700 (PDT) Received: from champagne.edelweb.fr (localhost.edelweb.fr [127.0.0.1]) by edelweb.fr with ESMTP id OAA14395; Fri, 23 Apr 1999 14:03:15 +0200 (MET DST) Received: from champagne.edelweb.fr (champagne.edelweb.fr [193.51.14.161]) by edelweb.fr (nospam/1.1); Fri, 23 Apr 1999 14:03:14 +0200 (MET DST) Received: from emeriau.edelweb.fr (emeriau.edelweb.fr [193.51.14.5]) by champagne.edelweb.fr (8.6.10/8.6.6) with ESMTP id OAA05733; Fri, 23 Apr 1999 14:03:08 +0200 From: Peter Sylvester <Peter.Sylvester@edelweb.fr> Received: (sylvest@localhost) by emeriau.edelweb.fr (8.6.10/8.6.6) id OAA01367; Fri, 23 Apr 1999 14:03:08 +0200 Date: Fri, 23 Apr 1999 14:03:08 +0200 Message-Id: <199904231203.OAA01367@emeriau.edelweb.fr> To: robert.zuccherato@entrust.com, mherasg@nexo.es Subject: Re: Time-Stamp: Why not use several hashes? Cc: Denis.Pinkas@bull.net, jmanas@dit.upm.es, ietf-pkix@imc.org, afd@fnmt.es Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> I support the request to have a SEQUENCE OF messageimprint in a time stamp. Although this could be obtained by having a combined hash function, this doesn't seem a good idea to me. If you add a new hash function, the number of needed algorithm identifiers may double. Peter Sylvester Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id XAA27793 for ietf-pkix-bks; Thu, 22 Apr 1999 23:29:49 -0700 (PDT) Received: from ns.cmbchina.com ([202.96.161.112]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id XAA27789 for <ietf-pkix@imc.org>; Thu, 22 Apr 1999 23:29:47 -0700 (PDT) Received: from cmbchina.com ([10.1.4.27]) by ns.cmbchina.com (Netscape Messaging Server 3.01) with ESMTP id AAA3946 for <ietf-pkix@imc.org>; Fri, 23 Apr 1999 14:29:31 -0800 Message-ID: <37201399.A11EF8F5@cmbchina.com> Date: Fri, 23 Apr 1999 14:30:50 +0800 From: "Xiong Shao Jun" <xsj@cmbchina.com> Organization: China Merchants Bank X-Mailer: Mozilla 4.04 [en] (Win95; I) MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: sample PKIX message data ? Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Hi, folks, I'm doing some development on PKIX protocols. But I want to know if there is any sample PKIX message data available for test, of if there is any site for protocol comformality test. Thanks in advance, Xiong Shaojun Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id XAA27727 for ietf-pkix-bks; Thu, 22 Apr 1999 23:24:52 -0700 (PDT) Received: from mercury.softforum.co.kr ([210.124.178.130]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id XAA27723 for <ietf-pkix@imc.org>; Thu, 22 Apr 1999 23:24:48 -0700 (PDT) Received: (from uucp@localhost) by mercury.softforum.co.kr (8.8.7/8.8.7) id AAA03162 for <ietf-pkix@imc.org>; Sat, 24 Apr 1999 00:27:13 +0900 Received: from earth(210.124.178.132) by mercury via smap (V2.1) id xma003160; Sat, 24 Apr 99 00:26:52 +0900 Received: from softforum.co.kr by earth.softforum.co.kr (8.8.8+Sun/SMI-SVR4) id PAA05810; Fri, 23 Apr 1999 15:21:14 +0900 (KST) Message-ID: <3720125D.EBCB1EEC@softforum.co.kr> Date: Fri, 23 Apr 1999 15:25:33 +0900 From: =?iso-8859-1?Q?=C0=CC=B5=BF=C8=A3?= <dhlee@softforum.co.kr> X-Mailer: Mozilla 4.5 [en] (Win98; I) X-Accept-Language: en MIME-Version: 1.0 To: ieft <ietf-pkix@imc.org> Subject: Some term ambiguous on PKIX Roadmap Content-Type: multipart/mixed; boundary="------------267F493D234CA87E6190FEE0" Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This is a multi-part message in MIME format. --------------267F493D234CA87E6190FEE0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit INTERNET DRAFT PKIX Roadmap 26 February 1999 For key management keys that are generated by the requester, the CA can send the user the requested public key, along with the CA's own private key, to encrypt some piece of data, and send it to the requester to be decrypted. For example, the CA can generate some random challenge, and require some action to be taken after decryption (e.g., "decrypt this encrypted random number and send it back to me"). If the requester does not take the requested action, the CA concludes that the requester did not possess the private key, and the certificate is not issued. Another method of providing POP for key management keys is for the CA to generate the requested certificate, and then send it to the requester in encrypted form. If the requester does not have access to the appropriate private key, the requester cannot decrypt the certificate, and thus cannot use it. After some period of time in which the certificate is not used, the CA will revoke the certificate. (This only works if the certificate is not made available to any untrusted entities until after the requester has successfully decrypted it.) ------------------------------------------------------------------------- Above is 31page of PKIX Roadmap. What CA's own private key above context means? CA's private key is so meaningless to send to a new requester? Can I interpret it as somewhat like a session key? And encrypt the session key with the requester's public key.. If the requester really have a corresponding private key, he can get the session key. Is my interpretation right? --------------267F493D234CA87E6190FEE0 Content-Type: text/x-vcard; charset=us-ascii; name="dhlee.vcf" Content-Description: Card for À̵¿È£ Content-Disposition: attachment; filename="dhlee.vcf" Content-Transfer-Encoding: 7bit begin:vcard n:Lee;Dongho tel;pager:015-7755-3705 tel;fax:02-3787-2099 tel;home:02-962-2637 tel;work:02-3787-2031 x-mozilla-html:TRUE fn;quoted-printable:=C0=CC=B5=BF=C8=A3 adr:;;;;;; version:2.1 email;internet:dhlee@softforum.co.kr x-mozilla-cpt:;0 end:vcard --------------267F493D234CA87E6190FEE0-- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id TAA15069 for ietf-pkix-bks; Thu, 22 Apr 1999 19:57:08 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id TAA15060 for <ietf-pkix@imc.org>; Thu, 22 Apr 1999 19:57:07 -0700 (PDT) Received: from [128.33.238.34] ([12.7.152.50]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id WAA28189; Thu, 22 Apr 1999 22:57:21 -0400 (EDT) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Message-Id: <v04020a20b3458f4ad126@[128.33.238.34]> In-Reply-To: <D1A949D4508DD1119C8100400533BEDC0BE987@DSG1> Date: Thu, 22 Apr 1999 22:53:36 -0400 To: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au> From: Stephen Kent <kent@po1.bbn.com> Subject: RE: SEIS: Re: Certificates, Directories, and Distinguished Names Cc: ietf-pkix@imc.org, list@seis.nc-forum.com Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Alan, I am puzzled by your comments. Let me try one more time to clarify what I said in my previous message. <snip> >> >Stephen - in all your words you never seem to come to grips with the >> >fact that X.509 is not ambigious in so far that it permits systems to >> be >> >built without certificate extensions - and for those build such >> systems >> >to determine by local means or imply what is a EE or a CA cert and >> what >> >use that cert has (eg for message verification or cert >> verification).. >> >X.509 - was written some years ago and it correctly (a a standard >> >should) provided a transition path to the use of cert extensions. >> >> Vome on Alan, we're talking about changes only with regard to X.509 >> v3. >> > Groan --- Which happens to be specified in X.509. - the >standard, Version 1 of X.509 did not envision extensions; all it did was include a version number, something that was left out of the CRL spec, by the way. Our diccussion about how to mark CA certs applies ONLY to v3 certs, since v1 certs failed to address this problem at all. We're not talking about how to fix v1 certs, only about how to make v3 certs unambiguous with regard to CA marking. >> >RFC 2459 came along some time later as a profile and just the fact >> that >> >people are discussing the issue in 2459 and it is unclear - means >> there >> >is a problem - in the Profile. >> >> 2459 did not come along much later than the adoption of X.509 v3. And, >> no, >> there is not a profile problem, as too many previous messages have >> show in >> detail. >> > I was referring to the standard (X.509) was written earlier than >the profiles .. thats a fact of life and common knowledge. > > To respond to my point with pointless statement that tries to >show me wrong me by changing context eg... > " 2459 did not come along much later than the adoption of X.509 >v3" > note the word "adoption" has been added to prove me wrong...... I used the word "adoption" to refer to final approval of X.509 v3, which was fairly recent. Both 2459 and X.509 v3 continued to evolve in parallel, with each document making changes to reflect decisions in the other standaards effort, so as to minimize differences between the two. The term adoption is perfectly appropriate here and is not some sort of trick to change the topic. You argued that X.509 came first and thus has prority over the 2459 profile. Well, v3 of X.509 was not completed much before 2459, and as my example re the missing v1 CRL version number field points out, being first and being a standard is no guarantee of correctness. > > If this is the approach to logical debate - that is also used to >debate technology issues , then one can see why these lists have >difficulty. Yes, this is a logical approach to debate. Sorry if my choice of terms was confusing, but I fear the real problem is deeper. Steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id PAA03147 for ietf-pkix-bks; Thu, 22 Apr 1999 15:41:29 -0700 (PDT) Received: from prv-mail20.provo.novell.com (prv-mail20.Provo.Novell.COM [137.65.40.4]) by mail.proper.com (8.8.8/8.8.5) with SMTP id PAA03143 for <ietf-pkix@imc.org>; Thu, 22 Apr 1999 15:41:28 -0700 (PDT) Received: from INET-PRV-Message_Server by prv-mail20.provo.novell.com with Novell_GroupWise; Thu, 22 Apr 1999 16:42:03 -0600 Message-Id: <s71f515b.015@prv-mail20.provo.novell.com> X-Mailer: Novell GroupWise 5.5 Date: Thu, 22 Apr 1999 16:41:55 -0600 From: "Bob Jueneman" <BJUENEMAN@novell.com> To: <dpkemp@missi.ncsc.mil>, <housley@spyrus.com> Cc: <ietf-pkix@imc.org> Subject: Re: Delta CRL processing Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id PAA03144 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> I must be dense, Russ. The text you attached seems to agree precisely with what Sharon said, and was exactly what I was requesting as well. Sharon used the term "publish", not "issue", and the last paragraph certainly seems to be quite explicit in allowing that option, by differentiating between issuing and publishing. Why do you disagree? What am I missing? Bob >>> Russ Housley <housley@spyrus.com> 04/22/99 01:38PM >>> >In a private message, Sharon Boeyen points out: > > "As of the 1997 edition of X.509 a CA is NOT required to publish > a full CRL." I disagree with Sharon. X.509-1997 says: " ... It is the decision of a CA as to whether to provide delta-CRLs. However, a delta-CRL shall not be issued without a corresponding complete CRL being issued at the same time." I have attached the entire section on delta-CRLs from X.509-1997 at the end of this message. >I claim that not only does an X.509 CA not have to "publish" a full >CRL, it also does not need to create a DER representation of the CRL >or generate a signature of that DER. The intent of the word "issue" >is to ensure that at any point in time, there is a single, unique, >unambiguous instance of a full CRL that would have been generated and >published had the CA chosen to do so. Or in other words, if an >application reconstructs the revocation status for a certain point in >time, it will always reconstruct the same status as would have been >obtained had a full CRL been generated, published, and retrieved. It >must be impossible to take two different inputs (combinations of full, >delta, and DP-partitioned CRLs) and arrive at conflicting conclusions >as to the status of a given certificate. Agree. >This is analogous to the procedure for Certification Path Validation, >which says: > > "Conforming implementations ... are not required to implement this > algorithm, but shall be functionally equivalent to the external > behavior resulting from this procedure." > >Reference algorithms are often chosen to emphasize simplicity, >correctness and tutorial value instead of operational efficiency. >Optimizations may be applied as long as the optimized algorithm yields >correct results. The external result of CRL processing is the >revocation status of a particular certificate at a particular time, and >the correct answer is the one which would have been obtained from a >full CRL. > >It would be perverse indeed to interpret X.509 as saying that optimized >revocation methods are allowed, as long as you also perform the >unoptimized reference method in parallel! > Russ --- Begin Section 12.6.3.3 from X.509-1997 --- 12.6.3.3 Delta CRL indicator field This CRL extension field identifies a CRL as being a delta-CRL only. This field is defined as follows: deltaCRLIndicator EXTENSION ::= { SYNTAX BaseCRLNumber IDENTIFIED BY id-ce-deltaCRLIndicator } BaseCRLNumber ::= CRLNumber The value of type BaseCRLNumber identifies the CRL number of the base CRL that was used as the starting point in the generation of this delta-CRL, i.e. this delta-CRL contains the changes between the base CRL and the complete CRL issued along with this delta-CRL. It is the decision of a CA as to whether to provide delta-CRLs. However, a delta-CRL shall not be issued without a corresponding complete CRL being issued at the same time. The value of the CRL number, as conveyed in the CRL number extension field (if present), shall be identical for both the delta-CRL and the corresponding complete CRL. The CRL user constructing a locally held CRL from delta-CRLs shall consider the constructed CRL incomplete and unusable if both the following conditions are true: - the value of the CRLNumber of the received delta-CRL is more than one greater than that of the CRLNumber of the delta-CRL last processed; and - the value of BaseCRLNumber of the received delta-crl has changed from the BaseCRLNumber of the delta-CRL last processed. This extension is always critical. A certificate user that does not understand the use of delta-CRLs should not use a CRL containing this extension, as the CRL may not be as complete as the user expects. CRLs not containing critical extensions must contain all current CRL entries for the issuing CA, including entries for all revoked user certificates and CA certificates. NOTE-It is the decision of the CA as to whether or not to distribute the CRLs issued between two base CRLs. For example, it may be the policy of the CA to distribute base CRLs via CD-ROM and delta-CRLs via an on-line service such as the Directory. Although the CA had issued its CRL with the associated delta-CRL, it may be the CA's policy that the user shall construct the current CRL by applying the delta-CRL to the base CRL held on the CD-ROM. --- End Section 12.6.3.3 from X.509-1997 --- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id MAA00926 for ietf-pkix-bks; Thu, 22 Apr 1999 12:44:15 -0700 (PDT) Received: from spyrus.com (mail.spyrus.com [207.212.34.30]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id MAA00922 for <ietf-pkix@imc.org>; Thu, 22 Apr 1999 12:44:14 -0700 (PDT) Received: from rhousley_laptop.spyrus.com ([209.172.119.101]) by spyrus.com (8.7.6/8.7.3/arc) with SMTP id MAA12786; Thu, 22 Apr 1999 12:43:51 -0700 (PDT) Message-Id: <4.1.19990422153903.009feb30@209.172.119.123> X-Sender: rhousley@209.172.119.123 (Unverified) X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1 Date: Thu, 22 Apr 1999 15:40:09 -0400 To: Francois Rousseau <f.rousseau@adga.ca> From: Russ Housley <housley@spyrus.com> Subject: Re: Delta CRL processing Cc: ietf-pkix@imc.org In-Reply-To: <3.0.1.32.19990421153437.00a43100@mail.ab.org> References: <199904191553.LAA07064@ara.missi.ncsc.mil> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Francois: Irt will still be a Proposed Draft Addendum, not a standard (yet). Russ At 03:34 PM 4/21/99 -0400, Francois Rousseau wrote: >Note that Clause 12.6.3.3 on the Delta CRL indicator field in the Proposed >Draft Amendment (PDAM) on X.509(97) was already clarifying part of this >issue, however this item was discussed further at the last Directory >Working Group meeting in Orlando. > >The revised Clause 12.6.3.3 in the Final PDAM (FPDAM) on X.509 (97) should >soon be available. It will include a more precise explanation of the >proposed rules for constructing delta-CRLs along with a more extensive >example of their use. > >Francois Rousseau >AEPOS Technologies Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id MAA00856 for ietf-pkix-bks; Thu, 22 Apr 1999 12:37:41 -0700 (PDT) Received: from spyrus.com (mail.spyrus.com [207.212.34.30]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id MAA00852 for <ietf-pkix@imc.org>; Thu, 22 Apr 1999 12:37:40 -0700 (PDT) Received: from rhousley_laptop.spyrus.com ([209.172.119.101]) by spyrus.com (8.7.6/8.7.3/arc) with SMTP id MAA12644; Thu, 22 Apr 1999 12:37:18 -0700 (PDT) Message-Id: <4.1.19990422153021.009fc1e0@209.172.119.123> X-Sender: rhousley@209.172.119.123 (Unverified) X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1 Date: Thu, 22 Apr 1999 15:38:26 -0400 To: "David P. Kemp" <dpkemp@missi.ncsc.mil> From: Russ Housley <housley@spyrus.com> Subject: Re: Delta CRL processing Cc: ietf-pkix@imc.org In-Reply-To: <199904211927.PAA09252@ara.missi.ncsc.mil> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> >In a private message, Sharon Boeyen points out: > > "As of the 1997 edition of X.509 a CA is NOT required to publish > a full CRL." I disagree with Sharon. X.509-1997 says: " ... It is the decision of a CA as to whether to provide delta-CRLs. However, a delta-CRL shall not be issued without a corresponding complete CRL being issued at the same time." I have attached the entire section on delta-CRLs from X.509-1997 at the end of this message. >I claim that not only does an X.509 CA not have to "publish" a full >CRL, it also does not need to create a DER representation of the CRL >or generate a signature of that DER. The intent of the word "issue" >is to ensure that at any point in time, there is a single, unique, >unambiguous instance of a full CRL that would have been generated and >published had the CA chosen to do so. Or in other words, if an >application reconstructs the revocation status for a certain point in >time, it will always reconstruct the same status as would have been >obtained had a full CRL been generated, published, and retrieved. It >must be impossible to take two different inputs (combinations of full, >delta, and DP-partitioned CRLs) and arrive at conflicting conclusions >as to the status of a given certificate. Agree. >This is analogous to the procedure for Certification Path Validation, >which says: > > "Conforming implementations ... are not required to implement this > algorithm, but shall be functionally equivalent to the external > behavior resulting from this procedure." > >Reference algorithms are often chosen to emphasize simplicity, >correctness and tutorial value instead of operational efficiency. >Optimizations may be applied as long as the optimized algorithm yields >correct results. The external result of CRL processing is the >revocation status of a particular certificate at a particular time, and >the correct answer is the one which would have been obtained from a >full CRL. > >It would be perverse indeed to interpret X.509 as saying that optimized >revocation methods are allowed, as long as you also perform the >unoptimized reference method in parallel! > Russ --- Begin Section 12.6.3.3 from X.509-1997 --- 12.6.3.3 Delta CRL indicator field This CRL extension field identifies a CRL as being a delta-CRL only. This field is defined as follows: deltaCRLIndicator EXTENSION ::= { SYNTAX BaseCRLNumber IDENTIFIED BY id-ce-deltaCRLIndicator } BaseCRLNumber ::= CRLNumber The value of type BaseCRLNumber identifies the CRL number of the base CRL that was used as the starting point in the generation of this delta-CRL, i.e. this delta-CRL contains the changes between the base CRL and the complete CRL issued along with this delta-CRL. It is the decision of a CA as to whether to provide delta-CRLs. However, a delta-CRL shall not be issued without a corresponding complete CRL being issued at the same time. The value of the CRL number, as conveyed in the CRL number extension field (if present), shall be identical for both the delta-CRL and the corresponding complete CRL. The CRL user constructing a locally held CRL from delta-CRLs shall consider the constructed CRL incomplete and unusable if both the following conditions are true: - the value of the CRLNumber of the received delta-CRL is more than one greater than that of the CRLNumber of the delta-CRL last processed; and - the value of BaseCRLNumber of the received delta-crl has changed from the BaseCRLNumber of the delta-CRL last processed. This extension is always critical. A certificate user that does not understand the use of delta-CRLs should not use a CRL containing this extension, as the CRL may not be as complete as the user expects. CRLs not containing critical extensions must contain all current CRL entries for the issuing CA, including entries for all revoked user certificates and CA certificates. NOTE-It is the decision of the CA as to whether or not to distribute the CRLs issued between two base CRLs. For example, it may be the policy of the CA to distribute base CRLs via CD-ROM and delta-CRLs via an on-line service such as the Directory. Although the CA had issued its CRL with the associated delta-CRL, it may be the CA's policy that the user shall construct the current CRL by applying the delta-CRL to the base CRL held on the CD-ROM. --- End Section 12.6.3.3 from X.509-1997 --- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id MAA00536 for ietf-pkix-bks; Thu, 22 Apr 1999 12:16:51 -0700 (PDT) Received: from aum (ip11.proper.com [165.227.249.11]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id MAA00532; Thu, 22 Apr 1999 12:16:44 -0700 (PDT) Message-Id: <4.2.0.33.19990422121716.023a0be0@mail.imc.org> X-Sender: phoffman@mail.imc.org X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.33 (Beta) Date: Thu, 22 Apr 1999 12:17:38 -0700 To: Stephen Kent <kent@po1.bbn.com>, ietf-pkix@imc.org From: Paul Hoffman / IMC <phoffman@imc.org> Subject: Re: WG Last call, redux In-Reply-To: <v04020a15b34509844f3d@[128.33.238.34]> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> At 01:24 PM 4/22/99 -0400, Stephen Kent wrote: >Although the changes are largely editorial, >designed to eliminate possible ambiguities, at least one substantive change >was made and thus an abbreviated IETF and WG last call are being held, in >parallel. Care to give us a hint about the changes so that we can look at them in context in the draft? --Paul Hoffman, Director --Internet Mail Consortium Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id KAA28623 for ietf-pkix-bks; Thu, 22 Apr 1999 10:22:56 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id KAA28619 for <ietf-pkix@imc.org>; Thu, 22 Apr 1999 10:22:52 -0700 (PDT) Received: from [128.33.238.34] (TC038.BBN.COM [128.33.238.38]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id NAA04502 for <ietf-pkix@imc.org>; Thu, 22 Apr 1999 13:23:49 -0400 (EDT) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Message-Id: <v04020a15b34509844f3d@[128.33.238.34]> Date: Thu, 22 Apr 1999 13:24:18 -0400 To: ietf-pkix@imc.org From: Stephen Kent <kent@po1.bbn.com> Subject: WG Last call, redux Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Folks, At my request, the OCSP document underwent some revisions after WG last call, and IESG approval. Although the changes are largely editorial, designed to eliminate possible ambiguities, at least one substantive change was made and thus an abbreviated IETF and WG last call are being held, in parallel. The WG is being explicitly notified of this last call to expedite the process, but the notice from the IETF Secretariat will set the officical closing date for comments. Steve ---------------------------------- PKIX Working Group Michael Myers(VeriSign) draft-ietf-pkix-ocsp-08.txt Rich Ankney (CertCo) Ambarish Malpani (ValiCert) Slava Galperin (Teknowledge) Carlisle Adams (Entrust Technologies) Expires in 6 months March 1999 X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP <draft-ietf-pkix-ocsp-08.txt> 1. Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet- Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. 2. Abstract This document specifies a protocol useful in determining the current status of a digital certificate without requiring CRLs. Additional mechanisms addressing PKIX operational requirements are specified in separate documents. An overview of the protocol is provided in section 3. Functional requirements are specified in section 4. Details of the protocol are in section 5. We cover security issues with the protocol in section 6. Appendix A defines OCSP over HTTP, appendix B accumulates ASN.1 syntactic elements and appendix C specifies the mime types for the messages. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this Myers, Ankney, Malpani, Galperin, Adams [Page 1] INTERNET DRAFT OCSP March 1999 document (in uppercase, as shown) are to be interpreted as described in [RFC2119]. 3. Protocol Overview In lieu of or as a supplement to checking against a periodic CRL, it may be necessary to obtain timely information regarding the revocation status of a certificate (cf. [RFC2459], Section 3.3). Examples include high-value funds transfer or large stock trades. The Online Certificate Status Protocol (OCSP) enables applications to determine the (revocation) state of an identified certificate. OCSP may be used to satisfy some of the operational requirements of providing more timely revocation information than is possible with CRLs and may also be used to obtain additional status information. An OCSP client issues a status request to an OCSP responder and suspends acceptance of the certificate in question until the responder provides a response. This protocol specifies the data that needs to be exchanged between an application checking the status of a certificate and the server providing that status. 3.1 Request An OCSP request contains the following data: -- protocol version -- service request -- target certificate identifier -- optional extensions which MAY be processed by the OCSP Responder Upon receipt of a request, an OCSP Responder determines if: 1. the message is well formed 2. the responder is configured to provide the requested service and 3. the request contains the information needed by the responder If any one of the prior conditions are not met, the OCSP responder produces an error message; otherwise, it returns a definitive response. 3.2 Response OCSP responses can be of various types. An OCSP response consists of a response type and the bytes of the actual response. There is one basic type of OCSP response that MUST be supported by all OCSP Myers, Ankney, Malpani, Galperin, Adams [Page 2] INTERNET DRAFT OCSP March 1999 servers and clients. The rest of this section pertains only to this basic response type. All definitive response messages SHALL be digitally signed. The key used to sign the response MUST belong to one of the following: -- the CA who issued the certificate in question -- a Trusted Responder whose public key is trusted by the requester -- a CA Designated Responder (Authorized Responder) who holds a specially marked certificate issued directly by the CA, indicating that the responder may issue OCSP responses for that CA A definitive response message is composed of: -- version of the response syntax -- name of the responder -- responses for each of the certificates in a request -- optional extensions -- signature algorithm OID -- signature computed across hash of the response The response for each of the certificates in a request consists of -- target certificate identifier -- certificate status value -- response validity interval -- optional extensions This specification defines the following definitive response indicators for use in the certificate status value: -- good -- revoked -- unknown The "good" state indicates a positive response to the status inquiry. At a minimum, this positive response indicates that the certificate is not revoked, but does not necessarily mean that the certificate was ever issued or that the time at which the response was produced is within the certificate's validity interval. Response extensions may be used to convey additional information on assertions made by the responder regarding the status of the certificate such as positive statement about issuance, validity, etc. The "revoked" state indicates that the certificate has been revoked (either permanantly or temporarily (on hold)). The "unknown" state indicates that the responder doesn't know about Myers, Ankney, Malpani, Galperin, Adams [Page 3] INTERNET DRAFT OCSP March 1999 the certificate being requested. 3.3 Exception Cases In case of errors, the OCSP Responder may return an error message. These messages are not signed. Errors can be of the following types: -- malformedRequest -- internalError -- tryLater -- sigRequired -- unauthorized A server produces the "malformedRequest" response if the request received does not conform to the OCSP syntax. The response "internalError" indicates that the OCSP responder reached an inconsistent internal state. The query should be retried, potentially with another responder. In the event that the OCSP responder is operational, but unable to return a status for the requested certificate, the "tryLater" response can be used to indicate that the service exists, but is temporarily unable to respond. The response "sigRequired" is returned in cases where the server requires the client sign the request in order to construct a response. The response "unauthorized" is returned in cases where the client is not authorized to make this query to this server. 3.4 Semantics of thisUpdate, nextUpdate and producedAt Responses can contain three times in them - thisUpdate, nextUpdate and producedAt. The semantics of these fields are: - thisUpdate: The time at which the status being indicated is known to be correct - nextUpdate: The time at or before which newer information will be available about the status of the certificate - producedAt: The time at which the OCSP responder signed this response. If nextUpdate is not set, the responder is indicating that newer revocation information is available all the time. Myers, Ankney, Malpani, Galperin, Adams [Page 4] INTERNET DRAFT OCSP March 1999 3.5 Response Pre-production OCSP responders MAY pre-produce signed responses specifying the status of certificates at a specified time. The time at which the status was known to be correct SHALL be reflected in the thisUpdate field of the response. The time at or before which newer information will be available is reflected in the nextUpdate field, while the time at which the response was produced will appear in the producedAt field of the response. 3.6 OCSP Signature Authority Delegation The key that signs a certificate's status information need not be the same key that signed the certificate. A certificate's issuer explicitly delegates OCSP signing authority by issuing a certificate containing a unique value for extendedKeyUsage in the OCSP signer's certificate. This certificate MUST be issued directly to the responder by the cognizant CA. 3.7 CA Key Compromise If an OCSP responder knows that a particular CA's private key has been compromised, it MAY return the revoked state for all certificates issued by that CA. 4. Functional Requirements 4.1 Certificate Content In order to convey to OCSP clients a well-known point of information access, CAs SHALL provide the capability to include the AuthorityInfoAccess extension (defined in [RFC2459], section 4.2.2.1) in certificates that can be checked using OCSP. Alternatively, the accessLocation for the OCSP provider may be configured locally at the OCSP client. CAs that support an OCSP service, either hosted locally or provided by an Authorized Responder, MUST provide for the inclusion of a value for a uniformResourceIndicator (URI) accessLocation and the OID value id-ad-ocsp for the accessMethod in the AccessDescription SEQUENCE. The value of the accessLocation field in the subject certificate defines the transport (e.g. HTTP) used to access the OCSP responder and may contain other transport dependent information (e.g. a URL). Myers, Ankney, Malpani, Galperin, Adams [Page 5] INTERNET DRAFT OCSP March 1999 4.2 Signed Response Acceptance Requirements Prior to accepting a signed response as valid, OCSP clients SHALL confirm that: 1. The certificate identified in a received response corresponds to that which was identified in the corresponding request; 2. The signature on the response is valid; 3. The identity of the signer matches the intended recipient of the request. 4. The signer is currently authorized to sign the response. 5. The time at which the status being indicated is known to be correct (thisUpdate) is sufficiently recent. 6. When available, the time at or before which newer information will be available about the status of the certificate (nextUpdate) is greater than the current time. 5. Detailed Protocol The ASN.1 syntax imports terms defined in [RFC2459]. For signature calculation, the data to be signed is encoded using the ASN.1 distinguished encoding rules (DER) [X.690]. ASN.1 EXPLICIT tagging is used as a default unless specified otherwise. The terms imported from elsewhere are: Extensions, CertificateSerialNumber, SubjectPublicKeyInfo, Name, AlgorithmIdentifier, CRLReason 5.1 Requests This section specifies the ASN.1 specification for a confirmation request. The actual formatting of the message could vary depending on the transport mechanism used (HTTP, SMTP, LDAP, etc.). 5.1.1 Request Syntax OCSPRequest ::= SEQUENCE { tbsRequest TBSRequest, optionalSignature [0] EXPLICIT Signature OPTIONAL } Myers, Ankney, Malpani, Galperin, Adams [Page 6] INTERNET DRAFT OCSP March 1999 TBSRequest ::= SEQUENCE { version [0] EXPLICIT Version DEFAULT v1, requestorName [1] EXPLICIT GeneralName OPTIONAL, requestList SEQUENCE OF Request, requestExtensions [2] EXPLICIT Extensions OPTIONAL } Signature ::= SEQUENCE { signatureAlgorithm AlgorithmIdentifier, signature BIT STRING, certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL} Version ::= INTEGER { v1(0) } Request ::= SEQUENCE { reqCert CertID, singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL } CertID ::= SEQUENCE { hashAlgorithm AlgorithmIdentifier, issuerNameHash OCTET STRING, -- Hash of Issuer's DN issuerKeyHash OCTET STRING, -- Hash of Issuers public key serialNumber CertificateSerialNumber } issuerNameHash is the hash of the Issuer's distinguished name. The hash shall be calculated over the DER encoding of the issuer's name field in the certificate being checked. issuerKeyHash is the hash of the Issuer's public key. The hash shall be calculated over the value (excluding tag and length) of the subject public key field in the issuer's certificate. The hash algorithm used for both these hashes, is identified in hashAlgorithm. serialNumber is the serial number of the certificate for which status is being requested. 5.1.2 Notes on the Request Syntax The primary reason to use the hash of the CA's public key in addition to the hash of the CA's name, to identify the issuer, is that it is possible that two CAs may choose to use the same Name (uniqueness in the Name is a recommendation that cannot be enforced). Two CAs will never, however, have the same public key unless the CAs either explicitly decided to share their private key, or the key of one of the CAs was compromised. Support for any specific extension is OPTIONAL. The critical flag SHOULD NOT be set for any of them. Section 5.4 suggests several useful extensions. Additional extensions MAY be defined in additional RFCs. Unrecognized extensions MUST be ignored (unless they have the critical flag set and are not understood). Myers, Ankney, Malpani, Galperin, Adams [Page 7] INTERNET DRAFT OCSP March 1999 The requestor MAY choose to sign the OCSP request. In that case, the signature is computed over the tbsRequest structure. If the request is signed, the requestor SHALL specify its name in the requestorName field. Also, for signed requests, the requestor MAY include certificates that help the OCSP responder verify the requestor's signature in the certs field of Signature. 5.2 Response Syntax This section specifies the ASN.1 specification for a confirmation response. The actual formatting of the message could vary depending on the transport mechanism used (HTTP, SMTP, LDAP, etc.). 5.2.1 ASN.1 Specification of the OCSP Response An OCSP response at a minimum consists of a responseStatus field indicating the processing status of the prior request. If the value of responseStatus is one of the error conditions, responseBytes are not set. OCSPResponse ::= SEQUENCE { responseStatus OCSPResponseStatus, responseBytes [0] EXPLICIT ResponseBytes OPTIONAL } OCSPResponseStatus ::= ENUMERATED { successful (0), --Response has valid confirmations malformedRequest (1), --Illegal confirmation request internalError (2), --Internal error in issuer tryLater (3), --Try again later --(4) is not used sigRequired (5), --Must sign the request unauthorized (6) --Request unauthorized } The value for responseBytes consists of an OBJECT IDENTIFIER and a response syntax identified by that OID encoded as an OCTET STRING: ResponseBytes ::= SEQUENCE { responseType OBJECT IDENTIFIER, response OCTET STRING } For a basic OCSP responder, responseType will be id-pkix-ocsp-basic: id-pkix-ocsp OBJECT IDENTIFIER ::= { id-ad-ocsp } id-pkix-ocsp-basic OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 } OCSP responders SHALL be capable of producing responses of the id- Myers, Ankney, Malpani, Galperin, Adams [Page 8] INTERNET DRAFT OCSP March 1999 pkix-ocsp-basic response type. Correspondingly, OCSP clients SHALL be capable of receiving and processing responses of the id-pkix-ocsp- basic response type. The value for response SHALL be the DER encoding of BasicOCSPResponse: BasicOCSPResponse ::= SEQUENCE { tbsResponseData ResponseData, signatureAlgorithm AlgorithmIdentifier, signature BIT STRING, certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } The value for signature SHALL be computed on the hash of the DER encoding ResponseData. ResponseData ::= SEQUENCE { version [0] EXPLICIT Version DEFAULT v1, responderID ResponderID, producedAt GeneralizedTime, responses SEQUENCE OF SingleResponse, responseExtensions [1] EXPLICIT Extensions OPTIONAL } ResponderID ::= CHOICE { byName [1] Name, byKey [2] KeyHash } KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key (excluding the tag and length fields) SingleResponse ::= SEQUENCE { certID CertID, certStatus CertStatus, thisUpdate GeneralizedTime, nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL, singleExtensions [1] EXPLICIT Extensions OPTIONAL } CertStatus ::= CHOICE { good [0] IMPLICIT NULL, revoked [1] IMPLICIT RevokedInfo, unknown [2] IMPLICIT UnknownInfo } RevokedInfo ::= SEQUENCE { revocationTime GeneralizedTime, revocationReason [0] EXPLICIT CRLReason OPTIONAL } UnknownInfo ::= NULL -- this can be replaced with an enumeration Myers, Ankney, Malpani, Galperin, Adams [Page 9] INTERNET DRAFT OCSP March 1999 5.2.2 Notes on OCSP Responses 5.2.2.1 Time The thisUpdate and nextUpdate fields define a recommended validity interval. This interval corresponds to the {thisUpdate, nextUpdate} interval in CRLs. Responses whose nextUpdate value is earlier than the local system time value SHOULD be considered unreliable. Responses whose thisUpdate time is later than the local system time SHOULD be considered unreliable. Responses where the nextUpdate value is not set are equivalent to a CRL with no time for nextUpdate (see Section 3.4). The producedAt time is the time at which this response was signed. 5.2.2.2 Authorized Responders The key that signs a certificate's status information need not be the same key that signed the certificate. It is necessary however to ensure that the entity signing this information is authorized to do so. Therefore, a certificate's issuer MUST either sign the OCSP responses itself or it MUST explicitly designate this authority to another entity. OCSP signing delegation SHALL be designated by the inclusion of id-kp-OCSPSigning in an extendedKeyUsage certificate extension included in the OCSP response signer's certificate. This certificate MUST be issued directly by the CA that issued the certificate in question. id-kp-OCSPSigning OBJECT IDENTIFIER ::= {id-kp 9} Systems or applications that rely on OCSP responses MUST be capable of detecting and enforcing use of the id-ad-ocspSigning value as described above. They MAY provide a means of locally configuring one or more OCSP signing authorities, and specifying the set of CAs for which each signing authority is trusted. They MUST reject the response if the certificate required to validate the signature on the response fails to meet at least one of the following criteria: 1. Matches a local configuration of OCSP signing authority for the certificate in question; or 2. Is the certificate of the CA that issued the certificate in question; or 3. Includes a value of id-ad-ocspSigning in an ExtendedKeyUsage extension and is issued by the CA that issued the certificate in question." Myers, Ankney, Malpani, Galperin, Adams [Page 10] INTERNET DRAFT OCSP March 1999 Additional acceptance or rejection criteria may apply to either the response itself or to the certificate used to validate the signature on the response. 5.2.2.2.1 Revocation Checking of an Authorized Responder Since an Authorized OCSP responder provides status information for one or more CAs, OCSP clients need to know how to check that an authorized responder's certificate has not been revoked. CAs may choose to deal with this problem in one of three ways: - A CA may specify that an OCSP client can trust a responder for the lifetime of the responder's certificate. The CA does so by including the extension id-pkix-ocsp-nocheck. This SHOULD be a non-critical extension. The value of the extension should be NULL. CAs issuing such a certificate should realized that a compromise of the responder's key, is as serious as the compromise of a CA key used to sign CRLs, at least for the validity period of this certificate. CA's may choose to issue this type of certificate with a very short lifetime and renew it frequently. id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 } - A CA may specify how the responder's certificate be checked for revocation. This can be done using CRL Distribution Points if the check should be done using CRLs or CRL Distribution Points, or Authority Information Access if the check should be done in some other way. Details for specifying either of these two mechanisms are available in [RFC2459]. - A CA may choose not to specify any method of revocation checking for the responder's certificate, in which case, it would be up to the OCSP client's local security policy to decide whether that certificate should be checked for revocation or not. 5.3 Mandatory and Optional Cryptographic Algorithms Clients that request OCSP services SHALL be capable of processing responses signed used DSA keys identified by the DSA sig-alg-oid specified in section 7.2.2 of [RFC2459]. Clients SHOULD also be capable of processing RSA signatures as specified in section 7.2.1 of [RFC2459]. OCSP responders SHALL support the SHA1 hashing algorithm. 5.4 Extensions This section defines some standard extensions, based on the extension model employed in X.509 version 3 certificates see [RFC2459]. Support Myers, Ankney, Malpani, Galperin, Adams [Page 11] INTERNET DRAFT OCSP March 1999 for all extensions is optional for both clients and responders. For each extension, the definition indicates its syntax, processing performed by the OCSP Responder, and any extensions which are included in the corresponding response. 5.4.1 Nonce The nonce cryptographically binds a request and a response to prevent replay attacks. The nonce is included as one of the requestExtensions in requests, while in responses it would be included as one of the responseExtensions. In both the request and the response, the nonce will be identified by the object identifier id-pkix-ocsp-nonce, while the extnValue is the value of the nonce. id-pkix-ocsp-nonce OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 } 5.4.2 CRL References It may be desirable for the OCSP responder to indicate the CRL on which a revoked or onHold certificate is found. This can be useful where OCSP is used between repositories, and also as an auditing mechanism. The CRL may be specified by a URL (the URL at which the CRL is available), a number (CRL number) or a time (the time at which the relevant CRL was created). These extensions will be specified as singleExtensions. The identifier for this extension will be id-pkix- ocsp-crl, while the value will be CrlID. id-pkix-ocsp-crl OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 } CrlID ::= SEQUENCE { crlUrl [0] EXPLICIT IA5String OPTIONAL, crlNum [1] EXPLICIT INTEGER OPTIONAL, crlTime [2] EXPLICIT GeneralizedTime OPTIONAL } For the choice crlUrl, the IA5String will specify the URL at which the CRL is available. For crlNum, the INTEGER will specify the value of the CRL number extension of the relevant CRL. For crlTime, the GeneralizedTime will indicate the time at which the relevant CRL was issued. 5.4.3 Acceptable Response Types An OCSP client MAY wish to specify the kinds of response types it understands. To do so, it SHOULD use an extension with the OID id- pkix-ocsp-response, and the value AcceptableResponses. This extension is included as one of the requestExtensions in requests. The OIDs included in AcceptableResponses are the OIDs of the various Myers, Ankney, Malpani, Galperin, Adams [Page 12] INTERNET DRAFT OCSP March 1999 response types this client can accept (e.g., id-pkix-ocsp-basic). id-pkix-ocsp-response OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 } AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER As noted in section 5.2.1, OCSP responders SHALL be capable of responding with responses of the id-pkix-ocsp-basic response type. Correspondingly, OCSP clients SHALL be capable of receiving and processing responses of the id-pkix-ocsp-basic response type. 5.4.4 Archive Cutoff An OCSP responder MAY choose to retain revocation information beyond a certificate's expiration. The date obtained by subtracting this retention interval value from the producedAt time in a response is defined as the certificate's "archive cutoff" date. OCSP-enabled applications would use an OCSP archive cutoff date to contribute to a proof that a digital signature was (or was not) reliable on the date it was produced even if the certificate needed to validate the signature has long since expired. OCSP servers that provide support for such historical reference SHOULD include an archive cutoff date extension in responses. If included, this value SHALL be provided as an OCSP singleExtensions extension identified by id-pkix-ocsp-archive-cutoff and of syntax GeneralizedTime: id-pkix-ocsp-archive-cutoff OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 } ArchiveCutoff ::= GeneralizedTime To illustrate, if a server is operated with a 7-year retention interval policy and status was produced at time t1 then the value for ArchiveCutoff in the response would be (t1 - 7 years). 5.4.5 CRL Entry Extensions All the extensions specified as CRL Entry Extensions - in Section 5.3 of [RFC2459] - are also supported as singleExtensions. 5.4.6 Service Locator An OCSP server may be operated in a mode whereby the server receives a request and routes it to the OCSP server which is known to be authoritative for the identified certificate. The serviceLocator request extension is defined for this purpose. This extension is Myers, Ankney, Malpani, Galperin, Adams [Page 13] INTERNET DRAFT OCSP March 1999 included as one of the singleRequestExtensions in requests. id-pkix-ocsp-service-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 } ServiceLocator ::= SEQUENCE { issuer Name, locator AuthorityInfoAccessSyntax OPTIONAL } Values for these fields are obtained from the corresponding fields in the subject certificate. 6. Security Considerations For this service to be effective, certificate using systems must connect to the certificate status service provider. In the event such a connection cannot be obtained, certificate-using systems could implement CRL processing logic as a fall-back position. A denial of service vulnerability is evident with respect to a flood of queries. The production of a cryptographic signature significantly affects response generation cycle time, thereby exacerbating the situation. Unsigned error responses open up the protocol to another denial of service attack, where the attacker sends false error responses. The use of precomputed responses allows replay attacks in which an old (good) response is replayed prior to its expiration date but after the certificate has been revoked. Deployments of OCSP should carefully evaluate the benefit of precomputed responses against the probability of a replay attack and the costs associated with its successful execution. Requests do not contain the responder they are directed to. This allows an attacker to replay a request to any number of OCSP responders. The reliance of HTTP caching in some deployment scenarios may result in unexpected results if intermediate servers are incorrectly configured or are known to possess cache management faults. Implementors are advised to take the reliability of HTTP cache mechanisms into account when deploying OCSP over HTTP. 7. References [RFC2459] Internet X.509 Public Key Infrastructure Certificate and CRL Profile, R. Housley, W. Ford, W. Polk, D. Solo, RFC 2459, January, 1999. Myers, Ankney, Malpani, Galperin, Adams [Page 14] INTERNET DRAFT OCSP March 1999 [HTTP] Hypertext Transfer Protocol -- HTTP/1.1, R. Fielding, J. Gettys, J. Mogul, H. Frystyk and T. Berners-Lee, RFC 2068, January 1997. [RFC2119] Key words for use in RFCs to Indicate Requirement Levels, S. Bradner, RFC 2119, March 1997. [URL] Uniform Resource Locators (URL), T. Berners-Lee, L. Masinter, M. McCahill, RFC 1738, December 1994. [X.690] ITU-T Recommendation X.690 (1994) | ISO/IEC 8825-1:1995, Information Technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER). 8. Author's Address Michael Myers VeriSign, Inc. 1390 Shorebird Way Mountain View, CA 94019 mmyers@verisign.com Rich Ankney CertCo, LLC 13506 King Charles Dr. Chantilly, VA 20151 rankney@erols.com Ambarish Malpani ValiCert, Inc. 3160 W. Bayshore Drive Palo Alto, CA 94303 ambarish@valicert.com 650.567.5457 Slava Galperin Teknowledge Corporation 1810 Embarcadero Road Palo Alto, CA galperin@teknowledge.com Carlisle Adams Entrust Technologies 750 Heron Road, Suite E08 Ottawa, Ontario K1V 1A7 Myers, Ankney, Malpani, Galperin, Adams [Page 15] INTERNET DRAFT OCSP March 1999 Canada cadams@entrust.com Appendix A A.1 OCSP over HTTP This section describes the formatting that will be done to the request and response to support HTTP. A.1.1 Request HTTP based OCSP requests can use either the GET or the POST method to submit their requests. To enable HTTP caching, small requests (that after encoding are less than 255 bytes), MAY be submitted using GET. If HTTP caching is not important, or the request is greater than 255 bytes, the request SHOULD be submitted using POST. Where privacy is a requirement, OCSP transactions exchanged using HTTP MAY be protected using either TLS/SSL or some other lower layer protocol. An OCSP request using the GET method is constructed as follows: GET {url}/{url-encoding of base-64 encoding of the DER encoding of the OCSPRequest} where {url} may be derived from the value of AuthorityInfoAccess or other local configuration of the OCSP client. An OCSP request using the POST method is constructed as follows: The Content-Type header has the value "application/ocsp-request" while the body of the message is the binary value of the DER encoding of the OCSPRequest. A.1.2 Response An HTTP-based OCSP response is composed of the appropriate HTTP headers, followed by the binary value of the DER encoding of the OCSPResponse. The Content-Type header has the value "application/ocsp-response". The Content-Length header SHOULD specify the length of the response. Other HTTP headers MAY be present and MAY be ignored if not understood by the requestor. Appendix B: OCSP in ASN.1 OCSP DEFINITIONS EXPLICIT TAGS::= BEGIN Myers, Ankney, Malpani, Galperin, Adams [Page 16] INTERNET DRAFT OCSP March 1999 IMPORTS -- Directory Authentication Framework (X.509) Certificate, AlgorithmIdentifier, CRLReason FROM AuthenticationFramework { joint-iso-itu-t ds(5) module(1) authenticationFramework(7) 3 } -- PKIX Certificate Extensions AuthorityInfoAccessSyntax FROM PKIX1Implicit88 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit-88(2)} Name, GeneralName, CertificateSerialNumber, Extensions, id-kp, id-ad-ocsp FROM PKIX1Explicit88 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit-88(1)}; OCSPRequest ::= SEQUENCE { tbsRequest TBSRequest, optionalSignature [0] EXPLICIT Signature OPTIONAL } TBSRequest ::= SEQUENCE { version [0] EXPLICIT Version DEFAULT v1, requestorName [1] EXPLICIT GeneralName OPTIONAL, requestList SEQUENCE OF Request, requestExtensions [2] EXPLICIT Extensions OPTIONAL } Signature ::= SEQUENCE { signatureAlgorithm AlgorithmIdentifier, signature BIT STRING, certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } Version ::= INTEGER { v1(0) } Request ::= SEQUENCE { reqCert CertID, singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL } CertID ::= SEQUENCE { hashAlgorithm AlgorithmIdentifier, issuerNameHash OCTET STRING, -- Hash of Issuer's DN issuerKeyHash OCTET STRING, -- Hash of Issuers public key serialNumber CertificateSerialNumber } Myers, Ankney, Malpani, Galperin, Adams [Page 17] INTERNET DRAFT OCSP March 1999 OCSPResponse ::= SEQUENCE { responseStatus OCSPResponseStatus, responseBytes [0] EXPLICIT ResponseBytes OPTIONAL } OCSPResponseStatus ::= ENUMERATED { successful (0), --Response has valid confirmations malformedRequest (1), --Illegal confirmation request internalError (2), --Internal error in issuer tryLater (3), --Try again later --(4) is not used sigRequired (5), --Must sign the request unauthorized (6) --Request unauthorized } ResponseBytes ::= SEQUENCE { responseType OBJECT IDENTIFIER, response OCTET STRING } BasicOCSPResponse ::= SEQUENCE { tbsResponseData ResponseData, signatureAlgorithm AlgorithmIdentifier, signature BIT STRING, certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } ResponseData ::= SEQUENCE { version [0] EXPLICIT Version DEFAULT v1, responderID ResponderID, producedAt GeneralizedTime, responses SEQUENCE OF SingleResponse, responseExtensions [1] EXPLICIT Extensions OPTIONAL } ResponderID ::= CHOICE { byName [1] Name, byKey [2] KeyHash } KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key --(excluding the tag and length fields) SingleResponse ::= SEQUENCE { certID CertID, certStatus CertStatus, thisUpdate GeneralizedTime, nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL, singleExtensions [1] EXPLICIT Extensions OPTIONAL } CertStatus ::= CHOICE { good [0] IMPLICIT NULL, revoked [1] IMPLICIT RevokedInfo, Myers, Ankney, Malpani, Galperin, Adams [Page 18] INTERNET DRAFT OCSP March 1999 unknown [2] IMPLICIT UnknownInfo } RevokedInfo ::= SEQUENCE { revocationTime GeneralizedTime, revocationReason [0] EXPLICIT CRLReason OPTIONAL } UnknownInfo ::= NULL -- this can be replaced with an enumeration ArchiveCutoff ::= GeneralizedTime AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER ServiceLocator ::= SEQUENCE { issuer Name, locator AuthorityInfoAccessSyntax } -- Object Identifiers id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } id-pkix-ocsp OBJECT IDENTIFIER ::= { id-ad-ocsp } id-pkix-ocsp-basic OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 } id-pkix-ocsp-nonce OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 } id-pkix-ocsp-crl OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 } id-pkix-ocsp-response OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 } id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 } id-pkix-ocsp-archive-cutoff OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 } id-pkix-ocsp-service-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 } END Appendix C: MIME registrations C.1 application/ocsp-request To: ietf-types@iana.org Subject: Registration of MIME media type application/ocsp-request MIME media type name: application MIME subtype name: ocsp-request Required parameters: None Optional parameters: None Encoding considerations: binary Myers, Ankney, Malpani, Galperin, Adams [Page 19] INTERNET DRAFT OCSP March 1999 Security considerations: Carries a request for information. This request may optionally be cryptographically signed. Interoperability considerations: None Published specification: IETF PKIX Working Group Draft on Online Certificate Status Protocol - OCSP Applications which use this media type: OCSP clients Additional information: Magic number(s): None File extension(s): .ORQ Macintosh File Type Code(s): none Person & email address to contact for further information: Ambarish Malpani <ambarish@valicert.com> Intended usage: COMMON Author/Change controller: Ambarish Malpani <ambarish@valicert.com> C.2 application/ocsp-response To: ietf-types@iana.org Subject: Registration of MIME media type application/ocsp-response MIME media type name: application MIME subtype name: ocsp-response Required parameters: None Optional parameters: None Encoding considerations: binary Security considerations: Carries a cryptographically signed response Interoperability considerations: None Published specification: IETF PKIX Working Group Draft on Online Certificate Status Protocol - OCSP Applications which use this media type: OCSP servers Myers, Ankney, Malpani, Galperin, Adams [Page 20] INTERNET DRAFT OCSP March 1999 Additional information: Magic number(s): None File extension(s): .ORS Macintosh File Type Code(s): none Person & email address to contact for further information: Ambarish Malpani <ambarish@valicert.com> Intended usage: COMMON Author/Change controller: Ambarish Malpani <ambarish@valicert.com> Myers, Ankney, Malpani, Galperin, Adams [Page 21] Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id HAA26012 for ietf-pkix-bks; Thu, 22 Apr 1999 07:10:57 -0700 (PDT) Received: from eastwood.aldigital.algroup.co.uk (eastwood.aldigital.algroup.co.uk [194.128.162.193]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id HAA26008 for <ietf-pkix@imc.org>; Thu, 22 Apr 1999 07:10:55 -0700 (PDT) Received: from freeby.ben.algroup.co.uk (freeby.ben.algroup.co.uk [193.133.15.6]) by eastwood.aldigital.algroup.co.uk (8.8.8/8.6.12) with ESMTP id OAA20096; Thu, 22 Apr 1999 14:11:34 GMT Received: from algroup.co.uk (naughty.ben.algroup.co.uk [193.133.15.107]) by freeby.ben.algroup.co.uk (8.6.12/8.6.12) with ESMTP id PAA03673; Thu, 22 Apr 1999 15:11:50 +0100 Message-ID: <371F2E14.64087E9B@algroup.co.uk> Date: Thu, 22 Apr 1999 15:11:32 +0100 From: Ben Laurie <ben@algroup.co.uk> Organization: A.L. Group plc X-Mailer: Mozilla 4.08 [en] (WinNT; I) MIME-Version: 1.0 To: Denis Pinkas <Denis.Pinkas@bull.net> CC: Stefan Santesson <stefan@accurata.se>, ietf-pkix@imc.org Subject: Re: New proposed solution to the QC biometric issue References: <3.0.32.19990422135828.00aef1d0@mail.accurata.se> <371F20BA.261AA96A@bull.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Denis Pinkas wrote: > My comments are along the lines. > > I have given this quite a thought the last days and I must say that I would favor an OPTIONAL URI pointer. > > Also I do not feel strong on this issue, I would favor the opposite. :-( > > The rational is as follows: > > 1) This data is private and may be released onbly if the subject wishes it. So it is very unlikely that you will find it in an URL free of access. What has this got to do with anything? Or are you suggesting that not revealing the URL will secure it? > 2) If the indication to fetch the information points to one of out several places, some people are going to argue that a sequence of such info is needed. So give them a sequence! Is there a shortage or something? > The basic question is whether the certificate should refer to the location of the biometric data or whether the biometric data should refer to the information in the certificate. I would think that the opposite is more meaningful. Which one is the opposite? If you mean that the biometric data should refer to the cert, how do I find it when all I have in my hand is a cert? Cheers, Ben. -- http://www.apache-ssl.org/ben.html "My grandfather once told me that there are two kinds of people: those who work and those who take the credit. He told me to try to be in the first group; there was less competition there." - Indira Gandhi Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id GAA25312 for ietf-pkix-bks; Thu, 22 Apr 1999 06:13:16 -0700 (PDT) Received: from clbull.frcl.bull.fr (clbull.frcl.bull.fr [129.182.1.20]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id GAA25308 for <ietf-pkix@imc.org>; Thu, 22 Apr 1999 06:13:08 -0700 (PDT) Received: from k2.frcl.bull.fr (k2.frcl.bull.fr [129.182.100.2]) by clbull.frcl.bull.fr (8.9.1a/8.9.1) with ESMTP id PAA08500; Thu, 22 Apr 1999 15:13:42 +0200 Received: from bull.net (frcls6118.frcl.bull.fr [129.182.109.213]) by k2.frcl.bull.fr (AIX4.2/UCB 8.7/8.7) with ESMTP id PAA23480; Thu, 22 Apr 1999 15:13:42 +0200 (DFT) Message-ID: <371F20BA.261AA96A@bull.net> Date: Thu, 22 Apr 1999 15:14:34 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.06 [fr] (Win95; I) MIME-Version: 1.0 To: Stefan Santesson <stefan@accurata.se> CC: ietf-pkix@imc.org Subject: Re: New proposed solution to the QC biometric issue References: <3.0.32.19990422135828.00aef1d0@mail.accurata.se> Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Content-Transfer-Encoding: 8bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Stefan, My comments are along the lines. > Stephen wrote: > <snip> > > I might be persuaded to provide an OPTIONAL pointer field if more evidence accumulates in favor of such, but it is not in the same category as the other pointers you cite. > > Steve, > > I have given this quite a thought the last days and I must say that I would favor an OPTIONAL URI pointer. Also I do not feel strong on this issue, I would favor the opposite. :-( The rational is as follows: 1) This data is private and may be released onbly if the subject wishes it. So it is very unlikely that you will find it in an URL free of access. 2) If the indication to fetch the information points to one of out several places, some people are going to argue that a sequence of such info is needed. The basic question is whether the certificate should refer to the location of the biometric data or whether the biometric data should refer to the information in the certificate. I would think that the opposite is more meaningful. > The rationale is mainly: > > 1) It doesn't matter from which source the relying party gets the source data (e.g. picture) as long as it does match the hash. So the optional URI are not THE place to get the information, but rather A place to find it. What I mean by this is that there is no conflict if the source data is provided by several means. > > 2) The authentication process could then be carried out independent of the transaction. I.e. the relying party could verify and display the picture regardless of which protocol the certificate was used and/or presented. > > So, what I see before me with a hash AND an optional URI of a picture, is standard clients that automatically displays the picture of the subject when they get hold of a certificate, without having to integrate that process with the corresponding transaction protocol where the certificate is used. > > Because if the URI is not allowed, then the process of obtaining the source data will have to be solved by locally defined standards, integrated with some protocol. And that will never be a general standard solution. Beware. You mean that the standard solution will be to use the OPTIONAL field. :-) > Further, since we clearly focus on two types of bio-data (picture and signature image) maybe 3 three: add "fingerprint" whether it is coded as a bit-map or whatever. > I would also favor that these types are associated wit a predefined integer value (not needing an OID). Agreed. > By the reasons above I propose this ASN.1 structure for a bio-data record: > > BiometricData ::= SEQUENCE { > typeOfBiometricData TypeOfBioDataSyntax, > hashAlgorithm AlgorithmIdentifier, > biometricDataHash OCTET STRING, > sourceDataUri IA5String OPTIONAL} > > TypeOfBioDataSyntax ::== CHOICE { > predefinedBioType [0] INTEGER, > bioDataOid [1] OBJECT IDENTIFIER } > > with the following predefinedBioType defined (so far): > 0 picture > 1 handwritten signature > > Concerning source data format I don't believe that has to be addressed any further. > If an URI are used, then this is solved automatically. If not, this will have to be defined by local conventions. In extreme cases, the OID choice of TypeOfBioDataSyntax should be used to define both type and format. No. there are multiple ways to encode a picture, so the type of encoding cannot be derived from the type of biometrics information. It may be useful to know in advance the encoding, to know if it can be processed. I got a proposal from Anders Rundgren which solves the problem. He suggested to use mime-types that allow to represent picture, sound. movie, text-file, xml-file, java-object etc. We could thus add a mime type defined as: mime_type PRINTABLE STRING, i.e. the string contains a text-string like "image/jpeg" . The advantage to using this scheme is that there already are many types defined. As a conclusion I would favor: BiometricData ::= SEQUENCE { typeOfBiometricData TypeOfBioDataSyntax, mime_type PRINTABLE STRING, hashAlgorithm AlgorithmIdentifier, biometricDataHash OCTET STRING, } Regards, Denis > /Stefan > ------------------------------------------------------------------- > Stefan Santesson <stefan@accurata.se> > Accurata Systemsäkerhet AB http://www.accurata.se > Slagthuset Tel. +46-40 108588 > 211 20 Malmö Fax. +46-40 150790 > Sweden Mobile +46-70 5247799 > > PGP fingerprint: 89BC 6C79 5B3D 591B 8547 1512 7D11 DBF4 528F 29A0 > ------------------------------------------------------------------- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id EAA23705 for ietf-pkix-bks; Thu, 22 Apr 1999 04:57:41 -0700 (PDT) Received: from popmail.inbox.se (popmail.inbox.se [193.12.72.101]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id EAA23701 for <ietf-pkix@imc.org>; Thu, 22 Apr 1999 04:57:39 -0700 (PDT) Received: from stefan2 (accurata.inbox.se [193.12.72.24]) by popmail.inbox.se (8.9.3/8.9.3) with SMTP id NAA10823; Thu, 22 Apr 1999 13:58:27 +0200 Message-Id: <3.0.32.19990422135828.00aef1d0@mail.accurata.se> X-Sender: mb517@mail.accurata.se X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Thu, 22 Apr 1999 13:58:29 +0200 To: Stephen Kent <kent@po1.bbn.com>, "Peter Williams" <peterw@valicert.com> From: Stefan Santesson <stefan@accurata.se> Subject: Re: New proposed solution to the QC biometric issue Cc: <ietf-pkix@imc.org> Mime-Version: 1.0 Content-Type: text/enriched; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> At 01:37 PM 4/19/99 -0400, Stephen Kent wrote: <<snip>=20 <excerpt>I might be persuaded to provide an OPTIONAL pointer field if more evidence accumulates in favor of such, but it is not in the same category as the other pointers you cite. </excerpt> Steve, I have given this quite a thought the last days and I must say that I would favor an OPTIONAL URI pointer. The rationale is mainly: 1) It doesn't matter from which source the relying party gets the source data (e.g. picture) as long as it does match the hash. So the optional URI are not THE place to get the information, but rather A place to find it. What I mean by this is that there is no conflict if the source data is provided by several means. 2) The authentication process could then be carried out independent of the transaction. I.e. the relying party could verify and display the picture regardless of which protocol the certificate was used and/or presented. So, what I see before me with a hash AND an optional URI of a picture, is standard clients that automatically displays the picture of the subject when they get hold of a certificate, without having to integrate that process with the corresponding transaction protocol where the certificate is used. Because if the URI is not allowed, then the process of obtaining the source data will have to be solved by locally defined standards, integrated with some protocol. And that will never be a general standard solution. Further, since we clearly focus on two types of bio-data (picture and signature image) I would also favor that these types are associated wit a predefined integer value (not needing an OID). By the reasons above I propose this ASN.1 structure for a bio-data record: BiometricData ::=3D SEQUENCE { typeOfBiometricData TypeOfBioDataSyntax, hashAlgorithm AlgorithmIdentifier, biometricDataHash OCTET STRING, sourceDataUri IA5String OPTIONAL} TypeOfBioDataSyntax ::=3D=3D CHOICE { predefinedBioType [0] INTEGER, bioDataOid [1] OBJECT IDENTIFIER }=20 with the following predefinedBioType defined (so far): 0 picture 1 handwritten signature Concerning source data format I don't believe that has to be addressed any further.=20 If an URI are used, then this is solved automatically. If not, this will have to be defined by local conventions. In extreme cases, the OID choice of TypeOfBioDataSyntax should be used to define both type and format. /Stefan ------------------------------------------------------------------- Stefan Santesson <<stefan@accurata.se> Accurata Systems=E4kerhet AB http://www.accurata.se Slagthuset Tel. +46-40 108588 =20 211 20 Malm=F6 Fax. +46-40 150790 =20 Sweden Mobile +46-70 5247799 PGP fingerprint: 89BC 6C79 5B3D 591B 8547 1512 7D11 DBF4 528F 29A0 ------------------------------------------------------------------- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id CAA16024 for ietf-pkix-bks; Thu, 22 Apr 1999 02:22:26 -0700 (PDT) Received: from nexus.webmatic.de (nexus.webmatic.de [195.206.76.2]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id CAA16020 for <ietf-pkix@imc.org>; Thu, 22 Apr 1999 02:22:24 -0700 (PDT) Received: from chappi.deh.de (chappi.deh.de [195.206.79.60]) by nexus.webmatic.de (Postfix) with ESMTP id EC1DC4D; Thu, 22 Apr 1999 11:23:25 +0200 (CEST) Received: from deh.de (juergen.deh.de [195.206.79.54]) by chappi.deh.de (8.9.0/8.9.0) with ESMTP id LAA03782; Thu, 22 Apr 1999 11:23:33 +0200 Message-ID: <371EEAB5.42F6156C@deh.de> Date: Thu, 22 Apr 1999 11:24:05 +0200 From: Juergen Walter <walter@deh.de> Reply-To: walter@deh.de Organization: DEH information systems GmbH X-Mailer: Mozilla 4.51 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: "David P. Kemp" <dpkemp@missi.ncsc.mil> Cc: ietf-pkix@imc.org Subject: Re: Delta CRL processing References: <199904211814.OAA09236@ara.missi.ncsc.mil> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Comments in line. "David P. Kemp" wrote: > > > From: Juergen Walter <walter@deh.de> > > > > I think that a delta crl along with its base crl is just a (temporal?) > > replacement of *a* CRL that is issued after the time when the base CRL > > is isssued. > > Agree. > > > Two examples. # short for CRLNumber in the following. > > > > (1) Cert A is pending at CRL #1. Delta-CRL #2 is issued according to the > > base CRL #1. Delta-CRL #2 indicates that Cert A is removedFromCRL i. e. > > Cert A is valid. Delta-CRL #3 does not contain any CRL entry > > corresponding to Cert A. A relying application that does only process > > Delta-CRL #3 (but not Delta-CRL #2) returns the result that Cert A is > > always pending. But Cert A is valid after Delta-CRL #2 is issued. > > What do you mean by pending? I assume you mean that Cert A appears > on CRL #1 with a CRLReason of "certificateHold" in its entry extension. > > If CRL #2 has no entry for Cert A, Delta-CRL #2 (referring to baseCRL #1) > would have Cert A with a CRLReason of removedFromCRL. I see. It was a wrong example. Thanks. > Similarly, Delta-CRL #3 (referring to baseCRL #1) would have Cert A > with a CRLReason of removedFromCRL, and so would Delta #4, Delta #5, > and all other Deltas with a baseCRL of #1. > > Your assertion that Delta-CRL #3 would indicate that cert A is on > certificateHold is incorrect. Agreed. Here is the replacement: (1)' Cert A is valid at the time when CRL #1 is issued. Delta-CRL #2/baseCRL #1 has a CRL entry for Cert A with reasonCode of "certificateHold". Delta-CRL #3/baseCRL #1 has not any entry according to Cert A. Certificate path validation that does not take notice of Delta-CRL #2 results in valid for the time interval whereby the certificate was on hold. > > > (2) Cert B is valid at CRL #1. Delta-CRL #2 contains a CRL entry for > > Cert B. Cert B expires before Delta-CRL #3 is issued. Delta-CRL #3 may > > not contain any CRL entry for Cert B. A relying application that does > > process only Delta-CRL #3 (but not Delta-CRL #2) returns the result that > > Cert B is valid before it expires. But Cert B was revoked prior to > > expiration. > > This situation is not specific to Delta CRLs, it applies to CRLs in > general. Agreed. > > If the relying application wants to know whether a cert was revoked > in a time interval, it must check the CRL issued at the end of that > interval. In your example, Cert B is revoked sometime between CRL #1 > and CRL #2, and it appears on CRL #2 and Delta-CRL #2. If it appears > on CRL #3, it will also appear on Delta-CRL #3 (referring to baseCRL #1). > It would not appear on Delta-CRL #3 (referring to baseCRL #2) > because CRL #2 already shows that Cert B is revoked. Either case > (Delta#3/Base#1 or Delta#3/Base#2) must return the same result > as CRL #3. > > > Therefore the corresponding RFC 2459 paragraph > > > > 'A CRL user constructing a locally held CRL from delta-CRLs MUST > > consider the constructed CRL incomplete and unusable if the CRLNumber > > of the received delta-CRL is more than one greater than the CRLnumber > > of the delta-CRL last processed.' > > > > should remain unchanged. > > Your very first statement contradicts this. You are right again. The RFC 2459 is more suitable for those crls that I called epsilon-CRLs. My examples are not delta-crl specific. It is simply the fact that you need the appropriate CRLs for certificate path validation at a certain time in the past. > A delta CRL along with its > base CRL must *IN EVERY CASE* yield identical results to a CRL issued > (hypothetically or actually) at the time of the delta CRL. That is the > mathematical definition of a delta: the difference between two > absolutes. > > Proof by construction: if you create Delta-CRL #15 as the difference > between CRL #15 and CRL #1, then CRL #1 + Delta-CRL #15 must yield > CRL #15. > > The contents of Delta-CRLs #2,3,....14 are irrelevant. I resume that nobody wants to implement epsilon-crls. Alternatively one may split up large crls according to revocationTime intervals. Is it prudent to go this way? Juergen Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id NAA12697 for ietf-pkix-bks; Wed, 21 Apr 1999 13:58:41 -0700 (PDT) Received: from prv-mail20.provo.novell.com (prv-mail20.Provo.Novell.COM [137.65.40.4]) by mail.proper.com (8.8.8/8.8.5) with SMTP id NAA12693 for <ietf-pkix@imc.org>; Wed, 21 Apr 1999 13:58:40 -0700 (PDT) Received: from INET-PRV-Message_Server by prv-mail20.provo.novell.com with Novell_GroupWise; Wed, 21 Apr 1999 14:55:13 -0600 Message-Id: <s71de6d1.099@prv-mail20.provo.novell.com> X-Mailer: Novell GroupWise 5.5 Date: Wed, 21 Apr 1999 14:54:56 -0600 From: "Bob Jueneman" <BJUENEMAN@novell.com> To: <ietf-pkix@imc.org>, <dpkemp@missi.ncsc.mil> Subject: Re: Delta CRL processing Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id NAA12694 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> David, I appreciate and agree with your analysis in this case. It would indeed be perverse to implement a more efficient algorithm such as delta-CRLs, and then force the CA to go through an onerous and unnecessary publication step. If "issue" in this case is closer to "create the equivalent of and hold it in a private archive in case it's needed", I'm perfectly happy. But what, precisely, does RFC 2459 currently require, and does the language need to be modified to fit this interpretation of x.509? With respect to what Juergan called an epsilon-CRL, i.e., a delta CRL that is NOT cumulative since the last base, but instead is incremental, requiring the entire collection in order to be complete, I was not proposing such a construct -- I just want to be clear that WASN'T what we were doing. I'm not necessarily opposed to such a function -- I just haven't heard a sufficient explanation of where it might apply to be convinced yet. Regards, Bob >>> "David P. Kemp" <dpkemp@missi.ncsc.mil> 04/21/99 01:27PM >>> > From: Russ Housley <housley@spyrus.com> > > Bob: > > delta-CRLs do not operate as you describe. They are the updates since the > specified base. Further, X.509 requires the CA to issue a full CRL every > time that a delta-CRL is generated. RFC 2459 did not create this > requirement, itis inherited from X.509. > > Russ We need a glossary which clarifies exactly what X.509 means by "issue". In a private message, Sharon Boeyen points out: "As of the 1997 edition of X.509 a CA is NOT required to publish a full CRL." I claim that not only does an X.509 CA not have to "publish" a full CRL, it also does not need to create a DER representation of the CRL or generate a signature of that DER. The intent of the word "issue" is to ensure that at any point in time, there is a single, unique, unambiguous instance of a full CRL that would have been generated and published had the CA chosen to do so. Or in other words, if an application reconstructs the revocation status for a certain point in time, it will always reconstruct the same status as would have been obtained had a full CRL been generated, published, and retrieved. It must be impossible to take two different inputs (combinations of full, delta, and DP-partitioned CRLs) and arrive at conflicting conclusions as to the status of a given certificate. This is analogous to the procedure for Certification Path Validation, which says: "Conforming implementations ... are not required to implement this algorithm, but shall be functionally equivalent to the external behavior resulting from this procedure." Reference algorithms are often chosen to emphasize simplicity, correctness and tutorial value instead of operational efficiency. Optimizations may be applied as long as the optimized algorithm yields correct results. The external result of CRL processing is the revocation status of a particular certificate at a particular time, and the correct answer is the one which would have been obtained from a full CRL. It would be perverse indeed to interpret X.509 as saying that optimized revocation methods are allowed, as long as you also perform the unoptimized reference method in parallel! Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id MAA12103 for ietf-pkix-bks; Wed, 21 Apr 1999 12:41:10 -0700 (PDT) Received: from luc.ab.org (mail.ab.org [209.112.11.37]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id MAA12099 for <ietf-pkix@imc.org>; Wed, 21 Apr 1999 12:41:09 -0700 (PDT) Received: from xfile ([207.112.70.165]) by luc.ab.org (Netscape Messaging Server 3.5) with SMTP id 87; Wed, 21 Apr 1999 15:55:19 -0400 Message-Id: <3.0.1.32.19990421153437.00a43100@mail.ab.org> X-Sender: frousseau@mail.ab.org X-Mailer: Windows Eudora Pro Version 3.0.1 (32) Date: Wed, 21 Apr 1999 15:34:37 -0400 To: ietf-pkix@imc.org From: Francois Rousseau <f.rousseau@adga.ca> Subject: Re: Delta CRL processing Cc: dpkemp@missi.ncsc.mil In-Reply-To: <199904191553.LAA07064@ara.missi.ncsc.mil> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Note that Clause 12.6.3.3 on the Delta CRL indicator field in the Proposed Draft Amendment (PDAM) on X.509(97) was already clarifying part of this issue, however this item was discussed further at the last Directory Working Group meeting in Orlando. The revised Clause 12.6.3.3 in the Final PDAM (FPDAM) on X.509 (97) should soon be available. It will include a more precise explanation of the proposed rules for constructing delta-CRLs along with a more extensive example of their use. Francois Rousseau AEPOS Technologies Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id MAA11982 for ietf-pkix-bks; Wed, 21 Apr 1999 12:27:31 -0700 (PDT) Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id MAA11978 for <ietf-pkix@imc.org>; Wed, 21 Apr 1999 12:27:30 -0700 (PDT) Received: from stingray.missi.ncsc.mil (root@localhost) by stingray.missi.ncsc.mil with ESMTP id PAA09702 for <ietf-pkix@imc.org>; Wed, 21 Apr 1999 15:28:30 -0400 (EDT) Received: from missi.ncsc.mil (depot.missi.ncsc.mil [144.51.60.1]) by stingray.missi.ncsc.mil with ESMTP id PAA09698 for <ietf-pkix@imc.org>; Wed, 21 Apr 1999 15:28:30 -0400 (EDT) Received: from ara.missi.ncsc.mil (ara.missi.ncsc.mil [144.51.56.12]) by missi.ncsc.mil (8.8.8/8.8.8) with ESMTP id PAA13152 for <ietf-pkix@imc.org>; Wed, 21 Apr 1999 15:28:41 -0400 (EDT) Received: from ara.missi.ncsc.mil (ara.missi.ncsc.mil [144.51.56.12]) by ara.missi.ncsc.mil (8.9.1b+Sun/8.9.1) with SMTP id PAA09252 for <ietf-pkix@imc.org>; Wed, 21 Apr 1999 15:27:38 -0400 (EDT) Message-Id: <199904211927.PAA09252@ara.missi.ncsc.mil> Date: Wed, 21 Apr 1999 15:27:38 -0400 (EDT) From: "David P. Kemp" <dpkemp@missi.ncsc.mil> Reply-To: "David P. Kemp" <dpkemp@missi.ncsc.mil> Subject: Re: Delta CRL processing To: ietf-pkix@imc.org MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii Content-MD5: HgASiX9m1Mm+DI2T3AT7OA== X-Mailer: dtmail 1.3.0 CDE Version 1.3 SunOS 5.7 sun4u sparc Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> > From: Russ Housley <housley@spyrus.com> > > Bob: > > delta-CRLs do not operate as you describe. They are the updates since the > specified base. Further, X.509 requires the CA to issue a full CRL every > time that a delta-CRL is generated. RFC 2459 did not create this > requirement, itis inherited from X.509. > > Russ We need a glossary which clarifies exactly what X.509 means by "issue". In a private message, Sharon Boeyen points out: "As of the 1997 edition of X.509 a CA is NOT required to publish a full CRL." I claim that not only does an X.509 CA not have to "publish" a full CRL, it also does not need to create a DER representation of the CRL or generate a signature of that DER. The intent of the word "issue" is to ensure that at any point in time, there is a single, unique, unambiguous instance of a full CRL that would have been generated and published had the CA chosen to do so. Or in other words, if an application reconstructs the revocation status for a certain point in time, it will always reconstruct the same status as would have been obtained had a full CRL been generated, published, and retrieved. It must be impossible to take two different inputs (combinations of full, delta, and DP-partitioned CRLs) and arrive at conflicting conclusions as to the status of a given certificate. This is analogous to the procedure for Certification Path Validation, which says: "Conforming implementations ... are not required to implement this algorithm, but shall be functionally equivalent to the external behavior resulting from this procedure." Reference algorithms are often chosen to emphasize simplicity, correctness and tutorial value instead of operational efficiency. Optimizations may be applied as long as the optimized algorithm yields correct results. The external result of CRL processing is the revocation status of a particular certificate at a particular time, and the correct answer is the one which would have been obtained from a full CRL. It would be perverse indeed to interpret X.509 as saying that optimized revocation methods are allowed, as long as you also perform the unoptimized reference method in parallel! Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id LAA10913 for ietf-pkix-bks; Wed, 21 Apr 1999 11:14:04 -0700 (PDT) Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id LAA10909 for <ietf-pkix@imc.org>; Wed, 21 Apr 1999 11:14:03 -0700 (PDT) Received: from stingray.missi.ncsc.mil (root@localhost) by stingray.missi.ncsc.mil with ESMTP id OAA00756 for <ietf-pkix@imc.org>; Wed, 21 Apr 1999 14:15:03 -0400 (EDT) Received: from missi.ncsc.mil (depot.missi.ncsc.mil [144.51.60.1]) by stingray.missi.ncsc.mil with ESMTP id OAA00752 for <ietf-pkix@imc.org>; Wed, 21 Apr 1999 14:15:03 -0400 (EDT) Received: from ara.missi.ncsc.mil (ara.missi.ncsc.mil [144.51.56.12]) by missi.ncsc.mil (8.8.8/8.8.8) with ESMTP id OAA04558 for <ietf-pkix@imc.org>; Wed, 21 Apr 1999 14:15:14 -0400 (EDT) Received: from ara.missi.ncsc.mil (ara.missi.ncsc.mil [144.51.56.12]) by ara.missi.ncsc.mil (8.9.1b+Sun/8.9.1) with SMTP id OAA09236 for <ietf-pkix@imc.org>; Wed, 21 Apr 1999 14:14:11 -0400 (EDT) Message-Id: <199904211814.OAA09236@ara.missi.ncsc.mil> Date: Wed, 21 Apr 1999 14:14:11 -0400 (EDT) From: "David P. Kemp" <dpkemp@missi.ncsc.mil> Reply-To: "David P. Kemp" <dpkemp@missi.ncsc.mil> Subject: Re: Delta CRL processing To: ietf-pkix@imc.org MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii Content-MD5: 6KuUEVD4FdJBUMulUlyTTA== X-Mailer: dtmail 1.3.0 CDE Version 1.3 SunOS 5.7 sun4u sparc Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> > From: Juergen Walter <walter@deh.de> > > I think that a delta crl along with its base crl is just a (temporal?) > replacement of *a* CRL that is issued after the time when the base CRL > is isssued. Agree. > Two examples. # short for CRLNumber in the following. > > (1) Cert A is pending at CRL #1. Delta-CRL #2 is issued according to the > base CRL #1. Delta-CRL #2 indicates that Cert A is removedFromCRL i. e. > Cert A is valid. Delta-CRL #3 does not contain any CRL entry > corresponding to Cert A. A relying application that does only process > Delta-CRL #3 (but not Delta-CRL #2) returns the result that Cert A is > always pending. But Cert A is valid after Delta-CRL #2 is issued. What do you mean by pending? I assume you mean that Cert A appears on CRL #1 with a CRLReason of "certificateHold" in its entry extension. If CRL #2 has no entry for Cert A, Delta-CRL #2 (referring to baseCRL #1) would have Cert A with a CRLReason of removedFromCRL. Similarly, Delta-CRL #3 (referring to baseCRL #1) would have Cert A with a CRLReason of removedFromCRL, and so would Delta #4, Delta #5, and all other Deltas with a baseCRL of #1. Your assertion that Delta-CRL #3 would indicate that cert A is on certificateHold is incorrect. > (2) Cert B is valid at CRL #1. Delta-CRL #2 contains a CRL entry for > Cert B. Cert B expires before Delta-CRL #3 is issued. Delta-CRL #3 may > not contain any CRL entry for Cert B. A relying application that does > process only Delta-CRL #3 (but not Delta-CRL #2) returns the result that > Cert B is valid before it expires. But Cert B was revoked prior to > expiration. This situation is not specific to Delta CRLs, it applies to CRLs in general. If the relying application wants to know whether a cert was revoked in a time interval, it must check the CRL issued at the end of that interval. In your example, Cert B is revoked sometime between CRL #1 and CRL #2, and it appears on CRL #2 and Delta-CRL #2. If it appears on CRL #3, it will also appear on Delta-CRL #3 (referring to baseCRL #1). It would not appear on Delta-CRL #3 (referring to baseCRL #2) because CRL #2 already shows that Cert B is revoked. Either case (Delta#3/Base#1 or Delta#3/Base#2) must return the same result as CRL #3. > Therefore the corresponding RFC 2459 paragraph > > 'A CRL user constructing a locally held CRL from delta-CRLs MUST > consider the constructed CRL incomplete and unusable if the CRLNumber > of the received delta-CRL is more than one greater than the CRLnumber > of the delta-CRL last processed.' > > should remain unchanged. Your very first statement contradicts this. A delta CRL along with its base CRL must *IN EVERY CASE* yield identical results to a CRL issued (hypothetically or actually) at the time of the delta CRL. That is the mathematical definition of a delta: the difference between two absolutes. Proof by construction: if you create Delta-CRL #15 as the difference between CRL #15 and CRL #1, then CRL #1 + Delta-CRL #15 must yield CRL #15. The contents of Delta-CRLs #2,3,....14 are irrelevant. Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id JAA10187 for ietf-pkix-bks; Wed, 21 Apr 1999 09:56:42 -0700 (PDT) Received: from spyrus.com (mail.spyrus.com [207.212.34.30]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id JAA10183 for <ietf-pkix@imc.org>; Wed, 21 Apr 1999 09:56:41 -0700 (PDT) Received: from rhousley_laptop.spyrus.com ([209.172.119.101]) by spyrus.com (8.7.6/8.7.3/arc) with SMTP id JAA17249; Wed, 21 Apr 1999 09:56:16 -0700 (PDT) Message-Id: <4.1.19990421113330.00929cb0@mail.spyrus.com> X-Sender: rhousley@mail.spyrus.com X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1 Date: Wed, 21 Apr 1999 11:35:19 -0400 To: "Bob Jueneman" <BJUENEMAN@novell.com> From: Russ Housley <housley@spyrus.com> Subject: Re: Delta CRL processing Cc: ietf-pkix@imc.org In-Reply-To: <s71ccf48.071@prv-mail20.provo.novell.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Bob: delta-CRLs do not operate as you describe. They are the updates since the specified base. Further, X.509 requires the CA to issue a full CRL every time that a delta-CRL is generated. RFC 2459 did not create this requirement, itis inherited from X.509. Russ At 07:02 PM 4/20/99 -0600, Bob Jueneman wrote: >Russ, > >Let me poke at this for a moment. > >Does this make it crystal clear that relying party software is not required to >to obtain each and every CRL that is issued, nor every delta that might have >been issued since the last time the base was updated? > >When I first suggested the concept of a delta CRL to Warwick, back during >the waning days of PEM, I had in mind a "CRL CD of the month club" >type of mechanism, whereby I could efficiently retrieve the large bulk of >CRLs and then download only the changes since that baseline. Since the >deltas would be cumulative since the baseline, the latest delta would >always be correct. I had in mind particularly the case where I am about >to jump on an airplane, and I want to do some kind of a "hit the road" >option with a minimum of fuss and bother. > >By comparison, if the relying party is required to download each and every >delta that might have been issued, then either there will be a lot of >bandwidth wasted loading the same information about some revoked >certificate over and over again, or else (if such information is sent only >once), the RP would be at risk of having missed one, and/or there would >be a significant synchronization problem. > >If some applications want to receive deltas at one second intervals, and >for my purposes I only care about once a week, I don't want to be compelled >to check or download any more data or any more often than is >necessary for my application, regardless of what some other application >might require. > >I also question the need to issue a new, complete CRL every time a delta >is issued. Although it may not matter if I am operating a local CA with its >own >repository, or if I am a public CA (same thing), it might matter a very great >deal if I am publishing all of my certs through some kind of a third party >repository - the cost could end up being prohibitive. > >Is there something I don't understand? If we have delta CRLs, why must >we also support full CRLs at the same frequency -- this seems to defeat the >basic purpose of having delta CRLs in the first place?? > >Bob > >>>> Russ Housley <housley@spyrus.com> 04/20/99 12:23PM >>> >Dave: > >I think that your proposed rewording is more clear. Two things are important: > > (1) The CA must issue a full CRL every time a delta is issued. > > (2) The relying party may use a delta and the assocuated base. > >Russ > > >At 06:03 PM 4/19/99 -0400, David P. Kemp wrote: >>Russ, >> >>Thanks for the background info. But do you agree that the sentence >>quoted below does not accurately describe the usage of delta CRLs >>(by either a server or an end user application), and should be >>removed from the next version of the PKIX profile? >> >>The input to a delta CRL processor is one base CRL and one delta CRL. >>There is no state involved in the process, and the CRLNumbers of >>delta CRLs processed before or after the current one are irrelevant. >> >>The sentence as written is no more security-helpful than, for example: >> >> "A CRL user constructing a locally held CRL from delta-CRLs MUST >> consider the constructed CRL incomplete and unusable if the >> delta-CRL is received on the third Thursday of the month." >> >> >>Dave K. >> >> >> >>> From: Russ Housley <housley@spyrus.com> >>> >>> Dave: >>> >>> I thought some background might help. When I was drafting the CRL section >>> for RFC 2459, I wanted to say "do not used delta-CRLs." I was convinced >>> that they have some value when a high-end server caches CRL information in >>> a local format for rapid access. In this environment, the delta-CRL is >>> used to update the server-friendly data structure without having to process >>> the entire CRL. Note that X.509 requires that a full CRL be generated >>> every time that a delta-CRL is generated. So, it seemed to be reasonable >>> that the server obtain the most recent full CRL when it has a few spare >>> cycles. This means that the delta-CRL information is only used for a brief >>> period until the server have resources to convert the most recent full CRL >>> into the server-friendly format. >>> >>> Russ >>> >>> >>> At 11:53 AM 4/19/99 -0400, David P. Kemp wrote: >>> > >>> >RFC 2459 section 5.2.4 contains the following requirement: >>> > >>> > "A CRL user constructing a locally held CRL from delta-CRLs MUST >>> > consider the constructed CRL incomplete and unusable if the CRLNumber >>> > of the received delta-CRL is more than one greater than the CRLnumber >>> > of the delta-CRL last processed." >> >> [remainder snipped] >> > Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id JAA09998 for ietf-pkix-bks; Wed, 21 Apr 1999 09:41:33 -0700 (PDT) Received: from nexus.webmatic.de (nexus.webmatic.de [195.206.76.2]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id JAA09992 for <ietf-pkix@imc.org>; Wed, 21 Apr 1999 09:41:24 -0700 (PDT) Received: from chappi.deh.de (chappi.deh.de [195.206.79.60]) by nexus.webmatic.de (Postfix) with ESMTP id 85B6B5B; Wed, 21 Apr 1999 18:42:12 +0200 (CEST) Received: from deh.de (juergen.deh.de [195.206.79.54]) by chappi.deh.de (8.9.0/8.9.0) with ESMTP id SAA01792; Wed, 21 Apr 1999 18:42:11 +0200 Message-ID: <371E000A.4F4BF422@deh.de> Date: Wed, 21 Apr 1999 18:42:50 +0200 From: Juergen Walter <walter@deh.de> Reply-To: walter@deh.de Organization: DEH information systems GmbH X-Mailer: Mozilla 4.51 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Bob Jueneman <BJUENEMAN@novell.com> Cc: dpkemp@missi.ncsc.mil, housley@spyrus.com, ietf-pkix@imc.org Subject: Re: Delta CRL processing References: <s71ccf48.071@prv-mail20.provo.novell.com> Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> I think that a delta crl along with its base crl is just a (temporal?) replacement of *a* CRL that is issued after the time when the base CRL is isssued. If it is a regularly scheduled CRL which is replaced then the CRLNumber ensures that no regularly scheduled CRL is missed by the relying application. There might be more sophisticated mechanisms (a detailed thisUpdate - nextUpdate analysis over a set of CRLs when appropriately implemented) nevertheless CRLNumber might be the best. Two examples. # short for CRLNumber in the following. (1) Cert A is pending at CRL #1. Delta-CRL #2 is issued according to the base CRL #1. Delta-CRL #2 indicates that Cert A is removedFromCRL i. e. Cert A is valid. Delta-CRL #3 does not contain any CRL entry corresponding to Cert A. A relying application that does only process Delta-CRL #3 (but not Delta-CRL #2) returns the result that Cert A is always pending. But Cert A is valid after Delta-CRL #2 is issued. (2) Cert B is valid at CRL #1. Delta-CRL #2 contains a CRL entry for Cert B. Cert B expires before Delta-CRL #3 is issued. Delta-CRL #3 may not contain any CRL entry for Cert B. A relying application that does process only Delta-CRL #3 (but not Delta-CRL #2) returns the result that Cert B is valid before it expires. But Cert B was revoked prior to expiration. Therefore the corresponding RFC 2459 paragraph 'A CRL user constructing a locally held CRL from delta-CRLs MUST consider the constructed CRL incomplete and unusable if the CRLNumber of the received delta-CRL is more than one greater than the CRLnumber of the delta-CRL last processed.' should remain unchanged. Clients that are not suitable for CRL downloading may use OCSP including cashing. Another solution might be the use of CMP´s revocation announcement (RFC 2510). Note, initially the intended usage of CMP´s revocation announcement was different. Therefore you can not expect any security measure that ensures that the client does not miss a particular revocation announcement at protocol level. Last but not least, Bob mentioned a new style delta-crl. I would like to add new notation to Bob´s posting. An interesting question is the following. Do we need an epsilon-crl i. e. a crl containing only changes between the previously issued epsilon-crl and the current certificate status information? Should be epsilon-crls regularly scheduled? Could a crl issuer leave the crl generation at each time when an epsilon-crl is issued? Is there a need for such an epsilon-crl? I tend to say yes. I have chosen the term epsilon-crl to make it clear that a current delta-crl MUST NOT generated in the above specified way. Juergen Bob Jueneman wrote: > > Russ, > > Let me poke at this for a moment. > > Does this make it crystal clear that relying party software is not required to > to obtain each and every CRL that is issued, nor every delta that might have > been issued since the last time the base was updated? > > When I first suggested the concept of a delta CRL to Warwick, back during > the waning days of PEM, I had in mind a "CRL CD of the month club" > type of mechanism, whereby I could efficiently retrieve the large bulk of > CRLs and then download only the changes since that baseline. Since the > deltas would be cumulative since the baseline, the latest delta would > always be correct. I had in mind particularly the case where I am about > to jump on an airplane, and I want to do some kind of a "hit the road" > option with a minimum of fuss and bother. > > By comparison, if the relying party is required to download each and every > delta that might have been issued, then either there will be a lot of > bandwidth wasted loading the same information about some revoked > certificate over and over again, or else (if such information is sent only > once), the RP would be at risk of having missed one, and/or there would > be a significant synchronization problem. > > If some applications want to receive deltas at one second intervals, and > for my purposes I only care about once a week, I don't want to be compelled > to check or download any more data or any more often than is > necessary for my application, regardless of what some other application > might require. > > I also question the need to issue a new, complete CRL every time a delta > is issued. Although it may not matter if I am operating a local CA with its own > repository, or if I am a public CA (same thing), it might matter a very great > deal if I am publishing all of my certs through some kind of a third party > repository - the cost could end up being prohibitive. > > Is there something I don't understand? If we have delta CRLs, why must > we also support full CRLs at the same frequency -- this seems to defeat the > basic purpose of having delta CRLs in the first place?? > > Bob > > >>> Russ Housley <housley@spyrus.com> 04/20/99 12:23PM >>> > Dave: > > I think that your proposed rewording is more clear. Two things are important: > > (1) The CA must issue a full CRL every time a delta is issued. > > (2) The relying party may use a delta and the assocuated base. > > Russ > > At 06:03 PM 4/19/99 -0400, David P. Kemp wrote: > >Russ, > > > >Thanks for the background info. But do you agree that the sentence > >quoted below does not accurately describe the usage of delta CRLs > >(by either a server or an end user application), and should be > >removed from the next version of the PKIX profile? > > > >The input to a delta CRL processor is one base CRL and one delta CRL. > >There is no state involved in the process, and the CRLNumbers of > >delta CRLs processed before or after the current one are irrelevant. > > > >The sentence as written is no more security-helpful than, for example: > > > > "A CRL user constructing a locally held CRL from delta-CRLs MUST > > consider the constructed CRL incomplete and unusable if the > > delta-CRL is received on the third Thursday of the month." > > > > > >Dave K. > > > > > > > >> From: Russ Housley <housley@spyrus.com> > >> > >> Dave: > >> > >> I thought some background might help. When I was drafting the CRL section > >> for RFC 2459, I wanted to say "do not used delta-CRLs." I was convinced > >> that they have some value when a high-end server caches CRL information in > >> a local format for rapid access. In this environment, the delta-CRL is > >> used to update the server-friendly data structure without having to process > >> the entire CRL. Note that X.509 requires that a full CRL be generated > >> every time that a delta-CRL is generated. So, it seemed to be reasonable > >> that the server obtain the most recent full CRL when it has a few spare > >> cycles. This means that the delta-CRL information is only used for a brief > >> period until the server have resources to convert the most recent full CRL > >> into the server-friendly format. > >> > >> Russ > >> > >> > >> At 11:53 AM 4/19/99 -0400, David P. Kemp wrote: > >> > > >> >RFC 2459 section 5.2.4 contains the following requirement: > >> > > >> > "A CRL user constructing a locally held CRL from delta-CRLs MUST > >> > consider the constructed CRL incomplete and unusable if the CRLNumber > >> > of the received delta-CRL is more than one greater than the CRLnumber > >> > of the delta-CRL last processed." > > > > [remainder snipped] > > Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id SAA19890 for ietf-pkix-bks; Tue, 20 Apr 1999 18:02:19 -0700 (PDT) Received: from prv-mail20.provo.novell.com (prv-mail20.Provo.Novell.COM [137.65.40.4]) by mail.proper.com (8.8.8/8.8.5) with SMTP id SAA19886 for <ietf-pkix@imc.org>; Tue, 20 Apr 1999 18:02:17 -0700 (PDT) Received: from INET-PRV-Message_Server by prv-mail20.provo.novell.com with Novell_GroupWise; Tue, 20 Apr 1999 19:02:32 -0600 Message-Id: <s71ccf48.071@prv-mail20.provo.novell.com> X-Mailer: Novell GroupWise 5.5 Date: Tue, 20 Apr 1999 19:02:27 -0600 From: "Bob Jueneman" <BJUENEMAN@novell.com> To: <dpkemp@missi.ncsc.mil>, <housley@spyrus.com> Cc: <ietf-pkix@imc.org> Subject: Re: Delta CRL processing Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id SAA19887 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Russ, Let me poke at this for a moment. Does this make it crystal clear that relying party software is not required to to obtain each and every CRL that is issued, nor every delta that might have been issued since the last time the base was updated? When I first suggested the concept of a delta CRL to Warwick, back during the waning days of PEM, I had in mind a "CRL CD of the month club" type of mechanism, whereby I could efficiently retrieve the large bulk of CRLs and then download only the changes since that baseline. Since the deltas would be cumulative since the baseline, the latest delta would always be correct. I had in mind particularly the case where I am about to jump on an airplane, and I want to do some kind of a "hit the road" option with a minimum of fuss and bother. By comparison, if the relying party is required to download each and every delta that might have been issued, then either there will be a lot of bandwidth wasted loading the same information about some revoked certificate over and over again, or else (if such information is sent only once), the RP would be at risk of having missed one, and/or there would be a significant synchronization problem. If some applications want to receive deltas at one second intervals, and for my purposes I only care about once a week, I don't want to be compelled to check or download any more data or any more often than is necessary for my application, regardless of what some other application might require. I also question the need to issue a new, complete CRL every time a delta is issued. Although it may not matter if I am operating a local CA with its own repository, or if I am a public CA (same thing), it might matter a very great deal if I am publishing all of my certs through some kind of a third party repository - the cost could end up being prohibitive. Is there something I don't understand? If we have delta CRLs, why must we also support full CRLs at the same frequency -- this seems to defeat the basic purpose of having delta CRLs in the first place?? Bob >>> Russ Housley <housley@spyrus.com> 04/20/99 12:23PM >>> Dave: I think that your proposed rewording is more clear. Two things are important: (1) The CA must issue a full CRL every time a delta is issued. (2) The relying party may use a delta and the assocuated base. Russ At 06:03 PM 4/19/99 -0400, David P. Kemp wrote: >Russ, > >Thanks for the background info. But do you agree that the sentence >quoted below does not accurately describe the usage of delta CRLs >(by either a server or an end user application), and should be >removed from the next version of the PKIX profile? > >The input to a delta CRL processor is one base CRL and one delta CRL. >There is no state involved in the process, and the CRLNumbers of >delta CRLs processed before or after the current one are irrelevant. > >The sentence as written is no more security-helpful than, for example: > > "A CRL user constructing a locally held CRL from delta-CRLs MUST > consider the constructed CRL incomplete and unusable if the > delta-CRL is received on the third Thursday of the month." > > >Dave K. > > > >> From: Russ Housley <housley@spyrus.com> >> >> Dave: >> >> I thought some background might help. When I was drafting the CRL section >> for RFC 2459, I wanted to say "do not used delta-CRLs." I was convinced >> that they have some value when a high-end server caches CRL information in >> a local format for rapid access. In this environment, the delta-CRL is >> used to update the server-friendly data structure without having to process >> the entire CRL. Note that X.509 requires that a full CRL be generated >> every time that a delta-CRL is generated. So, it seemed to be reasonable >> that the server obtain the most recent full CRL when it has a few spare >> cycles. This means that the delta-CRL information is only used for a brief >> period until the server have resources to convert the most recent full CRL >> into the server-friendly format. >> >> Russ >> >> >> At 11:53 AM 4/19/99 -0400, David P. Kemp wrote: >> > >> >RFC 2459 section 5.2.4 contains the following requirement: >> > >> > "A CRL user constructing a locally held CRL from delta-CRLs MUST >> > consider the constructed CRL incomplete and unusable if the CRLNumber >> > of the received delta-CRL is more than one greater than the CRLnumber >> > of the delta-CRL last processed." > > [remainder snipped] > Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id RAA18693 for ietf-pkix-bks; Tue, 20 Apr 1999 17:32:04 -0700 (PDT) Received: from dsg1.OpenDirectory.com.au ([203.108.249.145]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id RAA18689 for <ietf-pkix@imc.org>; Tue, 20 Apr 1999 17:32:01 -0700 (PDT) Received: by DSG1 with Internet Mail Service (5.0.1458.49) id <JF42TZT3>; Wed, 21 Apr 1999 10:32:49 +1000 Message-ID: <D1A949D4508DD1119C8100400533BEDC0BE987@DSG1> From: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au> To: "'Stephen Kent'" <kent@po1.bbn.com> Cc: ietf-pkix@imc.org, list@seis.nc-forum.com Subject: RE: SEIS: Re: Certificates, Directories, and Distinguished Names Date: Wed, 21 Apr 1999 10:32:49 +1000 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> I wont continue this simply because of the context shifting in the responses - Sad examples below. > -----Original Message----- > From: Stephen Kent > Sent: Wednesday, April 14, 1999 11:29 PM > To: Alan Lloyd > Cc: ietf-pkix@imc.org; list@seis.nc-forum.com > Subject: SEIS: Re: Certificates, Directories, and Distinguished > Names > > --- Message on the SEIS mailing list (list@seis.nc-forum.com) > > Alan, > > >Stephen - in all your words you never seem to come to grips with the > >fact that X.509 is not ambigious in so far that it permits systems to > be > >built without certificate extensions - and for those build such > systems > >to determine by local means or imply what is a EE or a CA cert and > what > >use that cert has (eg for message verification or cert > verification).. > >X.509 - was written some years ago and it correctly (a a standard > >should) provided a transition path to the use of cert extensions. > > Vome on Alan, we're talking about changes only with regard to X.509 > v3. > Groan --- Which happens to be specified in X.509. - the standard, > >RFC 2459 came along some time later as a profile and just the fact > that > >people are discussing the issue in 2459 and it is unclear - means > there > >is a problem - in the Profile. > > 2459 did not come along much later than the adoption of X.509 v3. And, > no, > there is not a profile problem, as too many previous messages have > show in > detail. > I was referring to the standard (X.509) was written earlier than the profiles .. thats a fact of life and common knowledge. To respond to my point with pointless statement that tries to show me wrong me by changing context eg... " 2459 did not come along much later than the adoption of X.509 v3" note the word "adoption" has been added to prove me wrong...... If this is the approach to logical debate - that is also used to debate technology issues , then one can see why these lists have difficulty. regards as always. alan > <text not contributing to resolution of the issue deleted ...> > > Steve > > > ----------------- SEIS mailing list (list@seis.nc-forum.com) > Info about this list: http://www.nc-forum.com/seis > SEIS Contact: info@seis.se Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id RAA17944 for ietf-pkix-bks; Tue, 20 Apr 1999 17:07:07 -0700 (PDT) Received: from dsg1.OpenDirectory.com.au ([203.108.249.145]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id RAA17939 for <ietf-pkix@imc.org>; Tue, 20 Apr 1999 17:07:00 -0700 (PDT) Received: by DSG1 with Internet Mail Service (5.0.1458.49) id <JF42TZTK>; Wed, 21 Apr 1999 10:07:41 +1000 Message-ID: <D1A949D4508DD1119C8100400533BEDC0BE986@DSG1> From: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au> To: "'Russ Housley'" <housley@spyrus.com>, Moshe Litvin <moshe@cale.checkpoint.com> Cc: ietf-pkix@imc.org Subject: RE: CA vs. EE cert processing Date: Wed, 21 Apr 1999 10:07:39 +1000 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> No problems with 2459 - time will tell - any chance of getting OCSP key identification compatable with it? 2459 requires Issuer Name, Auth Key Id and cert SN for identification - magic... OCSP wants cert Ids hashed according to some chosen algorithm the cert SN and optionally Issuer name (service locator extension) and no Auth Key Id... ie does OCSP validate according to 2459 MUSTS? regards alan. > -----Original Message----- > From: Russ Housley > Sent: Tuesday, April 20, 1999 2:21 AM > To: Moshe Litvin > Cc: ietf-pkix@imc.org > Subject: Re: CA vs. EE cert processing > > Moshe: > > I will say is again. There is not a problem with RFC 2459. If an > implementor wishes to support more than one profile, then that > implementor > must resolve any ambiguities that result. > > As far as I am concerned, this issue has been thrashed to death, and > we > should bring this thread to an end. > > Russ > > > At 12:17 PM 4/18/99 +0300, Moshe Litvin wrote: > >Russ, > > > >Russ Housley wrote: > > > >> I have kept quiet on this thread. I cannot hold it in any longer. > >> > >> RFC 2459 has no ambiguity in this area. If basicConstraints is > present, > >> then the cA boolean tells whether the certificate belongs to a CA > or an EE. > >> If basicConstraints is absent, then the certificate belongs to an > EE. > >Period. > > > >The term "ambiguity" is not the exact term. The problem is not > ambiguity but > >relying on out of band data. RFC 2459 is very clear as long as you > know by > >out of > >band data that the certificate was issued by RFC 2459 compliant CA. > > > >> > >> > >> If an implementor wishes to support other profiles in addition to > RFC 2459, > >> then the logic may be more complex. Fine. This was a market > choice made > >> by the implementor. > >> > >> I do not think that RFC 2459 should be altered to make support for > multiple > >> profiles easier. > > > >Why? do you think that whole world would choose adopt RFC 2459 and > all the > >other > >profiles (including the base X.509) will become obsolete? > > > >Why would you force software designers to choose between two > contradicting > >profiles > >of the same standard when you can easily allow them to support both? > > > >What is the compelling reason to prevent interpretability in that > way? > > > >Moshe > > Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id LAA05123 for ietf-pkix-bks; Tue, 20 Apr 1999 11:23:06 -0700 (PDT) Received: from spyrus.com (mail.spyrus.com [207.212.34.30]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id LAA05119 for <ietf-pkix@imc.org>; Tue, 20 Apr 1999 11:23:05 -0700 (PDT) Received: from rhousley_laptop.spyrus.com ([209.172.119.101]) by spyrus.com (8.7.6/8.7.3/arc) with SMTP id LAA24510; Tue, 20 Apr 1999 11:22:36 -0700 (PDT) Message-Id: <4.1.19990420142103.00a711a0@mail.spyrus.com> X-Sender: rhousley@mail.spyrus.com (Unverified) X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1 Date: Tue, 20 Apr 1999 14:23:11 -0400 To: "David P. Kemp" <dpkemp@missi.ncsc.mil> From: Russ Housley <housley@spyrus.com> Subject: Re: Delta CRL processing Cc: ietf-pkix@imc.org In-Reply-To: <199904192203.SAA07274@ara.missi.ncsc.mil> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Dave: I think that your proposed rewording is more clear. Two things are important: (1) The CA must issue a full CRL every time a delta is issued. (2) The relying party may use a delta and the assocuated base. Russ At 06:03 PM 4/19/99 -0400, David P. Kemp wrote: >Russ, > >Thanks for the background info. But do you agree that the sentence >quoted below does not accurately describe the usage of delta CRLs >(by either a server or an end user application), and should be >removed from the next version of the PKIX profile? > >The input to a delta CRL processor is one base CRL and one delta CRL. >There is no state involved in the process, and the CRLNumbers of >delta CRLs processed before or after the current one are irrelevant. > >The sentence as written is no more security-helpful than, for example: > > "A CRL user constructing a locally held CRL from delta-CRLs MUST > consider the constructed CRL incomplete and unusable if the > delta-CRL is received on the third Thursday of the month." > > >Dave K. > > > >> From: Russ Housley <housley@spyrus.com> >> >> Dave: >> >> I thought some background might help. When I was drafting the CRL section >> for RFC 2459, I wanted to say "do not used delta-CRLs." I was convinced >> that they have some value when a high-end server caches CRL information in >> a local format for rapid access. In this environment, the delta-CRL is >> used to update the server-friendly data structure without having to process >> the entire CRL. Note that X.509 requires that a full CRL be generated >> every time that a delta-CRL is generated. So, it seemed to be reasonable >> that the server obtain the most recent full CRL when it has a few spare >> cycles. This means that the delta-CRL information is only used for a brief >> period until the server have resources to convert the most recent full CRL >> into the server-friendly format. >> >> Russ >> >> >> At 11:53 AM 4/19/99 -0400, David P. Kemp wrote: >> > >> >RFC 2459 section 5.2.4 contains the following requirement: >> > >> > "A CRL user constructing a locally held CRL from delta-CRLs MUST >> > consider the constructed CRL incomplete and unusable if the CRLNumber >> > of the received delta-CRL is more than one greater than the CRLnumber >> > of the delta-CRL last processed." > > [remainder snipped] > Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id KAA03784 for ietf-pkix-bks; Tue, 20 Apr 1999 10:54:48 -0700 (PDT) Received: from ns1.dmz.valicert.com (ns1.valicert.com [209.185.6.11]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id KAA03779 for <ietf-pkix@imc.org>; Tue, 20 Apr 1999 10:54:46 -0700 (PDT) Received: from ns1.serverfarm.valicert.com (corporate-gw.valicert.com [209.185.6.5]) by ns1.dmz.valicert.com (8.9.2/8.9.2) with ESMTP id KAA24236; Tue, 20 Apr 1999 10:54:52 -0700 (PDT) Received: from peternt (static-3-26.engineering.valicert.com [192.168.3.26] (may be forged)) by ns1.serverfarm.valicert.com (8.9.2/8.9.2) with SMTP id KAA15136; Tue, 20 Apr 1999 10:54:58 -0700 (PDT) Message-ID: <00bd01be8b46$eaae84f0$1a03a8c0@peternt.valicert.com> From: "Peter Williams" <peterw@valicert.com> To: "Stephen Kent" <kent@po1.bbn.com> Cc: <ietf-pkix@imc.org> Subject: Re: New proposed solution to the QC biometric issue Date: Tue, 20 Apr 1999 11:00:30 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Specifying an "Optional" QC-extension-based URI name/locator to subject's bio-template data is fine. Peter. -----Original Message----- From: Stephen Kent <kent@po1.bbn.com> To: Peter Williams <peterw@valicert.com> Cc: ietf-pkix@imc.org <ietf-pkix@imc.org> Date: Monday, April 19, 1999 9:52 PM Subject: Re: New proposed solution to the QC biometric issue Peter, >I fail to see how one can rationalize the need of putting a CRL iDP (with >http reference) into a cert, but one cannot point to user information >in similar form, on similar grounds. And similarly for the PKIX >CPS-reference - where additional CA-related information is >bound to the certificate via a PKIX-standarized https reference. I disagree with the analogy. The examples you cite involve pointers to information that in intrinsic to the management of a PKI, and we have reasonably well-described architectures that calls for inclusion of these values in certs. the biometric data is anciliary, employed for user authentication, not certificate validation, and we have no corresponding architecture for use of the biometric data. I might be persuaded to provide an OPTIONAL pointer field if more evidence accumulates in favor of such, but it is not in the same category as the other pointers you cite. >If one were to accept the argument presented, then PKIX >should require SSL and S/MIME protocols to convey iDP >addressing signals, and ban CRL locating information from PKIX certs. see comments above. >Similarly, the CPS http reference put into 2459 by one of the WG >chairs should be presumably immediately banned - as bad practice. If >its technically inappropriate to convey legalistic user references, it is >technically >inappropriate to convey rather similar authority references which further > (legally) describe that PKI party! see comments above. >There is another side to this story, however. Based on the language >and intent of PKIX 2459, those deploying Internet CAs already >have all the freedom they need to do as some on the list are describing :- > >- One can note that PKIX users may already name themselves using a >URI name-form - and in a manner wholly consistent with RFC 2459. > >- Should they name themselves with an https URI which happens to point >to their biometric profile, then I can only conclude that 2459 already >allows >what is being argued here in policy-regimes which establish their own >operating rules - as contemplated and facilitiated by PKIX 2459. > >- The URI name form plus the QC hash value can seeming >work together fine to accomplish what some people on the mailing list want. > >- Those relying parties who respect a policy id which binds the URI name and >hash fields at cert-processing time can now implement the desired >application >of PKIX certs. They can even now use certs to signal >specific biometric template data - as incorporated via a hash-based secure >URI reference - into their policy-based cert issuing and handling >procedures. Very creative Peter, and syntactically valid, but I think it violates the semantics of the subjectAltName field. 2459 says "The subject alternative names extension allows additional identities to be bound to the subject of the certificate." The URI you propose including is not the identity of the subject; but is a blob of bits used to help authenticate the subject's identity. Steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id TAA18433 for ietf-pkix-bks; Mon, 19 Apr 1999 19:52:14 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id TAA18423 for <ietf-pkix@imc.org>; Mon, 19 Apr 1999 19:52:12 -0700 (PDT) Received: from [128.33.238.78] (TC078.BBN.COM [128.33.238.78]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id WAA19622; Mon, 19 Apr 1999 22:53:00 -0400 (EDT) Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="============_-1287545686==_ma============" X-Sender: kent@po1.bbn.com (Unverified) Message-Id: <v04020a01b340f9c66941@[128.33.238.214]> In-Reply-To: <002601be8861$5fbb2ca0$1a03a8c0@peternt.valicert.com> Date: Mon, 19 Apr 1999 13:37:07 -0400 To: "Peter Williams" <peterw@valicert.com> From: Stephen Kent <kent@po1.bbn.com> Subject: Re: New proposed solution to the QC biometric issue Cc: <ietf-pkix@imc.org> Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> --============_-1287545686==_ma============ Content-Type: text/plain; charset="us-ascii" Peter, >I fail to see how one can rationalize the need of putting a CRL iDP (with >http reference) into a cert, but one cannot point to user information >in similar form, on similar grounds. And similarly for the PKIX >CPS-reference - where additional CA-related information is >bound to the certificate via a PKIX-standarized https reference. I disagree with the analogy. The examples you cite involve pointers to information that in intrinsic to the management of a PKI, and we have reasonably well-described architectures that calls for inclusion of these values in certs. the biometric data is anciliary, employed for user authentication, not certificate validation, and we have no corresponding architecture for use of the biometric data. I might be persuaded to provide an OPTIONAL pointer field if more evidence accumulates in favor of such, but it is not in the same category as the other pointers you cite. >If one were to accept the argument presented, then PKIX >should require SSL and S/MIME protocols to convey iDP >addressing signals, and ban CRL locating information from PKIX certs. see comments above. >Similarly, the CPS http reference put into 2459 by one of the WG >chairs should be presumably immediately banned - as bad practice. If >its technically inappropriate to convey legalistic user references, it is >technically >inappropriate to convey rather similar authority references which further > (legally) describe that PKI party! see comments above. >There is another side to this story, however. Based on the language >and intent of PKIX 2459, those deploying Internet CAs already >have all the freedom they need to do as some on the list are describing :- > >- One can note that PKIX users may already name themselves using a >URI name-form - and in a manner wholly consistent with RFC 2459. > >- Should they name themselves with an https URI which happens to point >to their biometric profile, then I can only conclude that 2459 already >allows >what is being argued here in policy-regimes which establish their own >operating rules - as contemplated and facilitiated by PKIX 2459. > >- The URI name form plus the QC hash value can seeming >work together fine to accomplish what some people on the mailing list want. > >- Those relying parties who respect a policy id which binds the URI name and >hash fields at cert-processing time can now implement the desired >application >of PKIX certs. They can even now use certs to signal >specific biometric template data - as incorporated via a hash-based secure >URI reference - into their policy-based cert issuing and handling >procedures. Very creative Peter, and syntactically valid, but I think it violates the semantics of the subjectAltName field. 2459 says "The subject alternative names extension allows additional identities to be bound to the subject of the certificate." The URI you propose including is not the identity of the subject; but is a blob of bits used to help authenticate the subject's identity. Steve --============_-1287545686==_ma============ Content-Type: text/enriched; charset="us-ascii" Peter, >I fail to see how one can rationalize the need of putting a CRL iDP (with >http reference) into a cert, but one cannot point to user information >in similar form, on similar grounds. And similarly for the PKIX >CPS-reference - where additional CA-related information is >bound to the certificate via a PKIX-standarized https reference. I disagree with the analogy. The examples you cite involve pointers to information that in intrinsic to the management of a PKI, and we have reasonably well-described architectures that calls for inclusion of these values in certs. the biometric data is anciliary, employed for user authentication, not certificate validation, and we have no corresponding architecture for use of the biometric data. I might be persuaded to provide an OPTIONAL pointer field if more evidence accumulates in favor of such, but it is not in the same category as the other pointers you cite. >If one were to accept the argument presented, then PKIX >should require SSL and S/MIME protocols to convey iDP >addressing signals, and ban CRL locating information from PKIX certs. see comments above. >Similarly, the CPS http reference put into 2459 by one of the WG >chairs should be presumably immediately banned - as bad practice. If >its technically inappropriate to convey legalistic user references, it is >technically >inappropriate to convey rather similar authority references which further > (legally) describe that PKI party! see comments above. >There is another side to this story, however. Based on the language >and intent of PKIX 2459, those deploying Internet CAs already >have all the freedom they need to do as some on the list are describing :- > >- One can note that PKIX users may already name themselves using a >URI name-form - and in a manner wholly consistent with RFC 2459. > >- Should they name themselves with an https URI which happens to point >to their biometric profile, then I can only conclude that 2459 already >allows >what is being argued here in policy-regimes which establish their own >operating rules - as contemplated and facilitiated by PKIX 2459. > >- The URI name form plus the QC hash value can seeming >work together fine to accomplish what some people on the mailing list want. > >- Those relying parties who respect a policy id which binds the URI name and >hash fields at cert-processing time can now implement the desired >application >of PKIX certs. They can even now use certs to signal >specific biometric template data - as incorporated via a hash-based secure >URI reference - into their policy-based cert issuing and handling >procedures. Very creative Peter, and syntactically valid, but I think it violates the semantics of the subjectAltName field. 2459 says "The subject alternative names extension allows additional identities to be bound to the subject of the certificate<bigger><bigger>.<fontfamily><param>Times</param>" </fontfamily></bigger></bigger>The URI you propose including is not the identity of the subject; but is a blob of bits used to help authenticate the subject's identity. Steve --============_-1287545686==_ma============-- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id PAA06326 for ietf-pkix-bks; Mon, 19 Apr 1999 15:03:00 -0700 (PDT) Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id PAA06321 for <ietf-pkix@imc.org>; Mon, 19 Apr 1999 15:02:58 -0700 (PDT) Received: from stingray.missi.ncsc.mil (root@localhost) by stingray.missi.ncsc.mil with ESMTP id SAA27161 for <ietf-pkix@imc.org>; Mon, 19 Apr 1999 18:03:49 -0400 (EDT) Received: from missi.ncsc.mil (depot.missi.ncsc.mil [144.51.60.1]) by stingray.missi.ncsc.mil with ESMTP id SAA27154 for <ietf-pkix@imc.org>; Mon, 19 Apr 1999 18:03:49 -0400 (EDT) Received: from ara.missi.ncsc.mil (ara.missi.ncsc.mil [144.51.56.12]) by missi.ncsc.mil (8.8.8/8.8.8) with ESMTP id SAA02252 for <ietf-pkix@imc.org>; Mon, 19 Apr 1999 18:04:00 -0400 (EDT) Received: from ara.missi.ncsc.mil (ara.missi.ncsc.mil [144.51.56.12]) by ara.missi.ncsc.mil (8.9.1b+Sun/8.9.1) with SMTP id SAA07274 for <ietf-pkix@imc.org>; Mon, 19 Apr 1999 18:03:01 -0400 (EDT) Message-Id: <199904192203.SAA07274@ara.missi.ncsc.mil> Date: Mon, 19 Apr 1999 18:03:01 -0400 (EDT) From: "David P. Kemp" <dpkemp@missi.ncsc.mil> Reply-To: "David P. Kemp" <dpkemp@missi.ncsc.mil> Subject: Re: Delta CRL processing To: ietf-pkix@imc.org MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii Content-MD5: maFH09QS4KURqKQMHCpd2g== X-Mailer: dtmail 1.3.0 CDE Version 1.3 SunOS 5.7 sun4u sparc Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Russ, Thanks for the background info. But do you agree that the sentence quoted below does not accurately describe the usage of delta CRLs (by either a server or an end user application), and should be removed from the next version of the PKIX profile? The input to a delta CRL processor is one base CRL and one delta CRL. There is no state involved in the process, and the CRLNumbers of delta CRLs processed before or after the current one are irrelevant. The sentence as written is no more security-helpful than, for example: "A CRL user constructing a locally held CRL from delta-CRLs MUST consider the constructed CRL incomplete and unusable if the delta-CRL is received on the third Thursday of the month." Dave K. > From: Russ Housley <housley@spyrus.com> > > Dave: > > I thought some background might help. When I was drafting the CRL section > for RFC 2459, I wanted to say "do not used delta-CRLs." I was convinced > that they have some value when a high-end server caches CRL information in > a local format for rapid access. In this environment, the delta-CRL is > used to update the server-friendly data structure without having to process > the entire CRL. Note that X.509 requires that a full CRL be generated > every time that a delta-CRL is generated. So, it seemed to be reasonable > that the server obtain the most recent full CRL when it has a few spare > cycles. This means that the delta-CRL information is only used for a brief > period until the server have resources to convert the most recent full CRL > into the server-friendly format. > > Russ > > > At 11:53 AM 4/19/99 -0400, David P. Kemp wrote: > > > >RFC 2459 section 5.2.4 contains the following requirement: > > > > "A CRL user constructing a locally held CRL from delta-CRLs MUST > > consider the constructed CRL incomplete and unusable if the CRLNumber > > of the received delta-CRL is more than one greater than the CRLnumber > > of the delta-CRL last processed." [remainder snipped] Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id NAA03975 for ietf-pkix-bks; Mon, 19 Apr 1999 13:02:10 -0700 (PDT) Received: from spyrus.com (mail.spyrus.com [207.212.34.30]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id NAA03970 for <ietf-pkix@imc.org>; Mon, 19 Apr 1999 13:02:09 -0700 (PDT) Received: from rhousley_laptop.spyrus.com ([209.172.119.101]) by spyrus.com (8.7.6/8.7.3/arc) with SMTP id NAA03840; Mon, 19 Apr 1999 13:01:36 -0700 (PDT) Message-Id: <4.1.19990419153838.00a82100@mail.spyrus.com> X-Sender: rhousley@mail.spyrus.com X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1 Date: Mon, 19 Apr 1999 15:44:49 -0400 To: "David P. Kemp" <dpkemp@missi.ncsc.mil> From: Russ Housley <housley@spyrus.com> Subject: Re: Delta CRL processing Cc: ietf-pkix@imc.org In-Reply-To: <199904191553.LAA07064@ara.missi.ncsc.mil> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Dave: I thought some background might help. When I was drafting the CRL section for RFC 2459, I wanted to say "do not used delta-CRLs." I was convinced that they have some value when a high-end server caches CRL information in a local format for rapid access. In this environment, the delta-CRL is used to update the server-friendly data structure without having to process the entire CRL. Note that X.509 requires that a full CRL be generated every time that a delta-CRL is generated. So, it seemed to be reasonable that the server obtain the most recent full CRL when it has a few spare cycles. This means that the delta-CRL information is only used for a brief period until the server have resources to convert the most recent full CRL into the server-friendly format. Russ At 11:53 AM 4/19/99 -0400, David P. Kemp wrote: > >RFC 2459 section 5.2.4 contains the following requirement: > > "A CRL user constructing a locally held CRL from delta-CRLs MUST > consider the constructed CRL incomplete and unusable if the CRLNumber > of the received delta-CRL is more than one greater than the CRLnumber > of the delta-CRL last processed." > > >Aside from being poorly specified (what happens the first time a >delta-CRL is used and there isn't one that was last processed?), the >requirement adds no security value. But more importantly, it effectively >precludes the use of delta-CRLs to support near-realtime certificate >status checking. > >Consider the following scenario: > >1. A CA generates and posts to the distribution channel a full CRL every > 7 days. The thisUpdate field is set to time T, and the nextUpdate > field is set to time T + 7 days. > >2. The CA generates and posts to a (probably different) distribution > channel a delta CRL every 60 seconds. The BaseCRLNumber refers to > the most recent full CRL issued in step 1 at time T. (To conform > with another unnecessary RFC2459 requirement, the CA also "issues", > but does not necessarily post, a full CRL every 60 seconds, > incrementing CRLNumber each time. These would be considered > unscheduled updates, despite their being "issued" on a regular > schedule. :-) When I discussed the X.509 text with Hoyt a while > back, he pointed out the useful distinction between issuing and > distributing. If a tree falls in an empty forest, is there a sound? > If a CRL is issued but not distributed, does it exist? :-) > >* A relying application validates a certificate, fetches the applicable > base CRL for time T, and fetches the current delta CRL, say for time > T + 13 hours 37 min. A couple of hours later, it validates another > cert, fetching the delta CRL for time T + 15 hours 45 min. Since > the base CRL is still valid, it doesn't need to be fetched again, > saving the bandwidth of a year's worth of revocations. > >In this scenario, the relying application gets revocation information >as fresh as its policy requires (24 hours, 4 hours, 15 min, or 1 min), >yet it only incurs the transmission cost of fetching full CRLs every 7 >days. The delta CRLs only contain up to a week's worth of revocations, >so they don't add much overhead to the validation process. They could >either be fetched by the verifier(s) when needed, or fetched by the signer >and passed to the verifier(s) along with the signed info. > >This scenario is, as far as I can tell, secure. Yet it violates the >1-up rule cited above. > >If the 1-up rule serves no security-enhancing purpose, can it be >scrapped when the PKIX profile goes to Draft? If the rule does enhance >security, can someone describe the hole in this scenario? > > Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id KAA29954 for ietf-pkix-bks; Mon, 19 Apr 1999 10:01:34 -0700 (PDT) Received: from cale.checkpoint.com (ns.checkpoint.com [199.203.73.197]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id KAA29936 for <ietf-pkix@imc.org>; Mon, 19 Apr 1999 10:01:28 -0700 (PDT) Received: from cale.checkpoint.com (gray.checkpoint.com [199.203.71.94]) by cale.checkpoint.com (8.9.1/8.9.1) with ESMTP id UAA29631; Mon, 19 Apr 1999 20:04:52 +0300 (IDT) Message-ID: <371B6170.897FC370@cale.checkpoint.com> Date: Mon, 19 Apr 1999 20:01:36 +0300 From: Moshe Litvin <moshe@cale.checkpoint.com> X-Mailer: Mozilla 4.51 [en] (WinNT; I) X-Accept-Language: en MIME-Version: 1.0 To: Russ Housley <housley@spyrus.com> CC: ietf-pkix@imc.org Subject: Re: CA vs. EE cert processing References: <D1A949D4508DD1119C8100400533BEDC0E2B5C@DSG1> <4.1.19990415142347.00a4f620@mail.spyrus.com> <4.1.19990419121855.00a79b40@mail.spyrus.com> Content-Type: multipart/mixed; boundary="------------4630A6D85B3B4D489B3A02D7" Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This is a multi-part message in MIME format. --------------4630A6D85B3B4D489B3A02D7 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Russ Housley wrote: > Moshe: > > I will say is again. There is not a problem with RFC 2459. What I tell you three times is true. > If an > implementor wishes to support more than one profile, then that implementor > must resolve any ambiguities that result. > > As far as I am concerned, this issue has been thrashed to death, and we > should bring this thread to an end. > > Russ > > At 12:17 PM 4/18/99 +0300, Moshe Litvin wrote: > >Russ, > > > >Russ Housley wrote: > > > >> I have kept quiet on this thread. I cannot hold it in any longer. > >> > >> RFC 2459 has no ambiguity in this area. If basicConstraints is present, > >> then the cA boolean tells whether the certificate belongs to a CA or an EE. > >> If basicConstraints is absent, then the certificate belongs to an EE. > >Period. > > > >The term "ambiguity" is not the exact term. The problem is not ambiguity but > >relying on out of band data. RFC 2459 is very clear as long as you know by > >out of > >band data that the certificate was issued by RFC 2459 compliant CA. > > > >> > >> > >> If an implementor wishes to support other profiles in addition to RFC 2459, > >> then the logic may be more complex. Fine. This was a market choice made > >> by the implementor. > >> > >> I do not think that RFC 2459 should be altered to make support for multiple > >> profiles easier. > > > >Why? do you think that whole world would choose adopt RFC 2459 and all the > >other > >profiles (including the base X.509) will become obsolete? > > > >Why would you force software designers to choose between two contradicting > >profiles > >of the same standard when you can easily allow them to support both? > > > >What is the compelling reason to prevent interpretability in that way? > > > >Moshe > > --------------4630A6D85B3B4D489B3A02D7 Content-Type: text/x-vcard; charset=us-ascii; name="moshe.vcf" Content-Transfer-Encoding: 7bit Content-Description: Card for Moshe Litvin Content-Disposition: attachment; filename="moshe.vcf" begin:vcard n:Litvin;Moshe tel;fax:+972 3 5759256 tel;work:+972 3 7534601 x-mozilla-html:TRUE org:Check Point Software Technologies Ltd. adr:;;;;;; version:2.1 email;internet:moshe@CheckPoint.com fn:Moshe Litvin end:vcard --------------4630A6D85B3B4D489B3A02D7-- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id JAA29747 for ietf-pkix-bks; Mon, 19 Apr 1999 09:38:53 -0700 (PDT) Received: from wuher.cygnacom.com (endor.cygnacom.com [205.177.169.102]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id JAA29742 for <ietf-pkix@imc.org>; Mon, 19 Apr 1999 09:38:52 -0700 (PDT) Received: by WUHER with Internet Mail Service (5.0.1458.49) id <JH59HCSZ>; Mon, 19 Apr 1999 12:32:54 -0400 Message-ID: <51BF55C30B4FD1118B4900207812701E3165FB@WUHER> From: Santosh Chokhani <chokhani@cygnacom.com> To: "'David P. Kemp'" <dpkemp@missi.ncsc.mil>, ietf-pkix@imc.org Subject: RE: Delta CRL processing Date: Mon, 19 Apr 1999 12:32:53 -0400 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Dave: You are correct. This wording seems to be wrong. The proper way to use a delta CRL is to apply it to an appropriate base CRL. A delta CRL need not be applied previous deltas since deltas are issued with respect to a base. > -----Original Message----- > From: David P. Kemp [SMTP:dpkemp@missi.ncsc.mil] > Sent: Monday, April 19, 1999 11:53 AM > To: ietf-pkix@imc.org > Subject: Delta CRL processing > > > RFC 2459 section 5.2.4 contains the following requirement: > > "A CRL user constructing a locally held CRL from delta-CRLs MUST > consider the constructed CRL incomplete and unusable if the > CRLNumber > of the received delta-CRL is more than one greater than the > CRLnumber > of the delta-CRL last processed." > > > Aside from being poorly specified (what happens the first time a > delta-CRL is used and there isn't one that was last processed?), the > requirement adds no security value. But more importantly, it > effectively > precludes the use of delta-CRLs to support near-realtime certificate > status checking. > > Consider the following scenario: > > 1. A CA generates and posts to the distribution channel a full CRL > every > 7 days. The thisUpdate field is set to time T, and the nextUpdate > field is set to time T + 7 days. > > 2. The CA generates and posts to a (probably different) distribution > channel a delta CRL every 60 seconds. The BaseCRLNumber refers to > the most recent full CRL issued in step 1 at time T. (To conform > with another unnecessary RFC2459 requirement, the CA also "issues", > but does not necessarily post, a full CRL every 60 seconds, > incrementing CRLNumber each time. These would be considered > unscheduled updates, despite their being "issued" on a regular > schedule. :-) When I discussed the X.509 text with Hoyt a while > back, he pointed out the useful distinction between issuing and > distributing. If a tree falls in an empty forest, is there a sound? > If a CRL is issued but not distributed, does it exist? :-) > > * A relying application validates a certificate, fetches the > applicable > base CRL for time T, and fetches the current delta CRL, say for time > T + 13 hours 37 min. A couple of hours later, it validates another > cert, fetching the delta CRL for time T + 15 hours 45 min. Since > the base CRL is still valid, it doesn't need to be fetched again, > saving the bandwidth of a year's worth of revocations. > > In this scenario, the relying application gets revocation information > as fresh as its policy requires (24 hours, 4 hours, 15 min, or 1 min), > yet it only incurs the transmission cost of fetching full CRLs every 7 > days. The delta CRLs only contain up to a week's worth of > revocations, > so they don't add much overhead to the validation process. They could > either be fetched by the verifier(s) when needed, or fetched by the > signer > and passed to the verifier(s) along with the signed info. > > This scenario is, as far as I can tell, secure. Yet it violates the > 1-up rule cited above. > > If the 1-up rule serves no security-enhancing purpose, can it be > scrapped when the PKIX profile goes to Draft? If the rule does > enhance > security, can someone describe the hole in this scenario? > Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id JAA29585 for ietf-pkix-bks; Mon, 19 Apr 1999 09:22:49 -0700 (PDT) Received: from spyrus.com (mail.spyrus.com [207.212.34.30]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id JAA29580 for <ietf-pkix@imc.org>; Mon, 19 Apr 1999 09:22:47 -0700 (PDT) Received: from rhousley_laptop.spyrus.com ([209.172.119.101]) by spyrus.com (8.7.6/8.7.3/arc) with SMTP id JAA27740; Mon, 19 Apr 1999 09:21:50 -0700 (PDT) Message-Id: <4.1.19990419121855.00a79b40@mail.spyrus.com> X-Sender: rhousley@mail.spyrus.com X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1 Date: Mon, 19 Apr 1999 12:20:51 -0400 To: Moshe Litvin <moshe@cale.checkpoint.com> From: Russ Housley <housley@spyrus.com> Subject: Re: CA vs. EE cert processing Cc: ietf-pkix@imc.org In-Reply-To: <3719A318.90D809C3@cale.checkpoint.com> References: <D1A949D4508DD1119C8100400533BEDC0E2B5C@DSG1> <4.1.19990415142347.00a4f620@mail.spyrus.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Moshe: I will say is again. There is not a problem with RFC 2459. If an implementor wishes to support more than one profile, then that implementor must resolve any ambiguities that result. As far as I am concerned, this issue has been thrashed to death, and we should bring this thread to an end. Russ At 12:17 PM 4/18/99 +0300, Moshe Litvin wrote: >Russ, > >Russ Housley wrote: > >> I have kept quiet on this thread. I cannot hold it in any longer. >> >> RFC 2459 has no ambiguity in this area. If basicConstraints is present, >> then the cA boolean tells whether the certificate belongs to a CA or an EE. >> If basicConstraints is absent, then the certificate belongs to an EE. >Period. > >The term "ambiguity" is not the exact term. The problem is not ambiguity but >relying on out of band data. RFC 2459 is very clear as long as you know by >out of >band data that the certificate was issued by RFC 2459 compliant CA. > >> >> >> If an implementor wishes to support other profiles in addition to RFC 2459, >> then the logic may be more complex. Fine. This was a market choice made >> by the implementor. >> >> I do not think that RFC 2459 should be altered to make support for multiple >> profiles easier. > >Why? do you think that whole world would choose adopt RFC 2459 and all the >other >profiles (including the base X.509) will become obsolete? > >Why would you force software designers to choose between two contradicting >profiles >of the same standard when you can easily allow them to support both? > >What is the compelling reason to prevent interpretability in that way? > >Moshe > Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id IAA28743 for ietf-pkix-bks; Mon, 19 Apr 1999 08:53:10 -0700 (PDT) Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id IAA28738 for <ietf-pkix@imc.org>; Mon, 19 Apr 1999 08:53:09 -0700 (PDT) Received: from stingray.missi.ncsc.mil (root@localhost) by stingray.missi.ncsc.mil with ESMTP id LAA26627 for <ietf-pkix@imc.org>; Mon, 19 Apr 1999 11:53:55 -0400 (EDT) Received: from missi.ncsc.mil (depot.missi.ncsc.mil [144.51.60.1]) by stingray.missi.ncsc.mil with ESMTP id LAA26622 for <ietf-pkix@imc.org>; Mon, 19 Apr 1999 11:53:54 -0400 (EDT) Received: from ara.missi.ncsc.mil (ara.missi.ncsc.mil [144.51.56.12]) by missi.ncsc.mil (8.8.8/8.8.8) with ESMTP id LAA18054 for <ietf-pkix@imc.org>; Mon, 19 Apr 1999 11:52:24 -0400 (EDT) Received: from ara.missi.ncsc.mil (ara.missi.ncsc.mil [144.51.56.12]) by ara.missi.ncsc.mil (8.9.1b+Sun/8.9.1) with SMTP id LAA07064 for <ietf-pkix@imc.org>; Mon, 19 Apr 1999 11:53:07 -0400 (EDT) Message-Id: <199904191553.LAA07064@ara.missi.ncsc.mil> Date: Mon, 19 Apr 1999 11:53:07 -0400 (EDT) From: "David P. Kemp" <dpkemp@missi.ncsc.mil> Reply-To: "David P. Kemp" <dpkemp@missi.ncsc.mil> Subject: Delta CRL processing To: ietf-pkix@imc.org MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii Content-MD5: +EkuJDM1RuT0JCeob+fTFw== X-Mailer: dtmail 1.3.0 CDE Version 1.3 SunOS 5.7 sun4u sparc Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> RFC 2459 section 5.2.4 contains the following requirement: "A CRL user constructing a locally held CRL from delta-CRLs MUST consider the constructed CRL incomplete and unusable if the CRLNumber of the received delta-CRL is more than one greater than the CRLnumber of the delta-CRL last processed." Aside from being poorly specified (what happens the first time a delta-CRL is used and there isn't one that was last processed?), the requirement adds no security value. But more importantly, it effectively precludes the use of delta-CRLs to support near-realtime certificate status checking. Consider the following scenario: 1. A CA generates and posts to the distribution channel a full CRL every 7 days. The thisUpdate field is set to time T, and the nextUpdate field is set to time T + 7 days. 2. The CA generates and posts to a (probably different) distribution channel a delta CRL every 60 seconds. The BaseCRLNumber refers to the most recent full CRL issued in step 1 at time T. (To conform with another unnecessary RFC2459 requirement, the CA also "issues", but does not necessarily post, a full CRL every 60 seconds, incrementing CRLNumber each time. These would be considered unscheduled updates, despite their being "issued" on a regular schedule. :-) When I discussed the X.509 text with Hoyt a while back, he pointed out the useful distinction between issuing and distributing. If a tree falls in an empty forest, is there a sound? If a CRL is issued but not distributed, does it exist? :-) * A relying application validates a certificate, fetches the applicable base CRL for time T, and fetches the current delta CRL, say for time T + 13 hours 37 min. A couple of hours later, it validates another cert, fetching the delta CRL for time T + 15 hours 45 min. Since the base CRL is still valid, it doesn't need to be fetched again, saving the bandwidth of a year's worth of revocations. In this scenario, the relying application gets revocation information as fresh as its policy requires (24 hours, 4 hours, 15 min, or 1 min), yet it only incurs the transmission cost of fetching full CRLs every 7 days. The delta CRLs only contain up to a week's worth of revocations, so they don't add much overhead to the validation process. They could either be fetched by the verifier(s) when needed, or fetched by the signer and passed to the verifier(s) along with the signed info. This scenario is, as far as I can tell, secure. Yet it violates the 1-up rule cited above. If the 1-up rule serves no security-enhancing purpose, can it be scrapped when the PKIX profile goes to Draft? If the rule does enhance security, can someone describe the hole in this scenario? Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id CAA22475 for ietf-pkix-bks; Sun, 18 Apr 1999 02:17:50 -0700 (PDT) Received: from natasha1. (natasha-gw.checkpoint.com [199.203.73.129]) by mail.proper.com (8.8.8/8.8.5) with SMTP id CAA22457 for <ietf-pkix@imc.org>; Sun, 18 Apr 1999 02:17:43 -0700 (PDT) Received: from cale.checkpoint.com (gray.checkpoint.com [199.203.71.94]) by cale.checkpoint.com (8.9.1/8.9.1) with ESMTP id MAA12694; Sun, 18 Apr 1999 12:20:29 +0300 (IDT) Message-ID: <3719A318.90D809C3@cale.checkpoint.com> Date: Sun, 18 Apr 1999 12:17:12 +0300 From: Moshe Litvin <moshe@cale.checkpoint.com> X-Mailer: Mozilla 4.51 [en] (WinNT; I) X-Accept-Language: en MIME-Version: 1.0 To: Russ Housley <housley@spyrus.com>, ietf-pkix@imc.org Subject: Re: CA vs. EE cert processing References: <D1A949D4508DD1119C8100400533BEDC0E2B5C@DSG1> <4.1.19990415142347.00a4f620@mail.spyrus.com> Content-Type: multipart/mixed; boundary="------------AABD03B275790212FE65E1E5" Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This is a multi-part message in MIME format. --------------AABD03B275790212FE65E1E5 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Russ, Russ Housley wrote: > I have kept quiet on this thread. I cannot hold it in any longer. > > RFC 2459 has no ambiguity in this area. If basicConstraints is present, > then the cA boolean tells whether the certificate belongs to a CA or an EE. > If basicConstraints is absent, then the certificate belongs to an EE. Period. The term "ambiguity" is not the exact term. The problem is not ambiguity but relying on out of band data. RFC 2459 is very clear as long as you know by out of band data that the certificate was issued by RFC 2459 compliant CA. > > > If an implementor wishes to support other profiles in addition to RFC 2459, > then the logic may be more complex. Fine. This was a market choice made > by the implementor. > > I do not think that RFC 2459 should be altered to make support for multiple > profiles easier. Why? do you think that whole world would choose adopt RFC 2459 and all the other profiles (including the base X.509) will become obsolete? Why would you force software designers to choose between two contradicting profiles of the same standard when you can easily allow them to support both? What is the compelling reason to prevent interpretability in that way? Moshe --------------AABD03B275790212FE65E1E5 Content-Type: text/x-vcard; charset=us-ascii; name="moshe.vcf" Content-Transfer-Encoding: 7bit Content-Description: Card for Moshe Litvin Content-Disposition: attachment; filename="moshe.vcf" begin:vcard n:Litvin;Moshe tel;fax:+972 3 5759256 tel;work:+972 3 7534601 x-mozilla-html:TRUE org:Check Point Software Technologies Ltd. adr:;;;;;; version:2.1 email;internet:moshe@CheckPoint.com fn:Moshe Litvin end:vcard --------------AABD03B275790212FE65E1E5-- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id WAA19787 for ietf-pkix-bks; Fri, 16 Apr 1999 22:30:10 -0700 (PDT) Received: from dsg1.OpenDirectory.com.au ([203.108.249.145]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id WAA19782 for <ietf-pkix@imc.org>; Fri, 16 Apr 1999 22:30:06 -0700 (PDT) Received: by DSG1 with Internet Mail Service (5.0.1458.49) id <28N0K3GP>; Sat, 17 Apr 1999 15:30:20 +1000 Message-ID: <D1A949D4508DD1119C8100400533BEDC0E2BB9@DSG1> From: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au> To: "'ietf-pkix@imc.org '" <ietf-pkix@imc.org>, "'Russ Housley '" <housley@spyrus.com> Subject: RE: CA vs. EE cert processing Date: Sat, 17 Apr 1999 15:30:17 +1000 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Russ. I aboslutely agree that the Profile should say that if the Ext BC is not there OR it is there with a NULL then its an EE cert - but this does not text define usage - which is the critical part. And the SHALL NOT bit and the fuzzy words of 2119 just leave curiosity. It would be nice if the para with SHALL NOT in is replaced with words like. "If the BC extension is not present or set to a NULL then the certificate belongs to an EE and MUST NOT be used by the certificate using system to verify the signature of a certificate." All done, precise, no indirection to other text which is fuzzy. regards alan ---------- From: Russ Housley To: ietf-pkix@imc.org Sent: 4/16/99 4:32:32 AM Subject: RE: CA vs. EE cert processing I have kept quiet on this thread. I cannot hold it in any longer. RFC 2459 has no ambiguity in this area. If basicConstraints is present, then the cA boolean tells whether the certificate belongs to a CA or an EE. If basicConstraints is absent, then the certificate belongs to an EE. Period. If an implementor wishes to support other profiles in addition to RFC 2459, then the logic may be more complex. Fine. This was a market choice made by the implementor. I do not think that RFC 2459 should be altered to make support for multiple profiles easier. Russ Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id SAA05023 for ietf-pkix-bks; Fri, 16 Apr 1999 18:27:06 -0700 (PDT) Received: from ns1.dmz.valicert.com (ns1.valicert.com [209.185.6.11]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id SAA05019 for <ietf-pkix@imc.org>; Fri, 16 Apr 1999 18:27:05 -0700 (PDT) Received: from ns1.serverfarm.valicert.com (corporate-gw.valicert.com [209.185.6.5]) by ns1.dmz.valicert.com (8.9.2/8.9.2) with ESMTP id SAA08790; Fri, 16 Apr 1999 18:26:52 -0700 (PDT) Received: from peternt (static-3-26.engineering.valicert.com [192.168.3.26] (may be forged)) by ns1.serverfarm.valicert.com (8.9.2/8.9.2) with SMTP id SAA10742; Fri, 16 Apr 1999 18:26:59 -0700 (PDT) Message-ID: <002601be8861$5fbb2ca0$1a03a8c0@peternt.valicert.com> From: "Peter Williams" <peterw@valicert.com> To: <ietf-pkix@imc.org>, "Stephen Kent" <kent@po1.bbn.com> Subject: Re: New proposed solution to the QC biometric issue Date: Fri, 16 Apr 1999 18:32:21 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> -----Original Message----- From: Stephen Kent <kent@po1.bbn.com> To: ietf-pkix@imc.org <ietf-pkix@imc.org> Date: Friday, April 16, 1999 7:12 PM Subject: Re: New proposed solution to the QC biometric issue >Folks, > >We discussed the biometric issue at length and the current proposal to >include a hash of a biometric template, for some well-defined set of human >verifiable biometrics, is the compromise we have reached. > >We are not putting a biometrioc template in the cert because it might be >very big and we generally discourage inclusion of very large data items in >certs. > >We are not putting a URI in because, under different assumptions, the >matching templame might be stored somewhere for reference, or might be >passed as part of an application protocol. If the template is not passed >with the cert, then the application protocol may chose to include a URI. >The only thing that does need to be in the cert, for secruity, is the hash >of the template, and the management data to know what hash algorithm was >employed, and what sort of template the hash refers to, e.g., facial image >or handwriting. Steve, I fail to see how one can rationalize the need of putting a CRL iDP (with http reference) into a cert, but one cannot point to user information in similar form, on similar grounds. And similarly for the PKIX CPS-reference - where additional CA-related information is bound to the certificate via a PKIX-standarized https reference. If one were to accept the argument presented, then PKIX should require SSL and S/MIME protocols to convey iDP addressing signals, and ban CRL locating information from PKIX certs. Similarly, the CPS http reference put into 2459 by one of the WG chairs should be presumably immediately banned - as bad practice. If its technically inappropriate to convey legalistic user references, it is technically inappropriate to convey rather similar authority references which further (legally) describe that PKI party! There is another side to this story, however. Based on the language and intent of PKIX 2459, those deploying Internet CAs already have all the freedom they need to do as some on the list are describing :- - One can note that PKIX users may already name themselves using a URI name-form - and in a manner wholly consistent with RFC 2459. - Should they name themselves with an https URI which happens to point to their biometric profile, then I can only conclude that 2459 already allows what is being argued here in policy-regimes which establish their own operating rules - as contemplated and facilitiated by PKIX 2459. - The URI name form plus the QC hash value can seeming work together fine to accomplish what some people on the mailing list want. - Those relying parties who respect a policy id which binds the URI name and hash fields at cert-processing time can now implement the desired application of PKIX certs. They can even now use certs to signal specific biometric template data - as incorporated via a hash-based secure URI reference - into their policy-based cert issuing and handling procedures. Peter -------- 2459 quotes: " The CPS Pointer qualifier contains a pointer to a Certification Practice Statement (CPS) published by the CA. The pointer is in the form of a URI." " The subject alternative names extension allows additional identities to be bound to the subject of the certificate. Defined options include an Internet electronic mail address, a DNS name, an IP address, and a uniform resource identifier (URI). Other options exist, including completely local definitions. Multiple name forms, and multiple instances of each name form, may be included. " " Further, if the only subject identity included in the certificate is an alternative name form (e.g., an electronic mail address), then the subject distinguished name MUST be empty (an empty sequence), and the subjectAltName extension MUST be present. " >Steve > > Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id RAA04539 for ietf-pkix-bks; Fri, 16 Apr 1999 17:03:07 -0700 (PDT) Received: from ns1.dmz.valicert.com (ns1.valicert.com [209.185.6.11]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id RAA04534 for <ietf-pkix@imc.org>; Fri, 16 Apr 1999 17:03:06 -0700 (PDT) Received: from ns1.serverfarm.valicert.com (corporate-gw.valicert.com [209.185.6.5]) by ns1.dmz.valicert.com (8.9.2/8.9.2) with ESMTP id RAA08455 for <ietf-pkix@imc.org>; Fri, 16 Apr 1999 17:02:54 -0700 (PDT) Received: from peternt (static-3-26.engineering.valicert.com [192.168.3.26] (may be forged)) by ns1.serverfarm.valicert.com (8.9.2/8.9.2) with SMTP id RAA09547 for <ietf-pkix@imc.org>; Fri, 16 Apr 1999 17:03:01 -0700 (PDT) Message-ID: <000901be8855$a53da1b0$1a03a8c0@peternt.valicert.com> From: "Peter Williams" <peterw@valicert.com> To: <ietf-pkix@imc.org> Subject: Re: New proposed solution to the QC biometric issue Date: Fri, 16 Apr 1999 17:08:23 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Some biometric primers: http://www.dss.state.ct.us/digital.htm http://www.biometrics.org/ The PKIX QC project may not solve the probably unsolvable Internet-name problem; but it may enable PKIX to properly address biometrics! Peter. Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id QAA03987 for ietf-pkix-bks; Fri, 16 Apr 1999 16:02:17 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id QAA03983 for <ietf-pkix@imc.org>; Fri, 16 Apr 1999 16:02:16 -0700 (PDT) Received: from [128.89.0.111] (YAKOV.BBN.COM [128.89.0.111]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id TAA22916; Fri, 16 Apr 1999 19:02:45 -0400 (EDT) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Sender: kent@po1.bbn.com (Unverified) Message-Id: <v04020a09b33d6da73a0d@[128.89.0.111]> In-Reply-To: <37160053.13362BE1@darmstadt.gmd.de> Date: Fri, 16 Apr 1999 19:02:26 -0400 To: Petra Gloeckner <Petra.Gloeckner@darmstadt.gmd.de> From: Stephen Kent <kent@po1.bbn.com> Subject: Re: New proposed solution to the QC biometric issue Cc: ietf-pkix@imc.org Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Petra, >4. The rationale as it stands is wrong from my point of view: There are >no "biometric comparing algorithms" involved which have to compare >reference data with actually measured verification data taken from the >person to be authenticated. An acceptable wording would be: "The >rationale for supporting biometric data (i.e. a certificate holder >portrait image) would be to support biometric data in a qualified >certificate in the sense of a certified attribute of the certificate >holding person." I'm a bit confused by your statement. Biometric authentication is generically done by registering a user and creating a template that characterizes the biometric for that user. later, when the user tries to "login" a new biometric is captured and is compared, algorithmically, to the template. if a suitably high score is achieved, the user is authenticated. In the more restricted cases we are considering here, the assumption is that the template is an image of a user's face or of his/her handwritten signature, that will be viewed by a person acting as the authenticator, matched against an in-person image of the user or signature. Steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id PAA03844 for ietf-pkix-bks; Fri, 16 Apr 1999 15:44:46 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id PAA03840 for <ietf-pkix@imc.org>; Fri, 16 Apr 1999 15:44:45 -0700 (PDT) Received: from [128.89.0.111] (YAKOV.BBN.COM [128.89.0.111]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id SAA20956 for <ietf-pkix@imc.org>; Fri, 16 Apr 1999 18:45:21 -0400 (EDT) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Sender: kent@po1.bbn.com (Unverified) Message-Id: <v04020a08b33d6af29736@[128.89.0.111]> In-Reply-To: <002601be8781$dfff8b30$020000c0@mega.vincent.se> Date: Fri, 16 Apr 1999 18:39:21 -0400 To: <ietf-pkix@imc.org> From: Stephen Kent <kent@po1.bbn.com> Subject: Re: New proposed solution to the QC biometric issue Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Folks, We discussed the biometric issue at length and the current proposal to include a hash of a biometric template, for some well-defined set of human verifiable biometrics, is the compromise we have reached. We are not putting a biometrioc template in the cert because it might be very big and we generally discourage inclusion of very large data items in certs. We are not putting a URI in because, under different assumptions, the matching templame might be stored somewhere for reference, or might be passed as part of an application protocol. If the template is not passed with the cert, then the application protocol may chose to include a URI. The only thing that does need to be in the cert, for secruity, is the hash of the template, and the management data to know what hash algorithm was employed, and what sort of template the hash refers to, e.g., facial image or handwriting. Steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id PAA03758 for ietf-pkix-bks; Fri, 16 Apr 1999 15:38:23 -0700 (PDT) Received: from prv-mail20.provo.novell.com (prv-mail20.Provo.Novell.COM [137.65.40.4]) by mail.proper.com (8.8.8/8.8.5) with SMTP id PAA03754 for <ietf-pkix@imc.org>; Fri, 16 Apr 1999 15:38:22 -0700 (PDT) Received: from INET-PRV-Message_Server by prv-mail20.provo.novell.com with Novell_GroupWise; Fri, 16 Apr 1999 16:38:04 -0600 Message-Id: <s717676c.028@prv-mail20.provo.novell.com> X-Mailer: Novell GroupWise 5.5 Date: Fri, 16 Apr 1999 16:38:00 -0600 From: "Bob Jueneman" <BJUENEMAN@novell.com> To: <walter@deh.de>, <jimsch@exchange.microsoft.com>, <ietf-pkix@imc.org> Subject: RE: New CMC Draft available - Confirmation Message Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id PAA03755 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Jim, I have to agree with Juergan. The client shouldn't have to check for revocation if (s)he disagrees with the certificate, even though it might be prudent to do so. But if the client does accept the certificate and the CA thinks it hasn't, that is at least fail safe. If the CA ends up calling the client, screaming "What do you mean you are rejecting the certificate -- do you want to keep on working here?!", then at least the problem will end up getting resolved. But if the client thinks it rejected the certificate and the CA goes ahead and publishes it anyway, very real and perhaps substantial damages could occur - it might be someone else's public key, it might disclose private information, or it might contain a Reliance Limit that is higher than the client wishes to accept., etc. Positive acknowledgment of acceptance by the Subscriber is a firm requirement. Bob >>> "Jim Schaad (Exchange)" <jimsch@exchange.microsoft.com> 04/13/99 01:01PM >>> Juergen, The problem that I have with this approach is that there is no way of knowing what the delay is going to be on the acceptance showing up on at the CA. (Nor do all transport mechinisms guantee delivery.) Thus a client can think it did accept a certificate and the CA can reach an opposite conclusion. If the client asks for revocation, it can later check to make sure that this operation occured. jim -----Original Message----- From: Juergen Walter [mailto:walter@deh.de] Sent: Tuesday, April 13, 1999 1:32 AM To: Jim Schaad (Exchange); IETF-PKIX (E-mail) Subject: Re: New CMC Draft available - Confirmation Message Jim, [snip] > > > - there is no confirmation message from the client to the > > CA/RA (thus, there > > is no way for a client to reject a certificate that it does > > not want (e.g., > > in the case where the CA has modified some of the fields in > > the request)). > > There is a simple way for a client to reject a certificate, it simply puts > in a revocation request on the certificates it just received. I don't know > of any reason for the oppositite to be required in a general protocal. That > is the client must positively accept a certificate. > When I remember right e. g. ABA Guidelines requires that an EE explicitly confirms an issued certificate. This may be not a protocol requirement in pure PKI implementations. But I know environments where a certificate receipt is at least an operational requirement. I think that an appropriate message (optional) would be an improvement. When the rejection (i. e. sending of revocation request) stays away we have no explicite confirmation of the certificate (may be a legal issue). The time-frame of such stay away process may cause complicated validation issues. I prefer a message that indicates the fact whether an EE accept his certificate or not. This may replace the revocation request on the one hand and the pure revocation request on the other hand. Juergen Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id NAA01998 for ietf-pkix-bks; Fri, 16 Apr 1999 13:30:55 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id NAA01986 for <ietf-pkix@imc.org>; Fri, 16 Apr 1999 13:30:51 -0700 (PDT) Received: from [128.89.0.111] (YAKOV.BBN.COM [128.89.0.111]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id QAA17414; Fri, 16 Apr 1999 16:30:51 -0400 (EDT) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Sender: kent@po1.bbn.com (Unverified) Message-Id: <v04020a05b33bb949b831@[128.33.238.53]> In-Reply-To: <199904141542.QAA20978@baboo.sse.ie> References: Your message of "Wed, 14 Apr 1999 12:57:35 +0200." <3.0.32.19990414125735.00adf960@mail.accurata.se> Date: Thu, 15 Apr 1999 11:46:33 -0400 To: Stephen Farrell <stephen.farrell@sse.ie> From: Stephen Kent <kent@po1.bbn.com> Subject: Re: New proposed solution to the QC biometric issue Cc: ietf-pkix@imc.org Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Stephen, >- if you're only storing a hash, how do I find the >original - maybe a URI is needed in addition maybe, but not always. the template can be passed as part of a transaction, or be stored in a file, or whatever. because there are multiple, legitimate ways to provide the template, and nthey may differ for the same cert user in different contexts, I think it inappropriate to incorporate any one in the cert itself. >- if you buy into the above, couldn't the URI replace >the OID (since e.g. a HTTP response has a MIME type >which identififes at least the syntax and also >identifies the transfer encoding of the actual data) I'm not in favor of the above, and anyway, HTTP is but one possible transport medium ... >- you'll need an algo id somewhere or you can't recalc. the >hash >- you'll need to specify how the actual data is to be >flattened before hash calculation (e.g. strip CR/LF or >whatever), this could be incorporated with the >algo id (so use a transform id) do you mean canonicalize the template? these templates are typically binary, not ASCII, I think. Any canonicalization rules should be specified in the ID we use to specify the template type, maybe as a sub-type. Steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id DAA01572 for ietf-pkix-bks; Fri, 16 Apr 1999 03:17:09 -0700 (PDT) Received: from clbull.frcl.bull.fr (clbull.frcl.bull.fr [129.182.1.20]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id DAA01567 for <ietf-pkix@imc.org>; Fri, 16 Apr 1999 03:16:52 -0700 (PDT) Received: from k2.frcl.bull.fr (k2.frcl.bull.fr [129.182.100.2]) by clbull.frcl.bull.fr (8.9.1a/8.9.1) with ESMTP id MAA21642; Fri, 16 Apr 1999 12:17:12 +0200 Received: from bull.net (frcls6118.frcl.bull.fr [129.182.109.213]) by k2.frcl.bull.fr (AIX4.2/UCB 8.7/8.7) with ESMTP id MAA43106; Fri, 16 Apr 1999 12:17:09 +0200 (DFT) Message-ID: <37170E44.80D708BA@bull.net> Date: Fri, 16 Apr 1999 12:17:41 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.06 [fr] (Win95; I) MIME-Version: 1.0 To: Petra Gloeckner <Petra.Gloeckner@darmstadt.gmd.de> CC: ietf-pkix@imc.org Subject: Re: New proposed solution to the QC biometric issue References: <199904141542.QAA20978@baboo.sse.ie> <3715B644.86B0E3A4@darmstadt.gmd.de> <3715C296.E61B2CC6@bull.net> <37160BBC.F3164EC5@darmstadt.gmd.de> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Petra, My comments are along the lines. > Denis Pinkas wrote: > > > > >From these examples, it can be seen that a URI is not mandatory, but the > > name of the corresponding file would be usefull as well as the type of > > biometric information. As far as the typeOfBiometricData is concerned I > > would prefer an integer instead of an OID: it is shorter (when > > certificates are stored in smart cards) and we could expand the list of > > integers as needed. At the time being, two integers seem sufficient > > (picture or manual signature). > > > > Denis, > > why would you like to include the name of the corresponding file in > the certificate as well? > I originally thought to have the name of the file to point to the right > attached file and the extension of the file to select the right viewer. The name of the file is not needed if there is some "other ways" to differentiate (in the case when there are multiple attachments) between an attached picture, a manual signature and, maybe, a fingerprint (that was not in my original list). I am however still wondering if there might be some interrest to have nevertheless the extension of the file, for exemple: GIF, TIF, BMP, MPG, MP3, etc ... to know, only when looking at the certificate, what kind of viewer will be necessary. I do not feel strong on this issue, I am trying to find the pros and cons before taking a decision. Other thoughts ? Regards, Denis > Without this name I'd suggest the following structure considering the > comments of Stephen and you: > > BiometricData ::= SEQUENCE { > URIorOID URIorOIDsyntax, > hashalgorithm AlgorithmIdentifier, > biometricDataHash OCTET STRING } > > URIorOIDsyntax ::== CHOICE { > uri [0] IA5String > typeOfBiometricData [1] INTEGER } > > with the following types of biometric data defined so far: > 0 picture > 1 manual signature > > Best regards - Petra Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id XAA21262 for ietf-pkix-bks; Thu, 15 Apr 1999 23:39:05 -0700 (PDT) Received: from smtp.udac.net (smtp.udac.net [193.44.79.123]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id XAA21258 for <ietf-pkix@imc.org>; Thu, 15 Apr 1999 23:39:03 -0700 (PDT) Received: from caesar.udac.se (caesar.udac.se [193.44.79.10]) by smtp.udac.net (8.9.1/8.9.1) with ESMTP id IAA02517 for <ietf-pkix@imc.org>; Fri, 16 Apr 1999 08:39:34 +0200 Received: from mega (t1o69p77.telia.com [62.20.144.77]) by caesar.udac.se (8.7.3/NetworkC-1) with SMTP id IAA89969; Fri, 16 Apr 1999 08:39:30 +0200 Message-ID: <000801be87db$ffd55070$020000c0@mega.vincent.se> From: "Anders Rundgren" <anders.rundgren@jaybis.com> To: "Paul Koning" <pkoning@xedia.com>, <ietf-pkix@imc.org> Subject: Re: New proposed solution to the QC biometric issue Date: Fri, 16 Apr 1999 08:37:36 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.2106.4 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id XAA21259 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Paul, <snip>> >I'm puzzled. A week or two ago it sounded like this whole topic had >been talked to death and was being set aside entirely. Now it seems >all to be coming back again. Do we have to debate the entire thing >all over? Paul, I understand that you are puzzled. The problem is that the IETF have grossly underestimated the task of making a QC profile that will get the importance it should. I think that QCs as a whole should haven been discussed in an own list by people who have interests in this and have a wider background than just PKI. Now the PKIX-list is filled with (for many people) annoying, and largely uninteresting posts. In the case of bio-metrics it is IMO as an initial step enough to find out: 1) What kind of bio-metric data that should be supported and why 2) How the infrastructure is supposed to work (in particular access to the original bio-data template). There could be a few variants here are otherwise consensus may not be reached When the requirements are known - then it is time for the ASN.1 - people to make a TECHNICAL solution. Of course there must be technical discussions going on from the start to see that the end-result is useful. But this wish is probably MUCH too late to be realized. Anders Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id NAA26425 for ietf-pkix-bks; Thu, 15 Apr 1999 13:52:35 -0700 (PDT) Received: from relay5.UU.NET (relay5.UU.NET [192.48.96.15]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id NAA26420 for <ietf-pkix@imc.org>; Thu, 15 Apr 1999 13:52:34 -0700 (PDT) Received: from xedia.com by relay5.UU.NET with SMTP (peer crosschecked as: madway.xedia.com [198.202.232.199]) id QQglcd06407 for <ietf-pkix@imc.org>; Thu, 15 Apr 1999 16:52:13 -0400 (EDT) Received: from tonga.xedia.com by xedia.com (4.1/SMI-4.1) id AA16374; Thu, 15 Apr 99 16:51:52 EDT Received: by tonga.xedia.com (SMI-8.6/SMI-SVR4) id QAA19225; Thu, 15 Apr 1999 16:52:01 -0400 Date: Thu, 15 Apr 1999 16:52:01 -0400 Message-Id: <199904152052.QAA19225@tonga.xedia.com> From: Paul Koning <pkoning@xedia.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: ietf-pkix@imc.org Subject: Re: New proposed solution to the QC biometric issue References: <002601be8781$dfff8b30$020000c0@mega.vincent.se> X-Mailer: VM 6.34 under 20.3 "Vatican City" XEmacs Lucid Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> >>>>> "Anders" == Anders Rundgren <anders.rundgren@jaybis.com> writes: Anders> <snip> >>> There are two kinds of biometric attributes that can be used : a >>> picture or a manual signature from the certificate owner. Anders> Fingerprints are coming strong. I'm puzzled. A week or two ago it sounded like this whole topic had been talked to death and was being set aside entirely. Now it seems all to be coming back again. Do we have to debate the entire thing all over? paul Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id MAA25875 for ietf-pkix-bks; Thu, 15 Apr 1999 12:59:37 -0700 (PDT) Received: from gatekeeper.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by mail.proper.com (8.8.8/8.8.5) with SMTP id MAA25869 for <ietf-pkix@imc.org>; Thu, 15 Apr 1999 12:59:35 -0700 (PDT) Received: id PAA23100; Thu, 15 Apr 1999 15:55:26 -0400 Received: by gateway id <269J4YKT>; Thu, 15 Apr 1999 15:57:48 -0400 Message-ID: <01E1D01C12D7D211AFC70090273D20B112BDD1@sothmxs06> From: Robert Zuccherato <robert.zuccherato@entrust.com> To: "'Manuel Heras Gilsanz'" <mherasg@nexo.es> Cc: Denis Pinkas <Denis.Pinkas@bull.net>, "'Jose A. Manas'" <jmanas@dit.upm.es>, ietf-pkix@imc.org, afd@fnmt.es Subject: RE: Time-Stamp: Why not use several hashes? Date: Thu, 15 Apr 1999 15:57:47 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> My comments are below. > ---------- > From: Manuel Heras Gilsanz[SMTP:mherasg@nexo.es] > Sent: Wednesday, April 14, 1999 6:39 PM > To: Robert Zuccherato > Cc: Denis Pinkas; 'Jose A. Manas'; ietf-pkix@imc.org; afd@fnmt.es > Subject: Re: Time-Stamp: Why not use several hashes? > > Robert, > > > I think that if a common hash function is broken (for example SHA-1) > then no > > signature created within that infrastructure, with that hash function > can be > > trusted, including the TSA's. Thus, I am reluctant to include multiple > > hashes within the message imprint. It will not actually help if the > hash > > algorithm used to sign the token is broken. [...] > > I don't agree with you in the importance assigned to the hashes used in > the request itself and those used in the signatures. I think both hashes > have unequal impact on the process, for several reasons: > > -The digital signature is not necessarily the single evidence supporting > the validity of time-stamp tokens; there could exist some form of > linking, there could be inter-TSA cross-time-stamping, etc., and in > these cases the weakest point in the architecture is the path from the > user document to the TSA, i.e., the message imprint(s) provided by the > user in the time-stamp request. [In fact, reliable time-stamping schemes > can be devised without resort to digital signatures.] > But in the scheme we describe, the digital signature is the single evidence supporting the validity of the time stamp tokens. > -Digital signatures can become obsolete (they will when the certificates > of the user, the TSA and/or main CA expire), but in time-stamping > operations time is essential, and TS-tokens should survive to the pass > of time. If a hash were broken, the digital signatures could be > re-issued (time is not essential in them), whereas time-stamps using > this (single) algorithm for imprint generation would have to be > invalidated. > Well actually if SHA-1, for example, was broken today then every timestamp signed using SHA-1 would be invalidated. What is more likely though is that SHA-1 would be broken over a period of time and people would know that it was nearing the end of its useful life. Then tokens signed using SHA-1 should be re-timestamped. Similarly, if the message imprint was computed using SHA-1, the message and the token together could be re-timestamped to show that the message and imprint existed before SHA-1 actually broke. > -New document imprints cannot be obtained without cooperation from the > user, whereas additional digital signatures can be provided by the TSA > independently. Therefore providing support for several message imprints > in a single request would greatly reduce the need of user intervention, > and would increase the time between renewals. > Surely you are not suggesting that a TSA would re-issue EVERY timestamp that it had issued using a particular hash algorithm. What is more likely is that the TSA would inform user's that an algorithm was reaching the end of it's lifetime and advise them to re-timestamp those items which are still important. This requires user interaction. > > Also, as I stated earlier, if > > certain individuals really want to do this, they can do it by defining a > new > > OID. > > > In Section 2.1, "Requirements on the TSA" of the current TS PKIX draft, > point 8 specifies that the OIDs of the hashes provided by the users must > be analyzed by the TSA in order to check that they are "sufficiently > secure"; this is a very important and appropriate requirement, > introduced to prevent the use of potentially weak hashes. According to > this requirement, users cannot (unilaterally) define new hash OIDs in > order to aggregate several "normal" hashes into one, since these OIDs > would be unknown to the TSA, and therefore rejected. Apart from this > conflict with the requirements on TSA operation, I sincerely believe it > is much easier to accomodate the multiple-imprints construct within the > protocol structures, thus avoiding the need of agreeing on a full set of > OIDs for multiple-hash functions. > I did not mean to imply that a user could unilaterally define a new hash OID. A TSA would most likely list in its policy which hash functions were acceptable to it. If the TSA felt that this was an important issue, one of those could be an OID signaling a concatenation of hashes. Robert. Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id MAA25837 for ietf-pkix-bks; Thu, 15 Apr 1999 12:54:52 -0700 (PDT) Received: from smtp.udac.net (smtp.udac.net [193.44.79.123]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id MAA25833 for <ietf-pkix@imc.org>; Thu, 15 Apr 1999 12:54:46 -0700 (PDT) Received: from caesar.udac.se (caesar.udac.se [193.44.79.10]) by smtp.udac.net (8.9.1/8.9.1) with ESMTP id VAA24104 for <ietf-pkix@imc.org>; Thu, 15 Apr 1999 21:55:16 +0200 Received: from mega (t1o69p12.telia.com [62.20.144.12]) by caesar.udac.se (8.7.3/NetworkC-1) with SMTP id VAA32326; Thu, 15 Apr 1999 21:54:06 +0200 Message-ID: <002501be8781$d88f8d50$020000c0@mega.vincent.se> From: "Anders Rundgren" <anders.rundgren@jaybis.com> To: "Stefan Santesson" <stefan@accurata.se>, "Stephen Farrell" <stephen.farrell@sse.ie> Cc: <farrell@baboo.sse.ie>, <ietf-pkix@imc.org> Subject: Re: New proposed solution to the QC biometric issue Date: Thu, 15 Apr 1999 21:52:12 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.2106.4 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id MAA25834 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Stephen, >- if you're only storing a hash, how do I find the >original - maybe a URI is needed in addition Absolutely! Although I am more into calling them URLs... Unfortunately this scheme has a few inherent problems that some of the other proposed schemes do not exibit: 1) Who has access to these URIs? Assuming they are networked this is a problem. 2) The exclusion of the "real thing" from QCs makes it impossible to sign in a STANDARD way (PKCS #7) and retaining biodata as the URIs do not have to be accessible for anyone and they may also die after the cert has expired. 3) One (networked) fetch for each biometric attribute slows down the process a bit. Regards Anders http://www.mobilephones-tng.com Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id MAA25818 for ietf-pkix-bks; Thu, 15 Apr 1999 12:53:58 -0700 (PDT) Received: from smtp.udac.net (smtp.udac.net [193.44.79.123]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id MAA25814 for <ietf-pkix@imc.org>; Thu, 15 Apr 1999 12:53:54 -0700 (PDT) Received: from caesar.udac.se (caesar.udac.se [193.44.79.10]) by smtp.udac.net (8.9.1/8.9.1) with ESMTP id VAA24095 for <ietf-pkix@imc.org>; Thu, 15 Apr 1999 21:54:23 +0200 Received: from mega (t1o69p12.telia.com [62.20.144.12]) by caesar.udac.se (8.7.3/NetworkC-1) with SMTP id VAA102017; Thu, 15 Apr 1999 21:54:22 +0200 Message-ID: <002601be8781$dfff8b30$020000c0@mega.vincent.se> From: "Anders Rundgren" <anders.rundgren@jaybis.com> To: "Denis Pinkas" <Denis.Pinkas@bull.net>, <ietf-pkix@imc.org> Subject: Re: New proposed solution to the QC biometric issue Date: Thu, 15 Apr 1999 21:52:28 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.2106.4 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id MAA25815 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> <snip> >> Proposed text: >> >> " In some cases the subject name that is contained in a public key >> certificate may not be meaningful enough. This may happen because of the >> existence of synonyms or because of the use of pseudonyms. A distinction >> could be made if more attributes were present. However, adding more >> attributes to a public key certificate placed in a public repository >> would be going against privacy protection. I do not agree on your conclusion. Whatever attributes you put in a certificate they should not be in a PUBLIC repository. A so trivial item like "dateOfBirth" is a thing that many people object to having published. <snip> >>There are two kinds of biometric >> attributes that can be used : a picture or a manual signature from the >> certificate owner. Fingerprints are coming strong. http://www.veridicom.com/ Note: There are at least 25 other companies doing similar stuff although I was impressed by Veridicom's system as the manage to make their templates a mere 300 bytes. Formulas rather than pattern it seems. Fingerprints have one big advantage over the other two items: They CAN actually be used to automatically verify a persons authenticity at an entrance in a reasonable controlled area. That you can cut of a person's finger is true but there is always some end to what is possible in terms of security. The fingerprint solution is very LOW-COST and complements a smart-card PIN-code very well. <snip> Regards Anders http://www.mobilephones-tng.com Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id MAA25379 for ietf-pkix-bks; Thu, 15 Apr 1999 12:07:27 -0700 (PDT) Received: from spyrus.com (mail.spyrus.com [207.212.34.30]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id MAA25375 for <ietf-pkix@imc.org>; Thu, 15 Apr 1999 12:07:26 -0700 (PDT) Received: from rhousley_laptop.spyrus.com ([209.66.108.101]) by spyrus.com (8.7.6/8.7.3/arc) with SMTP id MAA12701 for <ietf-pkix@imc.org>; Thu, 15 Apr 1999 12:06:42 -0700 (PDT) Message-Id: <4.1.19990415142347.00a4f620@mail.spyrus.com> X-Sender: rhousley@mail.spyrus.com (Unverified) X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1 Date: Thu, 15 Apr 1999 14:32:32 -0400 To: ietf-pkix@imc.org From: Russ Housley <housley@spyrus.com> Subject: RE: CA vs. EE cert processing In-Reply-To: <v04020a05b33a4da98bab@[128.33.238.50]> References: <D1A949D4508DD1119C8100400533BEDC0E2B5C@DSG1> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> I have kept quiet on this thread. I cannot hold it in any longer. RFC 2459 has no ambiguity in this area. If basicConstraints is present, then the cA boolean tells whether the certificate belongs to a CA or an EE. If basicConstraints is absent, then the certificate belongs to an EE. Period. If an implementor wishes to support other profiles in addition to RFC 2459, then the logic may be more complex. Fine. This was a market choice made by the implementor. I do not think that RFC 2459 should be altered to make support for multiple profiles easier. Russ Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id KAA24187 for ietf-pkix-bks; Thu, 15 Apr 1999 10:07:58 -0700 (PDT) Received: from smtp7.ny.us.ibm.com (smtp7.ny.us.ibm.com [198.133.22.19]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id KAA24183 for <ietf-pkix@imc.org>; Thu, 15 Apr 1999 10:07:57 -0700 (PDT) From: tgindin@us.ibm.com Received: from northrelay02.pok.ibm.com (northrelay02.pok.ibm.com [9.117.200.22]) by smtp7.ny.us.ibm.com (8.8.8/8.8.7) with ESMTP id NAA81684; Thu, 15 Apr 1999 13:08:11 -0400 Received: from D51MTA05.pok.ibm.com (d51mta05.pok.ibm.com [9.117.200.33]) by northrelay02.pok.ibm.com (8.8.8m2/NCO v1.8) with SMTP id NAA211208; Thu, 15 Apr 1999 13:07:48 -0400 Received: by D51MTA05.pok.ibm.com(Lotus SMTP MTA Internal build v4.6.2 (651.2 6-10-1998)) id 85256754.005E13E5 ; Thu, 15 Apr 1999 13:07:34 -0400 X-Lotus-FromDomain: IBMUS To: Petra Gloeckner <Petra.Gloeckner@darmstadt.gmd.de> cc: Denis Pinkas <Denis.Pinkas@bull.net>, ietf-pkix@imc.org Message-ID: <85256754.005E12D5.00@D51MTA05.pok.ibm.com> Date: Thu, 15 Apr 1999 13:07:20 -0400 Subject: Re: New proposed solution to the QC biometric issue Mime-Version: 1.0 Content-type: text/plain; charset=us-ascii Content-Disposition: inline Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Wouldn't a better syntax for URIorOIDsyntax be URIorOIDsyntax ::== CHOICE { uri IA5String, biometricType [0] IMPLICIT OBJECT IDENTIFIER } ? You could add a third choice value as: stdBiometricType [1] IMPLICIT StdBiometricType StdBiometricType ::= INTEGER { PICTURE_GIF (0), HANDWRITTEN_SIGNATURE_GIF(1) -- more to follow } I think you have to specify both the format and the interpretation of a graphic for pictures and manual signatures. Tom Gindin Petra Gloeckner <Petra.Gloeckner@darmstadt.gmd.de> on 04/15/99 11:54:36 AM To: Denis Pinkas <Denis.Pinkas@bull.net> cc: ietf-pkix@imc.org (bcc: Tom Gindin/Watson/IBM) Subject: Re: New proposed solution to the QC biometric issue Denis Pinkas wrote: > > >From these examples, it can be seen that a URI is not mandatory, but the > name of the corresponding file would be usefull as well as the type of > biometric information. As far as the typeOfBiometricData is concerned I > would prefer an integer instead of an OID: it is shorter (when > certificates are stored in smart cards) and we could expand the list of > integers as needed. At the time being, two integers seem sufficient > (picture or manual signature). > Denis, why would you like to include the name of the corresponding file in the certificate as well? Without this name I'd suggest the following structure considering the comments of Stephen and you: BiometricData ::= SEQUENCE { URIorOID URIorOIDsyntax, hashalgorithm AlgorithmIdentifier, biometricDataHash OCTET STRING } URIorOIDsyntax ::== CHOICE { uri [0] IA5String typeOfBiometricData [1] INTEGER } with the following types of biometric data defined so far: 0 picture 1 manual signature Best regards - Petra Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id IAA23539 for ietf-pkix-bks; Thu, 15 Apr 1999 08:55:47 -0700 (PDT) Received: from sonne.darmstadt.gmd.de (sonne.darmstadt.gmd.de [141.12.62.20]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id IAA23535 for <ietf-pkix@imc.org>; Thu, 15 Apr 1999 08:55:45 -0700 (PDT) Received: from darmstadt.gmd.de (pc-ravenna [141.12.33.61]) by sonne.darmstadt.gmd.de (8.8.8/8.8.5) with ESMTP id RAA02535; Thu, 15 Apr 1999 17:55:08 +0200 (MET DST) Message-ID: <37160BBC.F3164EC5@darmstadt.gmd.de> Date: Thu, 15 Apr 1999 17:54:36 +0200 From: Petra Gloeckner <Petra.Gloeckner@darmstadt.gmd.de> X-Mailer: Mozilla 4.08 [en] (WinNT; I) MIME-Version: 1.0 To: Denis Pinkas <Denis.Pinkas@bull.net> CC: ietf-pkix@imc.org Subject: Re: New proposed solution to the QC biometric issue References: <199904141542.QAA20978@baboo.sse.ie> <3715B644.86B0E3A4@darmstadt.gmd.de> <3715C296.E61B2CC6@bull.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Denis Pinkas wrote: > > >From these examples, it can be seen that a URI is not mandatory, but the > name of the corresponding file would be usefull as well as the type of > biometric information. As far as the typeOfBiometricData is concerned I > would prefer an integer instead of an OID: it is shorter (when > certificates are stored in smart cards) and we could expand the list of > integers as needed. At the time being, two integers seem sufficient > (picture or manual signature). > Denis, why would you like to include the name of the corresponding file in the certificate as well? Without this name I'd suggest the following structure considering the comments of Stephen and you: BiometricData ::= SEQUENCE { URIorOID URIorOIDsyntax, hashalgorithm AlgorithmIdentifier, biometricDataHash OCTET STRING } URIorOIDsyntax ::== CHOICE { uri [0] IA5String typeOfBiometricData [1] INTEGER } with the following types of biometric data defined so far: 0 picture 1 manual signature Best regards - Petra Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id IAA23078 for ietf-pkix-bks; Thu, 15 Apr 1999 08:07:44 -0700 (PDT) Received: from sonne.darmstadt.gmd.de (sonne.darmstadt.gmd.de [141.12.62.20]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id IAA23074 for <ietf-pkix@imc.org>; Thu, 15 Apr 1999 08:07:42 -0700 (PDT) Received: from darmstadt.gmd.de (pc-ravenna [141.12.33.61]) by sonne.darmstadt.gmd.de (8.8.8/8.8.5) with ESMTP id RAA01306; Thu, 15 Apr 1999 17:06:27 +0200 (MET DST) Message-ID: <37160053.13362BE1@darmstadt.gmd.de> Date: Thu, 15 Apr 1999 17:05:55 +0200 From: Petra Gloeckner <Petra.Gloeckner@darmstadt.gmd.de> X-Mailer: Mozilla 4.08 [en] (WinNT; I) MIME-Version: 1.0 To: ietf-pkix@imc.org CC: struif@darmstadt.gmd.de Subject: Re: New proposed solution to the QC biometric issue Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> I'm forwarding the following comment on behalf of Bruno Struif who is involoved in biometric technologies and algorithms at GMD: Comment to "Biometrics in Qualified Certificates" 1. The only biometric data which may have some relevance to qualified certificates is a "certificate holder portrait image" (i.e. a foto) in a defined coding scheme. 2. If the foto is too big (about 2 kbytes in a compressed version), the hash value of the foto may be used. 3. If the hash value is used then the hash algorithm has to be denoted and the reference where the foto from which the hash value was derived is located. A verifier has to fetch the foto, to hash it and to compare the computed hash value with the hash value presented in the qualified certificate. 4. The rationale as it stands is wrong from my point of view: There are no "biometric comparing algorithms" involved which have to compare reference data with actually measured verification data taken from the person to be authenticated. An acceptable wording would be: "The rationale for supporting biometric data (i.e. a certificate holder portrait image) would be to support biometric data in a qualified certificate in the sense of a certified attribute of the certificate holding person." Bruno Struif e-mail: bruno.struif@darmstadt.gmd.de Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id GAA17786 for ietf-pkix-bks; Thu, 15 Apr 1999 06:34:53 -0700 (PDT) Received: from popmail.inbox.se (popmail.inbox.se [193.12.72.101]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id GAA17782 for <ietf-pkix@imc.org>; Thu, 15 Apr 1999 06:34:51 -0700 (PDT) Received: from stefan2 (accurata.inbox.se [193.12.72.24]) by popmail.inbox.se (8.9.3/8.9.3) with SMTP id PAA21169; Thu, 15 Apr 1999 15:32:02 +0200 Message-Id: <3.0.32.19990415153202.00af6710@mail.accurata.se> X-Sender: mb517@mail.accurata.se X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Thu, 15 Apr 1999 15:32:02 +0200 To: Denis Pinkas <Denis.Pinkas@bull.net>, Petra Gloeckner <Petra.Gloeckner@darmstadt.gmd.de> From: Stefan Santesson <stefan@accurata.se> Subject: Re: New proposed solution to the QC biometric issue Cc: ietf-pkix@imc.org Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id GAA17783 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Denis, In general good suggestions but I oppose to the following general approach: At 12:42 PM 4/15/99 +0200, Denis Pinkas wrote: <snip> >"In order to achieve a balance >between these two opposite requirements the hash values of some >additional attributes can be placed in a public key certificate." As a general approach this would be a bad thing to do. Most name attributes doesn't have enough name space for a hash to provide any protection against exhaustive search for the originating data. Say for example that you provide hash on names. It would not be to hard to make an exhaustive search on frequent names and thereby find most of the names through their hash. The same with a social security number or a birth date. The name space are in these cases tiny compared to the computing power of a single workstation. So providing additional "hidden" attributes by providing their hash will generally require some additional construct algorithm which prevents exhaustive search (e.g. adding random data and/or combining several attributes), and such logic is well beyond the scope of the QC work (As I see it now). /Stefan ------------------------------------------------------------------- Stefan Santesson <stefan@accurata.se> Accurata Systemsäkerhet AB http://www.accurata.se Slagthuset Tel. +46-40 108588 211 20 Malmö Fax. +46-40 150790 Sweden Mobile +46-70 5247799 PGP fingerprint: 89BC 6C79 5B3D 591B 8547 1512 7D11 DBF4 528F 29A0 ------------------------------------------------------------------- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id EAA16441 for ietf-pkix-bks; Thu, 15 Apr 1999 04:42:12 -0700 (PDT) Received: from epic.iris.com (epic.iris.com [198.112.211.21]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id EAA16437 for <ietf-pkix@imc.org>; Thu, 15 Apr 1999 04:42:09 -0700 (PDT) From: Mary_Ellen_Zurko@iris.com Subject: WG process and interactions (RE: CA vs. EE cert processing) To: Stephen Kent <kent@po1.bbn.com> Cc: "'ietf-pkix@imc.org '" <ietf-pkix@imc.org> X-Mailer: Lotus Notes PVCS Build (based on 165) "Mar 11 1999" Date: Thu, 15 Apr 1999 11:42:38 GMT Message-ID: <OF7A353A2E.EC15B998-ON85256754.00401BAA@iris.com> X-Priority: 3 (Normal) X-MIMETrack: Serialize by Router on Epic/Iris(Daily Build (based on 166.1)|Apr 6 1999) at 04/15/99 07:44:59 AM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> > from joining in. I have received several private messages expressing > support for the position I have stated, but these, and probably other > folks, don't want to become engaged in a protracted e-mail exchange of this > sort. >From a process point of view, this is very unfortunate. It's important to the WG for the members to be able to recognize the same "rough concensus" as the chair. People should be encouraged to feel comfortable stating their opinion and _not_ engaging in protracted exchanges, if that's what they prefer. So, here's my attempt at encouraging :-). Mez Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id EAA16152 for ietf-pkix-bks; Thu, 15 Apr 1999 04:21:21 -0700 (PDT) Received: from clbull.frcl.bull.fr (clbull.frcl.bull.fr [129.182.1.20]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id EAA16148 for <ietf-pkix@imc.org>; Thu, 15 Apr 1999 04:21:17 -0700 (PDT) Received: from k2.frcl.bull.fr (k2.frcl.bull.fr [129.182.100.2]) by clbull.frcl.bull.fr (8.9.1a/8.9.1) with ESMTP id NAA14906 for <ietf-pkix@imc.org>; Thu, 15 Apr 1999 13:21:38 +0200 Received: from bull.net (frcls6118.frcl.bull.fr [129.182.109.213]) by k2.frcl.bull.fr (AIX4.2/UCB 8.7/8.7) with ESMTP id NAA23518 for <ietf-pkix@imc.org>; Thu, 15 Apr 1999 13:21:38 +0200 (DFT) Message-ID: <3715CBDF.5E3AA77F@bull.net> Date: Thu, 15 Apr 1999 13:22:07 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.06 [fr] (Win95; I) MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: New proposed solution to the QC biometric issue References: <199904141542.QAA20978@baboo.sse.ie> <3715B644.86B0E3A4@darmstadt.gmd.de> <3715C296.E61B2CC6@bull.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> In the attached message, I would guess that everyone would have noticed that I wrote "synonyms", but I meant "homonyms". :-) Denis > Petra, > > It has been requested on the list to indicate the usage of such > data.While this kind of information does not belong to the core > document, it would nevertheless be interresting to place it in an > informative annex. Hereafter is a first stone to build that section. > This is not the single way to use the extension, but one way. From this, > you can see the implications on the ASN1. > > Proposed text: > > " In some cases the subject name that is contained in a public key > certificate may not be meaningful enough. This may happen because of the > existence of synonyms or because of the use of pseudonyms. A distinction > could be made if more attributes were present. However, adding more > attributes to a public key certificate placed in a public repository > would be going against privacy protection. In order to achieve a balance > between these two opposite requirements the hash values of some > additional attributes can be placed in a public key certificate. When > these additional attributes are provided by the certificate owner, then > they can be verified. Using biometric attributes may allow to > unambiguously identify a person. There are two kinds of biometric > attributes that can be used : a picture or a manual signature from the > certificate owner. > > A picture can be used if the verifier once met the person and later on > wants to verify that the certificate that he got is relative to the > person which was met. In such a case, at the first exchange the picture > is sent and the hash contained in the certificate may be used by the > verifier to verify that it is the right person. At the next exchange the > picture does not need to be sent again. > > A manual signatuere may be used if a signed document has been received > before hand. In such a case, at the first exchange the drawing of the > manual signature is sent and the hash contained in the certificate may > be used by the verifier to verify that it is the right manual signature. > At the next exchange the manual signature does not need to be sent > again." > > >From these examples, it can be seen that a URI is not mandatory, but the > name of the corresponding file would be usefull as well as the type of > biometric information. As far as the typeOfBiometricData is concerned I > would prefer an integer instead of an OID: it is shorter (when > certificates are stored in smart cards) and we could expand the list of > integers as needed. At the time being, two integers seem sufficient > (picture or manual signature). > > Regards, > > Denis > > > Hi Stephen, > > > > Stephen Farrell wrote: > > > > > > - you'll need an algo id somewhere or you can't recalc. the > > > hash > > > > yes, I agree. So I correct my ASN.1 definition of the BiometricData: > > > > BiometricData ::= SEQUENCE { > > typeOfBiometricData OBJECT IDENTIFIER > > hashalgorithm AlgorithmIdentifier > > biometricDataHash OCTET STRING } > > > > > - you'll need to specify how the actual data is to be > > > flattened before hash calculation (e.g. strip CR/LF or > > > whatever), this could be incorporated with the > > > algo id (so use a transform id) > > > > As I understood the whole discussion the reference data has been > > provided before, i.e. it is already existing and pre-stored. > > There is no new verification data which needs to be transformed > > and compared against the reference data. The purpose of the > > biometrics extension is just to verify by a signed message that > > the provided reference data belongs to the certificate holder. > > > > Correct me, if I'm wrong! > > > > Petra Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id DAA14211 for ietf-pkix-bks; Thu, 15 Apr 1999 03:41:42 -0700 (PDT) Received: from clbull.frcl.bull.fr (clbull.frcl.bull.fr [129.182.1.20]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id DAA14202 for <ietf-pkix@imc.org>; Thu, 15 Apr 1999 03:41:39 -0700 (PDT) Received: from k2.frcl.bull.fr (k2.frcl.bull.fr [129.182.100.2]) by clbull.frcl.bull.fr (8.9.1a/8.9.1) with ESMTP id MAA20342; Thu, 15 Apr 1999 12:42:01 +0200 Received: from bull.net (frcls6118.frcl.bull.fr [129.182.109.213]) by k2.frcl.bull.fr (AIX4.2/UCB 8.7/8.7) with ESMTP id MAA44808; Thu, 15 Apr 1999 12:42:01 +0200 (DFT) Message-ID: <3715C296.E61B2CC6@bull.net> Date: Thu, 15 Apr 1999 12:42:30 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.06 [fr] (Win95; I) MIME-Version: 1.0 To: Petra Gloeckner <Petra.Gloeckner@darmstadt.gmd.de> CC: ietf-pkix@imc.org Subject: Re: New proposed solution to the QC biometric issue References: <199904141542.QAA20978@baboo.sse.ie> <3715B644.86B0E3A4@darmstadt.gmd.de> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Petra, It has been requested on the list to indicate the usage of such data.While this kind of information does not belong to the core document, it would nevertheless be interresting to place it in an informative annex. Hereafter is a first stone to build that section. This is not the single way to use the extension, but one way. From this, you can see the implications on the ASN1. Proposed text: " In some cases the subject name that is contained in a public key certificate may not be meaningful enough. This may happen because of the existence of synonyms or because of the use of pseudonyms. A distinction could be made if more attributes were present. However, adding more attributes to a public key certificate placed in a public repository would be going against privacy protection. In order to achieve a balance between these two opposite requirements the hash values of some additional attributes can be placed in a public key certificate. When these additional attributes are provided by the certificate owner, then they can be verified. Using biometric attributes may allow to unambiguously identify a person. There are two kinds of biometric attributes that can be used : a picture or a manual signature from the certificate owner. A picture can be used if the verifier once met the person and later on wants to verify that the certificate that he got is relative to the person which was met. In such a case, at the first exchange the picture is sent and the hash contained in the certificate may be used by the verifier to verify that it is the right person. At the next exchange the picture does not need to be sent again. A manual signatuere may be used if a signed document has been received before hand. In such a case, at the first exchange the drawing of the manual signature is sent and the hash contained in the certificate may be used by the verifier to verify that it is the right manual signature. At the next exchange the manual signature does not need to be sent again." >From these examples, it can be seen that a URI is not mandatory, but the name of the corresponding file would be usefull as well as the type of biometric information. As far as the typeOfBiometricData is concerned I would prefer an integer instead of an OID: it is shorter (when certificates are stored in smart cards) and we could expand the list of integers as needed. At the time being, two integers seem sufficient (picture or manual signature). Regards, Denis > Hi Stephen, > > Stephen Farrell wrote: > > > > - you'll need an algo id somewhere or you can't recalc. the > > hash > > yes, I agree. So I correct my ASN.1 definition of the BiometricData: > > BiometricData ::= SEQUENCE { > typeOfBiometricData OBJECT IDENTIFIER > hashalgorithm AlgorithmIdentifier > biometricDataHash OCTET STRING } > > > - you'll need to specify how the actual data is to be > > flattened before hash calculation (e.g. strip CR/LF or > > whatever), this could be incorporated with the > > algo id (so use a transform id) > > As I understood the whole discussion the reference data has been > provided before, i.e. it is already existing and pre-stored. > There is no new verification data which needs to be transformed > and compared against the reference data. The purpose of the > biometrics extension is just to verify by a signed message that > the provided reference data belongs to the certificate holder. > > Correct me, if I'm wrong! > > Petra Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id CAA10143 for ietf-pkix-bks; Thu, 15 Apr 1999 02:51:21 -0700 (PDT) Received: from sonne.darmstadt.gmd.de (sonne.darmstadt.gmd.de [141.12.62.20]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id CAA10137 for <ietf-pkix@imc.org>; Thu, 15 Apr 1999 02:51:18 -0700 (PDT) Received: from darmstadt.gmd.de (pc-ravenna [141.12.33.61]) by sonne.darmstadt.gmd.de (8.8.8/8.8.5) with ESMTP id LAA03591; Thu, 15 Apr 1999 11:50:27 +0200 (MET DST) Message-ID: <3715B644.86B0E3A4@darmstadt.gmd.de> Date: Thu, 15 Apr 1999 11:49:56 +0200 From: Petra Gloeckner <Petra.Gloeckner@darmstadt.gmd.de> X-Mailer: Mozilla 4.08 [en] (WinNT; I) MIME-Version: 1.0 To: Stephen Farrell <stephen.farrell@sse.ie> CC: Stefan Santesson <stefan@accurata.se>, ietf-pkix@imc.org Subject: Re: New proposed solution to the QC biometric issue References: <199904141542.QAA20978@baboo.sse.ie> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Hi Stephen, Stephen Farrell wrote: > > - you'll need an algo id somewhere or you can't recalc. the > hash yes, I agree. So I correct my ASN.1 definition of the BiometricData: BiometricData ::= SEQUENCE { typeOfBiometricData OBJECT IDENTIFIER hashalgorithm AlgorithmIdentifier biometricDataHash OCTET STRING } > - you'll need to specify how the actual data is to be > flattened before hash calculation (e.g. strip CR/LF or > whatever), this could be incorporated with the > algo id (so use a transform id) As I understood the whole discussion the reference data has been provided before, i.e. it is already existing and pre-stored. There is no new verification data which needs to be transformed and compared against the reference data. The purpose of the biometrics extension is just to verify by a signed message that the provided reference data belongs to the certificate holder. Correct me, if I'm wrong! Petra Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id AAA05923 for ietf-pkix-bks; Thu, 15 Apr 1999 00:39:31 -0700 (PDT) Received: from popmail.inbox.se (popmail.inbox.se [193.12.72.101]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id AAA05919 for <ietf-pkix@imc.org>; Thu, 15 Apr 1999 00:39:28 -0700 (PDT) Received: from stefan2 (accurata.inbox.se [193.12.72.24]) by popmail.inbox.se (8.9.3/8.9.3) with SMTP id JAA17048; Thu, 15 Apr 1999 09:39:22 +0200 Message-Id: <3.0.32.19990415093921.00a16760@mail.accurata.se> X-Sender: mb517@mail.accurata.se X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Thu, 15 Apr 1999 09:39:22 +0200 To: Stephen Farrell <stephen.farrell@sse.ie> From: Stefan Santesson <stefan@accurata.se> Subject: Re: New proposed solution to the QC biometric issue Cc: farrell@baboo.sse.ie, ietf-pkix@imc.org Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id AAA05920 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Good idea Stephen, I like the idea to include an URI, Im not so sure that the OID should be excluded though. But maybe the best thing would be to make both OID and URI optional. /Stefan At 04:42 PM 4/14/99 +0100, Stephen Farrell wrote: > >Stefan, > >Haven't followed this but a couple of thoughts occur: > >- if you're only storing a hash, how do I find the >original - maybe a URI is needed in addition > >- if you buy into the above, couldn't the URI replace >the OID (since e.g. a HTTP response has a MIME type >which identififes at least the syntax and also >identifies the transfer encoding of the actual data) > >- you'll need an algo id somewhere or you can't recalc. the >hash > >- you'll need to specify how the actual data is to be >flattened before hash calculation (e.g. strip CR/LF or >whatever), this could be incorporated with the >algo id (so use a transform id) > >Regards, >Stephen. > > ------------------------------------------------------------------- Stefan Santesson <stefan@accurata.se> Accurata Systemsäkerhet AB http://www.accurata.se Slagthuset Tel. +46-40 108588 211 20 Malmö Fax. +46-40 150790 Sweden Mobile +46-70 5247799 PGP fingerprint: 89BC 6C79 5B3D 591B 8547 1512 7D11 DBF4 528F 29A0 ------------------------------------------------------------------- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id XAA01440 for ietf-pkix-bks; Wed, 14 Apr 1999 23:24:52 -0700 (PDT) Received: from natasha1. (natasha-gw.checkpoint.com [199.203.73.129]) by mail.proper.com (8.8.8/8.8.5) with SMTP id XAA01435 for <ietf-pkix@imc.org>; Wed, 14 Apr 1999 23:24:49 -0700 (PDT) Received: from cale.checkpoint.com (gray.checkpoint.com [199.203.71.94]) by cale.checkpoint.com (8.9.1/8.9.1) with ESMTP id JAA28023; Thu, 15 Apr 1999 09:27:21 +0300 (IDT) Message-ID: <371585FE.E0A50949@cale.checkpoint.com> Date: Thu, 15 Apr 1999 09:23:58 +0300 From: Moshe Litvin <moshe@cale.checkpoint.com> X-Mailer: Mozilla 4.51 [en] (WinNT; I) X-Accept-Language: en MIME-Version: 1.0 To: Stephen Kent <kent@po1.bbn.com> CC: ietf-pkix@imc.org Subject: Re: CA vs. EE cert processing References: <v04020a17b331af2ed303@[128.33.238.98]> <v04020a0bb332fcbd7733@[128.33.238.98]> <v04020a01b33978524f43@[128.33.238.70]> Content-Type: multipart/mixed; boundary="------------9B79D27B2162F7F83D56B30F" Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This is a multi-part message in MIME format. --------------9B79D27B2162F7F83D56B30F Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Stephen Kent wrote: <snip> > As David pointed out, this analysis focuses on the wrong cert. The problem > is NOT for EE certs, but for CA certs. We need to determine if a cert is or > is not a CA cert when we encounter it along a path prior to the terminal > cert. <snip> Steve, The problem is determining weather a certificate is eligible to be in a certificate path prior to the terminal cert. That is, is it an EE certificate or a CA certificate. And the problem is what to do if the certificate doesn't contain the basicConstraints extension. Moshe --------------9B79D27B2162F7F83D56B30F Content-Type: text/x-vcard; charset=us-ascii; name="moshe.vcf" Content-Transfer-Encoding: 7bit Content-Description: Card for Moshe Litvin Content-Disposition: attachment; filename="moshe.vcf" begin:vcard n:Litvin;Moshe tel;fax:+972 3 5759256 tel;work:+972 3 7534601 x-mozilla-html:TRUE org:Check Point Software Technologies Ltd. adr:;;;;;; version:2.1 email;internet:moshe@CheckPoint.com fn:Moshe Litvin end:vcard --------------9B79D27B2162F7F83D56B30F-- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id PAA10829 for ietf-pkix-bks; Wed, 14 Apr 1999 15:46:57 -0700 (PDT) Received: from smtp.bankinter.es (dns.bankinter.es [195.235.30.34]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id PAA10825 for <ietf-pkix@imc.org>; Wed, 14 Apr 1999 15:46:48 -0700 (PDT) Received: from nexo.es (h029217.nexo.es [195.235.29.217]) by smtp.bankinter.es (8.8.8+Sun/8.8.8) with ESMTP id AAA13330; Thu, 15 Apr 1999 00:43:40 +0200 (MET DST) Message-ID: <3715190E.4C31B205@nexo.es> Date: Thu, 15 Apr 1999 00:39:10 +0200 From: Manuel Heras Gilsanz <mherasg@nexo.es> X-Mailer: Mozilla 4.5 [en] (Win95; I) X-Accept-Language: en MIME-Version: 1.0 To: Robert Zuccherato <robert.zuccherato@entrust.com> CC: Denis Pinkas <Denis.Pinkas@bull.net>, "'Jose A. Manas'" <jmanas@dit.upm.es>, ietf-pkix@imc.org, afd@fnmt.es Subject: Re: Time-Stamp: Why not use several hashes? References: <01E1D01C12D7D211AFC70090273D20B112BDBE@sothmxs06> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Robert, > I think that if a common hash function is broken (for example SHA-1) then no > signature created within that infrastructure, with that hash function can be > trusted, including the TSA's. Thus, I am reluctant to include multiple > hashes within the message imprint. It will not actually help if the hash > algorithm used to sign the token is broken. [...] I don't agree with you in the importance assigned to the hashes used in the request itself and those used in the signatures. I think both hashes have unequal impact on the process, for several reasons: -The digital signature is not necessarily the single evidence supporting the validity of time-stamp tokens; there could exist some form of linking, there could be inter-TSA cross-time-stamping, etc., and in these cases the weakest point in the architecture is the path from the user document to the TSA, i.e., the message imprint(s) provided by the user in the time-stamp request. [In fact, reliable time-stamping schemes can be devised without resort to digital signatures.] -Digital signatures can become obsolete (they will when the certificates of the user, the TSA and/or main CA expire), but in time-stamping operations time is essential, and TS-tokens should survive to the pass of time. If a hash were broken, the digital signatures could be re-issued (time is not essential in them), whereas time-stamps using this (single) algorithm for imprint generation would have to be invalidated. -Whereas there is (in principle) no imposed restriction on the structure of user documents to be time-stamped, the digitally signed constructs follow rigid definitions that limit the degrees of freedom in a search for collisions to a hash function. -New document imprints cannot be obtained without cooperation from the user, whereas additional digital signatures can be provided by the TSA independently. Therefore providing support for several message imprints in a single request would greatly reduce the need of user intervention, and would increase the time between renewals. > Also, as I stated earlier, if > certain individuals really want to do this, they can do it by defining a new > OID. In Section 2.1, "Requirements on the TSA" of the current TS PKIX draft, point 8 specifies that the OIDs of the hashes provided by the users must be analyzed by the TSA in order to check that they are "sufficiently secure"; this is a very important and appropriate requirement, introduced to prevent the use of potentially weak hashes. According to this requirement, users cannot (unilaterally) define new hash OIDs in order to aggregate several "normal" hashes into one, since these OIDs would be unknown to the TSA, and therefore rejected. Apart from this conflict with the requirements on TSA operation, I sincerely believe it is much easier to accomodate the multiple-imprints construct within the protocol structures, thus avoiding the need of agreeing on a full set of OIDs for multiple-hash functions. Best wishes, - Manuel - Robert Zuccherato wrote: > > > ---------- > > From: Jose A. Manas[SMTP:jmanas@dit.upm.es] > > Sent: Monday, April 12, 1999 4:24 AM > > To: Denis Pinkas > > Cc: Manuel Heras Gilsanz; ietf-pkix@imc.org; afd@fnmt.es > > Subject: Re: Time-Stamp: Why not use several hashes? > > > > Denis, > > I feel uneasy with both arguments. > > > > If a guy finds out how to provoke collisions on a hash functions, > > there is a serious temptation to exploit the hole before > > publishing it. Breaking a time-stamp infrastructure is a nice > > goal: you break it before anybody knows it can be broken, > > and then there is a difficult question about when the TSA was > > no longer to be trusted. > > > > I have some concern as well with respect to breaking a digital > > signature. If broken but time-stamped, > > a TSA can still prove that it was signed > > before it was breakable. But if you break the TSA itself, then > > there is no help. That about breaking the hash. > > > > Still, if you break the TSA signature, you have audit records > > (stored evidence in the TSA) to help you (as far as there are > > no collisions in the hash). > > > > Alltogether, I aim to say that breaking a hash does break down > > everything, and it sounds interesting to foresee the case. > > Allowing for several messageimprints sounds as a cheap end > > effective countermeasure. > > > > pp > > > > Denis Pinkas wrote: > > > > > > Manuel, > > > > > > We want to keep the protocol simple. The threat you mention can be > > countered > > > by another way: re-time-stamp later on with a new hash function. If > > SHA-1 > > > gets broken one day, this will not happen in just one day. Some > > > cryptographer will first find some weaknesses before you can really > > forge a > > > meaningfull message that has the same hash. So you get some time for > > > re-stamping. > > > > > > If this argument were used, then we should sign TWICE, i.e. in case one > > > digital signature algorithm was broken. We do not do that. There is no > > > reason to do it for the hash function. > > > > > > Regards, > > > > > > Denis > > > > > > > Hi. > > > > > > > > In the (now expired) latest PKIX draft on time-stamping protocols from > > > > Sept. 23, 1998, time-stamp requests and tokens support the insertion > > of > > > > a single message imprint. > > > > > > > > I think several message imprints should be supported. If a hash > > > > algorithm were broken, time-stamp tokens using it (as the single > > message > > > > imprint) would have to be regarded invalid (even if some kind of > > linking > > > > mechanism were implemented!). If several hashes had been used, the > > token > > > > would still be valid, and it could be promptly renewed in order to > > > > prevent invalidation should further advances in cryptography render > > > > other hashes obsolete! > > > > > > > > (One must be careful here: there are different extents to which a hash > > > > algorithm could be broken; in Appendix A of PKITS-D3 > > > > [http://www.fnmt.es/pkits] there is an interesting analysis of the > > > > implications that the different kinds of hash failures would have on > > the > > > > time-stamping process.) > > > > > > > > Of course the requirements on the time-stamp verification process > > would > > > > also have be modified to require ("MUST" level) *all* the hashes to > > > > correctly verify in order to regard the corresponding time-stamp token > > > > valid. > > > > > > > > Best regards, > > > > > > > > - Manuel - > > > > > > > > ---- > > > > Manuel Heras-Gilsanz (mherasg@nexo.es) > > > > Independent Security Consultant > > > > Phone: +34-629 07 53 31 > > > > -- -------------------------------------------------------- > > Prof. Jose A. Manas <jmanas@dit.upm.es> > > Dpt. Telematica http://www.dit.upm.es/~pepe > > E.T.S.I. Telecomunicacion tel: [+34] 91 336 73 25 > > Ciudad Universitaria gsm: [+34] 607 73 38 94 > > E-28040 Madrid, SPAIN fax: [+34] 91 336 73 33 > > Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id IAA05291 for ietf-pkix-bks; Wed, 14 Apr 1999 08:42:11 -0700 (PDT) Received: from mail0.sse.ie (mail0.sse.ie [193.120.32.47]) by mail.proper.com (8.8.8/8.8.5) with SMTP id IAA05287 for <ietf-pkix@imc.org>; Wed, 14 Apr 1999 08:42:09 -0700 (PDT) Received: from mail2.sse.ie by mail0.sse.ie; Wed, 14 Apr 1999 16:42:18 +0100 Received: from mail0.sse.ie (mail0.sse.ie) by mail2.sse.ie (Content Technologies SMTPRS 2.0.15) with ESMTP id <B0000021743@mail2.sse.ie>; Wed, 14 Apr 1999 16:42:12 +0100 Received: from baboo.sse.ie (root@baboo.sse.ie [193.120.32.109]) by mail0.sse.ie (8.9.1a/8.9.1) with ESMTP id QAA25946; Wed, 14 Apr 1999 16:42:06 +0100 (BST) Received: from baboo.sse.ie (farrell@baboo [193.120.32.109]) by baboo.sse.ie (8.9.1/8.9.1) with ESMTP id QAA20978; Wed, 14 Apr 1999 16:42:05 +0100 (BST) Message-Id: <199904141542.QAA20978@baboo.sse.ie> X-Mailer: exmh version 1.6.9 8/22/96 To: Stefan Santesson <stefan@accurata.se> Cc: farrell@baboo.sse.ie, ietf-pkix@imc.org Subject: Re: New proposed solution to the QC biometric issue In-Reply-To: Your message of "Wed, 14 Apr 1999 12:57:35 +0200." <3.0.32.19990414125735.00adf960@mail.accurata.se> MIME-Version: 1.0 Date: Wed, 14 Apr 1999 16:42:05 +0100 From: Stephen Farrell <stephen.farrell@sse.ie> Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Stefan, Haven't followed this but a couple of thoughts occur: - if you're only storing a hash, how do I find the original - maybe a URI is needed in addition - if you buy into the above, couldn't the URI replace the OID (since e.g. a HTTP response has a MIME type which identififes at least the syntax and also identifies the transfer encoding of the actual data) - you'll need an algo id somewhere or you can't recalc. the hash - you'll need to specify how the actual data is to be flattened before hash calculation (e.g. strip CR/LF or whatever), this could be incorporated with the algo id (so use a transform id) Regards, Stephen. Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id IAA04868 for ietf-pkix-bks; Wed, 14 Apr 1999 08:16:04 -0700 (PDT) Received: from clbull.frcl.bull.fr (clbull.frcl.bull.fr [129.182.1.20]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id IAA04864 for <ietf-pkix@imc.org>; Wed, 14 Apr 1999 08:16:01 -0700 (PDT) Received: from k2.frcl.bull.fr (k2.frcl.bull.fr [129.182.100.2]) by clbull.frcl.bull.fr (8.9.1a/8.9.1) with ESMTP id RAA24136; Wed, 14 Apr 1999 17:16:21 +0200 Received: from bull.net (frcls6118.frcl.bull.fr [129.182.109.213]) by k2.frcl.bull.fr (AIX4.2/UCB 8.7/8.7) with ESMTP id RAA26216; Wed, 14 Apr 1999 17:16:20 +0200 (DFT) Message-ID: <3714B15D.C28B9FB5@bull.net> Date: Wed, 14 Apr 1999 17:16:45 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.06 [fr] (Win95; I) MIME-Version: 1.0 To: Stefan Santesson <stefan@accurata.se> CC: ietf-pkix@imc.org Subject: Re: New proposed solution to the QC biometric issue References: <3.0.32.19990414125735.00adf960@mail.accurata.se> Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Content-Transfer-Encoding: 8bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Stefan, I welcome and support your proposal in general. > All, > > The long debate regarding biometric data in Qualified certificates ended > with the conclusion: > > "For bio-metric data to be included in the QC, the list has to provide an > agreeable solution that can enhance interoperability in some meaningful > way. Until then this issue will not be addressed in the profile." > > Well, since then I have had a lot of off list discussions ending up in a > new conclusion: > > 1) It could be valuable to include support for biometric data aimed for > human verification (not machine verification), e.g. human verification of > picture image or signature image. In fact face recognition and signature > recognition are regarded as the two major implementations which justify > this proposed expansion of the draft. I would propose that we limit our goal, for the time being, to these two biometric features which seem indeed enough. > 2) The supported solution should only address storage of a hash value of > biometric data. This would provide all necessary functionality for > authenticating bio-data without loading the certificates to much. Correct. > 3) Storage of bio-data-hash should NOT be done in the PersonalData field > since this data is conceptually different from id-attributes. Further, > since bio-data need storage of 2 parameters (OID + hash), those values > can't be stored in a single predefined attribute. Instead a new optional > extension should be defined for this purpose. I agree. > Petra Glöckner has prepared a proposal for this new extension in QC as > follows: I have several minor concerns with this following ASN1 proposal, but I will wait a little bit to see other responses before commenting any further. Thanks again for your efforts for trying to find a consensus, Regards, Denis > Extension ::= SEQUENCE { > extnId OBJECT IDENTIFIER, > critical BOOLEAN DEFAULT FALSE, > extnValue OCTET STRING } > > biometric EXTENSION ::= { > SYNTAX BiometricSyntax > IDENTIFIED BY id-qext-biometric } > > id-qext-biometric OBJECT IDENTIFIER ::= {id-qext xx} > > BiometricSyntax ::= SEQUENCE OF BiometricData > > BiometricData ::= SEQUENCE { > typeOfBiometricData OBJECT IDENTIFIER > biometricDataHash OCTET STRING } > > So with this concrete proposal I would like to reopen the issue for > comments on this. > Consequently I will move this issue to the unsettled topics on the QC web ( > http://www.accurata.se/QC/ ) > > /Stefan > ------------------------------------------------------------------- > Stefan Santesson <stefan@accurata.se> > Accurata Systemsäkerhet AB http://www.accurata.se > Slagthuset Tel. +46-40 108588 > 211 20 Malmö Fax. +46-40 150790 > Sweden Mobile +46-70 5247799 > > PGP fingerprint: 89BC 6C79 5B3D 591B 8547 1512 7D11 DBF4 528F 29A0 > ------------------------------------------------------------------- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id IAA04791 for ietf-pkix-bks; Wed, 14 Apr 1999 08:12:16 -0700 (PDT) Received: from smtp.udac.net (smtp.udac.net [193.44.79.123]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id IAA04784 for <ietf-pkix@imc.org>; Wed, 14 Apr 1999 08:12:12 -0700 (PDT) Received: from caesar.udac.se (caesar.udac.se [193.44.79.10]) by smtp.udac.net (8.9.1/8.9.1) with ESMTP id RAA04060 for <ietf-pkix@imc.org>; Wed, 14 Apr 1999 17:12:19 +0200 Received: from HYDRA ([195.198.186.77]) by caesar.udac.se (8.7.3/NetworkC-1) with SMTP id RAA70700; Wed, 14 Apr 1999 17:12:17 +0200 Received: by HYDRA with Microsoft Mail id <01BE8699.F270F580@HYDRA>; Wed, 14 Apr 1999 17:12:16 +0200 Message-ID: <01BE8699.F270F580@HYDRA> From: Anders Rundgren <anders.rundgren@jaybis.com> To: "ietf-pkix@imc.org" <ietf-pkix@imc.org>, "'Stefan Santesson'" <stefan@accurata.se> Subject: RE: New proposed solution to the QC biometric issue Date: Wed, 14 Apr 1999 17:12:14 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id IAA04788 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> <snip> Stefan, This is a little bit like the DS issue. Without any specified infrastructure the inclusion of hashed biometrics in QCs becomes too theoretical. Being the originator of the request for biometric data in QCs I feel bad about the idea of hash of biometrics since this is very inconvenient (my guess) compared to store the real thing in "signed, certified, structured, container" that a certificate is. If this is "all we get" you could IMO equally well drop it entirely as all serious implementers will probably use other measures to achieve the functionality required. For an almost complete down-to-earth ASN.1-free solution trying solve today's problems with current technology, please look into: http://www.mobilephones-tng.com/papers/idcards.html This solution is (mainly) intended for use locally in banks, security controls etc. where you want to know that the bearer of a card is the person it was issued for. Not exactly rocket-science (application-wise) but pretty useful anyway. And unlike current photo-cards impossible to forge. But I do believe that fully automatic fingerprint verification as a COMPLEMENT to the ID-cert and PIN-code would work wonders in entrance controls. To steal both a person's card, PIN-code AND forge a "finger emulator" seems pretty hard. Actually there is a much bigger risk associated with persons you trust which no digital signature, biometric or whatever has a cure for! The presented solution works fine with current smart-card technology which I also find important since most QCs will probably be stored in such. Regards Anders Rundgren Senior Internet e-commerce Architect +46 70 - 627 74 37 PS If you insist on the hash scheme I think that it makes sense to write a simple spec. on how you meant that it should work as well. There is a bit more to biometrics than just ASN.1-code... DS >Well, since then I have had a lot of off list discussions ending up in a >new conclusion: >1) It could be valuable to include support for biometric data aimed for >human verification (not machine verification), e.g. human verification of >picture image or signature image. In fact face recognition and signature >recognition are regarded as the two major implementations which justify >this proposed expansion of the draft. >2) The supported solution should only address storage of a hash value of >biometric data. This would provide all necessary functionality for >authenticating bio-data without loading the certificates to much. >3) Storage of bio-data-hash should NOT be done in the PersonalData field >since this data is conceptually different from id-attributes. Further, >since bio-data need storage of 2 parameters (OID + hash), those values >can't be stored in a single predefined attribute. Instead a new optional >extension should be defined for this purpose. >Petra Glöckner has prepared a proposal for this new extension in QC as >follows: >Extension ::= SEQUENCE { >extnId OBJECT IDENTIFIER, >critical BOOLEAN DEFAULT FALSE, >extnValue OCTET STRING } >biometric EXTENSION ::= { >SYNTAX BiometricSyntax >IDENTIFIED BY id-qext-biometric } >id-qext-biometric OBJECT IDENTIFIER ::= {id-qext xx} >BiometricSyntax ::= SEQUENCE OF BiometricData >BiometricData ::= SEQUENCE { >typeOfBiometricData OBJECT IDENTIFIER >biometricDataHash OCTET STRING } >So with this concrete proposal I would like to reopen the issue for >comments on this. Thanx! Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id IAA04650 for ietf-pkix-bks; Wed, 14 Apr 1999 08:02:18 -0700 (PDT) Received: from THOR.INNOSOFT.COM (SYSTEM@THOR.INNOSOFT.COM [192.160.253.66]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id IAA04645 for <ietf-pkix@imc.org>; Wed, 14 Apr 1999 08:02:17 -0700 (PDT) Received: from threadgill.austin.innosoft.com ([207.8.108.5]) by INNOSOFT.COM (PMDF V5.2-32 #30494) with ESMTP id <01JA0LCPRV6Y8WWPKD@INNOSOFT.COM> for ietf-pkix@imc.org; Wed, 14 Apr 1999 08:01:39 PDT Received: from threadgill.austin.innosoft.com (threadgill.austin.innosoft.com [207.8.108.5]) by austin.innosoft.com (PMDF V5.2-30 #13579) with SMTP id <0FA600DG3PQ80A@austin.innosoft.com>; Wed, 14 Apr 1999 10:01:20 -0500 (CDT) Date: Wed, 14 Apr 1999 10:01:20 -0500 From: Mark Wahl <M.Wahl@INNOSOFT.COM> Subject: Re: Double quotes in DNs In-reply-to: "Your message of Wed, 14 Apr 1999 11:03:13 +0200." <3.0.32.19990414110312.010c3490@mail.cost.se> To: Martin =?iso-8859-1?Q?Lindstr=F6m?= <martin@cost.se> Cc: ietf-pkix@imc.org, daniel@cost.se, dpn@bbn.com, rmasters@bbn.com Message-id: <5988.924102080@threadgill.austin.innosoft.com> MIME-version: 1.0 X-Mailer: exmh version 2.0.2 2/24/98 Content-type: text/plain; charset=us-ascii Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> RFC 2253, which obsoletes RFC 1779, describes in section 2.4 the procedure by which an ASN.1 attribute value is converted to a string. You do not need to have a double quote as part of the _attribute_value_ for your O. The double quote is automatically added by the process of converting an X.500 DN encoding (BER) to an LDAP DN encoding (BNF). Thesefore the PrintableString character set is suitable, just use Martin Lindstrom, Creative Computing as the value. Mark Wahl, Directory Product Architect Innosoft International, Inc. Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id GAA03824 for ietf-pkix-bks; Wed, 14 Apr 1999 06:59:15 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id GAA03820 for <ietf-pkix@imc.org>; Wed, 14 Apr 1999 06:59:14 -0700 (PDT) Received: from [128.33.238.50] (TC101.BBN.COM [128.33.238.101]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id JAA13067; Wed, 14 Apr 1999 09:59:20 -0400 (EDT) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Message-Id: <v04020a05b33a4da98bab@[128.33.238.50]> In-Reply-To: <D1A949D4508DD1119C8100400533BEDC0E2B5C@DSG1> Date: Wed, 14 Apr 1999 09:55:35 -0400 To: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au> From: Stephen Kent <kent@po1.bbn.com> Subject: RE: CA vs. EE cert processing Cc: "'ietf-pkix@imc.org '" <ietf-pkix@imc.org> Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Alan, > >I am also surprised that with the number of X.500 specialists on this >list that they are not saying that X.509 has errors. >I think most of think that X.509 is a standard that provides a >transition strategy to the use of extensions. And RFC 2450 is a profile >(hence its title) that determines how (repeat HOW) that standard is >used. >If the profile reflects an ambiguity (which is deemed by a few) in the >standard, then the profile document has failed. > >Simple isnt it. Simplie or simplistic :-). Based on my quite a few years of experience in the IETF community, I'd say that tone and duration of this message exchange have deterred many people from joining in. I have received several private messages expressing support for the position I have stated, but these, and probably other folks, don't want to become engaged in a protracted e-mail exchange of this sort. I've submitted a defect report to the X.509 editor and the matter will be addressed at the meeting next week. I suggest we not waste time on the list until we hear from the X.509 folks. steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id GAA03526 for ietf-pkix-bks; Wed, 14 Apr 1999 06:32:41 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id GAA03522 for <ietf-pkix@imc.org>; Wed, 14 Apr 1999 06:32:40 -0700 (PDT) Received: from [128.33.238.50] (TC050.BBN.COM [128.33.238.50]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id JAA01736; Wed, 14 Apr 1999 09:31:29 -0400 (EDT) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Sender: kent@po1.bbn.com (Unverified) Message-Id: <v04020a03b3397f4ef32b@[128.33.238.70]> In-Reply-To: <D1A949D4508DD1119C8100400533BEDC0BE97D@DSG1> Date: Wed, 14 Apr 1999 09:29:06 -0400 To: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au> From: Stephen Kent <kent@po1.bbn.com> Subject: RE: SEIS: RE: Certificates, Directories, and Distinguished Names Cc: ietf-pkix@imc.org, list@seis.nc-forum.com Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Alan, >Stephen - in all your words you never seem to come to grips with the >fact that X.509 is not ambigious in so far that it permits systems to be >built without certificate extensions - and for those build such systems >to determine by local means or imply what is a EE or a CA cert and what >use that cert has (eg for message verification or cert verification).. >X.509 - was written some years ago and it correctly (a a standard >should) provided a transition path to the use of cert extensions. Vome on Alan, we're talking about changes only with regard to X.509 v3. >RFC 2459 came along some time later as a profile and just the fact that >people are discussing the issue in 2459 and it is unclear - means there >is a problem - in the Profile. 2459 did not come along much later than the adoption of X.509 v3. And, no, there is not a profile problem, as too many previous messages have show in detail. <text not contributing to resolution of the issue deleted ...> Steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id GAA03502 for ietf-pkix-bks; Wed, 14 Apr 1999 06:31:22 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id GAA03498 for <ietf-pkix@imc.org>; Wed, 14 Apr 1999 06:31:19 -0700 (PDT) Received: from [128.33.238.50] (TC050.BBN.COM [128.33.238.50]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id JAA01760; Wed, 14 Apr 1999 09:31:35 -0400 (EDT) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Sender: kent@po1.bbn.com (Unverified) Message-Id: <v04020a04b33980a04290@[128.33.238.70]> In-Reply-To: <37105050.1C542DCE@cale.checkpoint.com> References: <v04020a18b331b07b2125@[128.33.238.98]> <v04020a0ab332fc3d5915@[128.33.238.98]> Date: Tue, 13 Apr 1999 19:20:03 -0400 To: Moshe Litvin <moshe@cale.checkpoint.com> From: Stephen Kent <kent@po1.bbn.com> Subject: Re: CA vs. EE cert processing Cc: ietf-pkix@imc.org Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Moshe, >If PKIX mandated inclusion of basicConstraint then PKIX CA would issue >certificates that are unambiguous to every X.509v3 verifier. The verifier need >to know that the CA is a PKIX only if the certificate doesn't contain the >extension. Once the extension is in the certificate the ambiguity disappear. Yes, all of our certs would be unambiguous, but, as I have said several times before, the problem would exist for PKIX-compliant verifiers. So, I am not pursuing a partial solution. >PKIX chose to signal EE certificate by the absence of the extension, a way >that >require out of band knowledge. > >Based on this analyses I call PKIX broken. You can tell that it is X.509 >fault, >but PKIX failed to fix it, when it could easily make things much better. But, that would be a wrong conclusion. remember, what a verifier needs is an ability to unambiguously identify CA certs, not EE certs, and we did that. PKIX fixed the problem that X.509 presented in so far as making CA certs unambiguous. >Mandating a basicConstraint is not the only way for removing that ambiguity. >PKIX can mandate inclusion of a keyUsage extension or of a policy OID that >specify that this is a PKIX certificate. Both of this solutions allows >processing of the certificate without out of band knowledge, but I think that >the basicConstraint way is simpler. Yes, we could trigger on other extensions, but I think that misses the point, i.e., X.509 needs to be fixed. Steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id GAA03494 for ietf-pkix-bks; Wed, 14 Apr 1999 06:31:13 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id GAA03490 for <ietf-pkix@imc.org>; Wed, 14 Apr 1999 06:31:11 -0700 (PDT) Received: from [128.33.238.50] (TC050.BBN.COM [128.33.238.50]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id JAA01702; Wed, 14 Apr 1999 09:31:17 -0400 (EDT) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Sender: kent@po1.bbn.com (Unverified) Message-Id: <v04020a01b33978524f43@[128.33.238.70]> In-Reply-To: <3711BD91.966B976@cale.checkpoint.com> References: <v04020a17b331af2ed303@[128.33.238.98]> <v04020a0bb332fcbd7733@[128.33.238.98]> Date: Wed, 14 Apr 1999 09:26:12 -0400 To: Moshe Litvin <moshe@cale.checkpoint.com> From: Stephen Kent <kent@po1.bbn.com> Subject: Re: CA vs. EE cert processing Cc: ietf-pkix@imc.org Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Moshe, <snip> >> I agree that a CA could put the extension in all certs and thus be able to >> say "not my fault; I did what I could." But this does not address the >> verifier problem in other than a heuristic fashion. > >Why? If a certificate contain the extension no heuristics are necessary for >validating this certificate. If a CA put the basicConstraint extension in >all the >certificate that it issues than no certificate that the CA issues needs >heuristics >to process it. I think you're veering away from the core problem here. If we assume a PKIX-only environment, then we have no ambiguity. if we assume a mixed 2459 and X.509 environment, then we have ambuguity and a 2459 change cannot unilaterally fix it. (By the way, your last sentence should read "then the certificate verifier ..." not "then the CA ...") >> I want to >> deterministic solution to the problem, and the suggested change to 2459 >> does not yield that. > >The suggested solution is not complete but it is very deterministic. If it >will be >accepted in its strongest form (MUST put basicConstraint in all the >certificate) >then no PKIX CA will issue a certificate that needs heuristics by X.509 >verifier >(be it PKIX, other profile or raw X.509). > >A CA can create unambiguous certificates. We should encourage them to do so. Again, we seem to be loosing track on the context. Certs issued in compliance with 2459 are unambiguous, relative to that standard. <snip> > >The verifier has the ambiguity, but the CA can help him solve it. The >verifier code >will have some kind of heuristics but they won't be triggered if the CA will >produce unambiguous certificates. It can help, but a partial solution is not very satisfying and I am not persuaded that we should change 2459 to address a problem that can be solved by a change to another, equally newly issued standard. <snip> >> If we were willing to posit that no such >> CAs will exist, then we would not have a problem, because in a purely >> 2459-compliant system (CAs and verifiers) there is not ambiguity. You seem >> to be switching perspectives in analyzing this issue. > >No my perspective is fixed. I think that a CA should assume as little as >possible >of a possible verifier namely: > >1. Correct DER decoding >2. Correct handling of the basic X.509 fields. >3. Considering a certificate as invalid if it cannot correctly handle a >critical >extension. > >A CA is not limited to creating certificates that can be validated by the >minimal >verifier but it should try to make sure that if the minimal verifier cannot >correctly validate the certificate it will fail validation. X.509 >provides the >mechanism for doing so in the critical flag. > >With this model we can compare both options for basicConstraint. We have 3 >types of >minimal verifiers with respect to the basicConstraint: > >A. Verifier that does not understand basicConstraint. >B. A verifier that understand basicConstraint. >C. A verifier that is PKIX compliant and knows by out of band means that >so is the >CA > >We also have 3 types of EE certificate: > >i. Without basicConstraint >ii. With non-critical basicConstraint >iii. With critical basicConstraint > >You can complete the table and see in which combination the verifier can >identify >the certificate as EE certificate and where it could have accepted it as a CA >certificate. As David pointed out, this analysis focuses on the wrong cert. The problem is NOT for EE certs, but for CA certs. We need to determine if a cert is or is not a CA cert when we encounter it along a path prior to the terminal cert. <snip> >> X.509 failed to solve this problem because it permits compliant CAs to >> never include basicConstraints, thus creating the ambiguity. The notes >> fail to fix the problem, because they just "recommend" what to do. In the >> IETF we try to be very careful in our use of the magir words >> MUST/SHOULD/MAY to avoid these problems. >> > >I think that recommended is a similar to SHOULD, maybe to MAY. I don't >think that >it is "SHOULD NOT", but english isn't my mother's tongue. > >My question is still open - why PKIX chose to ignore the recommendation and >invented private semantics? > >X.509 offered a standard syntax , if that wasn't enough we could use private >syntax. But using private semantics is the worse option. You are criticising PKIX for not following a recommendation of X.509, but if 2459 had done so, and merely recommended inclusion of the extension in EE certs, there would still be ambiguity because a compliant implementation could still choose to not to include the extenstion for EE certs. 2459 fixed part of the ambiguity created in X.509, by mandating the extension in CA certs, which are the certs that we have to establish are authorized to be the issuer in subordinate certs. X.509 created the ambiguity; this fact is not debatable and I do not plan to spend any more time on arguments of this form. steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id FAA02117 for ietf-pkix-bks; Wed, 14 Apr 1999 05:42:51 -0700 (PDT) Received: from popmail.inbox.se (popmail.inbox.se [193.12.72.101]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id FAA02111 for <ietf-pkix@imc.org>; Wed, 14 Apr 1999 05:42:49 -0700 (PDT) Received: from stefan2 (accurata.inbox.se [193.12.72.24]) by popmail.inbox.se (8.9.3/8.9.3) with SMTP id MAA09715 for <ietf-pkix@imc.org>; Wed, 14 Apr 1999 12:57:36 +0200 Message-Id: <3.0.32.19990414125735.00adf960@mail.accurata.se> X-Sender: mb517@mail.accurata.se X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Wed, 14 Apr 1999 12:57:35 +0200 To: ietf-pkix@imc.org From: Stefan Santesson <stefan@accurata.se> Subject: New proposed solution to the QC biometric issue Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id FAA02113 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> All, The long debate regarding biometric data in Qualified certificates ended with the conclusion: "For bio-metric data to be included in the QC, the list has to provide an agreeable solution that can enhance interoperability in some meaningful way. Until then this issue will not be addressed in the profile." Well, since then I have had a lot of off list discussions ending up in a new conclusion: 1) It could be valuable to include support for biometric data aimed for human verification (not machine verification), e.g. human verification of picture image or signature image. In fact face recognition and signature recognition are regarded as the two major implementations which justify this proposed expansion of the draft. 2) The supported solution should only address storage of a hash value of biometric data. This would provide all necessary functionality for authenticating bio-data without loading the certificates to much. 3) Storage of bio-data-hash should NOT be done in the PersonalData field since this data is conceptually different from id-attributes. Further, since bio-data need storage of 2 parameters (OID + hash), those values can't be stored in a single predefined attribute. Instead a new optional extension should be defined for this purpose. Petra Glöckner has prepared a proposal for this new extension in QC as follows: Extension ::= SEQUENCE { extnId OBJECT IDENTIFIER, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING } biometric EXTENSION ::= { SYNTAX BiometricSyntax IDENTIFIED BY id-qext-biometric } id-qext-biometric OBJECT IDENTIFIER ::= {id-qext xx} BiometricSyntax ::= SEQUENCE OF BiometricData BiometricData ::= SEQUENCE { typeOfBiometricData OBJECT IDENTIFIER biometricDataHash OCTET STRING } So with this concrete proposal I would like to reopen the issue for comments on this. Consequently I will move this issue to the unsettled topics on the QC web ( http://www.accurata.se/QC/ ) /Stefan ------------------------------------------------------------------- Stefan Santesson <stefan@accurata.se> Accurata Systemsäkerhet AB http://www.accurata.se Slagthuset Tel. +46-40 108588 211 20 Malmö Fax. +46-40 150790 Sweden Mobile +46-70 5247799 PGP fingerprint: 89BC 6C79 5B3D 591B 8547 1512 7D11 DBF4 528F 29A0 ------------------------------------------------------------------- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id EAA00142 for ietf-pkix-bks; Wed, 14 Apr 1999 04:00:45 -0700 (PDT) Received: from dsg1.OpenDirectory.com.au ([203.108.249.145]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id EAA00137 for <ietf-pkix@imc.org>; Wed, 14 Apr 1999 04:00:37 -0700 (PDT) Received: by DSG1 with Internet Mail Service (5.0.1458.49) id <26MCL9FN>; Wed, 14 Apr 1999 21:00:38 +1000 Message-ID: <D1A949D4508DD1119C8100400533BEDC0E2B5C@DSG1> From: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au> To: "'John_Wray@iris.com '" <John_Wray@iris.com>, "'Stephen Kent '" <kent@po1.bbn.com> Cc: "'ietf-pkix@imc.org '" <ietf-pkix@imc.org> Subject: RE: CA vs. EE cert processing Date: Wed, 14 Apr 1999 21:00:37 +1000 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Comments Steve wrote: Itoo am surprised that there is disagreement, but about the need to change X.509, not to change 2459. PKIX is new, but X.509 for v3 is essentially just as new. an argument based on deployed PKIX vs. X.509 v3 compliant systems does not hold water. I object to the notion that we should change 2459 to compensate for what strikes me as an oversight in X.509. Steve I am also surprised that with the number of X.500 specialists on this list that they are not saying that X.509 has errors. I think most of think that X.509 is a standard that provides a transition strategy to the use of extensions. And RFC 2450 is a profile (hence its title) that determines how (repeat HOW) that standard is used. If the profile reflects an ambiguity (which is deemed by a few) in the standard, then the profile document has failed. Simple isnt it. regards alan Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id CAA24881 for ietf-pkix-bks; Wed, 14 Apr 1999 02:02:37 -0700 (PDT) Received: from marcellus.cost.se (marcellus.cost.se [195.100.88.66]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id CAA24877 for <ietf-pkix@imc.org>; Wed, 14 Apr 1999 02:02:33 -0700 (PDT) Received: from roger ([10.0.0.20]) by marcellus.cost.se (8.9.3/8.9.3) with SMTP id KAA11027; Wed, 14 Apr 1999 10:59:15 +0200 (MET DST) Message-Id: <3.0.32.19990414110312.010c3490@mail.cost.se> X-Sender: martin@mail.cost.se X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Wed, 14 Apr 1999 11:03:13 +0200 To: ietf-pkix@imc.org From: Martin =?iso-8859-1?Q?Lindstr=F6m?= <martin@cost.se> Subject: Double quotes in DNs Cc: daniel@cost.se, dpn@bbn.com, rmasters@bbn.com Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id CAA24878 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> I've got a concrete question about using double quotes '"' as parts of a distinguished name. Suppose I want my Organization to be: Martin Lindstrom, Creative Computing. Since the attribute value contains a ',' character i put the string within quotes (as stated in RFC1779). O="Martin Lindstrom, Creative Computing". RFC2459 has a rule (4.1.2.4) of how to choose which ASN.1 string to use from the CHOICE structure DirectoryString, and I start trying to use a PrintableString. If the double quotes were to be part of the coding I can't use a PrintableString (since '"' characters are not part of the PrintableString set according to X.680), but would have to use a BMPString. On the other hand, I could remove the double quotes before I encode the DN and encode the Organization attribute as a PrintableString. But this leads to that I have to, when I decode, parse the names in the DN to find out if I have to put back any removed double quotes. If I didn't put back the double quotes, I would not have a DN which is valid according to RFC1779 anymore. OK, the question would be: "Should double quotes be part of an encoding or not?". Regards Martin Lindström ______________________________________ Entegrity Solutions Martin Lindström Senior Systems Engineer Finlandsgatan 60 S-164 74 Kista, Sweden Direct: +46-(0)8-477-7735 Fax: +46-(0)8-477-7731 Cell: +46-(0)70-483-0024 ______________________________________ Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id BAA24802 for ietf-pkix-bks; Wed, 14 Apr 1999 01:58:56 -0700 (PDT) Received: from nexus.webmatic.de (nexus.webmatic.de [195.206.76.2]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id BAA24798 for <ietf-pkix@imc.org>; Wed, 14 Apr 1999 01:58:55 -0700 (PDT) Received: from chappi.deh.de (chappi.deh.de [195.206.79.60]) by nexus.webmatic.de (Postfix) with ESMTP id E59194D; Wed, 14 Apr 1999 10:59:16 +0200 (CEST) Received: from deh.de (juergen.deh.de [195.206.79.54]) by chappi.deh.de (8.9.0/8.9.0) with ESMTP id KAA24457; Wed, 14 Apr 1999 10:59:22 +0200 Message-ID: <371458FF.A0E3AD73@deh.de> Date: Wed, 14 Apr 1999 10:59:43 +0200 From: Juergen Walter <walter@deh.de> Reply-To: walter@deh.de Organization: DEH information systems GmbH X-Mailer: Mozilla 4.51 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: "Jim Schaad (Exchange)" <jimsch@exchange.microsoft.com>, Carlisle Adams <carlisle.adams@entrust.com>, "IETF-PKIX (E-mail)" <ietf-pkix@imc.org> Subject: Re: New CMC Draft available - Confirmation Message References: <2FBF98FC7852CF11912A0000000000010ECB5E54@DINO> Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Carlisle, Jim Comments in line. "Jim Schaad (Exchange)" wrote: > > Juergen, > > The problem that I have with this approach is that there is no way of > knowing what the delay is going to be on the acceptance showing up on at the > CA. (Nor do all transport mechinisms guantee delivery.) Thus a client can > think it did accept a certificate and the CA can reach an opposite > conclusion. If the client asks for revocation, it can later check to make > sure that this operation occured. As Carlisle mentioned I prefer to publish the certificate in a repository (database, directory, OCSP server) after the client had explicitly confirmed when required. Whether the repository is public or intended for a closed user group it doesn´t matter, at least the client itself should have access to its own certificate (status information). In PKIs there no repository exists one may use the certification announcement message for that purpose. In both cases the client may check its confirmation. I agree with Jim that a rejected certificate has to be revoked even if has not been published yet when it was sent to the client. The revocation request message is sufficiently, when we consider PKIs where no confirmation message is required. But if this explicite confirmation is required, no message format is available in the current CMP draft. The first application of the issued certificate e. g. in a signned S/MIME message may indicate clients confirmation why the certificate is enclosed in the S/MIME message. Is this an explicite confirmation? I am not sure. Alternatively, the client may send its certificate to a repository. If the repository is triggered by clients "publication request" then it may be an explicite confirmation. Have we specified or planned an appropriate message yet? The current publication info is contained in the certification request before the certificate is issued, isn´t it? I would like to propose that the confirmation message in CMP should be replaced by a message that allows the client to confirm explicitly or to reject its certificate if appropriate. I believe that the current protocol design of CMP: 1: initial request: EE -> CA 2: initial response: CA -> EE 3: confirmation: EE -> CA when confirmed, 3´: revocation request: CA -> EE when rejected ... may be improved by the proposed new message. Last but not least. Have we already specified an appropriate revocation reason that may occur after certificate issuing when the revocation request is applied? Juergen [snip] Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id AAA21521 for ietf-pkix-bks; Wed, 14 Apr 1999 00:03:34 -0700 (PDT) Received: from clbull.frcl.bull.fr (clbull.frcl.bull.fr [129.182.1.20]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id AAA21513 for <ietf-pkix@imc.org>; Wed, 14 Apr 1999 00:03:24 -0700 (PDT) Received: from k2.frcl.bull.fr (k2.frcl.bull.fr [129.182.100.2]) by clbull.frcl.bull.fr (8.9.1a/8.9.1) with ESMTP id JAA20142 for <ietf-pkix@imc.org>; Wed, 14 Apr 1999 09:03:43 +0200 Received: from bull.net (frcls6118.frcl.bull.fr [129.182.109.213]) by k2.frcl.bull.fr (AIX4.2/UCB 8.7/8.7) with ESMTP id JAA30028 for <ietf-pkix@imc.org>; Wed, 14 Apr 1999 09:03:37 +0200 (DFT) Message-ID: <37143DE3.FD7B8F1B@bull.net> Date: Wed, 14 Apr 1999 09:04:03 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.06 [fr] (Win95; I) MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: Time-Stamp: Why not use several hashes? References: <01E1D01C12D7D211AFC70090273D20B112BDBE@sothmxs06> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> > I think that if a common hash function is broken (for example SHA-1) then no > signature created within that infrastructure, with that hash function can be > trusted, including the TSA's. I concur with Robert. > Thus, I am reluctant to include multiple > hashes within the message imprint. Me too. Regards, Denis > It will not actually help if the hash > algorithm used to sign the token is broken. Also, as I stated earlier, if > certain individuals really want to do this, they can do it by defining a new > OID. > > > ---------- > > From: Jose A. Manas[SMTP:jmanas@dit.upm.es] > > Sent: Monday, April 12, 1999 4:24 AM > > To: Denis Pinkas > > Cc: Manuel Heras Gilsanz; ietf-pkix@imc.org; afd@fnmt.es > > Subject: Re: Time-Stamp: Why not use several hashes? > > > > Denis, > > I feel uneasy with both arguments. > > > > If a guy finds out how to provoke collisions on a hash functions, > > there is a serious temptation to exploit the hole before > > publishing it. Breaking a time-stamp infrastructure is a nice > > goal: you break it before anybody knows it can be broken, > > and then there is a difficult question about when the TSA was > > no longer to be trusted. > > > > I have some concern as well with respect to breaking a digital > > signature. If broken but time-stamped, > > a TSA can still prove that it was signed > > before it was breakable. But if you break the TSA itself, then > > there is no help. That about breaking the hash. > > > > Still, if you break the TSA signature, you have audit records > > (stored evidence in the TSA) to help you (as far as there are > > no collisions in the hash). > > > > Alltogether, I aim to say that breaking a hash does break down > > everything, and it sounds interesting to foresee the case. > > Allowing for several messageimprints sounds as a cheap end > > effective countermeasure. > > > > pp > > > > Denis Pinkas wrote: > > > > > > Manuel, > > > > > > We want to keep the protocol simple. The threat you mention can be > > countered > > > by another way: re-time-stamp later on with a new hash function. If > > SHA-1 > > > gets broken one day, this will not happen in just one day. Some > > > cryptographer will first find some weaknesses before you can really > > forge a > > > meaningfull message that has the same hash. So you get some time for > > > re-stamping. > > > > > > If this argument were used, then we should sign TWICE, i.e. in case one > > > digital signature algorithm was broken. We do not do that. There is no > > > reason to do it for the hash function. > > > > > > Regards, > > > > > > Denis > > > > > > > Hi. > > > > > > > > In the (now expired) latest PKIX draft on time-stamping protocols from > > > > Sept. 23, 1998, time-stamp requests and tokens support the insertion > > of > > > > a single message imprint. > > > > > > > > I think several message imprints should be supported. If a hash > > > > algorithm were broken, time-stamp tokens using it (as the single > > message > > > > imprint) would have to be regarded invalid (even if some kind of > > linking > > > > mechanism were implemented!). If several hashes had been used, the > > token > > > > would still be valid, and it could be promptly renewed in order to > > > > prevent invalidation should further advances in cryptography render > > > > other hashes obsolete! > > > > > > > > (One must be careful here: there are different extents to which a hash > > > > algorithm could be broken; in Appendix A of PKITS-D3 > > > > [http://www.fnmt.es/pkits] there is an interesting analysis of the > > > > implications that the different kinds of hash failures would have on > > the > > > > time-stamping process.) > > > > > > > > Of course the requirements on the time-stamp verification process > > would > > > > also have be modified to require ("MUST" level) *all* the hashes to > > > > correctly verify in order to regard the corresponding time-stamp token > > > > valid. > > > > > > > > Best regards, > > > > > > > > - Manuel - > > > > > > > > ---- > > > > Manuel Heras-Gilsanz (mherasg@nexo.es) > > > > Independent Security Consultant > > > > Phone: +34-629 07 53 31 > > > > -- -------------------------------------------------------- > > Prof. Jose A. Manas <jmanas@dit.upm.es> > > Dpt. Telematica http://www.dit.upm.es/~pepe > > E.T.S.I. Telecomunicacion tel: [+34] 91 336 73 25 > > Ciudad Universitaria gsm: [+34] 607 73 38 94 > > E-28040 Madrid, SPAIN fax: [+34] 91 336 73 33 > > Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id NAA25129 for ietf-pkix-bks; Tue, 13 Apr 1999 13:52:15 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id NAA25125 for <ietf-pkix@imc.org>; Tue, 13 Apr 1999 13:52:14 -0700 (PDT) Received: from [128.33.238.70] (TC070.BBN.COM [128.33.238.70]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id QAA16117; Tue, 13 Apr 1999 16:52:26 -0400 (EDT) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Message-Id: <v04020a10b3394883ec69@[128.33.238.189]> In-Reply-To: <OFB6F77F37.22E554F4-ON8525674E.004612C7@iris.com> Date: Tue, 13 Apr 1999 16:51:18 -0400 To: John_Wray@iris.com From: Stephen Kent <kent@po1.bbn.com> Subject: Re: CA vs. EE cert processing Cc: ietf-pkix@imc.org Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> John, <snip> >>I agree that a CA could put the extension in all certs and thus be able to >>say "not my fault; I did what I could." But this does not address the >>verifier problem in other than a heuristic fashion. I want to >>deterministic solution to the problem, and the suggested change to 2459 >>does not yield that. > >It's purely deterministic. If PKIX mandated the presence of the >basicConstraints extension, then a verifier could, without any >outside knowledge, immediately categorize a certificate as >"CA cert", "EE cert" or "Unknown (and not PKIX-compliant)". For >certificates that fall into one of the first two categories, >the certificate would be processed accordingly; for a >certificate in the "unknown" category, the verifier gets to >chose whether to consider the cert as an EE or CA cert, possibly >based on out-of-band information, but may also chose to reject >it (if it is only interested in talking with PKIX-compliant >systems). we define determinism differently. the "else" at the end of your decision tree is still where the problem arises. >If PKIX doesn't mandate the presence of the basicConstraints extension, >then a verifier can't distinguish between a PKIX-complaint EE cert and >a non-PKIX compliant CA cert that has chosen not to use the extension. or an X.509 compliant CA that has chosen not to innclue the extension; we can't fix CAs that are non-compliant witgh both PKIX and X.509, and so I don't worry about them in analyzing these problems; but it is X.509 that creates the problem, all by itself, in the realm of compliant CAs. > >Assuming that we file a DR against X.509, then as I see it the X.509 >committee has several choices: > >i) Decide that X.509 is fine as-is, and make no change. > >ii) Add clarifying text that defines that certificates without a > basicConstraints extension should be considered to be EE certs. > >iii) Mandate that EE certs omit the basicConstraints extension and that > it is present and critical in CA certs. > >iv) Mandate that the basicContraints extension be present in all certs. > > > >If they pick (i), then changing PKIX to require the extension is the >only way to generate certs that are unambiguous to a verifier. >Reducing the impact of the ambiguity is progress, even if it can't >be eliminated altogether, and at least PKIX-compliant certificates >won't trigger it. yes, it would be progress, but it is not a desirable end state. >If they pick (ii), then PKIX would be fine whether or not we required >basicConstraints in EE certs, and the ambiguity would slowly vanish as >systems that generate un-extended CA certs come into compliance with >X.509. However, even V1 certs haven't yet vanished from the world, >so I imagine this process is likely to take a long time, so having all >PKIX certs contain the extension is still a win as it eliminates the >ambiguity immediately. yes, but our focus in PKIX is on v3 certs, as discussed before, and nothing we can do in 2459 will fix that legacy problem. >If they pick (iii), the current PKIX spec will be fine (once newly >non-complaint X.509 certs vanish from the world), and a PKIX spec >that mandated the use of basicConstraints in EE certs would be >non-compliant. However, this would be a non-backwards-compatible >change to X.509, and so if this option were taken, then it would >probably require an accompanying change to the certificate version >number. For this reason alone, I think this option is unlikely to >be chosen. A half-way position would be to recommend that EE certs >omit the extension, but to permit verifiers to accept EE certs with >the extension set. In this case, either flavor of PKIX would be >fine, although having all PKIX certs contain the extension is still >a win as it eliminates the ambiguity immediately. OK, let's igine this one. >If they pick (iv), then the current PKIX profile will be non-compliant, >and PKIX will continue to generate certificates that X.509 deems to >be ambiguous. The proposed change to PKIX would generate certificates >that are compliant with both current X.509 and the new X.509. > yes. > >It seems that in all cases, having PKIX generate certificates >that are unambiguous under today's X.509 is worthwhile. > we don't reach the same conclusion, probably because "worthwhile" is subjective and we've already determined that we have different values wrt this debate. >I must say, I'm suprised that there is disagreement over this, since >writing a profile to avoid ambiguous areas of its parent spec seems >so fundamental that I must be missing something. The only down-side >I can see to requiring the extension in all certs is that it costs >a few extra bytes. There's no significant number of deployed PKIX >systems, so compatibility isn't a major issue (and the proposed >change wouldn't break compatibility anyway, as verifiers would >still have the option of treating non-extended certs as EE certs). Itoo am surprised that there is disagreement, but about the need to change X.509, not to change 2459. PKIX is new, but X.509 for v3 is essentially just as new. an argument based on deployed PKIX vs. X.509 v3 compliant systems does not hold water. I object to the notion that we should change 2459 to compensate for what strikes me as an oversight in X.509. Steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id NAA25017 for ietf-pkix-bks; Tue, 13 Apr 1999 13:49:06 -0700 (PDT) Received: from gatekeeper.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by mail.proper.com (8.8.8/8.8.5) with SMTP id NAA25011 for <ietf-pkix@imc.org>; Tue, 13 Apr 1999 13:49:04 -0700 (PDT) Received: id QAC12699; Tue, 13 Apr 1999 16:29:34 -0400 Received: by gateway id <269J4MKJ>; Tue, 13 Apr 1999 16:31:36 -0400 Message-ID: <01E1D01C12D7D211AFC70090273D20B104F067@sothmxs06> From: Carlisle Adams <carlisle.adams@entrust.com> To: "'walter@deh.de'" <walter@deh.de>, "'Jim Schaad (Exchange)'" <jimsch@exchange.microsoft.com> Cc: "IETF-PKIX (E-mail)" <ietf-pkix@imc.org> Subject: RE: New CMC Draft available - Confirmation Message Date: Tue, 13 Apr 1999 15:58:23 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-Type: text/plain Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Hi Jim, > ---------- > From: Jim Schaad (Exchange)[SMTP:jimsch@exchange.microsoft.com] > Sent: Tuesday, April 13, 1999 3:01 PM > To: 'walter@deh.de'; IETF-PKIX (E-mail) > Subject: RE: New CMC Draft available - Confirmation Message > > Juergen, > > The problem that I have with this approach is that there is no way of > knowing what the delay is going to be on the acceptance showing up on at > the > CA. (Nor do all transport mechinisms guantee delivery.) Thus a client > can > think it did accept a certificate and the CA can reach an opposite > conclusion. If the client asks for revocation, it can later check to make > sure that this operation occured. Note that if client acceptance is the trigger for CA publication of the certificate, it is still the case that the client can later check to make sure that its confirmation message was received (i.e., by looking wherever certs get posted). Uncertainties on the client end notwithstanding, Juergen makes a good point (which I forgot to mention in my previous posting on CMC comments): some environments require the CA to receive an explicit acceptance from the client in order to treat the certificate as "ready for use" and to issue it publicly. (This may be for legal, liability, or other reasons.) A confirmation message is a useful way to satisfy that requirement within the protocol. Carlisle. Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id MAA21311 for ietf-pkix-bks; Tue, 13 Apr 1999 12:18:31 -0700 (PDT) Received: from doggate.exchange.microsoft.com (doggate.exchange.microsoft.com [131.107.88.55]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id MAA21307 for <ietf-pkix@imc.org>; Tue, 13 Apr 1999 12:18:30 -0700 (PDT) Received: by doggate.exchange.microsoft.com with Internet Mail Service (5.5.2232.9) id <2TW7ZPVV>; Tue, 13 Apr 1999 12:18:15 -0700 Message-ID: <2FBF98FC7852CF11912A0000000000010ECB5E54@DINO> From: "Jim Schaad (Exchange)" <jimsch@exchange.microsoft.com> To: "'walter@deh.de'" <walter@deh.de>, "IETF-PKIX (E-mail)" <ietf-pkix@imc.org> Subject: RE: New CMC Draft available - Confirmation Message Date: Tue, 13 Apr 1999 12:01:31 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2232.9) Content-Type: text/plain; charset="windows-1252" Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Juergen, The problem that I have with this approach is that there is no way of knowing what the delay is going to be on the acceptance showing up on at the CA. (Nor do all transport mechinisms guantee delivery.) Thus a client can think it did accept a certificate and the CA can reach an opposite conclusion. If the client asks for revocation, it can later check to make sure that this operation occured. jim -----Original Message----- From: Juergen Walter [mailto:walter@deh.de] Sent: Tuesday, April 13, 1999 1:32 AM To: Jim Schaad (Exchange); IETF-PKIX (E-mail) Subject: Re: New CMC Draft available - Confirmation Message Jim, [snip] > > > - there is no confirmation message from the client to the > > CA/RA (thus, there > > is no way for a client to reject a certificate that it does > > not want (e.g., > > in the case where the CA has modified some of the fields in > > the request)). > > There is a simple way for a client to reject a certificate, it simply puts > in a revocation request on the certificates it just received. I don't know > of any reason for the oppositite to be required in a general protocal. That > is the client must positively accept a certificate. > When I remember right e. g. ABA Guidelines requires that an EE explicitly confirms an issued certificate. This may be not a protocol requirement in pure PKI implementations. But I know environments where a certificate receipt is at least an operational requirement. I think that an appropriate message (optional) would be an improvement. When the rejection (i. e. sending of revocation request) stays away we have no explicite confirmation of the certificate (may be a legal issue). The time-frame of such stay away process may cause complicated validation issues. I prefer a message that indicates the fact whether an EE accept his certificate or not. This may replace the revocation request on the one hand and the pure revocation request on the other hand. Juergen Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id KAA18240 for ietf-pkix-bks; Tue, 13 Apr 1999 10:43:21 -0700 (PDT) Received: from gatekeeper.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by mail.proper.com (8.8.8/8.8.5) with SMTP id KAA18232 for <ietf-pkix@imc.org>; Tue, 13 Apr 1999 10:43:12 -0700 (PDT) Received: id NAA20412; Tue, 13 Apr 1999 13:34:58 -0400 Received: by gateway id <G4CA5SWQ>; Tue, 13 Apr 1999 13:37:19 -0400 Message-ID: <01E1D01C12D7D211AFC70090273D20B112BDBE@sothmxs06> From: Robert Zuccherato <robert.zuccherato@entrust.com> To: Denis Pinkas <Denis.Pinkas@bull.net>, "'Jose A. Manas'" <jmanas@dit.upm.es> Cc: Manuel Heras Gilsanz <mherasg@nexo.es>, ietf-pkix@imc.org, afd@fnmt.es Subject: RE: Time-Stamp: Why not use several hashes? Date: Tue, 13 Apr 1999 13:30:55 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> I think that if a common hash function is broken (for example SHA-1) then no signature created within that infrastructure, with that hash function can be trusted, including the TSA's. Thus, I am reluctant to include multiple hashes within the message imprint. It will not actually help if the hash algorithm used to sign the token is broken. Also, as I stated earlier, if certain individuals really want to do this, they can do it by defining a new OID. > ---------- > From: Jose A. Manas[SMTP:jmanas@dit.upm.es] > Sent: Monday, April 12, 1999 4:24 AM > To: Denis Pinkas > Cc: Manuel Heras Gilsanz; ietf-pkix@imc.org; afd@fnmt.es > Subject: Re: Time-Stamp: Why not use several hashes? > > Denis, > I feel uneasy with both arguments. > > If a guy finds out how to provoke collisions on a hash functions, > there is a serious temptation to exploit the hole before > publishing it. Breaking a time-stamp infrastructure is a nice > goal: you break it before anybody knows it can be broken, > and then there is a difficult question about when the TSA was > no longer to be trusted. > > I have some concern as well with respect to breaking a digital > signature. If broken but time-stamped, > a TSA can still prove that it was signed > before it was breakable. But if you break the TSA itself, then > there is no help. That about breaking the hash. > > Still, if you break the TSA signature, you have audit records > (stored evidence in the TSA) to help you (as far as there are > no collisions in the hash). > > Alltogether, I aim to say that breaking a hash does break down > everything, and it sounds interesting to foresee the case. > Allowing for several messageimprints sounds as a cheap end > effective countermeasure. > > pp > > Denis Pinkas wrote: > > > > Manuel, > > > > We want to keep the protocol simple. The threat you mention can be > countered > > by another way: re-time-stamp later on with a new hash function. If > SHA-1 > > gets broken one day, this will not happen in just one day. Some > > cryptographer will first find some weaknesses before you can really > forge a > > meaningfull message that has the same hash. So you get some time for > > re-stamping. > > > > If this argument were used, then we should sign TWICE, i.e. in case one > > digital signature algorithm was broken. We do not do that. There is no > > reason to do it for the hash function. > > > > Regards, > > > > Denis > > > > > Hi. > > > > > > In the (now expired) latest PKIX draft on time-stamping protocols from > > > Sept. 23, 1998, time-stamp requests and tokens support the insertion > of > > > a single message imprint. > > > > > > I think several message imprints should be supported. If a hash > > > algorithm were broken, time-stamp tokens using it (as the single > message > > > imprint) would have to be regarded invalid (even if some kind of > linking > > > mechanism were implemented!). If several hashes had been used, the > token > > > would still be valid, and it could be promptly renewed in order to > > > prevent invalidation should further advances in cryptography render > > > other hashes obsolete! > > > > > > (One must be careful here: there are different extents to which a hash > > > algorithm could be broken; in Appendix A of PKITS-D3 > > > [http://www.fnmt.es/pkits] there is an interesting analysis of the > > > implications that the different kinds of hash failures would have on > the > > > time-stamping process.) > > > > > > Of course the requirements on the time-stamp verification process > would > > > also have be modified to require ("MUST" level) *all* the hashes to > > > correctly verify in order to regard the corresponding time-stamp token > > > valid. > > > > > > Best regards, > > > > > > - Manuel - > > > > > > ---- > > > Manuel Heras-Gilsanz (mherasg@nexo.es) > > > Independent Security Consultant > > > Phone: +34-629 07 53 31 > > -- -------------------------------------------------------- > Prof. Jose A. Manas <jmanas@dit.upm.es> > Dpt. Telematica http://www.dit.upm.es/~pepe > E.T.S.I. Telecomunicacion tel: [+34] 91 336 73 25 > Ciudad Universitaria gsm: [+34] 607 73 38 94 > E-28040 Madrid, SPAIN fax: [+34] 91 336 73 33 > Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id BAA27745 for ietf-pkix-bks; Tue, 13 Apr 1999 01:31:41 -0700 (PDT) Received: from nexus.webmatic.de (nexus.webmatic.de [195.206.76.2]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id BAA27737 for <ietf-pkix@imc.org>; Tue, 13 Apr 1999 01:31:39 -0700 (PDT) Received: from chappi.deh.de (chappi.deh.de [195.206.79.60]) by nexus.webmatic.de (Postfix) with ESMTP id 5CD7E4D; Tue, 13 Apr 1999 10:31:56 +0200 (CEST) Received: from deh.de (juergen.deh.de [195.206.79.54]) by chappi.deh.de (8.9.0/8.9.0) with ESMTP id KAA19442; Tue, 13 Apr 1999 10:32:01 +0200 Message-ID: <37130115.FB3EB9D4@deh.de> Date: Tue, 13 Apr 1999 10:32:21 +0200 From: Juergen Walter <walter@deh.de> Reply-To: walter@deh.de Organization: DEH information systems GmbH X-Mailer: Mozilla 4.51 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: "Jim Schaad (Exchange)" <jimsch@exchange.microsoft.com>, "IETF-PKIX (E-mail)" <ietf-pkix@imc.org> Subject: Re: New CMC Draft available - Confirmation Message References: <2FBF98FC7852CF11912A0000000000010ECB5E49@DINO> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Jim, [snip] > > > - there is no confirmation message from the client to the > > CA/RA (thus, there > > is no way for a client to reject a certificate that it does > > not want (e.g., > > in the case where the CA has modified some of the fields in > > the request)). > > There is a simple way for a client to reject a certificate, it simply puts > in a revocation request on the certificates it just received. I don't know > of any reason for the oppositite to be required in a general protocal. That > is the client must positively accept a certificate. > When I remember right e. g. ABA Guidelines requires that an EE explicitly confirms an issued certificate. This may be not a protocol requirement in pure PKI implementations. But I know environments where a certificate receipt is at least an operational requirement. I think that an appropriate message (optional) would be an improvement. When the rejection (i. e. sending of revocation request) stays away we have no explicite confirmation of the certificate (may be a legal issue). The time-frame of such stay away process may cause complicated validation issues. I prefer a message that indicates the fact whether an EE accept his certificate or not. This may replace the revocation request on the one hand and the pure revocation request on the other hand. Juergen Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id UAA06034 for ietf-pkix-bks; Mon, 12 Apr 1999 20:08:27 -0700 (PDT) Received: from www.eci.com.cn ([159.226.41.14]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id UAA06030 for <ietf-pkix@imc.org>; Mon, 12 Apr 1999 20:08:23 -0700 (PDT) Received: from eci.com.cn ([10.226.41.80]) by www.eci.com.cn (Netscape Messaging Server 3.5) with ESMTP id 296 for <ietf-pkix@imc.org>; Tue, 13 Apr 1999 11:07:16 +0100 Message-ID: <3712B526.9F58828A@eci.com.cn> Date: Tue, 13 Apr 1999 11:08:22 +0800 From: "gang cao" <cg@eci.com.cn> X-Mailer: Mozilla 4.06 [en] (Win98; I) MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: cross-certify? Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> hi, I want to know something about cross-certify. I read some RFC and draft ,but found few about this.who could tell me some information about cross-certify and where can i find paper about cross-certify? thanks for help. Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id SAA24173 for ietf-pkix-bks; Mon, 12 Apr 1999 18:59:00 -0700 (PDT) Received: from mail.rdc1.md.home.com (imail@ha1.rdc1.md.home.com [24.2.2.66]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id SAA24169 for <ietf-pkix@imc.org>; Mon, 12 Apr 1999 18:58:58 -0700 (PDT) Received: from home.com ([24.4.133.54]) by mail.rdc1.md.home.com (InterMail v4.00.03 201-229-104) with ESMTP id <19990413015912.VMDR29499.mail.rdc1.md.home.com@home.com> for <ietf-pkix@imc.org>; Mon, 12 Apr 1999 18:59:12 -0700 Message-ID: <3712A456.5F33E2F0@home.com> Date: Mon, 12 Apr 1999 21:56:38 -0400 From: Alfred Arsenault <awa1@home.com> Organization: @Home Network X-Mailer: Mozilla 4.5 [en]C-AtHome0405 (Win95; U) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Changes to RFC 2459 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Folks, As long as we're talking about changes that can be made to RFC 2459 when it progresses to Draft Standard, I'd like to throw out this suggestion: can section 6 be reworded to be consistent in the use of the term "root CA" with the rest of the PKIX documents? For example, in the following paragraph: The "most-trusted CA" is a matter of policy: it could be a root CA in a hierarchical PKI; the CA that issued the verifier's own certificate(s); or any other CA in a network PKI. The path validation procedure is the same regardless of the choice of "most-trusted CA." If "most-trusted CA" is replaced with "root CA"; and root CA is replaced with some other term (like "top CA" or something), then we could get rid of a paragraph in the Roadmap that I really don't like. Al Arsenault - my views are my own, and do not necessarily represent those of my employer or of any other organization with which I might have a relationship. Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id RAA23529 for ietf-pkix-bks; Mon, 12 Apr 1999 17:57:14 -0700 (PDT) Received: from ns.cmbchina.com ([202.96.161.112]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id RAA23523 for <ietf-pkix@imc.org>; Mon, 12 Apr 1999 17:57:09 -0700 (PDT) Received: from cmbchina.com ([10.1.4.27]) by ns.cmbchina.com (Netscape Messaging Server 3.01) with ESMTP id AAA25622; Tue, 13 Apr 1999 08:55:59 -0800 Message-ID: <37129672.CCDC7AD8@cmbchina.com> Date: Tue, 13 Apr 1999 08:57:22 +0800 From: "Xiong Shao Jun" <xsj@cmbchina.com> Organization: China Merchants Bank X-Mailer: Mozilla 4.04 [en] (Win95; I) MIME-Version: 1.0 To: Carlisle Adams <carlisle.adams@entrust.com>, Russ Housley <housley@spyrus.com> CC: ietf-pkix@imc.org Subject: Re: About Diffie-Hellman algorithm and Shamir threshold References: <01E1D01C12D7D211AFC70090273D20B104F05F@sothmxs06> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Russ, Carlisle, thank you very much. How about Shamir threshold secret sharing, the OID, the parameter representation? Thanks again, Xiong Shaojun Carlisle Adams wrote: > Hi, > > Russ is right. When we were putting in the final edits to turn the Internet > Draft into an RFC, I remembered to update the OID to the correct value, but > forgot to update "DHParameter" to "DomainParameters". > > RFC 2459 has the proper parameter to correspond to the OID. RFC 2510 will > need to be updated whenever the opportunity arises. Thank you for catching > this! > > Some day all the PKIX documents will be perfect... :-) > > Carlisle. > > > ---------- > > From: Russ Housley[SMTP:housley@spyrus.com] > > Sent: Monday, April 12, 1999 10:05 AM > > To: Xiong Shao Jun > > Cc: ietf-pkix@imc.org > > Subject: Re: About Diffie-Hellman algorithm and Shamir threshold > > > > Xiong Shao Jun: > > > > The definition in RFC 2459 is aligned with the Draft ANSI X9.42 > > specification and the Draft IEEE P1363 speciification. > > > > I think that you uncovered a bug in RFC 2510. > > > > Russ > > > > > > At 01:17 PM 4/11/99 +0800, Xiong Shao Jun wrote: > > >Hi, I have two problems. The first is about Diffie-Hellman algorithm. In > > >PKIX part1, now > > >rfc2459, the algorithm is described as: > > > > > >OID: 1.2.840.10046.2.1 > > >DomainParameters ::= SEQUENCE { > > > p INTEGER, -- odd prime, p=jq+1 > > > g INTEGER, -- generator, g > > > q INTEGER, -- factor of p-1 > > > j INTEGER OPTIONAL, -- subgroup factor > > > validationParms ValidationParms OPTIONAL } > > > > > >ValidationParms ::= SEQUENCE { > > > seed BIT STRING > > > pgenCounter INTEGER } > > > > > >while in certificate management protocol, now rfc2510, the algorithms is > > >described as > > >below: > > >OID: 1.2.840.10046.2.1 > > >DHParameter ::= SEQUENCE { > > > prime INTEGER, -- p > > > base INTEGER -- g > > >} > > > > > >So which is the most up to date description, and which should I > > >implement? > > > > > Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id PAA22129 for ietf-pkix-bks; Mon, 12 Apr 1999 15:28:20 -0700 (PDT) Received: from prv-mail20.provo.novell.com (prv-mail20.Provo.Novell.COM [137.65.40.4]) by mail.proper.com (8.8.8/8.8.5) with SMTP id PAA22125 for <ietf-pkix@imc.org>; Mon, 12 Apr 1999 15:28:19 -0700 (PDT) Received: from INET-PRV-Message_Server by prv-mail20.provo.novell.com with Novell_GroupWise; Mon, 12 Apr 1999 16:27:53 -0600 Message-Id: <s7121f09.060@prv-mail20.provo.novell.com> X-Mailer: Novell GroupWise 5.5 Date: Mon, 12 Apr 1999 16:27:46 -0600 From: "Tolga Acar" <TACAR@novell.com> To: <ietf-pkix@imc.org> Subject: Diffie-Hellman DomainParameters Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id PAA22126 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> In RFC 2459, Section 7.3.2, two components of the DomainParameters are defined as: "g specifies the generator of the multiplicative subgroup of order g" "q specifies the prime factor of p-1" The order of the subgroup is the order of g, g is not the order; g is the multiplicative subgroup generator. The order of g is q, which is a large prime factor of p-1. I think the definitions would be correct and more clear if defined as: "g specifies the generator of the multiplicative subgroup of order q". "q specifies the prime factor of p-1, and the order of g in GF(p)". - Tolga Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id PAA21972 for ietf-pkix-bks; Mon, 12 Apr 1999 15:11:05 -0700 (PDT) Received: from trustpoint.com (root@gandalf.trustpoint.com [216.100.231.61]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id PAA21967 for <ietf-pkix@imc.org>; Mon, 12 Apr 1999 15:11:04 -0700 (PDT) Received: from mobile (mobile [192.168.42.7]) by trustpoint.com (8.8.7/8.8.7) with SMTP id PAA19701 for <ietf-pkix@imc.org>; Mon, 12 Apr 1999 15:11:17 -0700 From: "Amit Kapoor" <amit@trustpoint.com> To: "PKIX" <ietf-pkix@imc.org> Subject: PKIX CMP: Transaction Identifier in use Date: Mon, 12 Apr 1999 15:05:54 -0700 Message-ID: <000e01be8530$a256e240$072aa8c0@mobile.trustpoint.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0 Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> According to the CMP spec. (RFC2510) the CA is supposed to reject the initialization request (B8) if the transaction identifier is in use. Should there not be a bit in failure information in the error message indicating the same so the client programs can automatically recover and send the same request with a different identifier? Thanks. Amit Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id PAA21959 for ietf-pkix-bks; Mon, 12 Apr 1999 15:10:20 -0700 (PDT) Received: from gatekeeper.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by mail.proper.com (8.8.8/8.8.5) with SMTP id PAA21955 for <ietf-pkix@imc.org>; Mon, 12 Apr 1999 15:10:19 -0700 (PDT) Received: id SAA16352; Mon, 12 Apr 1999 18:06:52 -0400 Received: by gateway id <G4CA53VF>; Mon, 12 Apr 1999 18:09:14 -0400 Message-ID: <01E1D01C12D7D211AFC70090273D20B104F064@sothmxs06> From: Carlisle Adams <carlisle.adams@entrust.com> To: "'Michael_Shanzer@iris.com'" <Michael_Shanzer@iris.com> Cc: "'ietf-pkix@imc.org'" <ietf-pkix@imc.org> Subject: RE: Cross certification message protection (RFC2510) Date: Mon, 12 Apr 1999 18:02:51 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-Type: text/plain Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Hi Mike, Sorry for the long delay in responding, but I was out of town for over a week when you posted your message and have been swamped with a number of things since I got back. > ---------- > From: Michael_Shanzer@iris.com[SMTP:Michael_Shanzer@iris.com] > Sent: Thursday, March 25, 1999 4:17 PM > To: Juergen.Walter@deh.de > Cc: ietf-pkix > Subject: Re: Cross certification message protection (RFC2510) > > Juergen, > I am not really questioning the benifits/differences between signing > and generating a MAC. My question is about what appears to be a > conflict > in the spec. In one place it says you must protect the message with a > MAC, > and in another place it says you must protect the message with a > digital > signature. I was wondering which section (B7 or 4.6.1) is correct. Note that in some sense the conflict is only an illusion: Section 4 describes mandatory functionality (i.e., every CMP-compliant entity MUST support these functions, such as cross-certification); and Appendix B describes the mandatory profile for those functions (i.e., these are the sorts of values that MUST appear in various fields in order to support the required functions). However, since 4.6.1 steps a bit over the line and talks about a particular mechanism to implement the function (i.e., the MAC), then the mechanism in 4.6.1 should really align with B7 to save confusion, even though technically it doesn't need to. Note, too, that it doesn't matter whether 4.6.1 and B7 use MAC or SIG: this is only the minimum profile for interoperability. In true IETF fashion, compliant implementations must support the mandatory set of things, but are perfectly free to never actually use them in day-to-day operation. Thus, Juergen need not be too concerned if the profile mandates MAC but he'd rather use a SIG. In any case, to keep confusion to a minimum, 4.6.1 and B7 should be aligned. It seemed to me that SIG might be easier in practice (since CAs wishing to cross-certify may already have trusted copies of each other's certificates), but I'm happy to put MAC in B7 if you prefer (I've heard a couple of other votes privately for MAC). In terms of actual editing, this requires slightly less typing than changing 4.6.1 to SIG... :-) I'm trying to collect a list of typos/issues/etc. that people have caught with respect to RFC 2510. Whenever there is an opportunity to update it (e.g., if the Working Group decides to consider progressing it to Draft, as it seems to be considering with RFC 2459), I will put these things in. Thanks for noticing this and bringing it to my attention! Carlisle. Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id JAA18493 for ietf-pkix-bks; Mon, 12 Apr 1999 09:52:35 -0700 (PDT) Received: from gatekeeper.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by mail.proper.com (8.8.8/8.8.5) with SMTP id JAA18489 for <ietf-pkix@imc.org>; Mon, 12 Apr 1999 09:52:33 -0700 (PDT) Received: id MAA08432; Mon, 12 Apr 1999 12:48:46 -0400 Received: by gateway id <G4CA5MYJ>; Mon, 12 Apr 1999 12:51:07 -0400 Message-ID: <01E1D01C12D7D211AFC70090273D20B104F05F@sothmxs06> From: Carlisle Adams <carlisle.adams@entrust.com> To: Xiong Shao Jun <xsj@cmbchina.com>, "'Russ Housley'" <housley@spyrus.com> Cc: ietf-pkix@imc.org Subject: RE: About Diffie-Hellman algorithm and Shamir threshold Date: Mon, 12 Apr 1999 12:44:47 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-Type: text/plain Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Hi, Russ is right. When we were putting in the final edits to turn the Internet Draft into an RFC, I remembered to update the OID to the correct value, but forgot to update "DHParameter" to "DomainParameters". RFC 2459 has the proper parameter to correspond to the OID. RFC 2510 will need to be updated whenever the opportunity arises. Thank you for catching this! Some day all the PKIX documents will be perfect... :-) Carlisle. > ---------- > From: Russ Housley[SMTP:housley@spyrus.com] > Sent: Monday, April 12, 1999 10:05 AM > To: Xiong Shao Jun > Cc: ietf-pkix@imc.org > Subject: Re: About Diffie-Hellman algorithm and Shamir threshold > > Xiong Shao Jun: > > The definition in RFC 2459 is aligned with the Draft ANSI X9.42 > specification and the Draft IEEE P1363 speciification. > > I think that you uncovered a bug in RFC 2510. > > Russ > > > At 01:17 PM 4/11/99 +0800, Xiong Shao Jun wrote: > >Hi, I have two problems. The first is about Diffie-Hellman algorithm. In > >PKIX part1, now > >rfc2459, the algorithm is described as: > > > >OID: 1.2.840.10046.2.1 > >DomainParameters ::= SEQUENCE { > > p INTEGER, -- odd prime, p=jq+1 > > g INTEGER, -- generator, g > > q INTEGER, -- factor of p-1 > > j INTEGER OPTIONAL, -- subgroup factor > > validationParms ValidationParms OPTIONAL } > > > >ValidationParms ::= SEQUENCE { > > seed BIT STRING > > pgenCounter INTEGER } > > > >while in certificate management protocol, now rfc2510, the algorithms is > >described as > >below: > >OID: 1.2.840.10046.2.1 > >DHParameter ::= SEQUENCE { > > prime INTEGER, -- p > > base INTEGER -- g > >} > > > >So which is the most up to date description, and which should I > >implement? > > > Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id JAA18290 for ietf-pkix-bks; Mon, 12 Apr 1999 09:28:29 -0700 (PDT) Received: from gatekeeper.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by mail.proper.com (8.8.8/8.8.5) with SMTP id JAA18284 for <ietf-pkix@imc.org>; Mon, 12 Apr 1999 09:28:27 -0700 (PDT) Received: id MAA26690; Mon, 12 Apr 1999 12:23:21 -0400 Received: by gateway id <G4CA5M4G>; Mon, 12 Apr 1999 12:25:41 -0400 Message-ID: <01E1D01C12D7D211AFC70090273D20B104F05E@sothmxs06> From: Carlisle Adams <carlisle.adams@entrust.com> To: "'Jim Schaad (Exchange)'" <jimsch@exchange.microsoft.com> Cc: "IETF-PKIX (E-mail)" <ietf-pkix@imc.org> Subject: RE: New CMC Draft available Date: Mon, 12 Apr 1999 12:19:23 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Hi Jim, > ---------- > From: Jim Schaad (Exchange)[SMTP:jimsch@EXCHANGE.MICROSOFT.com] > Sent: Monday, April 12, 1999 12:47 AM > To: 'Carlisle Adams'; IETF-PKIX (E-mail) > Subject: RE: New CMC Draft available > > Carlisle, > > Sorry about taking so long on replying to this, but the few times that I > get > sick I really do a good job of getting sick. Comments are inline No problem. Thanks for getting back to me, and I hope you're feeling better. > > -----Original Message----- > > From: Carlisle Adams [mailto:carlisle.adams@entrust.com] > > Sent: Monday, March 15, 1999 3:42 PM > > To: IETF-PKIX (E-mail) > > Subject: RE: New CMC Draft available > > > > Abstract: there is not a *need* for an interface to PK certification > > products and services based on [CMS] and [PKCS10]; there is a > > *desire* for > > such an interface. Nothing *needs* to be based on CMS and PKCS10 > > (especially since, as noted in the conformance section, > > existing deployed > > software is not immediately compliant with this > > specification). However, > > there is great *desire* to base the protocols on CMS and > > PKCS10, since these > > are familiar. Please change "need" in bullet 1 to "desire" > > (and change > > "immediate needs" in the opening sentence to "immediate concerns", or > > similar). > > I don't really know what to say on this point. One person's desires are > another person's needs. Backward compatibility with a large installed base may partly justify the use of the word "need" here. However, it has already been admitted that the installed base is not immediately compliant with this protocol. Can you suggest one good reason why there is a "need" for such an interface rather than a "desire"? If not, please replace the word. > > > > Section 2: this may be obvious to many, but I think that stating the > > following underlying operational assumption will help to clarify the > > operational model for this protocol. "Underlying assumption: > > every PKI > > entity will have a signing key pair and will request a verification > > certificate in its initialization message (i.e., an entity > > will never ask > > for an encryption certificate _only_ in its initialization > > message)." [The > > reason that it might help to clarify this is that RFC 2510 > > does not have > > this restriction.] > > I am not sure that I agree with this statment. I believe that it is > possible in this model to obtain just an encryption certificate. There > are > no limits in the model that prevent this. The one-time shared secret can > be > used to identify the end user to the CA, and the request could just be for > an encryption certificate. There would be no way to renew such a > situation > as no proof of identity could easily be offered with just an encryption > certificate, but the initial request could easily be made. You say "There are no limits in the model that prevent this", but the operational model of CMC is that this initial request gets enveloped in a SignedData construct. How does an entity without a signature key pair sign this request for an encryption certificate? > > > > Also, "NoSignatureValue contains the hash of the > > certification request." -- > > why force the implementer to do an extra hash here for no > > purpose? Why not > > say that NoSignatureValue "contains the value 1234", or similar? > > This could easily be a constant value, I put the hash in for two reasons. > First, the code base that I was using computed the hash anyway so there > were > no reasons not to use it. Second, by including the hash the most obious > of > transmissions errors could potentially be found. Unless there are other > who > support using a constant value, I do not plan to change this. With respect to your first reason, I have to wonder how many people are using a code base identical to the one that you are using (and so whether this is really a strong enough reason to use the hash). As for your second reason, it seems to me that detection and handling of transmission errors should really have nothing whatsoever to do with this protocol (there's no reason to mix the functionality of different layers here), and so perhaps this is not a strong enough reason to use the hash either. Unless there are other, better, reasons for causing implementers to do the extra hash computation, I suggest removing it. > > > > Section 5.7: should note in first paragraph that PKCS10 > > cannot be used to > > provide this functionality. > > This is not correct. The correct statement, which I will pass by the > other > authors, is that simple enrollment messages cannot provide this > functionality. There is no reason that a PKCS10 included as part of a > full > enrollment request cannot provide the functionality needed. The section discusses POP for encryption-only keys. How, exactly, can PKCS #10 handle a request for an encryption-only key pair, even if it is included as part of a full enrollment request (i.e., what goes in the "signature" field of the PKCS #10)? > > > > Also, it appears (from the text in bullet 4a and the text in > > the second-last > > sentence of the section) that the DecryptedPOP structure > > should contain > > "request TaggedRequest" rather than "bodyPartID > > BodyPartID". That is, > > the decrypted POP needs to contain the actual request itself > > (not just an > > ID). > > I have changed the language on this slightly. What is placed here is the > body part id of the request. The request is included by reference and the > text now states this. I assume what you mean by this is that the request is included by reference *in the decryptedPOP structure*, but is included by value elsewhere in this message. Otherwise, the server still needs to keep state information. (...key recovery stuff...) > We will look at the comments on this section for a new draft. As I > anounced > at the IETF meeting we are pulling out all of the archiving text and > placing > it into a seperate draft. That draft will address both the archiving and > server side key generation issues. Sorry I was not able to attend the last IETF meeting due to other travel commitments. What was the justification for this decision? Given that these functions are very important for some environments, is there a good reason to delay their inclusion in this document? What time frame do you envision for this separate draft? Just curious. I suppose it is fortuitous that this functionality is addressed in RFC 2510 for those that need it now. > > > > Section 5.14: "The query pending attribute allows for a > > client to query a > > server about the state..." -- how does the client know when > > to do this? Is > > there a time-to-check-back value included somewhere in the server's > > response? > > This value is in the CMCStatusInfo structure. We will include a text > reference here to that fact. You're right; I missed this. Sorry. > > > > Finally, there is some functionality missing in this > > specification that > > will be very important for some environments. > > > > - there is currently no way for a CA/RA to provide a trust > > anchor (public > > key or self-signed cert) to the client during initialization. > > Given the number of ways that this can be done, and the impliciations > about > the fact that clients are going to start automatically accepting such > certificates as trust anchors, the author's are hesitant to include this > fucntionality. Please place on the list as a seperate topic of discussion > to see how much support exists for this. It is customary to mandate one mechanism (and allow others) for interoperability purposes, precisely when there are a number of ways that something can be done. There should be little reason for hesitancy with respect to at least specifying a mechanism; such functionality was included in RFC 2510 and received no objection whatever. > > - there is no confirmation message from the client to the > > CA/RA (thus, there > > is no way for a client to reject a certificate that it does > > not want (e.g., > > in the case where the CA has modified some of the fields in > > the request)). > > There is a simple way for a client to reject a certificate, it simply puts > in a revocation request on the certificates it just received. I don't > know > of any reason for the oppositite to be required in a general protocal. > That > is the client must positively accept a certificate. It seems much cleaner and simpler to me to be able to reject a certificate before it is publicly issued than to have to go through the hassle of issuing it and then revoking it (especially given the fact that revocation status is still not universally checked by browsers and other "certificate-aware" software). I thought this might have been an important consideration. > > > > - CA key rollover is not described. (This might be considered to be > > out-of-scope of the current document, but it is very much > > in-scope for a > > specification on how to do comprehensive certificate > > management, which is > > what the title of this document suggests.) > > There are really two different points that need to be addressed here and > they are seperate problems. The problem of rolling over a CA key is not > really a big issue from what I can tell. All you do is issue the new CA > certificate and start referencing it correctly using AIA and CDP > extensions. > I think the problem you really want to address here is the question of > trust > anchor roll-over. Before we addressed this we would need to address the > question of doing trust anchor issues at all. Trust anchor roll-over is certainly an important problem, and I agree that in some ways it is a separate issue. However, CA key roll-over is not simply a matter of issuing a new certificate and referencing it correctly. The sort of procedure described in RFC 2510 (OldWithNew, NewWithOld, etc.) is necessary so that certificate paths can be constructed automatically in all circumstances (i.e., cert is signed with new CA key but verifier has a cross-certificate for old CA key, etc.). This is not exclusively a trust anchor issue because it pertains to CAs in the middle of the path as well. Thanks again for your responses to my earlier comments! I appreciate your efforts to take my concerns into consideration... Carlisle. Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id HAA16782 for ietf-pkix-bks; Mon, 12 Apr 1999 07:09:31 -0700 (PDT) Received: from spyrus.com (mail.spyrus.com [207.212.34.30]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id HAA16778 for <ietf-pkix@imc.org>; Mon, 12 Apr 1999 07:09:30 -0700 (PDT) Received: from rhousley_laptop.spyrus.com ([209.172.119.101]) by spyrus.com (8.7.6/8.7.3/arc) with SMTP id HAA11902; Mon, 12 Apr 1999 07:07:12 -0700 (PDT) Message-Id: <4.1.19990412100350.00a2c6e0@mail.spyrus.com> X-Sender: rhousley@mail.spyrus.com X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1 Date: Mon, 12 Apr 1999 10:05:42 -0400 To: "Xiong Shao Jun" <xsj@cmbchina.com> From: Russ Housley <housley@spyrus.com> Subject: Re: About Diffie-Hellman algorithm and Shamir threshold Cc: ietf-pkix@imc.org In-Reply-To: <37103055.1D41C0B0@cmbchina.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Xiong Shao Jun: The definition in RFC 2459 is aligned with the Draft ANSI X9.42 specification and the Draft IEEE P1363 speciification. I think that you uncovered a bug in RFC 2510. Russ At 01:17 PM 4/11/99 +0800, Xiong Shao Jun wrote: >Hi, I have two problems. The first is about Diffie-Hellman algorithm. In >PKIX part1, now >rfc2459, the algorithm is described as: > >OID: 1.2.840.10046.2.1 >DomainParameters ::= SEQUENCE { > p INTEGER, -- odd prime, p=jq+1 > g INTEGER, -- generator, g > q INTEGER, -- factor of p-1 > j INTEGER OPTIONAL, -- subgroup factor > validationParms ValidationParms OPTIONAL } > >ValidationParms ::= SEQUENCE { > seed BIT STRING > pgenCounter INTEGER } > >while in certificate management protocol, now rfc2510, the algorithms is >described as >below: >OID: 1.2.840.10046.2.1 >DHParameter ::= SEQUENCE { > prime INTEGER, -- p > base INTEGER -- g >} > >So which is the most up to date description, and which should I >implement? > Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id GAA16213 for ietf-pkix-bks; Mon, 12 Apr 1999 06:06:09 -0700 (PDT) Received: from natasha1. (natasha-gw.checkpoint.com [199.203.73.129]) by mail.proper.com (8.8.8/8.8.5) with SMTP id GAA16209 for <ietf-pkix@imc.org>; Mon, 12 Apr 1999 06:06:05 -0700 (PDT) Received: from cale.checkpoint.com (gray.checkpoint.com [199.203.71.94]) by cale.checkpoint.com (8.9.1/8.9.1) with ESMTP id QAA21138; Mon, 12 Apr 1999 16:08:20 +0300 (IDT) Message-ID: <3711EF73.F3265621@cale.checkpoint.com> Date: Mon, 12 Apr 1999 16:04:51 +0300 From: Moshe Litvin <moshe@cale.checkpoint.com> X-Mailer: Mozilla 4.51 [en] (WinNT; I) X-Accept-Language: en MIME-Version: 1.0 To: "David P. Kemp" <dpkemp@missi.ncsc.mil> CC: ietf-pkix@imc.org Subject: Re: CA vs. EE cert processing References: <199904091805.OAA02332@ara.missi.ncsc.mil> Content-Type: multipart/mixed; boundary="------------AB3A2DC0AE8F3831974FCFC2" Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This is a multi-part message in MIME format. --------------AB3A2DC0AE8F3831974FCFC2 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit David, "David P. Kemp" wrote: <snip> > > How much current software would be helped by changing the requirements > on EE certs (i.e. would magically start behaving differently if PKIX > were modified)? > > My answer: none. > > How would changing PKIX affect the development of new verifying software > (i.e. what would new software do differently if PKIX is changed vs. > not changed, recognizing that up to 3 types of certs - > non-RFC2459 X.509, RFC2459, and new-modified-PKIX - will be around > for a while)? > > My answer: nothing. You are asking the wrong questions. The correct questions are: How much current software would be helped by an EE certificate that contains the basicConstraint (i.e. won't consider it as a CA certificate in the path validation process) My answer: Every PKIX compliant software(*) and I guess a lot of non PKIX compliant X.509 software. How would changing PKIX affect the development of new issuing software (i.e. what would new software do differently if PKIX is changed vs. not changed) My answer: I guess that most CA vendor that consider the internet as their market would follow it. Change to PKIX won't change the verifying software, but its behavior will be changes as a result in the change of the certificate. Moshe (*) PKIX compliant verifier MUST recognize the basicConstraint extension. Section 4.2 says: At a minimum, applications conforming to this profile MUST recognize the extensions which must or may be critical in this specification. These extensions are: .... basic constraints (see sec. 4.2.1.10) .... --------------AB3A2DC0AE8F3831974FCFC2 Content-Type: text/x-vcard; charset=us-ascii; name="moshe.vcf" Content-Transfer-Encoding: 7bit Content-Description: Card for Moshe Litvin Content-Disposition: attachment; filename="moshe.vcf" begin:vcard n:Litvin;Moshe tel;fax:+972 3 5759256 tel;work:+972 3 7534601 x-mozilla-html:TRUE org:Check Point Software Technologies Ltd. adr:;;;;;; version:2.1 email;internet:moshe@CheckPoint.com fn:Moshe Litvin end:vcard --------------AB3A2DC0AE8F3831974FCFC2-- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id FAA15827 for ietf-pkix-bks; Mon, 12 Apr 1999 05:12:03 -0700 (PDT) Received: from mail.student.auckland.ac.nz (mail.student.auckland.ac.nz [130.216.35.101]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id FAA15809; Mon, 12 Apr 1999 05:11:25 -0700 (PDT) Received: from cs26.cs.auckland.ac.nz (pgut001@cs26.cs.auckland.ac.nz [130.216.36.9]) by mail.student.auckland.ac.nz (8.8.6/8.8.6/cs-master) with SMTP id AAA21458; Tue, 13 Apr 1999 00:11:34 +1200 (NZST) (sender pgut001@cs.auckland.ac.nz) Received: by cs26.cs.auckland.ac.nz (relaymail v0.9) id <92391909404745>; Tue, 13 Apr 1999 00:11:34 (NZST) From: pgut001@cs.auckland.ac.nz (Peter Gutmann) To: ietf-pkix@imc.org, ietf-smime@imc.org Subject: Re: Possible ambiguities in encoding of signatures, encrypted keys Reply-To: pgut001@cs.auckland.ac.nz X-Charge-To: pgut001 X-Authenticated: relaymail v0.9 on cs26.cs.auckland.ac.nz Date: Tue, 13 Apr 1999 00:11:34 (NZST) Message-ID: <92391909404745@cs26.cs.auckland.ac.nz> Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> William Whyte <wwhyte@baltimore.ie> writes: >>Currently both RFC 2459 and CMS refer to RFC 2313/2437 for the encoding of RSA >>signatures/encrypted data (RFC 2459, 7.2.1; CMS, 12.3.2.1 and 12.2.2 - what I'm >>about to describe applies to other algorithms as well, but I'll stick with RSA >>to keep it simple). These RFC's make the assumption that the encoded value >>will be of the same length as the modulus, zero-padding the value if required >>(RFC 2437, 7.2.1 and 8.1.1), however when this padding is used the encoded >>value doesn't follow the DER any more. >I'm not sure this is right. The signature is an octet string or a bit string, >not an integer, and it's perfectly legal to have an OCTET STRING or BIT STRING >with leading null bytes. Ah, of course! This only leaves the signatures which have internal structure (eg DSA, a SEQUENCE containing two INTEGER's), and they have their own rules which don't clash with RFC 2459/CMS. (Didn't PKIX at one point include a requirement for DH values, encoded as bit strings, to be shifted up so the MSB was the first nonzero bit in the string, thankfully this vanished soon after it appeared because it would've been a right pain to implement) Is anyone aware of any implementations which break if the signature/encrypted data value isn't padded out as required? You'd probably have to go out of your way to write code which does this, I'm wondering whether any code does actually complain if the data isn't exactly the right size. The reason I'm asking is that I've always encoded things in the minimum number of bytes (as if it was a DER INTEGER) rather than padding with zeroes which so far hasn't caused any problems. Peter. Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id CAA12206 for ietf-pkix-bks; Mon, 12 Apr 1999 02:33:25 -0700 (PDT) Received: from natasha1. (natasha-gw.checkpoint.com [199.203.73.129]) by mail.proper.com (8.8.8/8.8.5) with SMTP id CAA12202 for <ietf-pkix@imc.org>; Mon, 12 Apr 1999 02:33:21 -0700 (PDT) Received: from cale.checkpoint.com (gray.checkpoint.com [199.203.71.94]) by cale.checkpoint.com (8.9.1/8.9.1) with ESMTP id MAA04325; Mon, 12 Apr 1999 12:35:34 +0300 (IDT) Message-ID: <3711BD91.966B976@cale.checkpoint.com> Date: Mon, 12 Apr 1999 12:32:01 +0300 From: Moshe Litvin <moshe@cale.checkpoint.com> X-Mailer: Mozilla 4.51 [en] (WinNT; I) X-Accept-Language: en MIME-Version: 1.0 To: Stephen Kent <kent@po1.bbn.com> CC: ietf-pkix@imc.org Subject: Re: CA vs. EE cert processing References: <v04020a17b331af2ed303@[128.33.238.98]> <v04020a0bb332fcbd7733@[128.33.238.98]> Content-Type: multipart/mixed; boundary="------------9F90A261CB7FB330CF514ADF" Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This is a multi-part message in MIME format. --------------9F90A261CB7FB330CF514ADF Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Steve, <snip> Stephen Kent wrote: > >We cannot remove the possibility of ambiguity but we can generate certificates > >that are not affected by it. > > I agree that a CA could put the extension in all certs and thus be able to > say "not my fault; I did what I could." But this does not address the > verifier problem in other than a heuristic fashion. Why? If a certificate contain the extension no heuristics are necessary for validating this certificate. If a CA put the basicConstraint extension in all the certificate that it issues than no certificate that the CA issues needs heuristics to process it. > I want to > deterministic solution to the problem, and the suggested change to 2459 > does not yield that. The suggested solution is not complete but it is very deterministic. If it will be accepted in its strongest form (MUST put basicConstraint in all the certificate) then no PKIX CA will issue a certificate that needs heuristics by X.509 verifier (be it PKIX, other profile or raw X.509). A CA can create unambiguous certificates. We should encourage them to do so. > > > >> > >> <snip> > > > >It is not probabilistic improvements. A CA that put the basicConstraints > >extension is 100% not ambiguous. What probablistic about that? > > > >Why discourage CA's from generating unambiguous certificates? > > See my comments above. I was referring to the verifier, not the CA. Sorry > for the ambiguity :-)! The CA doesn't have a problem; verifiers have the > problem we are trying to address. > The verifier has the ambiguity, but the CA can help him solve it. The verifier code will have some kind of heuristics but they won't be triggered if the CA will produce unambiguous certificates. > > <snip> > > > >Adding the extension is not a heuristic improvement, a certificate with the > >extension is certificate that doesn't need heuristics period. > > > >Admittedly the verifier will have heuristics but the CA can ensure that they > >won't be activated. > > No, it cannot! So long as there are CAs following X.509 but not the 2459 > profile, verifiers would need heuristics to process certs without > extensions issued by those CAs. This is exatclty what I wrote. > If we were willing to posit that no such > CAs will exist, then we would not have a problem, because in a purely > 2459-compliant system (CAs and verifiers) there is not ambiguity. You seem > to be switching perspectives in analyzing this issue. No my perspective is fixed. I think that a CA should assume as little as possible of a possible verifier namely: 1. Correct DER decoding 2. Correct handling of the basic X.509 fields. 3. Considering a certificate as invalid if it cannot correctly handle a critical extension. A CA is not limited to creating certificates that can be validated by the minimal verifier but it should try to make sure that if the minimal verifier cannot correctly validate the certificate it will fail validation. X.509 provides the mechanism for doing so in the critical flag. With this model we can compare both options for basicConstraint. We have 3 types of minimal verifiers with respect to the basicConstraint: A. Verifier that does not understand basicConstraint. B. A verifier that understand basicConstraint. C. A verifier that is PKIX compliant and knows by out of band means that so is the CA We also have 3 types of EE certificate: i. Without basicConstraint ii. With non-critical basicConstraint iii. With critical basicConstraint You can complete the table and see in which combination the verifier can identify the certificate as EE certificate and where it could have accepted it as a CA certificate. > > > >> > > > >X.509 already addresses the problem and suggests: > > > > It is recommended that it be flagged critical, otherwise an entity which is > >not > > authorized to be a CA may issue certificates and a certificate-using system > > may unwittingly use such a certificate. > > > >For some reason PKIX decided to ignore the recommendation and invent it's own > >private semantics. > > X.509 failed to solve this problem because it permits compliant CAs to > never include basicConstraints, thus creating the ambiguity. The notes > fail to fix the problem, because they just "recommend" what to do. In the > IETF we try to be very careful in our use of the magir words > MUST/SHOULD/MAY to avoid these problems. > I think that recommended is a similar to SHOULD, maybe to MAY. I don't think that it is "SHOULD NOT", but english isn't my mother's tongue. My question is still open - why PKIX chose to ignore the recommendation and invented private semantics? X.509 offered a standard syntax , if that wasn't enough we could use private syntax. But using private semantics is the worse option. Moshe --------------9F90A261CB7FB330CF514ADF Content-Type: text/x-vcard; charset=us-ascii; name="moshe.vcf" Content-Transfer-Encoding: 7bit Content-Description: Card for Moshe Litvin Content-Disposition: attachment; filename="moshe.vcf" begin:vcard n:Litvin;Moshe tel;fax:+972 3 5759256 tel;work:+972 3 7534601 x-mozilla-html:TRUE org:Check Point Software Technologies Ltd. adr:;;;;;; version:2.1 email;internet:moshe@CheckPoint.com fn:Moshe Litvin end:vcard --------------9F90A261CB7FB330CF514ADF-- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id CAA12145 for ietf-pkix-bks; Mon, 12 Apr 1999 02:25:48 -0700 (PDT) Received: from puma.baltimore.ie (firewall-user@pc215-8.indigo.ie [194.125.215.8]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id CAA12113; Mon, 12 Apr 1999 02:22:00 -0700 (PDT) Received: by puma.baltimore.ie; id KAA21213; Mon, 12 Apr 1999 10:44:58 +0100 (GMT/IST) Received: from ocelot.baltimore.ie(10.49.0.10) by puma.baltimore.ie via smap (4.1) id xma021196; Mon, 12 Apr 99 10:44:09 +0100 Received: from knuckle (knuckle.baltimore.ie [10.49.0.103]) by ocelot.baltimore.ie (8.8.7/8.8.5) with SMTP id KAA20706; Mon, 12 Apr 1999 10:12:07 +0100 Received: by localhost with Microsoft MAPI; Mon, 12 Apr 1999 10:20:56 +0100 Message-ID: <01BE84CE.26BA1010.wwhyte@baltimore.ie> From: William Whyte <wwhyte@baltimore.ie> To: "'pgut001@cs.auckland.ac.nz'" <pgut001@cs.auckland.ac.nz>, "ietf-pkix@imc.org" <ietf-pkix@imc.org>, "ietf-smime@imc.org" <ietf-smime@imc.org> Subject: RE: Possible ambiguities in encoding of signatures, encrypted keys Date: Mon, 12 Apr 1999 10:20:54 +0100 Organization: Baltimore Technologies X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Hi Peter, > Currently both RFC 2459 and CMS refer to RFC 2313/2437 for the encoding of RSA > signatures/encrypted data (RFC 2459, 7.2.1; CMS, 12.3.2.1 and 12.2.2 - what I'm > about to describe applies to other algorithms as well, but I'll stick with RSA > to keep it simple). These RFC's make the assumption that the encoded value > will be of the same length as the modulus, zero-padding the value if required > (RFC 2437, 7.2.1 and 8.1.1), however when this padding is used the encoded > value doesn't follow the DER any more. I'm not sure this is right. The signature is an octet string or a bit string, not an integer, and it's perfectly legal to have an OCTET STRING or BIT STRING with leading null bytes. RFC 2313 says: 8.4 Integer-to-octet-string conversion The integer encrypted data y shall be converted to an octet string ED of length k, the encrypted data. and it's the octet string that's encoded. Cheers, William Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id BAA11761 for ietf-pkix-bks; Mon, 12 Apr 1999 01:22:05 -0700 (PDT) Received: from selva.dit.upm.es (selva-gw.dit.upm.es [138.4.2.7]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id BAA11751 for <ietf-pkix@imc.org>; Mon, 12 Apr 1999 01:21:55 -0700 (PDT) Received: from dit.upm.es (toro-3.dit.upm.es [138.4.21.3]) by selva.dit.upm.es (8.9.1a/8.9.1) with ESMTP id KAA00374; Mon, 12 Apr 1999 10:19:31 +0200 (MET DST) Message-ID: <3711ADCA.3CA2CAD1@dit.upm.es> Date: Mon, 12 Apr 1999 10:24:42 +0200 From: "Jose A. Manas" <jmanas@dit.upm.es> X-Mailer: Mozilla 4.51 [en] (Win95; I) X-Accept-Language: en MIME-Version: 1.0 To: Denis Pinkas <Denis.Pinkas@bull.net> CC: Manuel Heras Gilsanz <mherasg@nexo.es>, "ietf-pkix@imc.org" <ietf-pkix@imc.org>, afd@fnmt.es Subject: Re: Time-Stamp: Why not use several hashes? References: <370D157B.DBB661F0@nexo.es> <370DBD43.C1D1DC68@bull.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Denis, I feel uneasy with both arguments. If a guy finds out how to provoke collisions on a hash functions, there is a serious temptation to exploit the hole before publishing it. Breaking a time-stamp infrastructure is a nice goal: you break it before anybody knows it can be broken, and then there is a difficult question about when the TSA was no longer to be trusted. I have some concern as well with respect to breaking a digital signature. If broken but time-stamped, a TSA can still prove that it was signed before it was breakable. But if you break the TSA itself, then there is no help. That about breaking the hash. Still, if you break the TSA signature, you have audit records (stored evidence in the TSA) to help you (as far as there are no collisions in the hash). Alltogether, I aim to say that breaking a hash does break down everything, and it sounds interesting to foresee the case. Allowing for several messageimprints sounds as a cheap end effective countermeasure. pp Denis Pinkas wrote: > > Manuel, > > We want to keep the protocol simple. The threat you mention can be countered > by another way: re-time-stamp later on with a new hash function. If SHA-1 > gets broken one day, this will not happen in just one day. Some > cryptographer will first find some weaknesses before you can really forge a > meaningfull message that has the same hash. So you get some time for > re-stamping. > > If this argument were used, then we should sign TWICE, i.e. in case one > digital signature algorithm was broken. We do not do that. There is no > reason to do it for the hash function. > > Regards, > > Denis > > > Hi. > > > > In the (now expired) latest PKIX draft on time-stamping protocols from > > Sept. 23, 1998, time-stamp requests and tokens support the insertion of > > a single message imprint. > > > > I think several message imprints should be supported. If a hash > > algorithm were broken, time-stamp tokens using it (as the single message > > imprint) would have to be regarded invalid (even if some kind of linking > > mechanism were implemented!). If several hashes had been used, the token > > would still be valid, and it could be promptly renewed in order to > > prevent invalidation should further advances in cryptography render > > other hashes obsolete! > > > > (One must be careful here: there are different extents to which a hash > > algorithm could be broken; in Appendix A of PKITS-D3 > > [http://www.fnmt.es/pkits] there is an interesting analysis of the > > implications that the different kinds of hash failures would have on the > > time-stamping process.) > > > > Of course the requirements on the time-stamp verification process would > > also have be modified to require ("MUST" level) *all* the hashes to > > correctly verify in order to regard the corresponding time-stamp token > > valid. > > > > Best regards, > > > > - Manuel - > > > > ---- > > Manuel Heras-Gilsanz (mherasg@nexo.es) > > Independent Security Consultant > > Phone: +34-629 07 53 31 -- -------------------------------------------------------- Prof. Jose A. Manas <jmanas@dit.upm.es> Dpt. Telematica http://www.dit.upm.es/~pepe E.T.S.I. Telecomunicacion tel: [+34] 91 336 73 25 Ciudad Universitaria gsm: [+34] 607 73 38 94 E-28040 Madrid, SPAIN fax: [+34] 91 336 73 33 Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id VAA10187 for ietf-pkix-bks; Sun, 11 Apr 1999 21:48:37 -0700 (PDT) Received: from doggate.exchange.microsoft.com (doggate.exchange.microsoft.com [131.107.88.55]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id VAA10183 for <ietf-pkix@imc.org>; Sun, 11 Apr 1999 21:48:36 -0700 (PDT) Received: by doggate.exchange.microsoft.com with Internet Mail Service (5.5.2232.9) id <2TW7YV9L>; Sun, 11 Apr 1999 21:48:03 -0700 Message-ID: <2FBF98FC7852CF11912A0000000000010ECB5E49@DINO> From: "Jim Schaad (Exchange)" <jimsch@exchange.microsoft.com> To: "'Carlisle Adams'" <carlisle.adams@entrust.com>, "IETF-PKIX (E-mail)" <ietf-pkix@imc.org> Subject: RE: New CMC Draft available Date: Sun, 11 Apr 1999 21:47:51 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2232.9) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Carlisle, Sorry about taking so long on replying to this, but the few times that I get sick I really do a good job of getting sick. Comments are inline > -----Original Message----- > From: Carlisle Adams [mailto:carlisle.adams@entrust.com] > Sent: Monday, March 15, 1999 3:42 PM > To: IETF-PKIX (E-mail) > Subject: RE: New CMC Draft available > > Abstract: there is not a *need* for an interface to PK certification > products and services based on [CMS] and [PKCS10]; there is a > *desire* for > such an interface. Nothing *needs* to be based on CMS and PKCS10 > (especially since, as noted in the conformance section, > existing deployed > software is not immediately compliant with this > specification). However, > there is great *desire* to base the protocols on CMS and > PKCS10, since these > are familiar. Please change "need" in bullet 1 to "desire" > (and change > "immediate needs" in the opening sentence to "immediate concerns", or > similar). I don't really know what to say on this point. One person's desires are another person's needs. > > Section 2, Section 2.1, and elsewhere: the document sometimes uses > "certificate authority", sometimes uses "certification > authority", sometimes > uses "Certification Authority", and so on. Please be > consistent throughout. > [Note that "Certification Authority" is the official term in various > Standards.] Done --- Brian -- we need to decide on certificate request or certification request and use this consistantly as well. > > Section 2: this may be obvious to many, but I think that stating the > following underlying operational assumption will help to clarify the > operational model for this protocol. "Underlying assumption: > every PKI > entity will have a signing key pair and will request a verification > certificate in its initialization message (i.e., an entity > will never ask > for an encryption certificate _only_ in its initialization > message)." [The > reason that it might help to clarify this is that RFC 2510 > does not have > this restriction.] I am not sure that I agree with this statment. I believe that it is possible in this model to obtain just an encryption certificate. There are no limits in the model that prevent this. The one-time shared secret can be used to identify the end user to the CA, and the request could just be for an encryption certificate. There would be no way to renew such a situation as no proof of identity could easily be offered with just an encryption certificate, but the initial request could easily be made. > > Section 3.3.3.1: "D-H private keys cannot always be used..." > -- note that > is may also be true for RSA keys that are held in a > decrypt-only device, so > you need not restrict this section to D-H. You are quite correct, and we will modify the text to address this problem. > > Also, "NoSignatureValue contains the hash of the > certification request." -- > why force the implementer to do an extra hash here for no > purpose? Why not > say that NoSignatureValue "contains the value 1234", or similar? This could easily be a constant value, I put the hash in for two reasons. First, the code base that I was using computed the hash anyway so there were no reasons not to use it. Second, by including the hash the most obious of transmissions errors could potentially be found. Unless there are other who support using a constant value, I do not plan to change this. > > Section 5.2 (second paragraph): "Servers SHOULD provide this > method or have > a bilateral method..." -- I would prefer the following for > interoperability > reasons: "Servers MUST provide this method and MAY also have > a bilateral > method...". We have made this change. > > Section 5.7: should note in first paragraph that PKCS10 > cannot be used to > provide this functionality. This is not correct. The correct statement, which I will pass by the other authors, is that simple enrollment messages cannot provide this functionality. There is no reason that a PKCS10 included as part of a full enrollment request cannot provide the functionality needed. > > Also, it appears (from the text in bullet 4a and the text in > the second-last > sentence of the section) that the DecryptedPOP structure > should contain > "request TaggedRequest" rather than "bodyPartID > BodyPartID". That is, > the decrypted POP needs to contain the actual request itself > (not just an > ID). I have changed the language on this slightly. What is placed here is the body part id of the request. The request is included by reference and the text now states this. > > Section 5.9 (last paragraph): "the server responds with a > Key Recovery > Response containing the newly generated key." -- it doesn't > really make any > sense semantically to use a key recovery response to > implement off-client > key generation (since off-client key generation is not key > recovery). Why > not simply define a new message ("OffClientKeyGenRep") with > the same syntax > as Key Recovery Response? > > Also, "The details of the request control statement not > covered in this > document...". This will limit the use of this protocol in > some environments > (those that mandate central key gen.). A request message needs to be > defined for this purpose. > > Section 5.9.3: "The ContentInfo contains the requested private key > material." -- does it also contain the newly-created > recipient (i.e., EE) > certificate? If not, how can this response be used for off-client key > generation? [Note that according to CMS, it is not clear > that it's legal > for a CA to put the EE certificate in this construct....] > > Sections 5.9.4.1, 5.9.4.2, 5.9.4.3: in each section you need > to say that > the private key (DH-PrivateKey, DSA-PrivateKey, or RSAPrivateKey) must > subsequently be re-encoded as an OCTET STRING (in order to > fit within the > structure defined in Section 5.9.4). We will look at the comments on this section for a new draft. As I anounced at the IETF meeting we are pulling out all of the archiving text and placing it into a seperate draft. That draft will address both the archiving and server side key generation issues. > > Section 5.10: "low-end IP router that does not retain its > own certificate > in non-volatile memory". I might prefer "low-end IP router > that does not > retain in non-volatile memory the certificates of those > entities with whom > it needs to communicate". Entities certainly need to get the > certificates > of others in order to talk with them; do they really need to > keep their own > certificates for most of their activities? The original text on this issue is actually correct. THe problem is that router does not keep its own certificate during events such as power cycles. After obtaining its own certificate from some type of directory service, that certificate is presented as part of protocal to talk to the next router. Thus each router needs to get it's own certificate from a centeralized location, but gets the other router's certificate from the other router. > > Section 5.11: "The fields in a GetCRL have the following > meanings: -- > issuerName is the value of the Issuer DN in the subject > certificate." This > will not work for Indirect CRLs. Perhaps this field should > hold the name of > the CRL issuer instead... done > > Section 5.12: "it is impossible to produce a reliable > digital signature." > -- this should be clarified to "it is impossible to produce a reliable > digital signature (prior to the certification of a new > signature key pair)." We have a couple of different suggestions for cleaning up this wording and we will do so. > > Section 5.14: "The query pending attribute allows for a > client to query a > server about the state..." -- how does the client know when > to do this? Is > there a time-to-check-back value included somewhere in the server's > response? This value is in the CMCStatusInfo structure. We will include a text reference here to that fact. > > Section 6.1: "The request is placed in the cmsSequence if it > is a full pki > message and the reqSequence field for a simple enrollment > message." -- in > the latter case, is this still a nested message? (I.e., what is the > difference between a "non-nested" message with a PKCS10 in > the reqSequence > and a "nested" message with a simple enrollment message in > the reqSequence?) There are a couple of different opinions on this amoung the author's. We will argue this out and put in clarification text on this issue > > Sections 7.2, 7.3: replace "BER" with "DER" since signatures are > involved... What is being referenced here is a CMS SignedData object (since we are looking at full requests). CMS explicity states these may be BER encoded objects. > > Section 12: update the CRMF reference to RFC 2511 and the PKIXCERT > reference to RFC 2459. Also, was DH-SIG not updated to some > other draft > recently? In progress. > > > Finally, there is some functionality missing in this > specification that > will be very important for some environments. > > - there is currently no way for a CA/RA to provide a trust > anchor (public > key or self-signed cert) to the client during initialization. > Given the number of ways that this can be done, and the impliciations about the fact that clients are going to start automatically accepting such certificates as trust anchors, the author's are hesitant to include this fucntionality. Please place on the list as a seperate topic of discussion to see how much support exists for this. > - there is no confirmation message from the client to the > CA/RA (thus, there > is no way for a client to reject a certificate that it does > not want (e.g., > in the case where the CA has modified some of the fields in > the request)). There is a simple way for a client to reject a certificate, it simply puts in a revocation request on the certificates it just received. I don't know of any reason for the oppositite to be required in a general protocal. That is the client must positively accept a certificate. > > - cross-certification is not described. (It appears to be > possible to do > this with the existing messages, but without a prescribed method > interoperability is unlikely.) I don't understand why you think that interopability is a problem. If a CA generates a certificate request then it can get a cross-certificate. The real problem of interopability here is far more in the question of the procedures required to accept such a request not in the request itself. > > - as mentioned above, off-client key generation needs to be > specified (both > request and response). It would also be nice to be able to > ask for this as > part of the Full PKI Request message, rather than having to > use separate > req/rep messages. Will be addressed in a seperate draft. > > - CA key rollover is not described. (This might be considered to be > out-of-scope of the current document, but it is very much > in-scope for a > specification on how to do comprehensive certificate > management, which is > what the title of this document suggests.) There are really two different points that need to be addressed here and they are seperate problems. The problem of rolling over a CA key is not really a big issue from what I can tell. All you do is issue the new CA certificate and start referencing it correctly using AIA and CDP extensions. I think the problem you really want to address here is the question of trust anchor roll-over. Before we addressed this we would need to address the question of doing trust anchor issues at all. > > > > That's all. Aside from a few other typos, etc., the document > looks great! > > Carlisle. > Jim Schaad Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id VAA09929 for ietf-pkix-bks; Sun, 11 Apr 1999 21:10:53 -0700 (PDT) Received: from mail.student.auckland.ac.nz (mail.student.auckland.ac.nz [130.216.35.101]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id VAA09906; Sun, 11 Apr 1999 21:06:58 -0700 (PDT) Received: from cs26.cs.auckland.ac.nz (pgut001@cs26.cs.auckland.ac.nz [130.216.36.9]) by mail.student.auckland.ac.nz (8.8.6/8.8.6/cs-master) with SMTP id QAA04716; Mon, 12 Apr 1999 16:07:02 +1200 (NZST) (sender pgut001@cs.auckland.ac.nz) Received: by cs26.cs.auckland.ac.nz (relaymail v0.9) id <92389002120806>; Mon, 12 Apr 1999 16:07:01 (NZST) From: pgut001@cs.auckland.ac.nz (Peter Gutmann) To: ietf-pkix@imc.org, ietf-smime@imc.org Subject: Possible ambiguities in encoding of signatures, encrypted keys Reply-To: pgut001@cs.auckland.ac.nz X-Charge-To: pgut001 X-Authenticated: relaymail v0.9 on cs26.cs.auckland.ac.nz Date: Mon, 12 Apr 1999 16:07:01 (NZST) Message-ID: <92389002120806@cs26.cs.auckland.ac.nz> Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Currently both RFC 2459 and CMS refer to RFC 2313/2437 for the encoding of RSA signatures/encrypted data (RFC 2459, 7.2.1; CMS, 12.3.2.1 and 12.2.2 - what I'm about to describe applies to other algorithms as well, but I'll stick with RSA to keep it simple). These RFC's make the assumption that the encoded value will be of the same length as the modulus, zero-padding the value if required (RFC 2437, 7.2.1 and 8.1.1), however when this padding is used the encoded value doesn't follow the DER any more. Although neither RFC 2459 or CMS require this, the former does imply it when it says (Section 4) "the certificate is encoded with the ASN.1 distinguished encoding rules (DER)". Because the signature will be zero-padded a small portion of the time as per RFC 2313/2437, it's not a DER-encoded value. In addition I would suspect that most implementations don't perform the zero-padding (although it's hard to check because it occurs only about once every 256 times), so they wouldn't comply with RFC 2313/2437. The zero-padding requirement isn't something which is right or wrong one way or the other, not padding means you get DER-compliant encodings, but padding is necessary to allow one-pass encoding of CMS data (unless you use the indefinite encoding all the way down) since the signature at the end of an arbitrary amount of data could suddenly shrink by one (or more) bytes, requiring everything to be re-encoded from the start. To clear up this problem, I'd recommend the following: Change the text in RFC 2459, section 4, to read: "the tbsCertificate is encoded with the ASN.1 distinguished encoding rules (DER)" and add the following text wherever a reference to RFC 2313/2437 is made (I've listed the section numbers above): Although RFC 2313/2437 requires that the encoded values be zero-padded to match the size of the modulus, this padding doesn't comply with the ASN.1 distinguished encoding rules (DER) which allow at most one leading zero byte, and only if the MSB of the value is set. Some implementations may choose to pad the value as per the RFC's, others may choose to follow the DER. Both of these encoding forms are acceptable, and implementations should be able to process both zero-padded and non-padded values. If necessary I guess RFC 2459 could be a bit more strict (always require DER), but CMS should allow both forms since, as I've outlined above, requiring DER would make one-pass encoding impossible. Peter. Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id QAA24884 for ietf-pkix-bks; Sun, 11 Apr 1999 16:22:13 -0700 (PDT) Received: from dsg1.OpenDirectory.com.au ([203.108.249.145]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id QAA24879 for <ietf-pkix@imc.org>; Sun, 11 Apr 1999 16:22:03 -0700 (PDT) Received: by DSG1 with Internet Mail Service (5.0.1458.49) id <2XG6NQQ3>; Mon, 12 Apr 1999 09:22:06 +1000 Message-ID: <D1A949D4508DD1119C8100400533BEDC0BE97E@DSG1> From: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au> To: "'Anders Rundgren'" <anders.rundgren@jaybis.com>, Stephen Kent <kent@po1.bbn.com> Cc: ietf-pkix@imc.org, list@seis.nc-forum.com Subject: RE: CyberPhone Trust Propagation Was: A $25,000,000,000 PKI Date: Mon, 12 Apr 1999 09:22:05 +1000 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Anders, I think that the debate can and will go no where as do some simply because the profile work is based on purity of the PKI model and signed email messages over the internet. There are three major components (comms and messaging protocols aside) to the application of certificate systems for large scale use (I dont bother with bespoke ones) - and that is a directory infrastructure, a business and business entity information model that reflects the business transactions (between the relevant directory enities) and an overlaid PKI/CA model and functions that reflect the cost/trust/risk aspects of delivering these services - and these processes/interactions align to protected services one wants to deploy. In your case its domain agile telephone devices, but it could be toll tickets or tram fares. I think as time goes on - reality will set in and different architectures/models for PKI system will emerge ... nature and commercial effort has a way of doing this. Certainly my experience is showing that PKI on its own aint much use. It needs the operational bits too. regards alan > -----Original Message----- > From: Anders Rundgren > Sent: Sunday, April 11, 1999 2:30 PM > To: Stephen Kent > Cc: ietf-pkix@imc.org; list@seis.nc-forum.com > Subject: Re: CyberPhone Trust Propagation Was: A $25,000,000,000 > PKI > > Steve, > > >It is not the server that grants the user the right to purchase, it > is the > >company. The company can choose to do this in various ways, as > described > >in earlier messages. Your approach introduces added vulnerabilities > into > >the system, realtive to a model in which the purchasing agent > directly > >controls his/her private key. > > > But "your" model adds the following security problems when purchasers > that have their purchaser keys and certs in a smart card: > > 1) Key (card) distribution. Make sure the right person gets it > > 2) A need for trust in external software when purchasing outside of > the company > premises. If at all possible for SW reasons. And logging, what about > that? > > 3) As it probably can take days to get a new purchaser card in case of > loss you may have to "borrow" somebody else's. Normal human behavior > > 4) No control of use or abuse until it may be too late. Non-repudian > is useless if your purchaser made your company go bankrupt > > > > And then "your" model also adds the following PITAs > > 1) Slow and expensive issuing of cards > > 2) Hard to get a card if not physically close to the issuer > > > As I see it, massive issuing and distribution of private keys > introduce > security problems that (unlike secure PK-servers and "Thin PKI") do > not > have any real solutions. > > > But I will cease this debate as we are approaching "dead-lock" unless > there > are others who seems willing (and competent) to continue. > > Regards > Anders > > http://www.mobilephones-tng.com > > Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id QAA24424 for ietf-pkix-bks; Sun, 11 Apr 1999 16:06:12 -0700 (PDT) Received: from dsg1.OpenDirectory.com.au ([203.108.249.145]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id QAA24394 for <ietf-pkix@imc.org>; Sun, 11 Apr 1999 16:05:41 -0700 (PDT) Received: by DSG1 with Internet Mail Service (5.0.1458.49) id <2XG6NQQL>; Mon, 12 Apr 1999 09:05:14 +1000 Message-ID: <D1A949D4508DD1119C8100400533BEDC0BE97D@DSG1> From: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au> To: "'Stephen Kent'" <kent@po1.bbn.com> Cc: ietf-pkix@imc.org, list@seis.nc-forum.com Subject: RE: SEIS: RE: Certificates, Directories, and Distinguished Names Date: Mon, 12 Apr 1999 09:05:13 +1000 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Stephen - in all your words you never seem to come to grips with the fact that X.509 is not ambigious in so far that it permits systems to be built without certificate extensions - and for those build such systems to determine by local means or imply what is a EE or a CA cert and what use that cert has (eg for message verification or cert verification).. X.509 - was written some years ago and it correctly (a a standard should) provided a transition path to the use of cert extensions. RFC 2459 came along some time later as a profile and just the fact that people are discussing the issue in 2459 and it is unclear - means there is a problem - in the Profile. Just the fact you added this to your response says something about the issue. Because 2459 requires inclusion of the extension in a CA cert, there is no ambiguity. If a CA chose to insert the extension in an EE cert, despite the RFC's admonition, it would be redundant in the 2459 context, but not cause an error. You should refer to RFC 2119 to gain a better understanding of the term "SHOULD" as used in RFCs. and as for 2119 the extract: who can understand this stuff when applied to a real system specification or profile? 4. SHOULD NOT This phrase, or the phrase "NOT RECOMMENDED" mean that there may exist valid reasons in particular circumstances when the particular behavior is acceptable or even useful, but the full implications should be understood and the case carefully weighed before implementing any behavior described with this label. Work that one out if you can when building large scale trusted system in which many EE/clients will access many CA domains and do trusted processing .... Groan..............In my book Profiles have Musts (mandated), Conditionals with the condition applied, or Dont Use or Dont Care/Ignore shall, shall not or may or could ... mean an ambigious mess. Sorry Stephen - use all the words you like - even throw a dictionary at me -- but 2459 + 2119 = what?? in terms of trusted, consistent engineering ???? As said X.509 is a Standard that permits transition to using certificate extensions for CAs and EEs - and describes this as a local issue .. thats pretty clear in my mind. 2459 and 2119 its unclear and ambigious - and that is the last thing you want in an engineering PROFILE that will be used to make products with. regards alan PS why are the words different in 509 Basic Contsraints to that of 2459 Basic Constraints? as they do introduce the ambiguity about EEs and what they can do re cert validation? > -----Original Message----- > From: Stephen Kent > Sent: Saturday, April 10, 1999 6:29 AM > To: Alan Lloyd > Cc: ietf-pkix@imc.org; list@seis.nc-forum.com > Subject: RE: SEIS: RE: Certificates, Directories, and > Distinguished Names > > Alan, > > >Thats the same as 509 or near enough. Its not too informative as its > >abstract theory rather than operational policy. Oh well. > > indefinate antecedent, error ... > > > > >As a question on basic constrains why is the text in 509 different > from > >RFC 2459 > > > >X.509 - 12.4.2.1 Basic Constraints > >This field indicates if the subject may act as a CA, with the > certified > >public key being used to verify certificate signatures. If so, a > >certification path length constraint may also be specified. This > field > >is defined as follows.... > > > > > >rfc 2459 -4.2.1.10 Basic Constraints > > > > The basic constraints extension identifies whether the subject of > the > > certificate is a CA and how deep a certification path may exist > > through that CA. > >........ > > > > This extension MUST appear as a critical extension in all CA > > certificates. This extension SHOULD NOT appear in end entity > > certificates. > > > >It strikes me that 2459 is ambigious simply because it did not > embrase > >the X.509 text re "certificate using system" and the fact 2459 uses > >SHOULD NOT without actuallly defining the conditions if it is or is > not > >there in EE - as X.509 states. > > Because 2459 requires inclusion of the extension in a CA cert, there > is no > ambiguity. If a CA chose to insert the extension in an EE cert, > despite > the RFC's admonition, it would be redundant in the 2459 context, but > not > cause an error. You should refer to RFC 2119 to gain a better > understanding of the term "SHOULD" as used in RFCs. > > steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id AAA17556 for ietf-pkix-bks; Sun, 11 Apr 1999 00:35:02 -0700 (PDT) Received: from natasha1. (natasha-gw.checkpoint.com [199.203.73.129]) by mail.proper.com (8.8.8/8.8.5) with SMTP id AAA17552 for <ietf-pkix@imc.org>; Sun, 11 Apr 1999 00:34:59 -0700 (PDT) Received: from cale.checkpoint.com (gray.checkpoint.com [199.203.71.94]) by cale.checkpoint.com (8.9.1/8.9.1) with ESMTP id KAA22639; Sun, 11 Apr 1999 10:37:08 +0300 (IDT) Message-ID: <37105050.1C542DCE@cale.checkpoint.com> Date: Sun, 11 Apr 1999 10:33:36 +0300 From: Moshe Litvin <moshe@cale.checkpoint.com> X-Mailer: Mozilla 4.51 [en] (WinNT; I) X-Accept-Language: en MIME-Version: 1.0 To: Stephen Kent <kent@po1.bbn.com>, ietf-pkix@imc.org Subject: Re: CA vs. EE cert processing References: <v04020a18b331b07b2125@[128.33.238.98]> <v04020a0ab332fc3d5915@[128.33.238.98]> Content-Type: multipart/mixed; boundary="------------8F3CCC50A7BE4CF10CB7B01D" Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This is a multi-part message in MIME format. --------------8F3CCC50A7BE4CF10CB7B01D Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Steve, If PKIX mandated inclusion of basicConstraint then PKIX CA would issue certificates that are unambiguous to every X.509v3 verifier. The verifier need to know that the CA is a PKIX only if the certificate doesn't contain the extension. Once the extension is in the certificate the ambiguity disappear. PKIX chose to signal EE certificate by the absence of the extension, a way that require out of band knowledge. Based on this analyses I call PKIX broken. You can tell that it is X.509 fault, but PKIX failed to fix it, when it could easily make things much better. Mandating a basicConstraint is not the only way for removing that ambiguity. PKIX can mandate inclusion of a keyUsage extension or of a policy OID that specify that this is a PKIX certificate. Both of this solutions allows processing of the certificate without out of band knowledge, but I think that the basicConstraint way is simpler. Moshe Stephen Kent wrote: > Moshe, > > >RFC2459 IS broken in the since the it recommends generating EE certificate > >that > >require out of band information to to know that it not a CA certificate. > > I disagree. The ambiguity arises only because X.509 allows both EE and CA > certs to not have this extension, as my analysis shows, and because the > verifier does not know whether a PKIX or X.509 compliant CA issued the > cert. > > Steve --------------8F3CCC50A7BE4CF10CB7B01D Content-Type: text/x-vcard; charset=us-ascii; name="moshe.vcf" Content-Transfer-Encoding: 7bit Content-Description: Card for Moshe Litvin Content-Disposition: attachment; filename="moshe.vcf" begin:vcard n:Litvin;Moshe tel;fax:+972 3 5759256 tel;work:+972 3 7534601 x-mozilla-html:TRUE org:Check Point Software Technologies Ltd. adr:;;;;;; version:2.1 email;internet:moshe@CheckPoint.com fn:Moshe Litvin end:vcard --------------8F3CCC50A7BE4CF10CB7B01D-- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id WAA16770 for ietf-pkix-bks; Sat, 10 Apr 1999 22:17:03 -0700 (PDT) Received: from ns.cmbchina.com ([202.96.161.112]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id WAA16762 for <ietf-pkix@imc.org>; Sat, 10 Apr 1999 22:17:00 -0700 (PDT) Received: from cmbchina.com ([10.1.4.27]) by ns.cmbchina.com (Netscape Messaging Server 3.01) with ESMTP id AAA24651 for <ietf-pkix@imc.org>; Sun, 11 Apr 1999 13:15:48 -0800 Message-ID: <37103055.1D41C0B0@cmbchina.com> Date: Sun, 11 Apr 1999 13:17:09 +0800 From: "Xiong Shao Jun" <xsj@cmbchina.com> Organization: China Merchants Bank X-Mailer: Mozilla 4.04 [en] (Win95; I) MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: About Diffie-Hellman algorithm and Shamir threshold Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Hi, I have two problems. The first is about Diffie-Hellman algorithm. In PKIX part1, now rfc2459, the algorithm is described as: OID: 1.2.840.10046.2.1 DomainParameters ::= SEQUENCE { p INTEGER, -- odd prime, p=jq+1 g INTEGER, -- generator, g q INTEGER, -- factor of p-1 j INTEGER OPTIONAL, -- subgroup factor validationParms ValidationParms OPTIONAL } ValidationParms ::= SEQUENCE { seed BIT STRING pgenCounter INTEGER } while in certificate management protocol, now rfc2510, the algorithms is described as below: OID: 1.2.840.10046.2.1 DHParameter ::= SEQUENCE { prime INTEGER, -- p base INTEGER -- g } So which is the most up to date description, and which should I implement? Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id UAA16253 for ietf-pkix-bks; Sat, 10 Apr 1999 20:31:39 -0700 (PDT) Received: from smtp.udac.net (smtp.udac.net [193.44.79.123]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id UAA16249 for <ietf-pkix@imc.org>; Sat, 10 Apr 1999 20:31:37 -0700 (PDT) Received: from caesar.udac.se (caesar.udac.se [193.44.79.10]) by smtp.udac.net (8.9.1/8.9.1) with ESMTP id FAA20621 for <ietf-pkix@imc.org>; Sun, 11 Apr 1999 05:31:42 +0200 Received: from mega (t4o69p116.telia.com [62.20.145.236]) by caesar.udac.se (8.7.3/NetworkC-1) with SMTP id FAA61885; Sun, 11 Apr 1999 05:31:37 +0200 Message-ID: <000601be83d3$ef054270$020000c0@mega.vincent.se> From: "Anders Rundgren" <anders.rundgren@jaybis.com> To: "Stephen Kent" <kent@po1.bbn.com> Cc: <ietf-pkix@imc.org>, <list@seis.nc-forum.com> Subject: Re: CyberPhone Trust Propagation Was: A $25,000,000,000 PKI Date: Sun, 11 Apr 1999 05:29:47 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.2106.4 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id UAA16250 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Steve, >It is not the server that grants the user the right to purchase, it is the >company. The company can choose to do this in various ways, as described >in earlier messages. Your approach introduces added vulnerabilities into >the system, realtive to a model in which the purchasing agent directly >controls his/her private key. But "your" model adds the following security problems when purchasers that have their purchaser keys and certs in a smart card: 1) Key (card) distribution. Make sure the right person gets it 2) A need for trust in external software when purchasing outside of the company premises. If at all possible for SW reasons. And logging, what about that? 3) As it probably can take days to get a new purchaser card in case of loss you may have to "borrow" somebody else's. Normal human behavior 4) No control of use or abuse until it may be too late. Non-repudian is useless if your purchaser made your company go bankrupt And then "your" model also adds the following PITAs 1) Slow and expensive issuing of cards 2) Hard to get a card if not physically close to the issuer As I see it, massive issuing and distribution of private keys introduce security problems that (unlike secure PK-servers and "Thin PKI") do not have any real solutions. But I will cease this debate as we are approaching "dead-lock" unless there are others who seems willing (and competent) to continue. Regards Anders http://www.mobilephones-tng.com Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id HAA11816 for ietf-pkix-bks; Sat, 10 Apr 1999 07:58:53 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id HAA11812 for <ietf-pkix@imc.org>; Sat, 10 Apr 1999 07:58:51 -0700 (PDT) Received: from [128.33.238.189] (tc238-189.bbn.com [128.33.238.189]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id KAA17780; Sat, 10 Apr 1999 10:58:43 -0400 (EDT) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Sender: kent@po1.bbn.com (Unverified) Message-Id: <v04020a05b33412a03b9e@[128.33.238.86]> In-Reply-To: <D1A949D4508DD1119C8100400533BEDC0BE978@DSG1> Date: Fri, 9 Apr 1999 16:29:10 -0400 To: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au> From: Stephen Kent <kent@po1.bbn.com> Subject: RE: SEIS: RE: Certificates, Directories, and Distinguished Names Cc: ietf-pkix@imc.org, list@seis.nc-forum.com Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Alan, >Thats the same as 509 or near enough. Its not too informative as its >abstract theory rather than operational policy. Oh well. indefinate antecedent, error ... > >As a question on basic constrains why is the text in 509 different from >RFC 2459 > >X.509 - 12.4.2.1 Basic Constraints >This field indicates if the subject may act as a CA, with the certified >public key being used to verify certificate signatures. If so, a >certification path length constraint may also be specified. This field >is defined as follows.... > > >rfc 2459 -4.2.1.10 Basic Constraints > > The basic constraints extension identifies whether the subject of the > certificate is a CA and how deep a certification path may exist > through that CA. >........ > > This extension MUST appear as a critical extension in all CA > certificates. This extension SHOULD NOT appear in end entity > certificates. > >It strikes me that 2459 is ambigious simply because it did not embrase >the X.509 text re "certificate using system" and the fact 2459 uses >SHOULD NOT without actuallly defining the conditions if it is or is not >there in EE - as X.509 states. Because 2459 requires inclusion of the extension in a CA cert, there is no ambiguity. If a CA chose to insert the extension in an EE cert, despite the RFC's admonition, it would be redundant in the 2459 context, but not cause an error. You should refer to RFC 2119 to gain a better understanding of the term "SHOULD" as used in RFCs. steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id HAA11810 for ietf-pkix-bks; Sat, 10 Apr 1999 07:58:51 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id HAA11806 for <ietf-pkix@imc.org>; Sat, 10 Apr 1999 07:58:49 -0700 (PDT) Received: from [128.33.238.189] (tc238-189.bbn.com [128.33.238.189]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id KAA17769; Sat, 10 Apr 1999 10:58:35 -0400 (EDT) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Sender: kent@po1.bbn.com (Unverified) Message-Id: <v04020a03b334098020dc@[128.33.238.86]> In-Reply-To: <D1A949D4508DD1119C8100400533BEDC0BE977@DSG1> Date: Fri, 9 Apr 1999 15:53:31 -0400 To: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au> From: Stephen Kent <kent@po1.bbn.com> Subject: RE: CA vs. EE cert processing Cc: ietf-pkix@imc.org Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Alan, >When one builds a system comprising many CA functions for different >product domains, its likely that the key generation function is used to >generate keys for more than one of these CA functions - however this >approach is according to trust and operational requirements. Naturally >the theory in this process is that the root level CA function then in >fact signs the subordinate CA function certificate with its key and the >sub CA also signs its certs with its own key. However, we also expect in >this process - in terms of procedure that the root level CA could check >components of the certificate it is signing - such as the extensions >being applied - eg BC = CA .. and the client software used - the >certficate using system also checks this correctly.. No argument about what the CA and relying parties should do. Of course, in practice the latter tend not to do all of what is nominally required. >ie. one must also verify that if a CA is using BC = CA that the client >has in fact verified that - again the proof of doing that is in the >system design and implementation. ie what gives proof of path >processing. Its all part of the system verification process - that each >part of the PKI is coherent and trusted. Each part is trusted relative to its functions, yes. >My point was that X.509 states that this extension is set or not to let >the certificate using system determine if it can use the public key to >validate certficates .. However, the standard also permits non extended >certficates to be used in a system and the certificate using system to >verify certificates with the implicit knowledge that a cert chain does >equal an EE cert with superior CAs. Ah, now I see your point. You are suggesting that while X.509 was not in error for not requiring CAs to mark CA certs, even when they are v3 certs, because one might build a system that relied upon the CAs, and all EEs, not doing the wrong thing. Note that one has to rely on all CAs and EEs since otherwise an EE can take advantage of the lack of marking to pretend it is a CA. This is an unwise basis on which to build a system, from a security perspective, and thus I do fault X.509, despite your description of a context in which the ambuguity might be mitigated. >My last point is that 2459 can profile X.509 say all CA certs must have >this extension set. EE certs may have this extension set to null or not >be there. > >No ambiguity as far as I am concerned. Yes, that's right, and that's what 2459 already says. Steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id HAA11804 for ietf-pkix-bks; Sat, 10 Apr 1999 07:58:40 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id HAA11800 for <ietf-pkix@imc.org>; Sat, 10 Apr 1999 07:58:39 -0700 (PDT) Received: from [128.33.238.189] (tc238-189.bbn.com [128.33.238.189]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id KAA17772; Sat, 10 Apr 1999 10:58:40 -0400 (EDT) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Sender: kent@po1.bbn.com (Unverified) Message-Id: <v04020a04b3340ff39ac8@[128.33.238.86]> In-Reply-To: <006c01be8250$6fe05540$020000c0@mega.vincent.se> Date: Fri, 9 Apr 1999 16:24:15 -0400 To: "Anders Rundgren" <anders.rundgren@jaybis.com> From: Stephen Kent <kent@po1.bbn.com> Subject: Re: CyberPhone Trust Propagation Was: A $25,000,000,000 PKI Cc: <ietf-pkix@imc.org>, <list@seis.nc-forum.com> Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Anders, <snip> >Now to the scenarios presented on my web (Shared Certificates >and Dynamic Certificates) that represent two much more complicated situations >that an open environment introduce. > >If those scenarious introduce trust propagation it would mean that the >intermediary >private key server performed something on behalf of the client. But, IT >IS THE >OTHER WAY AROUND! It is the intermediary server that grants a client the >right >to perform a purchase on the servers behalf. Yes, when you purchase for a >company >it is the company that buys. That the purchase was initiated by the >client does >not change this a single bit. A company assumes that you do your work - >not that it has >to screem and shout to make you perform! And you have in this role >obligations >only to your company (=server). It is not the server that grants the user the right to purchase, it is the company. The company can choose to do this in various ways, as described in earlier messages. Your approach introduces added vulnerabilities into the system, realtive to a model in which the purchasing agent directly controls his/her private key. >That is why CyberPhone does not break any (of the mostly unwritten) rules >regarding >key use and trust. > >It does though assume that a server and private keys stored on it can be >responsible >in the same way as a natural person. As I wrote in another posting this >is what is >happening all the time (except for signatures that are not yet >implemented) in automated >invoicing systems so there is "Nothing new under the Sun". Servers are not principles (a security term of art), i.e., they are not accountable entities. Only people are. Putting a collection of private keys on a server creates a new opportunity for someone other than the accountable entity (user) to cause objects to be signed on behalf of the user. yes, many automated systems in the current environemnt offer poor security, such as the one you describe. I hate to see the veneer of PKI applied to a system that retains the many of the security problems of these existing systems. Steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id HAA11795 for ietf-pkix-bks; Sat, 10 Apr 1999 07:57:58 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id HAA11791 for <ietf-pkix@imc.org>; Sat, 10 Apr 1999 07:57:57 -0700 (PDT) Received: from [128.33.238.189] (tc238-189.bbn.com [128.33.238.189]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id KAA17564; Sat, 10 Apr 1999 10:57:46 -0400 (EDT) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Sender: kent@po1.bbn.com (Unverified) Message-Id: <v04020a02b334080dc9b0@[128.33.238.86]> In-Reply-To: <001801be8243$db209d40$020000c0@mega.vincent.se> Date: Fri, 9 Apr 1999 16:24:35 -0400 To: "Anders Rundgren" <anders.rundgren@jaybis.com> From: Stephen Kent <kent@po1.bbn.com> Subject: Re: A $25,000,000,000 PKI Was:Spec. on QC-low-fat & QC-heavy-bio Cc: <ietf-pkix@imc.org>, <list@seis.nc-forum.com> Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Anders, > >This is it! And I am not talking about Coca-Cola :-) I am talking about >current PKI >schemes. They PROMISE you a lot but when it comes to down-to-earth >specifications on how all this is going to be performed in a cost-efficient, >convenient and secure (handling-wise) way there is Zilch, Nada, Nothing. Our experiences differ. I have PKI clients who are much more positive about current technology capabilities. >If you do as I asked Stefan, convert the scenario presented in my paper >"Dynamic Certificates" ( >http://www.mobilephones-tng.com/v100/dynamiccerts.html ) >to the "classical" way of doing things you will for each design decision >create >a lot of new hard questions. A system that can only do "A-B" operations >is totally insufficient for 21st century usage. Why do SET support a >three-party operation? >Because an on-line account-based purchase involves (at least) three parties! Different forms of transactions embody different models for participants. Some are two party, some 3, some more. I do note that SET mamages to get by with X.509 certs under the current model. >Regarding CyberPhone's "unethical" use of digital signatures there seems >to be fairly >limited consensus on your and Stefan's views. I.e. digital signature laws >are not >in harmony with automated systems in any way. My guess is that the >lawyers will >have to go back to the "drawing board" some day. No doubt that more legal work is needed, but that does not mean that the approach you favor will necessarily fare better under revised laws. >As an example I can mention OBI that allows an order to be "Authorized" by >signing it and sending it to the selling organization. The authorizer can be >a person or an automated process. OBI is for REAL which makes a difference. > >Actually, CyberPhone (like SET ServerWallets and OBI) does not break away >from PKIX at all, it just uses current PKIX technology (+ a few new >protocols) in >a more or less novel way that is targeted at existing and future >commercial uses >and business processes. If CyberPhone does not break from the PKIX model, there cannot be a need for changes to that model to accommodate it. So, let's stop wasting the time of the folks on these mailing lists. Steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id LAA00919 for ietf-pkix-bks; Fri, 9 Apr 1999 11:58:17 -0700 (PDT) Received: from gatekeeper.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by mail.proper.com (8.8.8/8.8.5) with SMTP id LAA00915 for <ietf-pkix@imc.org>; Fri, 9 Apr 1999 11:58:16 -0700 (PDT) Received: id OAA22647; Fri, 9 Apr 1999 14:54:52 -0400 Received: by gateway id <G4CA5C9Z>; Fri, 9 Apr 1999 14:57:11 -0400 Message-ID: <01E1D01C12D7D211AFC70090273D20B104F059@sothmxs06> From: Carlisle Adams <carlisle.adams@entrust.com> To: "'mzolotarev@baltimore.com.au'" <mzolotarev@baltimore.com.au> Cc: "'ietf-pkix@imc.org'" <ietf-pkix@imc.org> Subject: RE: CMP message format. A naive question Date: Fri, 9 Apr 1999 14:51:04 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-Type: text/plain Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Hi Michael, Which of the three questions in your e-mail was the "naive question" referred to in the title? :-) > ---------- > From: Michael Zolotarev[SMTP:mzolotarev@baltimore.com.au] > Reply To: mzolotarev@baltimore.com.au > Sent: Wednesday, April 07, 1999 10:03 PM > To: 'PKIX mailing group' > Subject: CMP message format. A naive question > > The CMP message format can be very appropriately used for > non-cert-related > PKI services, such as TimeStamping, AttributeCertificates, DCS etc > > > Q1. Are there any reasons (technical, patent-related, religious,...) why > the CMP message structure can not or should not be used for non-CMP PKI > services? There are no reasons of which I am aware. In fact, the original intent was for this message structure to be generally useful to PKIX (rather than specific to CMP), which is why we called it "PKIMessage". > Q2. If the CMP format can be legitimately used for non-certificate > management protocol operations, then what would be the IDs for the new > PKIBody content? Has anybody sorted out or reserved the IDs above [23]? Nobody has mentioned / proposed using numbers above 23 to me. I therefore assume that such numbers are available for use within this message structure. > Q3. What would be the name to use, when it is not a Cert Mgm Prot-related > message any longer?. "Generic PKI Message Format" (GPMF)? Finding satisfactory names for things is sometimes the easiest, and sometimes the most difficult, part of such an exercise. Perhaps coming up with concrete proposals for other PKIBody contents first would be preferable. :-) As one example, now that PKIX is officially chartered to look at Attribute Certificates, the group may want to consider defining PKIBody contents to request that an Attribute Authority issue an AC containing some specific privileges, and to carry the appropriate response. Carlisle. Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id LAA00465 for ietf-pkix-bks; Fri, 9 Apr 1999 11:06:12 -0700 (PDT) Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id LAA00461 for <ietf-pkix@imc.org>; Fri, 9 Apr 1999 11:06:10 -0700 (PDT) Received: from stingray.missi.ncsc.mil (root@localhost) by stingray.missi.ncsc.mil with ESMTP id OAA09454 for <ietf-pkix@imc.org>; Fri, 9 Apr 1999 14:06:10 -0400 (EDT) Received: from missi.ncsc.mil (depot.missi.ncsc.mil [144.51.60.1]) by stingray.missi.ncsc.mil with ESMTP id OAA09450 for <ietf-pkix@imc.org>; Fri, 9 Apr 1999 14:06:09 -0400 (EDT) Received: from ara.missi.ncsc.mil (ara.missi.ncsc.mil [144.51.56.12]) by missi.ncsc.mil (8.8.8/8.8.8) with ESMTP id OAA17916 for <ietf-pkix@imc.org>; Fri, 9 Apr 1999 14:04:41 -0400 (EDT) Received: from ara.missi.ncsc.mil (ara.missi.ncsc.mil [144.51.56.12]) by ara.missi.ncsc.mil (8.9.1b+Sun/8.9.1) with SMTP id OAA02332 for <ietf-pkix@imc.org>; Fri, 9 Apr 1999 14:05:43 -0400 (EDT) Message-Id: <199904091805.OAA02332@ara.missi.ncsc.mil> Date: Fri, 9 Apr 1999 14:05:43 -0400 (EDT) From: "David P. Kemp" <dpkemp@missi.ncsc.mil> Reply-To: "David P. Kemp" <dpkemp@missi.ncsc.mil> Subject: Re: CA vs. EE cert processing To: ietf-pkix@imc.org MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii Content-MD5: rMi3nWck4uB5FyofofayEw== X-Mailer: dtmail 1.3.0 CDE Version 1.3 SunOS 5.7 sun4u sparc Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> > From: John_Wray@iris.com > > It's purely deterministic. If PKIX mandated the presence of the > basicConstraints extension, then a verifier could, without any > outside knowledge, immediately categorize a certificate as > "CA cert", "EE cert" or "Unknown (and not PKIX-compliant)". A verifier doesn't need to categorize a particular certificate, it needs to validate a path. You are proposing to change the requirements on EE certs; CA certs are *unaffected* by the proposal. It doesn't make any difference to the verifier whether the last cert in a path is definitely an EE, definitely a CA, or unknown. All that matters is that every cert but the last is definitely a CA, and requiring a CA=false flag in every EE cert does not affect the validity of the path. Software which returns either "valid" or "invalid" when presented with a path containing ambiguous certs will not change its behavior, regardless of whether EE cert requirements are changed. > If they pick (ii), then PKIX would be fine whether or not we required > basicConstraints in EE certs, and the ambiguity would slowly vanish as > systems that generate un-extended CA certs come into compliance with > X.509. However, even V1 certs haven't yet vanished from the world, > so I imagine this process is likely to take a long time, so having all > PKIX certs contain the extension is still a win as it eliminates the > ambiguity immediately. Why do you assume that putting the extension into CA certs in response to a change in X.509 would take a long time, but that putting it into EE certs in response to a change in PKIX would happen immediately? There are a lot fewer of the former. And though we might not wish to believe it, there might be people out there who use X.509 but not the PKIX profile :-). Picking option (ii) would help everyone, not just those in the Internet universe. > It seems that in all cases, having PKIX generate certificates > that are unambiguous under today's X.509 is worthwhile. How much current software would be helped by changing the requirements on EE certs (i.e. would magically start behaving differently if PKIX were modified)? My answer: none. How would changing PKIX affect the development of new verifying software (i.e. what would new software do differently if PKIX is changed vs. not changed, recognizing that up to 3 types of certs - non-RFC2459 X.509, RFC2459, and new-modified-PKIX - will be around for a while)? My answer: nothing. Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id GAA27872 for ietf-pkix-bks; Fri, 9 Apr 1999 06:57:49 -0700 (PDT) Received: from epic.iris.com (epic.iris.com [198.112.211.21]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id GAA27867 for <ietf-pkix@imc.org>; Fri, 9 Apr 1999 06:57:45 -0700 (PDT) From: John_Wray@iris.com Subject: Re: CA vs. EE cert processing To: Stephen Kent <kent@po1.bbn.com> Cc: Moshe Litvin <moshe@cale.checkpoint.com>, ietf-pkix@imc.org Date: Fri, 09 Apr 1999 13:58:10 GMT Message-ID: <OFB6F77F37.22E554F4-ON8525674E.004612C7@iris.com> X-Priority: 3 (Normal) X-MIMETrack: Serialize by Router on Epic/Iris(Daily Build (based on 166.1)|Apr 6 1999) at 04/09/99 10:00:02 AM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Steve Kent writes: >>> The ambiguity exists in ALL verifiers, PKIX or not. Thus pointing >>> the finger at PKIX is not rational. >>> >> >>The ambiguity does exist in ALL verifiers, but it doesn't exist in all CA's. A >>CA that follows PKIX creates ambiguous certificates. Only CA that does does >>something that it SHOULD NOT do create unambiguous certificates. Here pointing >>the finger at PKIX is very rational. >> >>We cannot remove the possibility of ambiguity but we can generate certificates >>that are not affected by it. > >I agree that a CA could put the extension in all certs and thus be able to >say "not my fault; I did what I could." But this does not address the >verifier problem in other than a heuristic fashion. I want to >deterministic solution to the problem, and the suggested change to 2459 >does not yield that. It's purely deterministic. If PKIX mandated the presence of the basicConstraints extension, then a verifier could, without any outside knowledge, immediately categorize a certificate as "CA cert", "EE cert" or "Unknown (and not PKIX-compliant)". For certificates that fall into one of the first two categories, the certificate would be processed accordingly; for a certificate in the "unknown" category, the verifier gets to chose whether to consider the cert as an EE or CA cert, possibly based on out-of-band information, but may also chose to reject it (if it is only interested in talking with PKIX-compliant systems). If PKIX doesn't mandate the presence of the basicConstraints extension, then a verifier can't distinguish between a PKIX-complaint EE cert and a non-PKIX compliant CA cert that has chosen not to use the extension. Assuming that we file a DR against X.509, then as I see it the X.509 committee has several choices: i) Decide that X.509 is fine as-is, and make no change. ii) Add clarifying text that defines that certificates without a basicConstraints extension should be considered to be EE certs. iii) Mandate that EE certs omit the basicConstraints extension and that it is present and critical in CA certs. iv) Mandate that the basicContraints extension be present in all certs. If they pick (i), then changing PKIX to require the extension is the only way to generate certs that are unambiguous to a verifier. Reducing the impact of the ambiguity is progress, even if it can't be eliminated altogether, and at least PKIX-compliant certificates won't trigger it. If they pick (ii), then PKIX would be fine whether or not we required basicConstraints in EE certs, and the ambiguity would slowly vanish as systems that generate un-extended CA certs come into compliance with X.509. However, even V1 certs haven't yet vanished from the world, so I imagine this process is likely to take a long time, so having all PKIX certs contain the extension is still a win as it eliminates the ambiguity immediately. If they pick (iii), the current PKIX spec will be fine (once newly non-complaint X.509 certs vanish from the world), and a PKIX spec that mandated the use of basicConstraints in EE certs would be non-compliant. However, this would be a non-backwards-compatible change to X.509, and so if this option were taken, then it would probably require an accompanying change to the certificate version number. For this reason alone, I think this option is unlikely to be chosen. A half-way position would be to recommend that EE certs omit the extension, but to permit verifiers to accept EE certs with the extension set. In this case, either flavor of PKIX would be fine, although having all PKIX certs contain the extension is still a win as it eliminates the ambiguity immediately. If they pick (iv), then the current PKIX profile will be non-compliant, and PKIX will continue to generate certificates that X.509 deems to be ambiguous. The proposed change to PKIX would generate certificates that are compliant with both current X.509 and the new X.509. It seems that in all cases, having PKIX generate certificates that are unambiguous under today's X.509 is worthwhile. I must say, I'm suprised that there is disagreement over this, since writing a profile to avoid ambiguous areas of its parent spec seems so fundamental that I must be missing something. The only down-side I can see to requiring the extension in all certs is that it costs a few extra bytes. There's no significant number of deployed PKIX systems, so compatibility isn't a major issue (and the proposed change wouldn't break compatibility anyway, as verifiers would still have the option of treating non-extended certs as EE certs). John Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id GAA27517 for ietf-pkix-bks; Fri, 9 Apr 1999 06:11:21 -0700 (PDT) Received: from www.fnmt.es (www.fnmt.es [194.224.27.14]) by mail.proper.com (8.8.8/8.8.5) with SMTP id GAA27513 for <ietf-pkix@imc.org>; Fri, 9 Apr 1999 06:11:19 -0700 (PDT) Received: from dnsp.epc.fnmt.es (dnsp.epc.fnmt.es [193.149.3.17]) by www.fnmt.es (NTMail 3.02.13) with ESMTP id ya023762 for <ietf-pkix@imc.org>; Fri, 9 Apr 1999 15:06:22 +0100 Message-ID: <01c901be828a$4192f3c0$d801a8c0@dc-10.ceres.fnmt.es> From: "=?iso-8859-1?Q?Juan_Luis_L=F3pez?=" <jluis@fnmt.es> To: <mzolotarev@baltimore.com.au> Cc: <ietf-pkix@imc.org> Subject: RE: Time Stamp: tsa field in TSTInfo Date: Fri, 9 Apr 1999 15:09:47 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Michael, I am not sure about what you want to say. The core time stamp information (TSTInfo) needs to be signed by the tsa in order to have a proof of existence value otherwise is valueless and that information TSTInfo should not be trusted. If you are saying that some other authority interprets an originally signed time stamp token and extends its trust to its users by adding it to its own structures, then the later authority should verify the signed token and thus discovering in the process the identity of the former tsa. If that authority wished to include information about time-stamp's origin into its structures it could just retrieve that information from signature verification process and simply add it together with the TSTInfo, as a new field. Did I manage to understand you? Juan Luis ------------------------------------------------------------------------ ------------- Juan Luis López <jluis@fnmt.es> Project Engineer http://www.fnmt.es/pkits Fábrica Nacional de Moneda y Timbre tel: [+34] 91 506 48 40 C/ Juan de Mariana, 17 fax: [+34] 91 506 48 51 E-28045 Madrid, SPAIN -----Mensaje original----- De: Michael Zolotarev <mzolotarev@baltimore.com.au> Para: 'Robert Zuccherato' <robert.zuccherato@entrust.com>; 'Juan Luis Lopez' <jluis@fnmt.es> CC: 'ietf-pkix@imc.org' <ietf-pkix@imc.org> Fecha: jueves 8 de abril de 1999 2:28 Asunto: RE: Time Stamp: tsa field in TSTInfo >The core time stamp information can be used indirectly, as a field inside >some third party WhateverService (WS) structure. Even (!) if this WS >structure gets signed/ enveloped, the signer is not going to be the TSA. >DCS as it stands now may serve as an example. > >So, having tsa inside the TSTInfo may come as a useful thing - the WS >clients may still want to know the TimeStamp's origin. > >Michael Zolotarev >Technical Architect >Baltimore Technologies Limited (Australia) > Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id CAA19762 for ietf-pkix-bks; Fri, 9 Apr 1999 02:59:04 -0700 (PDT) Received: from smtp.bankinter.es (dns.bankinter.es [195.235.30.34]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id CAA19753 for <ietf-pkix@imc.org>; Fri, 9 Apr 1999 02:59:01 -0700 (PDT) Received: from nexo.es (h028153.nexo.es [195.235.28.153]) by smtp.bankinter.es (8.8.8+Sun/8.8.8) with ESMTP id LAA26811; Fri, 9 Apr 1999 11:56:37 +0200 (MET DST) Message-ID: <370DCF52.F6DD0B54@nexo.es> Date: Fri, 09 Apr 1999 11:58:42 +0200 From: Manuel Heras Gilsanz <mherasg@nexo.es> X-Mailer: Mozilla 4.5 [en] (Win95; I) X-Accept-Language: en MIME-Version: 1.0 To: Denis Pinkas <Denis.Pinkas@bull.net> CC: "ietf-pkix@imc.org" <ietf-pkix@imc.org>, afd@fnmt.es Subject: Re: Time-Stamp: Why not use several hashes? References: <370D157B.DBB661F0@nexo.es> <370DBD43.C1D1DC68@bull.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Denis, Re-time-stamping *requires* cooperation from the user. Re-signing can be performed by the TSA without user cooperation. Therefore the document and the signature hashes do not demand the same "contingency planning". The thing is, most users will time-stamp their documents and then forget to keep track of the cryptographic advances. If the TSA finds itself unable to contact some user, it will be unable to re-time-stamp the document; on the other, if a new signature algorithm were needed, a renewed time-stamp could be obtained even if the user were having holidays in Bahamas, with the mobile phone switched off. On yet another hand, if the TSA implements some linking protocol in which several hashes are used, then there is no need to re-issue tokens whose signature hashes are broken. The TSA can again take appropriate measures without the user cooperation. Best regards, - Manuel - Denis Pinkas wrote: > Manuel, > > We want to keep the protocol simple. The threat you mention can be countered > by another way: re-time-stamp later on with a new hash function. If SHA-1 > gets broken one day, this will not happen in just one day. Some > cryptographer will first find some weaknesses before you can really forge a > meaningfull message that has the same hash. So you get some time for > re-stamping. > > If this argument were used, then we should sign TWICE, i.e. in case one > digital signature algorithm was broken. We do not do that. There is no > reason to do it for the hash function. > > Regards, > > Denis > > > Hi. > > > > In the (now expired) latest PKIX draft on time-stamping protocols from > > Sept. 23, 1998, time-stamp requests and tokens support the insertion of > > a single message imprint. > > > > I think several message imprints should be supported. If a hash > > algorithm were broken, time-stamp tokens using it (as the single message > > imprint) would have to be regarded invalid (even if some kind of linking > > mechanism were implemented!). If several hashes had been used, the token > > would still be valid, and it could be promptly renewed in order to > > prevent invalidation should further advances in cryptography render > > other hashes obsolete! > > > > (One must be careful here: there are different extents to which a hash > > algorithm could be broken; in Appendix A of PKITS-D3 > > [http://www.fnmt.es/pkits] there is an interesting analysis of the > > implications that the different kinds of hash failures would have on the > > time-stamping process.) > > > > Of course the requirements on the time-stamp verification process would > > also have be modified to require ("MUST" level) *all* the hashes to > > correctly verify in order to regard the corresponding time-stamp token > > valid. > > > > Best regards, > > > > - Manuel - > > > > ---- > > Manuel Heras-Gilsanz (mherasg@nexo.es) > > Independent Security Consultant > > Phone: +34-629 07 53 31 Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id CAA19391 for ietf-pkix-bks; Fri, 9 Apr 1999 02:56:04 -0700 (PDT) Received: from edelweb.fr (edelweb.fr [193.51.12.16]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id CAA19384 for <ietf-pkix@imc.org>; Fri, 9 Apr 1999 02:56:03 -0700 (PDT) Received: from champagne.edelweb.fr (localhost.edelweb.fr [127.0.0.1]) by edelweb.fr with ESMTP id LAA25965; Fri, 9 Apr 1999 11:55:52 +0200 (MET DST) Received: from champagne.edelweb.fr (champagne.edelweb.fr [193.51.14.161]) by edelweb.fr (nospam/1.1); Fri, 9 Apr 1999 11:55:52 +0200 (MET DST) Received: from emeriau.edelweb.fr (emeriau.edelweb.fr [193.51.14.5]) by champagne.edelweb.fr (8.6.10/8.6.6) with ESMTP id LAA16567; Fri, 9 Apr 1999 11:55:51 +0200 From: Peter Sylvester <Peter.Sylvester@edelweb.fr> Received: (sylvest@localhost) by emeriau.edelweb.fr (8.6.10/8.6.6) id LAA06045; Fri, 9 Apr 1999 11:55:51 +0200 Date: Fri, 9 Apr 1999 11:55:51 +0200 Message-Id: <199904090955.LAA06045@emeriau.edelweb.fr> To: robert.zuccherato@entrust.com, Denis.Pinkas@bull.net Subject: Re: Time Stamp: tsa field in TSTInfo Cc: ietf-pkix@imc.org Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> > Generally speaking, I am not found of too many OPTIONS. Whenever we can avoid > one, we should: this is much easier for interoperability testing. In that case I > would favour the mandatory support of the authenticated attribute from ESS and > suppress the name from the content of the token. > I second that; a value that can occur in two places has the tendancy to be misused. Someone might come up with the idea of both places with a different name. Somehow this reminds me to alternate names in certificates :-) Peter Sylvester Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id CAA16741 for ietf-pkix-bks; Fri, 9 Apr 1999 02:02:29 -0700 (PDT) Received: from edelweb.fr (edelweb.fr [193.51.12.16]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id CAA16737 for <ietf-pkix@imc.org>; Fri, 9 Apr 1999 02:02:27 -0700 (PDT) Received: from champagne.edelweb.fr (localhost.edelweb.fr [127.0.0.1]) by edelweb.fr with ESMTP id LAA23204; Fri, 9 Apr 1999 11:02:16 +0200 (MET DST) Received: from champagne.edelweb.fr (champagne.edelweb.fr [193.51.14.161]) by edelweb.fr (nospam/1.1); Fri, 9 Apr 1999 11:02:15 +0200 (MET DST) Received: from emeriau.edelweb.fr (emeriau.edelweb.fr [193.51.14.5]) by champagne.edelweb.fr (8.6.10/8.6.6) with ESMTP id LAA15790; Fri, 9 Apr 1999 11:02:14 +0200 From: Peter Sylvester <Peter.Sylvester@edelweb.fr> Received: (sylvest@localhost) by emeriau.edelweb.fr (8.6.10/8.6.6) id LAA06001; Fri, 9 Apr 1999 11:02:14 +0200 Date: Fri, 9 Apr 1999 11:02:14 +0200 Message-Id: <199904090902.LAA06001@emeriau.edelweb.fr> To: Denis.Pinkas@bull.net, robert.zuccherato@entrust.com, jgonzalez@fnmt.es Subject: optional fields in time stamp responses. Cc: ietf-pkix@imc.org Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> It seems to me that a lot of fields in a time stamp response or dcs response can be avoided by using signed/authenticated attributes. For example the time can be replaced by a signing time attribute. In general I believe that an attribute that contains a cms document plus a description/pointer would be very useful: - The responses from TDAs are just signed documents. - You want to include DCS token cpkc for your signature cert and another for possession of data in the signature of the data. - In an ess three way signed/encrypted/signed structure, one might add a dcs validation response for the encryption cert to indicate that the recipients dcs server 'authorisation' to use the encryption key. Otherwise each application protocol like time stamping or dcs can define its own oid (which would be necessary anyway for oscp responses). Thoughts? PS Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id BAA16571 for ietf-pkix-bks; Fri, 9 Apr 1999 01:41:41 -0700 (PDT) Received: from clbull.frcl.bull.fr (clbull.frcl.bull.fr [129.182.1.20]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id BAA16567 for <ietf-pkix@imc.org>; Fri, 9 Apr 1999 01:41:38 -0700 (PDT) Received: from k2.frcl.bull.fr (k2.frcl.bull.fr [129.182.100.2]) by clbull.frcl.bull.fr (8.9.1a/8.9.1) with ESMTP id KAA19546; Fri, 9 Apr 1999 10:41:31 +0200 Received: from bull.net (frcls6118.frcl.bull.fr [129.182.109.213]) by k2.frcl.bull.fr (AIX4.2/UCB 8.7/8.7) with ESMTP id KAA42628; Fri, 9 Apr 1999 10:41:31 +0200 (DFT) Message-ID: <370DBD43.C1D1DC68@bull.net> Date: Fri, 09 Apr 1999 10:41:40 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.06 [fr] (Win95; I) MIME-Version: 1.0 To: Manuel Heras Gilsanz <mherasg@nexo.es> CC: "ietf-pkix@imc.org" <ietf-pkix@imc.org>, afd@fnmt.es Subject: Re: Time-Stamp: Why not use several hashes? References: <370D157B.DBB661F0@nexo.es> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Manuel, We want to keep the protocol simple. The threat you mention can be countered by another way: re-time-stamp later on with a new hash function. If SHA-1 gets broken one day, this will not happen in just one day. Some cryptographer will first find some weaknesses before you can really forge a meaningfull message that has the same hash. So you get some time for re-stamping. If this argument were used, then we should sign TWICE, i.e. in case one digital signature algorithm was broken. We do not do that. There is no reason to do it for the hash function. Regards, Denis > Hi. > > In the (now expired) latest PKIX draft on time-stamping protocols from > Sept. 23, 1998, time-stamp requests and tokens support the insertion of > a single message imprint. > > I think several message imprints should be supported. If a hash > algorithm were broken, time-stamp tokens using it (as the single message > imprint) would have to be regarded invalid (even if some kind of linking > mechanism were implemented!). If several hashes had been used, the token > would still be valid, and it could be promptly renewed in order to > prevent invalidation should further advances in cryptography render > other hashes obsolete! > > (One must be careful here: there are different extents to which a hash > algorithm could be broken; in Appendix A of PKITS-D3 > [http://www.fnmt.es/pkits] there is an interesting analysis of the > implications that the different kinds of hash failures would have on the > time-stamping process.) > > Of course the requirements on the time-stamp verification process would > also have be modified to require ("MUST" level) *all* the hashes to > correctly verify in order to regard the corresponding time-stamp token > valid. > > Best regards, > > - Manuel - > > ---- > Manuel Heras-Gilsanz (mherasg@nexo.es) > Independent Security Consultant > Phone: +34-629 07 53 31 Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id BAA16251 for ietf-pkix-bks; Fri, 9 Apr 1999 01:12:21 -0700 (PDT) Received: from clbull.frcl.bull.fr (clbull.frcl.bull.fr [129.182.1.20]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id BAA16247 for <ietf-pkix@imc.org>; Fri, 9 Apr 1999 01:12:17 -0700 (PDT) Received: from k2.frcl.bull.fr (k2.frcl.bull.fr [129.182.100.2]) by clbull.frcl.bull.fr (8.9.1a/8.9.1) with ESMTP id KAA15386; Fri, 9 Apr 1999 10:12:08 +0200 Received: from bull.net (frcls6118.frcl.bull.fr [129.182.109.213]) by k2.frcl.bull.fr (AIX4.2/UCB 8.7/8.7) with ESMTP id KAA41266; Fri, 9 Apr 1999 10:12:09 +0200 (DFT) Message-ID: <370DB661.732C4E69@bull.net> Date: Fri, 09 Apr 1999 10:12:17 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.06 [fr] (Win95; I) MIME-Version: 1.0 To: Robert Zuccherato <robert.zuccherato@entrust.com> CC: ietf-pkix@imc.org Subject: Re: Time Stamp: tsa field in TSTInfo References: <01E1D01C12D7D211AFC70090273D20B112BD90@sothmxs06> Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Content-Transfer-Encoding: 8bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Robert, > Okay, I will make the tsa name optional as well. However, it MUST be > present if the authenticated attribute from ESS is not included. I think > that since time stamp tokens will be used as evidence in support of > non-repudiation, there should be some identification of the TSA within the > signed part of the token. Generally speaking, I am not found of too many OPTIONS. Whenever we can avoid one, we should: this is much easier for interoperability testing. In that case I would favour the mandatory support of the authenticated attribute from ESS and suppress the name from the content of the token. Regards, Denis > > > ---------- > > From: Denis Pinkas[SMTP:Denis.Pinkas@bull.net] > > Sent: Thursday, April 08, 1999 6:16 AM > > To: Peter Sylvester > > Cc: ietf-pkix@imc.org; jluis@fnmt.es; robert.zuccherato@entrust.com > > Subject: Re: Time Stamp: tsa field in TSTInfo > > > > Peter, > > > > I concur with your proposal, ie. use an signed (also called > > "authenticated") > > attribute from ESS that indicates the certificate used by the TSA and > > suppress the > > name of the TSA from the signed structure. This "useful" attribute is > > indeed in > > ESS, not CMS - where it should have been. :-( > > > > Since the verifier will need anyway to get that certificate to verify the > > signature, then, at that time, it will get the name of the TSA. > > > > Regards, > > > > Denis > > > > > > > > > > > > Actually, I believe that when using CMS only the content (in this case > > > > TSTInfo) is signed along with any authenticated attributes. Thus, the > > > > distinguishing information for the TSA would not be signed if it was > > not > > > > included within the TSTInfo structure. > > > If the TST provider want to surely indicate its identity, one > > > can use an ess signing certificate attribute. > > > > > > This seems preferable to me (if the tendancy is avoid to reinvent > > things). > > > > > > The ess stuff was probably not avaiable at the time when > > > the tst draft was written for the first time. > > > > > > > > > > > > > > Robert. > > > > > > > > > ---------- > > > > > From: Juan Luis López[SMTP:jluis@fnmt.es] > > > > > Sent: Wednesday, April 07, 1999 5:25 AM > > > > > To: pkix > > > > > Subject: Time Stamp: tsa field in TSTInfo > > > > > > > > > > Hi everybody! > > > > > > > > > > I am involved in a Time Stamping project and we are analysing > > the PKIX > > > > > draft about this subject. > > > > > > > > > > I would like to give my opinion on an issue to the list: > > > > > It seems not appropriate to include a field in TSTInfo structure > > > > > related to the tsa identity, i.e. tsa field. I don't find this field > > > > > necessary because it is repeated when using a CMS or PKCS#7 envelope > > to > > > > > encapsulate the token information. This information would be > > redundant > > > > > since an identifier distinguishing the given tsa should be present > > in the > > > > > signerInfo structure. > > > > > > > > > > So, I recommend the deletion of this field. > > > > > > > > > > Regards, > > > > > Juan Luis López > > > > > > > > > > > > > > > > > > > > > > -------------------------------------------------------------------------- > > > > > ----------- > > > > > Juan Luis López < > > > > > jluis@fnmt.es> > > > > > Project Engineer > > > > > http://www.fnmt.es/pkits > > > > > Fábrica Nacional de Moneda y Timbre tel: [+34] 91 506 48 > > 40 > > > > > C/ Juan de Mariana, 17 fax: [+34] > > 91 506 > > > > > 48 51 > > > > > E-28045 Madrid, SPAIN > > > > > > > > > > > Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id AAA15192 for ietf-pkix-bks; Fri, 9 Apr 1999 00:46:59 -0700 (PDT) Received: from dsg1.OpenDirectory.com.au ([203.108.249.145]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id AAA15177 for <ietf-pkix@imc.org>; Fri, 9 Apr 1999 00:46:52 -0700 (PDT) Received: by DSG1 with Internet Mail Service (5.0.1458.49) id <22ZNQL99>; Fri, 9 Apr 1999 17:46:22 +1000 Message-ID: <D1A949D4508DD1119C8100400533BEDC0BE978@DSG1> From: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au> To: "'Stephen Kent'" <kent@po1.bbn.com> Cc: ietf-pkix@imc.org, list@seis.nc-forum.com Subject: RE: SEIS: RE: Certificates, Directories, and Distinguished Names Date: Fri, 9 Apr 1999 17:46:20 +1000 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Thats the same as 509 or near enough. Its not too informative as its abstract theory rather than operational policy. Oh well. As a question on basic constrains why is the text in 509 different from RFC 2459 X.509 - 12.4.2.1 Basic Constraints This field indicates if the subject may act as a CA, with the certified public key being used to verify certificate signatures. If so, a certification path length constraint may also be specified. This field is defined as follows.... rfc 2459 -4.2.1.10 Basic Constraints The basic constraints extension identifies whether the subject of the certificate is a CA and how deep a certification path may exist through that CA. ........ This extension MUST appear as a critical extension in all CA certificates. This extension SHOULD NOT appear in end entity certificates. It strikes me that 2459 is ambigious simply because it did not embrase the X.509 text re "certificate using system" and the fact 2459 uses SHOULD NOT without actuallly defining the conditions if it is or is not there in EE - as X.509 states. regards alan > -----Original Message----- > From: Stephen Kent > Sent: Friday, April 09, 1999 10:30 AM > To: Alan Lloyd > Cc: ietf-pkix@imc.org; list@seis.nc-forum.com > Subject: SEIS: RE: Certificates, Directories, and Distinguished > Names > > --- Message on the SEIS mailing list (list@seis.nc-forum.com) > > Alan, > > > > >In addition - who will own the root level key for all this PKIX > >compliant stuff? > > PKIX does not assume any single root CA in its model. See section 6.1 > of > 2459 for its discussion of starting points for cert path validation. > > Steve > > > ----------------- SEIS mailing list (list@seis.nc-forum.com) > Info about this list: http://www.nc-forum.com/seis > SEIS Contact: info@seis.se Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id AAA12589 for ietf-pkix-bks; Fri, 9 Apr 1999 00:18:48 -0700 (PDT) Received: from www.fnmt.es (www.fnmt.es [194.224.27.14]) by mail.proper.com (8.8.8/8.8.5) with SMTP id AAA12585 for <ietf-pkix@imc.org>; Fri, 9 Apr 1999 00:18:47 -0700 (PDT) Received: from dnsp.epc.fnmt.es (dnsp.epc.fnmt.es [193.149.3.17]) by www.fnmt.es (NTMail 3.02.13) with ESMTP id va023551 for <ietf-pkix@imc.org>; Fri, 9 Apr 1999 09:13:51 +0100 Message-ID: <007001be8258$db187a60$b001a8c0@dc-07.ceres.fnmt.es> From: "Juan G. de la Vega" <jgonzalez@fnmt.es> To: "Robert Zuccherato" <robert.zuccherato@entrust.com>, "'Denis Pinkas'" <Denis.Pinkas@bull.net> Cc: <ietf-pkix@imc.org> Subject: RE: Time Stamping: comments on nonce field Date: Fri, 9 Apr 1999 09:16:15 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> That´s fine. -----Mensaje original----- De: Robert Zuccherato <robert.zuccherato@entrust.com> Para: Robert Zuccherato <robert.zuccherato@entrust.com>; 'Denis Pinkas' <Denis.Pinkas@bull.net> CC: ietf-pkix@imc.org <ietf-pkix@imc.org>; 'Juan G. de la Vega' <jgonzalez@fnmt.es> Fecha: jueves 8 de abril de 1999 17:30 Asunto: RE: Time Stamping: comments on nonce field Okay. I will make it optional in both the request and response. > ---------- > From: Denis Pinkas[SMTP:Denis.Pinkas@bull.net] > Sent: Thursday, April 08, 1999 6:10 AM > To: Robert Zuccherato > Cc: ietf-pkix@imc.org; 'Juan G. de la Vega' > Subject: Re: Time Stamping: comments on nonce field > > Robert, > > Some refinements to your response. > > The nonce is there for systems that do not have their own reliable clock > and > thus cannot test the freshness of the response by simply looking at the > signing > time. This is a replay protection. This has nothing to do whether a hash > of the > message is or is not present. > > I would make it OPTIONAL both in the request and in the response and > maintain > the current text that says: " ...must be present if the similar field in > TimeStampReq is present ..." > > Regards, > > Denis > > > > > ---------- > > > From: Juan G. de la Vega[SMTP:jgonzalez@fnmt.es] > > > Sent: Wednesday, April 07, 1999 5:39 AM > > > To: ietf-pkix@imc.org > > > Subject: Time Stamping: comments on nonce field > > > > > > First of all, the declaration of this field in the request and > > > token is somehow incoherent, while the nonce is mandatory in > TimeStapReq > > > (it is not declared OPTIONAL), the TimeStampToken´s nonce is OPTIONAL > but > > > it is stated that "...must be present if the similar field in > TimeStampReq > > > is present..." and hence the clause OPTIONAL is meaningless and > confusing > > > for this field shall always be present. > > > > > As I have said in the past, this was a mistake that I made because I did > not > > manage to fully include support for TSA production of a "signed time". > This > > would be a token which does not include a nonce or message imprint. > TSA's > > could produce these tokens and make them available (for example on a > > website) for anyone who wants to obtain them. This will be rectified in > the > > upcoming draft. > > > > > I would suggest this field to be declared OPTIONAL both in the request > and > > > token or better deleted if we take into account the following: > > > > > > As far as I understand, a nonce value is present in the request > and > > > token in order for the requester to be able to match the responses > from > > > the TSA with her requests when using an asynchronous transport. It can > be > > > argued that such functionality should be left to the transport layer > when > > > required, but furthermore I must say that the nonce is not necessary > since > > > matching can be performed using the "messageImprint" field. > > > > > Actually, the reason that the nonce is there and mandatory is to prevent > > replay attacks. Someone else could have obtained a time stamp on the > data > > before your request. Thus, it is possible that the time stamp you > received > > is not "fresh". Without a nonce, determining the freshness of the > timestamp > > is difficult. > > > > Robert. > Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id AAA11970 for ietf-pkix-bks; Fri, 9 Apr 1999 00:03:05 -0700 (PDT) Received: from www.fnmt.es ([193.149.2.14]) by mail.proper.com (8.8.8/8.8.5) with SMTP id AAA11966 for <ietf-pkix@imc.org>; Fri, 9 Apr 1999 00:03:03 -0700 (PDT) Received: from dnsp.epc.fnmt.es (dnsp.epc.fnmt.es [193.149.3.17]) by www.fnmt.es (NTMail 3.02.13) with ESMTP id ba023531 for <ietf-pkix@imc.org>; Fri, 9 Apr 1999 08:58:09 +0100 Message-ID: <005801be8256$aa206280$b001a8c0@dc-07.ceres.fnmt.es> From: "Juan G. de la Vega" <jgonzalez@fnmt.es> To: "Denis Pinkas" <Denis.Pinkas@bull.net>, "Robert Zuccherato" <robert.zuccherato@entrust.com> Cc: <ietf-pkix@imc.org> Subject: RE: Time Stamping: comments on nonce field Date: Fri, 9 Apr 1999 09:00:33 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> -----Mensaje original----- De: Denis Pinkas <Denis.Pinkas@bull.net> Para: Robert Zuccherato <robert.zuccherato@entrust.com> CC: ietf-pkix@imc.org <ietf-pkix@imc.org>; 'Juan G. de la Vega' <jgonzalez@fnmt.es> Fecha: jueves 8 de abril de 1999 13:06 Asunto: Re: Time Stamping: comments on nonce field >I would make it OPTIONAL both in the request and in the response and maintain >the current text that says: " ...must be present if the similar field in >TimeStampReq is present ..." Completely agreed. Juan. ____________________________________________ Juan González-de-la-Vega Software Engineer e-mail: <jgonzalez@fnmt.es> FNMT - Fábrica Nacional de Moneda y Timbre Phone: +34 (91) 506 48 40. Fax: +34 (91) 506 48 59 Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id XAA11911 for ietf-pkix-bks; Thu, 8 Apr 1999 23:58:51 -0700 (PDT) Received: from www.fnmt.es ([193.149.2.14]) by mail.proper.com (8.8.8/8.8.5) with SMTP id XAA11907 for <ietf-pkix@imc.org>; Thu, 8 Apr 1999 23:58:50 -0700 (PDT) Received: from dnsp.epc.fnmt.es (dnsp.epc.fnmt.es [193.149.3.17]) by www.fnmt.es (NTMail 3.02.13) with ESMTP id xa023527 for <ietf-pkix@imc.org>; Fri, 9 Apr 1999 08:53:54 +0100 Message-ID: <004f01be8256$12164400$b001a8c0@dc-07.ceres.fnmt.es> From: "Juan G. de la Vega" <jgonzalez@fnmt.es> To: "Robert Zuccherato" <robert.zuccherato@entrust.com>, <ietf-pkix@imc.org> Subject: RE: Time Stamping: comments on nonce field Date: Fri, 9 Apr 1999 08:56:16 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Hi again, -----Mensaje original----- De: Robert Zuccherato <robert.zuccherato@entrust.com> Para: ietf-pkix@imc.org <ietf-pkix@imc.org>; 'Juan G. de la Vega' <jgonzalez@fnmt.es> Fecha: miércoles 7 de abril de 1999 19:06 Asunto: RE: Time Stamping: comments on nonce field >Actually, the reason that the nonce is there and mandatory is to prevent >replay attacks. Someone else could have obtained a time stamp on the data >before your request. Thus, it is possible that the time stamp you received >is not "fresh". Without a nonce, determining the freshness of the timestamp >is difficult. Now, I have get it right. Freshness of a time stamp is a delicate issue. Theoretically, replay can be avoided by adding some information provided by the requester to the request, this added info must be processed by the server and the result returned in the response in a way that authenticates that server "at that moment" (with regard to the matching request). In our case the "server process" roughly consists of adding the actual time and signing the bunch, and the added information provided by the requester can be the hash value (one-way, collision resistant and 2^128 possibilities being a very large range). As I said in the prev. message, only when there is no hash value the nonce becomes neccessary to defeat replay. In relation to this, the scenario you depict seems odd to me; if someone else had my data before I want to time-stamp it, I already have a bigger problem, if the data are public and I still want to time-stamp it, a replay attack would mean that someone would provide me with a signed token that backdates (in regard to me) the data I possess (umm!, interesting in some cases... just kidding: I agree with you that an additional mechanism would fit in this case). If you mean that a previous message of mine could have been intercepted in transit and someone else has my hash value (not my data), we have a branch here: 1) Passive eavesdropping: I have the token returned from the TSA. The reason for me to restamp my data is token renewal, but in this case the messageImprints field will be different from the old request since the token should be tied to the document and hashed together in order to transitively extend the validity of the time stamp from the past to the present. 2)Interception: If I later try to stamp the data and replay-attacked I will get the original time when I first wanted to time stamp it. I woudn´t attack that way but simply would intercept all messages (An additional replay mechanism?). What I am trying to say is that freshness of a time stamp is not neccessarily related to the possibility of replay, i.e. we find the problem of "hostage messages" (someone intercepts your message, keeps it, and time stamps it at a much later time) that not even the nonce solves. Can we afford an intentionally produced delay in time stamping?. Sadly, the best way to determine the "freshness" of a time stamp is comparing its time to the local time and check if the interval request-response fits your local policy (the bad news are that you can do nothing "a posteriori"). regards, Juan. Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id WAA07130 for ietf-pkix-bks; Thu, 8 Apr 1999 22:17:59 -0700 (PDT) Received: from smtp.udac.net (smtp.udac.net [193.44.79.123]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id WAA07126 for <ietf-pkix@imc.org>; Thu, 8 Apr 1999 22:17:57 -0700 (PDT) Received: from caesar.udac.se (caesar.udac.se [193.44.79.10]) by smtp.udac.net (8.9.1/8.9.1) with ESMTP id HAA03836 for <ietf-pkix@imc.org>; Fri, 9 Apr 1999 07:17:54 +0200 Received: from mega (t4o69p79.telia.com [62.20.145.199]) by caesar.udac.se (8.7.3/NetworkC-1) with SMTP id HAA94903; Fri, 9 Apr 1999 07:17:48 +0200 Message-ID: <006c01be8250$6fe05540$020000c0@mega.vincent.se> From: "Anders Rundgren" <anders.rundgren@jaybis.com> To: "Stephen Kent" <kent@po1.bbn.com>, "Stefan Santesson" <stefan@accurata.se> Cc: <ietf-pkix@imc.org>, <list@seis.nc-forum.com> Subject: CyberPhone Trust Propagation Was: A $25,000,000,000 PKI Date: Fri, 9 Apr 1999 07:15:58 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.2106.4 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id WAA07127 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Steve, Sorry for changing subject all the time but there are soo many issues to discuss. This is an explantation on a major issue regarding private keys and trust. Don't be fooled by the language or terminology that may suck a bit since neither English or this part of PKI is a speciality of mine. I am sort of a hands-on guy rather than a philosopher. Basically I feel that you and many others believe that CyberPhone with its intermediary key-server, propagates trust from the client to the end-RP. This is definitely possible and true if CyberPhone is used in the same context as Kerberos. I.e. for authentication and authorization WITHIN an organization (putting on my marketing hat I would say CyberPhone does this much better than Kerberos as the former is 100% based on PKI). Now to the scenarios presented on my web (Shared Certificates and Dynamic Certificates) that represent two much more complicated situations that an open environment introduce. If those scenarious introduce trust propagation it would mean that the intermediary private key server performed something on behalf of the client. But, IT IS THE OTHER WAY AROUND! It is the intermediary server that grants a client the right to perform a purchase on the servers behalf. Yes, when you purchase for a company it is the company that buys. That the purchase was initiated by the client does not change this a single bit. A company assumes that you do your work - not that it has to screem and shout to make you perform! And you have in this role obligations only to your company (=server). That is why CyberPhone does not break any (of the mostly unwritten) rules regarding key use and trust. It does though assume that a server and private keys stored on it can be responsible in the same way as a natural person. As I wrote in another posting this is what is happening all the time (except for signatures that are not yet implemented) in automated invoicing systems so there is "Nothing new under the Sun". Regards Anders http://www.mobilephones-tng.com <snip> >>So what is so fundamentally flawed in the CyberPhone concept with respect >>to digital >>signature laws? > >I won't comment on the question of the legality of CyberPhone, vis a vis, >the current hodge podge of digital signature laws. However, I was not >aware of SET wallte servers, e.g., in the corporate context you describe. >An employee using a cert issued for company purchasing, etc. may or may not >be the real "owner" of the private key. If the cert identifies the subject >as a role, and the user is the role occupant, then the company is >intentionally maintaining accountability on a purely internal basis. >Technicall, this can be done reasonably well by issuing the cert via a >smart card or PC card, so that the user has not (easy) access or knowledge >of the private key. However, if the subject of the cert is an >organizationl person (not role), then I think of the issue of ownership >differently. The company needs to revoke the cert when the employee leaves >of changes roles and no longer has the same purchasing authoirzation. (Of >course, this points out why an attribute cert might be better in this case >...) > >steve > Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id WAA06417 for ietf-pkix-bks; Thu, 8 Apr 1999 22:05:17 -0700 (PDT) Received: from dsg1.OpenDirectory.com.au ([203.108.249.145]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id WAA06403 for <ietf-pkix@imc.org>; Thu, 8 Apr 1999 22:05:05 -0700 (PDT) Received: by DSG1 with Internet Mail Service (5.0.1458.49) id <22ZNQL9D>; Fri, 9 Apr 1999 15:04:39 +1000 Message-ID: <D1A949D4508DD1119C8100400533BEDC0BE977@DSG1> From: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au> To: "'Stephen Kent'" <kent@po1.bbn.com> Cc: ietf-pkix@imc.org Subject: RE: CA vs. EE cert processing Date: Fri, 9 Apr 1999 15:04:38 +1000 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> When one builds a system comprising many CA functions for different product domains, its likely that the key generation function is used to generate keys for more than one of these CA functions - however this approach is according to trust and operational requirements. Naturally the theory in this process is that the root level CA function then in fact signs the subordinate CA function certificate with its key and the sub CA also signs its certs with its own key. However, we also expect in this process - in terms of procedure that the root level CA could check components of the certificate it is signing - such as the extensions being applied - eg BC = CA .. and the client software used - the certficate using system also checks this correctly.. ie. one must also verify that if a CA is using BC = CA that the client has in fact verified that - again the proof of doing that is in the system design and implementation. ie what gives proof of path processing. Its all part of the system verification process - that each part of the PKI is coherent and trusted. My point was that X.509 states that this extension is set or not to let the certificate using system determine if it can use the public key to validate certficates .. However, the standard also permits non extended certficates to be used in a system and the certificate using system to verify certificates with the implicit knowledge that a cert chain does equal an EE cert with superior CAs. My last point is that 2459 can profile X.509 say all CA certs must have this extension set. EE certs may have this extension set to null or not be there. No ambiguity as far as I am concerned. regards alan > -----Original Message----- > From: Stephen Kent > Sent: Friday, April 09, 1999 10:36 AM > To: Alan Lloyd > Cc: ietf-pkix@imc.org > Subject: RE: CA vs. EE cert processing > > Alan, > > >X.509 defines that Basic Constraints is used to indicate that the > public > >key in the cert is valid for testing certificate signatures - by a > >certificate using system eg. a client or EE. By definition it means > that > >in (eg.) a 3 tier CA model that the root level CA has granted a > private > >and public key ( in a cert with BC set to CA) to a middle level CA to > >issue certificates with and "advertise the fact (in its certificate) > >that the root trusts the middle CA to issue certs and for clients to > >validate such certs using the middle CAs public key. > > > >It strikes me that any PKIX compliant top level ROOT CA will set this > >extension to ensure that the correct PKeys are used to validate certs > >which point to itself. However, what the client software does with > this > >extension is another matter. Both have to be compatable. If an EE in > its > >validation path gets a cert with which it wants to validate a lower > >level certificate with and this extension is not set - it should give > up > >- if ideology is maintained. However, X.509 permits an exit to this > >process to enable a CA path to be built and validated without cert > >extensions - simply because that is what they are - optional > certificate > >extensions. > > This is a very muddled description that I have a bit of trouble > following. > For example, the root CA in your example would not, in general, grant > "a > private and public key" to another CA. Do you mean the root CA would > sign > a cert with the publci key of the middle CA? Please restate your > argument > using terms from X.509 and/or 2459 so I, and maybe others, can more > clearly > understand your point. > > Steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id UAA01614 for ietf-pkix-bks; Thu, 8 Apr 1999 20:47:58 -0700 (PDT) Received: from smtp.udac.net (smtp.udac.net [193.44.79.123]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id UAA01604 for <ietf-pkix@imc.org>; Thu, 8 Apr 1999 20:47:55 -0700 (PDT) Received: from caesar.udac.se (caesar.udac.se [193.44.79.10]) by smtp.udac.net (8.9.1/8.9.1) with ESMTP id FAA03092 for <ietf-pkix@imc.org>; Fri, 9 Apr 1999 05:47:50 +0200 Received: from mega (t4o69p7.telia.com [62.20.145.127]) by caesar.udac.se (8.7.3/NetworkC-1) with SMTP id FAA11639; Fri, 9 Apr 1999 05:47:45 +0200 Message-ID: <001801be8243$db209d40$020000c0@mega.vincent.se> From: "Anders Rundgren" <anders.rundgren@jaybis.com> To: "Stephen Kent" <kent@po1.bbn.com>, "Stefan Santesson" <stefan@accurata.se> Cc: <ietf-pkix@imc.org>, "'SEIS-List'" <list@seis.nc-forum.com> Subject: Re: A $25,000,000,000 PKI Was:Spec. on QC-low-fat & QC-heavy-bio Date: Fri, 9 Apr 1999 05:45:53 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.2106.4 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id UAA01608 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Steve, <snip> >>CyberPhone does a LOT more than address devices with limited capabilities. >>It also addresses certificate management, traceability and transaction >>logging, business transaction models, and last but not least end-user security >>including resource loss, revocation, backup and recovery. >I believe that all of the other issues you cite here are addressable via >means that do not require creating a proxy private key agent. This is it! And I am not talking about Coca-Cola :-) I am talking about current PKI schemes. They PROMISE you a lot but when it comes to down-to-earth specifications on how all this is going to be performed in a cost-efficient, convenient and secure (handling-wise) way there is Zilch, Nada, Nothing. If you do as I asked Stefan, convert the scenario presented in my paper "Dynamic Certificates" ( http://www.mobilephones-tng.com/v100/dynamiccerts.html ) to the "classical" way of doing things you will for each design decision create a lot of new hard questions. A system that can only do "A-B" operations is totally insufficient for 21st century usage. Why do SET support a three-party operation? Because an on-line account-based purchase involves (at least) three parties! Regarding CyberPhone's "unethical" use of digital signatures there seems to be fairly limited consensus on your and Stefan's views. I.e. digital signature laws are not in harmony with automated systems in any way. My guess is that the lawyers will have to go back to the "drawing board" some day. As an example I can mention OBI that allows an order to be "Authorized" by signing it and sending it to the selling organization. The authorizer can be a person or an automated process. OBI is for REAL which makes a difference. Actually, CyberPhone (like SET ServerWallets and OBI) does not break away from PKIX at all, it just uses current PKIX technology (+ a few new protocols) in a more or less novel way that is targeted at existing and future commercial uses and business processes. Regards Anders PS No views on the bio stuff ( http://www.mobilephones-tng.com/papers/idcards.html )? DS Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id TAA24439 for ietf-pkix-bks; Thu, 8 Apr 1999 19:19:17 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id TAA24435 for <ietf-pkix@imc.org>; Thu, 8 Apr 1999 19:19:15 -0700 (PDT) Received: from [128.33.238.53] (TC053.BBN.COM [128.33.238.53]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id WAA18254; Thu, 8 Apr 1999 22:18:30 -0400 (EDT) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Message-Id: <v04020a08b332fb11127f@[128.33.238.98]> In-Reply-To: <D1A949D4508DD1119C8100400533BEDC0BE96E@DSG1> Date: Thu, 8 Apr 1999 20:35:54 -0400 To: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au> From: Stephen Kent <kent@po1.bbn.com> Subject: RE: CA vs. EE cert processing Cc: ietf-pkix@imc.org Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Alan, >X.509 defines that Basic Constraints is used to indicate that the public >key in the cert is valid for testing certificate signatures - by a >certificate using system eg. a client or EE. By definition it means that >in (eg.) a 3 tier CA model that the root level CA has granted a private >and public key ( in a cert with BC set to CA) to a middle level CA to >issue certificates with and "advertise the fact (in its certificate) >that the root trusts the middle CA to issue certs and for clients to >validate such certs using the middle CAs public key. > >It strikes me that any PKIX compliant top level ROOT CA will set this >extension to ensure that the correct PKeys are used to validate certs >which point to itself. However, what the client software does with this >extension is another matter. Both have to be compatable. If an EE in its >validation path gets a cert with which it wants to validate a lower >level certificate with and this extension is not set - it should give up >- if ideology is maintained. However, X.509 permits an exit to this >process to enable a CA path to be built and validated without cert >extensions - simply because that is what they are - optional certificate >extensions. This is a very muddled description that I have a bit of trouble following. For example, the root CA in your example would not, in general, grant "a private and public key" to another CA. Do you mean the root CA would sign a cert with the publci key of the middle CA? Please restate your argument using terms from X.509 and/or 2459 so I, and maybe others, can more clearly understand your point. Steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id TAA24433 for ietf-pkix-bks; Thu, 8 Apr 1999 19:19:14 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id TAA24429 for <ietf-pkix@imc.org>; Thu, 8 Apr 1999 19:19:13 -0700 (PDT) Received: from [128.33.238.53] (TC053.BBN.COM [128.33.238.53]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id WAA18247; Thu, 8 Apr 1999 22:18:22 -0400 (EDT) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Message-Id: <v04020a07b332f9dbc9cd@[128.33.238.98]> In-Reply-To: <D1A949D4508DD1119C8100400533BEDC0DDB8A@DSG1> Date: Thu, 8 Apr 1999 20:29:37 -0400 To: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au> From: Stephen Kent <kent@po1.bbn.com> Subject: RE: Certificates, Directories, and Distinguished Names Cc: <ietf-pkix@imc.org>, <list@seis.nc-forum.com> Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Alan, > >In addition - who will own the root level key for all this PKIX >compliant stuff? PKIX does not assume any single root CA in its model. See section 6.1 of 2459 for its discussion of starting points for cert path validation. Steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id TAA24422 for ietf-pkix-bks; Thu, 8 Apr 1999 19:19:02 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id TAA24418 for <ietf-pkix@imc.org>; Thu, 8 Apr 1999 19:19:01 -0700 (PDT) Received: from [128.33.238.53] (TC053.BBN.COM [128.33.238.53]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id WAA18269; Thu, 8 Apr 1999 22:18:50 -0400 (EDT) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Message-Id: <v04020a0bb332fcbd7733@[128.33.238.98]> In-Reply-To: <370C7142.F9EB2664@cale.checkpoint.com> References: <v04020a17b331af2ed303@[128.33.238.98]> Date: Thu, 8 Apr 1999 20:47:47 -0400 To: Moshe Litvin <moshe@cale.checkpoint.com> From: Stephen Kent <kent@po1.bbn.com> Subject: Re: CA vs. EE cert processing Cc: ietf-pkix@imc.org Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Moseh, ><snip> > >> >the first one aside for the moment, PKIX would be a better player in the >> >broader X.509 world if it chose not to generate certificates that are >> >ambiguous to such a world. >> >> The ambiguity exists in ALL verifiers, PKIX or not. Thus pointing the >> finger at PKIX is not rational. >> > >The ambiguity does exist in ALL verifiers, but it doesn't exist in all CA's. A >CA that follows PKIX creates ambiguous certificates. Only CA that does does >something that it SHOULD NOT do create unambiguous certificates. Here pointing >the finger at PKIX is very rational. > >We cannot remove the possibility of ambiguity but we can generate certificates >that are not affected by it. I agree that a CA could put the extension in all certs and thus be able to say "not my fault; I did what I could." But this does not address the verifier problem in other than a heuristic fashion. I want to deterministic solution to the problem, and the suggested change to 2459 does not yield that. >> >> <snip> > >It is not probabilistic improvements. A CA that put the basicConstraints >extension is 100% not ambiguous. What probablistic about that? > >Why discourage CA's from generating unambiguous certificates? See my comments above. I was referring to the verifier, not the CA. Sorry for the ambiguity :-)! The CA doesn't have a problem; verifiers have the problem we are trying to address. <snip> > >Adding the extension is not a heuristic improvement, a certificate with the >extension is certificate that doesn't need heuristics period. > >Admittedly the verifier will have heuristics but the CA can ensure that they >won't be activated. No, it cannot! So long as there are CAs following X.509 but not the 2459 profile, verifiers would need heuristics to process certs without extensions issued by those CAs. If we were willing to posit that no such CAs will exist, then we would not have a problem, because in a purely 2459-compliant system (CAs and verifiers) there is not ambiguity. You seem to be switching perspectives in analyzing this issue. >> > >X.509 already addresses the problem and suggests: > > It is recommended that it be flagged critical, otherwise an entity which is >not > authorized to be a CA may issue certificates and a certificate-using system > may unwittingly use such a certificate. > >For some reason PKIX decided to ignore the recommendation and invent it's own >private semantics. X.509 failed to solve this problem because it permits compliant CAs to never include basicConstraints, thus creating the ambiguity. The notes fail to fix the problem, because they just "recommend" what to do. In the IETF we try to be very careful in our use of the magir words MUST/SHOULD/MAY to avoid these problems. Steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id TAA24379 for ietf-pkix-bks; Thu, 8 Apr 1999 19:18:16 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id TAA24371 for <ietf-pkix@imc.org>; Thu, 8 Apr 1999 19:18:15 -0700 (PDT) Received: from [128.33.238.53] (TC053.BBN.COM [128.33.238.53]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id WAA17918; Thu, 8 Apr 1999 22:18:00 -0400 (EDT) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Message-Id: <v04020a05b332f79941fe@[128.33.238.98]> In-Reply-To: <002501be8187$1cdd0f10$020000c0@mega.vincent.se> Date: Thu, 8 Apr 1999 20:22:59 -0400 To: "Anders Rundgren" <anders.rundgren@jaybis.com> From: Stephen Kent <kent@po1.bbn.com> Subject: Re: A $25,000,000,000 PKI Was:Spec. on QC-low-fat & QC-heavy-bio Cc: <ietf-pkix@imc.org>, "'SEIS-List'" <list@seis.nc-forum.com> Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Anders, <snip> Well, at least we agreed on much of the SET stuff. >>Since most of the purchases over the web are >>done from PCs, the thin n client argument is not relevant. > >That is true for the current situation - not for the mobile future though. Maybe I should call the cell phone an anexoric client, not just a thin client :-). Advocates of other approaches to mobility assumje more powerful computation bases, as we discussed earlier. The cell phone (PCS) is one, speculative approach. It may be just as successful as the VSAT technology that was poised to sweep the data networking industry in the mid-80s. >Hum, maybe you should take a look on GlobeSet's (a leader in SET) ServerWallet >and see why the developed it. I'll look into it. <snip> >>The solution you propose is definately NOT high quality. > >By design? I am fully convinced (not such a big surprise though :-)) that if >the CyberPhone concept and associated server technology is developed by >the best brains >in the industry it could match any quality standards. Regarding the >security model >it is not so far from a PKI-only version of Kerberos which seems to be higly >regarded by security people. Kerberos is not used for applications requiring non-repudiation, whereas a primary motivator for PKI use is NR.. >>It is an effort to >>take advantage of devices with limited capabilities, and skew security >>design principles to accommodate these limitations. > >CyberPhone does a LOT more than address devices with limited capabilities. >It also addresses certificate management, traceability and transaction >logging, >business transaction models, and last but not least end-user security >including >resource loss, revocation, backup and recovery. I believe that all of the other issues you cite here are addressable via means that do not require creating a proxy private key agent. Stve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id TAA24363 for ietf-pkix-bks; Thu, 8 Apr 1999 19:18:04 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id TAA24359 for <ietf-pkix@imc.org>; Thu, 8 Apr 1999 19:18:03 -0700 (PDT) Received: from [128.33.238.53] (TC053.BBN.COM [128.33.238.53]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id WAA17897; Thu, 8 Apr 1999 22:17:49 -0400 (EDT) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Message-Id: <v04020a03b332f5f7dff4@[128.33.238.98]> In-Reply-To: <002401be8187$1a0d4d40$020000c0@mega.vincent.se> Date: Thu, 8 Apr 1999 20:16:41 -0400 To: "Anders Rundgren" <anders.rundgren@jaybis.com> From: Stephen Kent <kent@po1.bbn.com> Subject: Re: A $25,000,000,000 PKI Was:Spec. on QC-low-fat & QC-heavy-bio Cc: <ietf-pkix@imc.org>, <list@seis.nc-forum.com> Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Anders, >May I ask a question regarding signature laws which I am pretty ignorant of? > >If a company runs a SET Wallet Server for their employees to use, is not >the company >responsible for signatures produced by the certificate and keys stored on that > server? > >Legally as well as technically. > >Now to the users (with their CyberPhones) that initiates transactions: >They are responsible to >their company that as a minimum records all transations with user >identity. Or >it could require a sign op as well. > >Looks OK to me. > >So what is so fundamentally flawed in the CyberPhone concept with respect >to digital >signature laws? I won't comment on the question of the legality of CyberPhone, vis a vis, the current hodge podge of digital signature laws. However, I was not aware of SET wallte servers, e.g., in the corporate context you describe. An employee using a cert issued for company purchasing, etc. may or may not be the real "owner" of the private key. If the cert identifies the subject as a role, and the user is the role occupant, then the company is intentionally maintaining accountability on a purely internal basis. Technicall, this can be done reasonably well by issuing the cert via a smart card or PC card, so that the user has not (easy) access or knowledge of the private key. However, if the subject of the cert is an organizationl person (not role), then I think of the issue of ownership differently. The company needs to revoke the cert when the employee leaves of changes roles and no longer has the same purchasing authoirzation. (Of course, this points out why an attribute cert might be better in this case ...) steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id RAA22556 for ietf-pkix-bks; Thu, 8 Apr 1999 17:59:31 -0700 (PDT) Received: from smtp.bankinter.es (dns.bankinter.es [195.235.30.34]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id RAA22552 for <ietf-pkix@imc.org>; Thu, 8 Apr 1999 17:59:29 -0700 (PDT) Received: from nexo.es (h028125.nexo.es [195.235.28.125]) by smtp.bankinter.es (8.8.8+Sun/8.8.8) with ESMTP id CAA26409; Fri, 9 Apr 1999 02:57:13 +0200 (MET DST) Message-ID: <370D505A.504888A2@nexo.es> Date: Fri, 09 Apr 1999 02:56:58 +0200 From: Manuel Heras Gilsanz <mherasg@nexo.es> X-Mailer: Mozilla 4.5 [en] (Win95; I) X-Accept-Language: en MIME-Version: 1.0 To: Robert Zuccherato <robert.zuccherato@entrust.com> CC: ietf-pkix@imc.org, afd@fnmt.es Subject: Re: Time-Stamp: Why not use several hashes? References: <01E1D01C12D7D211AFC70090273D20B112BD97@sothmxs06> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Robert, what you propose would seem a very reasonable solution to deal with an *existing*, closed protocol that one would wish to stretch (via "syntax abuse"), but in my opinion such a proliferation of OIDs should not be enforced (or strongly promoted) from the very standard definition. Regards, - Manuel - Robert Zuccherato wrote: > Manuel; > > This is presently supported. Since a MessageImprint is a hashAlgorithm > (AlgorithmIdentifier) followed by the hashedMessage (an OCTET STRING) all > you have to do is define an AlgorithmIdentifier which means "the SHA-1 hash > concatenated with the MD5 hash" for example and then include the SHA-1 hash > of the message concatenated with the MD5 hash in the hashedMessage field. > > Robert. > > > ---------- > > From: Manuel Heras Gilsanz[SMTP:mherasg@nexo.es] > > Sent: Thursday, April 08, 1999 4:45 PM > > To: ietf-pkix@imc.org; afd@fnmt.es > > Subject: Time-Stamp: Why not use several hashes? > > > > Hi. > > > > In the (now expired) latest PKIX draft on time-stamping protocols from > > Sept. 23, 1998, time-stamp requests and tokens support the insertion of > > a single message imprint. > > > > I think several message imprints should be supported. If a hash > > algorithm were broken, time-stamp tokens using it (as the single message > > imprint) would have to be regarded invalid (even if some kind of linking > > mechanism were implemented!). If several hashes had been used, the token > > would still be valid, and it could be promptly renewed in order to > > prevent invalidation should further advances in cryptography render > > other hashes obsolete! > > > > (One must be careful here: there are different extents to which a hash > > algorithm could be broken; in Appendix A of PKITS-D3 > > [http://www.fnmt.es/pkits] there is an interesting analysis of the > > implications that the different kinds of hash failures would have on the > > time-stamping process.) > > > > Of course the requirements on the time-stamp verification process would > > also have be modified to require ("MUST" level) *all* the hashes to > > correctly verify in order to regard the corresponding time-stamp token > > valid. > > > > Best regards, > > > > - Manuel - > > > > ---- > > Manuel Heras-Gilsanz (mherasg@nexo.es) > > Independent Security Consultant > > Phone: +34-629 07 53 31 > > Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id OAA20346 for ietf-pkix-bks; Thu, 8 Apr 1999 14:24:04 -0700 (PDT) Received: from gatekeeper.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by mail.proper.com (8.8.8/8.8.5) with SMTP id OAA20342 for <ietf-pkix@imc.org>; Thu, 8 Apr 1999 14:24:03 -0700 (PDT) Received: id RAA15733; Thu, 8 Apr 1999 17:19:47 -0400 Received: by gateway id <G4CAZ9H6>; Thu, 8 Apr 1999 17:22:07 -0400 Message-ID: <01E1D01C12D7D211AFC70090273D20B112BD97@sothmxs06> From: Robert Zuccherato <robert.zuccherato@entrust.com> To: ietf-pkix@imc.org, afd@fnmt.es, "'Manuel Heras Gilsanz'" <mherasg@nexo.es> Subject: RE: Time-Stamp: Why not use several hashes? Date: Thu, 8 Apr 1999 17:15:59 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-Type: text/plain Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Manuel; This is presently supported. Since a MessageImprint is a hashAlgorithm (AlgorithmIdentifier) followed by the hashedMessage (an OCTET STRING) all you have to do is define an AlgorithmIdentifier which means "the SHA-1 hash concatenated with the MD5 hash" for example and then include the SHA-1 hash of the message concatenated with the MD5 hash in the hashedMessage field. Robert. > ---------- > From: Manuel Heras Gilsanz[SMTP:mherasg@nexo.es] > Sent: Thursday, April 08, 1999 4:45 PM > To: ietf-pkix@imc.org; afd@fnmt.es > Subject: Time-Stamp: Why not use several hashes? > > Hi. > > In the (now expired) latest PKIX draft on time-stamping protocols from > Sept. 23, 1998, time-stamp requests and tokens support the insertion of > a single message imprint. > > I think several message imprints should be supported. If a hash > algorithm were broken, time-stamp tokens using it (as the single message > imprint) would have to be regarded invalid (even if some kind of linking > mechanism were implemented!). If several hashes had been used, the token > would still be valid, and it could be promptly renewed in order to > prevent invalidation should further advances in cryptography render > other hashes obsolete! > > (One must be careful here: there are different extents to which a hash > algorithm could be broken; in Appendix A of PKITS-D3 > [http://www.fnmt.es/pkits] there is an interesting analysis of the > implications that the different kinds of hash failures would have on the > time-stamping process.) > > Of course the requirements on the time-stamp verification process would > also have be modified to require ("MUST" level) *all* the hashes to > correctly verify in order to regard the corresponding time-stamp token > valid. > > Best regards, > > - Manuel - > > ---- > Manuel Heras-Gilsanz (mherasg@nexo.es) > Independent Security Consultant > Phone: +34-629 07 53 31 > Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id NAA20001 for ietf-pkix-bks; Thu, 8 Apr 1999 13:45:23 -0700 (PDT) Received: from smtp.bankinter.es (dns.bankinter.es [195.235.30.34]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id NAA19997 for <ietf-pkix@imc.org>; Thu, 8 Apr 1999 13:45:19 -0700 (PDT) Received: from nexo.es (h024055.nexo.es [195.235.24.55]) by smtp.bankinter.es (8.8.8+Sun/8.8.8) with ESMTP id WAA06655; Thu, 8 Apr 1999 22:43:32 +0200 (MET DST) Message-ID: <370D157B.DBB661F0@nexo.es> Date: Thu, 08 Apr 1999 22:45:47 +0200 From: Manuel Heras Gilsanz <mherasg@nexo.es> X-Mailer: Mozilla 4.5 [en] (Win95; I) X-Accept-Language: en MIME-Version: 1.0 To: "ietf-pkix@imc.org" <ietf-pkix@imc.org>, afd@fnmt.es Subject: Time-Stamp: Why not use several hashes? Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Hi. In the (now expired) latest PKIX draft on time-stamping protocols from Sept. 23, 1998, time-stamp requests and tokens support the insertion of a single message imprint. I think several message imprints should be supported. If a hash algorithm were broken, time-stamp tokens using it (as the single message imprint) would have to be regarded invalid (even if some kind of linking mechanism were implemented!). If several hashes had been used, the token would still be valid, and it could be promptly renewed in order to prevent invalidation should further advances in cryptography render other hashes obsolete! (One must be careful here: there are different extents to which a hash algorithm could be broken; in Appendix A of PKITS-D3 [http://www.fnmt.es/pkits] there is an interesting analysis of the implications that the different kinds of hash failures would have on the time-stamping process.) Of course the requirements on the time-stamp verification process would also have be modified to require ("MUST" level) *all* the hashes to correctly verify in order to regard the corresponding time-stamp token valid. Best regards, - Manuel - ---- Manuel Heras-Gilsanz (mherasg@nexo.es) Independent Security Consultant Phone: +34-629 07 53 31 Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id LAA18496 for ietf-pkix-bks; Thu, 8 Apr 1999 11:46:44 -0700 (PDT) Received: from smtp.udac.net (smtp.udac.net [193.44.79.123]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id LAA18492 for <ietf-pkix@imc.org>; Thu, 8 Apr 1999 11:46:42 -0700 (PDT) Received: from caesar.udac.se (caesar.udac.se [193.44.79.10]) by smtp.udac.net (8.9.1/8.9.1) with ESMTP id UAA31854 for <ietf-pkix@imc.org>; Thu, 8 Apr 1999 20:47:29 +0200 Received: from mega (t1o69p19.telia.com [62.20.144.19]) by caesar.udac.se (8.7.3/NetworkC-1) with SMTP id UAA114985; Thu, 8 Apr 1999 20:47:26 +0200 Message-ID: <00a001be81f8$5f75c9e0$020000c0@mega.vincent.se> From: "Anders Rundgren" <anders.rundgren@jaybis.com> To: "Simon Corell" <simon.corell@ID2TECH.COM>, "Stephen Kent" <kent@bbn.com>, "'Stefan Santesson'" <stefan@accurata.se> Cc: <ietf-pkix@imc.org>, "'SEIS-List'" <list@seis.nc-forum.com> Subject: Re: A $25,000,000,000 PKI Was:Spec. on QC-low-fat &Q C-heavy-bio Date: Thu, 8 Apr 1999 20:45:35 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.2106.4 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id LAA18493 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Hi Simon, <snip> >It is a pity that the definitions used was based on the technology. I tried >hard to introduce the "digital stamp" as a termus tecnicus to digital >signatures produced by legal bodies. That sounds like a really good idea and considering the currently not so widely use of digital signatures, I would not bury this thing yet. BTW, "Digital Stamps" could not only be applied to legal bodies but could also be produced by machines like ticket automates where the ISSUER is a legal body and the SUBJECT (signer) is a particular unit. <snip> Regards Anders http://www.mobilephones-tng.com Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id LAA18481 for ietf-pkix-bks; Thu, 8 Apr 1999 11:45:55 -0700 (PDT) Received: from mail01-ewr.pilot.net (mail-ewr-1.pilot.net [206.98.230.18]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id LAA18477 for <ietf-pkix@imc.org>; Thu, 8 Apr 1999 11:45:54 -0700 (PDT) From: Lynn.Wheeler@firstdata.com Received: from mailgw.firstdata.com ([204.48.27.166]) by mail01-ewr.pilot.net with ESMTP id OAA23411; Thu, 8 Apr 1999 14:46:38 -0400 (EDT) Received: from lnsunr02.firstdata.com (lnsunr02.firstdata.com [192.168.247.16]) by mailgw.firstdata.com with SMTP id OAA10839; Thu, 8 Apr 1999 14:46:37 -0400 (EDT) Received: by lnsunr02.firstdata.com(Lotus SMTP MTA v4.6.3 (733.2 10-16-1998)) id 8525674D.00667C27 ; Thu, 8 Apr 1999 14:39:24 -0400 X-Lotus-FromDomain: FDC To: Stefan Santesson <stefan@accurata.se> cc: Denis Pinkas <Denis.Pinkas@bull.net>, IETF-PXIX <ietf-pkix@imc.org> Message-ID: <8525674D.00667907.00@lnsunr02.firstdata.com> Date: Thu, 8 Apr 1999 11:43:03 -0700 Subject: Re: Conclusion - Biometric inclusion in QC Mime-Version: 1.0 Content-type: multipart/mixed; Boundary="0__=1S2azjQQRCdoVrZbv23XGtS6P2vwgYDaQtsStoN7HBYrysF4rM8zLsmG" Content-Disposition: inline Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> --0__=1S2azjQQRCdoVrZbv23XGtS6P2vwgYDaQtsStoN7HBYrysF4rM8zLsmG Content-type: text/plain; charset=us-ascii Content-Disposition: inline somewhat related is the AADS work on parameterised risk management and certified assurance level of the various components (see various AADS discussion at http://www.garlic.com/~lynn/). There has been the suggestion that a consistent set of risk management & assurance level parameters be specified so that they might also be used in certificate extensions (like does an AADS authentication chipcard use pin activiation or biometric activation, what is the assurance level of the chipcard, what assurance level is the chip activiation, etc). an issue with regard to AADS biometric is whether or not the biometric and identification information is "public" .... much of AADS use in civilian and consumer scenerios worries about propogating identity information like names around the net ... i.e. being able to do digital signed transactions w/o having to divulge consumer name to parties involved. Stefan Santesson <stefan@accurata.se> on 03/31/99 04:06:39 AM To: Denis Pinkas <Denis.Pinkas@bull.net> cc: IETF-PXIX <ietf-pkix@imc.org> Subject: Re: Conclusion - Biometric inclusion in QC At 11:09 AM 3/31/99 +0200, Denis Pinkas wrote: <snip> >I do not believe you met any Dennis Pinkas, maybe you met a Denis Pinkas. Sorry for that ! <snip> >> And don't forget that putting a hash of a picture in a QC, is already a >> valid option. For example you can use this hash as a unique identifier >> (issued by the CA) and put it in the dNQualifier attribute. Then include an >> attributeSemantics OID defining this property. And you are all set !! > >If I understand correctly, you mean that we have some means to have an extension, >... but we still need to define that extension. >This is exactly what I am advocating for. > Not exactly an extension. We define a new "PersonalData" field stored in the otherName field in the subjectAltName extension. All this is found in section 3.2.1 of the draft. This field has the capability you are asking for. i.e. holding a hash of a photo, plus the fact that you can communicate to the relying party that it does. /Stefan >Regards, > >Denis ------------------------------------------------------------------- Stefan Santesson <stefan@accurata.se> Accurata Systems --0__=1S2azjQQRCdoVrZbv23XGtS6P2vwgYDaQtsStoN7HBYrysF4rM8zLsmG Content-type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-transfer-encoding: quoted-printable =E4kerhet AB http://www.accurata.se Slagthuset Tel. +46-40 108588 211 20 Malm=F6 Fax. +46-40 150790 Sweden Mobile +46-70 5247799 PGP fingerprint: 89BC 6C79 5B3D 591B 8547 1512 7D11 DBF4 528F 29A0 ------------------------------------------------------------------- = --0__=1S2azjQQRCdoVrZbv23XGtS6P2vwgYDaQtsStoN7HBYrysF4rM8zLsmG-- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id LAA18347 for ietf-pkix-bks; Thu, 8 Apr 1999 11:35:00 -0700 (PDT) Received: from tomcat.sac.verio.net (root@tomcat.sac.verio.net [209.162.64.15]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id LAA18343 for <ietf-pkix@imc.org>; Thu, 8 Apr 1999 11:34:46 -0700 (PDT) Received: from mcg.org.br (pm08-29.sac.verio.net [209.162.65.95]) by tomcat.sac.verio.net (8.9.1a/8.9.1) with ESMTP id LAA26462; Thu, 8 Apr 1999 11:33:33 -0700 (PDT) Message-ID: <370CF619.B31E82EB@mcg.org.br> Date: Thu, 08 Apr 1999 11:31:53 -0700 From: Ed Gerck <egerck@mcg.org.br> X-Mailer: Mozilla 4.51 [en] (Win98; I) X-Accept-Language: en MIME-Version: 1.0 To: Patrik =?iso-8859-1?Q?F=E4ltstr=F6m?= <paf@swip.net> CC: Stefan Santesson <stefan@accurata.se>, Anders Rundgren <anders.rundgren@jaybis.com>, Stephen Kent <kent@bbn.com>, ietf-pkix@imc.org, "'SEIS-List'" <list@seis.nc-forum.com> Subject: Trust, was Re: SEIS: Re: A $25,000,000,000 PKI References: <3.0.32.19990408165227.009221c0@mail.accurata.se> <v04204c07b332805eae80@[192.168.110.1]> Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Patrik Fältström wrote: > It is also the case that if you also have a contract between the > parties exchanging information, or for example the party which hands > out the keys, things get extremely complicated -- and I have not seen > a single person being able to come with a formula for "TRUST" ever, > and I doubt anyone will. See: 1. Ed Gerck, "Towards Real-World Models of Trust: Reliance on Received Information", in http://www.mcg.org.br/trustdef.htm 2. Ed Gerck, "Trust Points" from http://www.mcg.org.br/trustdef.txt excerpted in "Digital Certificates: Applied Internet Security" by J. Feghhi, J. Feghhi and P. Williams, Addison-Wesley , ISBN 0-20-130980-7, p. 194-195, 1998. 3. John Gregory, "Electronic Legal Records: Pretty Good Authentication?", in http://www.callacbd.ca/summit/auth-johngregory.html 4. Lea Viljanen, with Web page at http://www.nixu.fi/~lea/ in a paper delivered in an Internet seminar in Finland, had the following excerpt which may well illustrate the usefulness of the approach in [1] above: "If we analyze the first case following Gerck's definition of trust being "[that which is] essential to a communication channel but which cannot be transferred from the source to a destination using that channel" (see 2.2 ), we must first analyze what is the communication channel in this case. Here we find that the certificates themselves are the channel/medium with which the data conveying some trust expressions are transmitted. So trust to the certificates themselves cannot be transferred using the certificates. To define trust in a communication system from this point of view also yields the interesting point that we can have several trust requirements for a communication system. Each observer can have a list of trust requirements for every level of the communication system, for example trust for the hardware, trust only data carried by operator X or only within our own corporate network, trust only data-origin-authenticated messages etc. For us to trust the information received from the communication all these trust conditions must be satisfied. The existence of these multiple layers of trust is usually ignored." Cheers, Ed Gerck Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id KAA17720 for ietf-pkix-bks; Thu, 8 Apr 1999 10:27:18 -0700 (PDT) Received: from mail-out1.apple.com (mail-out1.apple.com [17.254.0.52]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id KAA17716 for <ietf-pkix@imc.org>; Thu, 8 Apr 1999 10:27:17 -0700 (PDT) Received: from mailgate1.apple.com (A17-128-100-225.apple.com [17.128.100.225]) by mail-out1.apple.com (8.8.5/8.8.5) with ESMTP id KAA08898 for <ietf-pkix@imc.org>; Thu, 8 Apr 1999 10:23:08 -0700 Received: from scv1.apple.com (scv1.apple.com) by mailgate1.apple.com (mailgate1.apple.com- SMTPRS 2.0.15) with ESMTP id <B0005969965@mailgate1.apple.com>; Thu, 08 Apr 1999 10:23:03 -0700 Received: from [17.205.41.166] (aram1.apple.com [17.205.41.166]) by scv1.apple.com (8.9.3/8.9.3) with ESMTP id KAA28576; Thu, 8 Apr 1999 10:23:01 -0700 Message-Id: <199904081723.KAA28576@scv1.apple.com> X-Mailer: Microsoft Outlook Express Macintosh Edition - 4.5 (0410) Date: Thu, 08 Apr 1999 10:23:01 -0700 Subject: Re: A $25,000,000,000 PKI Was:Spec. on QC-low-fat & QC-heavy-bio From: "Aram Perez" <aram@apple.com> To: Stefan Santesson <stefan@accurata.se>, Anders Rundgren <anders.rundgren@jaybis.com>, Stephen Kent <kent@bbn.com> Cc: ietf-pkix@imc.org, "'SEIS-List'" <list@seis.nc-forum.com> MIME-Version: 1.0 X-Priority: 3 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Stefan Santesson wrote: > Anders, > > First of all - I'm not a lawyer. All I'm saying is just my opinion. Neither am I (but I'll give my opinion anyway :-). > > Second. The person responsible for a signature, regardless of type, is the > person who created it and whose intent it expresses. > > I.e. You are ALWAYS responsible for signatures created by YOU and you are > NEVER responsible for signatures created by someone else. I don't believe this is legally correct. I can give a "power of attorney" to someone else who can sign for me and I will be responsible for what that person signs. [snip] Regards, Aram Perez Apple Computer, Inc. Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id KAA17530 for ietf-pkix-bks; Thu, 8 Apr 1999 10:09:44 -0700 (PDT) Received: from nix.swip.net (nix.swip.net [192.71.220.2]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id KAA17526 for <ietf-pkix@imc.org>; Thu, 8 Apr 1999 10:09:42 -0700 (PDT) Received: from [192.168.110.1] (workstation1.swip.net [130.244.254.1]) by nix.swip.net (8.8.8/8.8.8) with ESMTP id TAA25740; Thu, 8 Apr 1999 19:10:02 +0200 (MET DST) Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" ; format="flowed" X-Sender: paf@nix.swip.net (Unverified) Message-Id: <v04204c07b332805eae80@[192.168.110.1]> In-Reply-To: <3.0.32.19990408165227.009221c0@mail.accurata.se> References: <3.0.32.19990408165227.009221c0@mail.accurata.se> Date: Thu, 8 Apr 1999 19:06:47 +0200 To: Stefan Santesson <stefan@accurata.se>, "Anders Rundgren" <anders.rundgren@jaybis.com>, "Stephen Kent" <kent@bbn.com> From: Patrik =?iso-8859-1?Q?F=E4ltstr=F6m?= <paf@swip.net> Subject: Re: SEIS: Re: A $25,000,000,000 PKI Was:Spec. on QC-low-fat & QC-heavy-bio Cc: <ietf-pkix@imc.org>, "'SEIS-List'" <list@seis.nc-forum.com> Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id KAA17527 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> At 16.52 +0200 1999-04-08, Stefan Santesson wrote: >I.e. You are ALWAYS responsible for signatures created by YOU and you are >NEVER responsible for signatures created by someone else. > >Who owns the techiqe, keys, system, infrastructure etc. are totally >irrelevant to this fact. In this step, yes. BUT, the party which you, as the signer, is sending the signed data to, have to trust the data itself, and the proposed fact that you were the one sending it. I.e. you as a signer is signing data just because you want someone else to trust your information. The infrastructure, keys, system etc is something which can be used at a later stage (see below). >So, last, what remains is the problem of providing strong evidence if the >above fact is repudiated. I.e. if you deny that a signature was created as >e result of your consious act, representing your intent. > >This however WILL be dependent on technique, keys, system, infrastructure etc. > >So when we are talking about law and technique, we are ONLY talking about >factors which effect the EVIDENCE VALUE. Not factors that decide whether a >signature is legal or not. > >ALL SIGNATURES ARE LEGAL. It's only the fact that some of them are harder >to prove in court than others. In legal systems like the one we have in Sweden, any party can to the court use any kind of evidence. In Swedish we call it "fri bevisprövning". I have been told, that in other legal systems, other rules can exist. It is also the case that if you also have a contract between the parties exchanging information, or for example the party which hands out the keys, things get extremely complicated -- and I have not seen a single person being able to come with a formula for "TRUST" ever, and I doubt anyone will. paf Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id JAA16655 for ietf-pkix-bks; Thu, 8 Apr 1999 09:04:56 -0700 (PDT) Received: from aunt15.ausys.se (void1.ausys.se [62.20.78.253]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id JAA16647 for <ietf-pkix@imc.org>; Thu, 8 Apr 1999 09:04:51 -0700 (PDT) Received: by aunt15.ausys.se with Internet Mail Service (5.5.1960.3) id <2NB2THYT>; Thu, 8 Apr 1999 18:05:01 +0200 Message-ID: <41ACC8CF2BF1D011AEDD00805F31E54C0283D93D@aunt15.ausys.se> From: Simon Corell <simon.corell@ID2TECH.COM> To: "'Anders Rundgren'" <anders.rundgren@jaybis.com>, Stephen Kent <kent@bbn.com>, "'Stefan Santesson'" <stefan@accurata.se> Cc: ietf-pkix@imc.org, "'SEIS-List'" <list@seis.nc-forum.com> Subject: RE: SEIS: RE: A $25,000,000,000 PKI Was:Spec. on QC-low-fat &Q C-heavy-bio Date: Thu, 8 Apr 1999 18:05:00 +0200 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id JAA16652 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Thank you Stefan for this straight forward remark - you are quite right but there are nevertheless exemptions and in some jurisdictions digital signatures is not even acknowledged unless defined in the law. That's why we had such problems with the EU Directive on this subject. Most of us don't want any specifications at all others want every bit specified, certified, sealed and signed and ..... The difference between legal and natural persons is a fact. Legal bodies cannot write and just because we are using the same technology doesn't change this fact. The old handwriting means so much more from a social and legal point of view and that's why it cannot be exchanged (without previous agreements) by automatically processes. The most important function of a document paper or electronic is the word "acknowledgement". If you don't know what your are doing an ever so good technical solution is worthless - also in the Nordic countries - as a proof. It is a pity that the definitions used was based on the technology. I tried hard to introduce the "digital stamp" as a termus tecnicus to digital signatures produced by legal bodies. Now you are going the other way and introduce Qualified certificates produced by natural persons. After ten years with this type of discussion I don't mind really but the big issue is still to implement TRUST and I have noticed since long that words and the meaning of words is essential and from an educational point of view we had won a lot by separating the definitions of the two types of usage already by the word. /Simon Simon Corell, Product Manager LL.B. iD2 Technologies, Liljeholmsvägen 14, P.O.Box 44055, 100 73 Sweden Phone: +46 8 7755219, Mobile: +46 706541470, Fax: +46 8 7267912 mail to: simon.corell@iD2tech.com, http://www.iD2tech.com IT Prize grand winner '98 iD2's forthcoming event - Netec '99, Stand E139A - 21-22 April Helsinki -----Original Message----- From: Anders Rundgren [mailto:anders.rundgren@jaybis.com] Sent: den 8 april 1999 17:19 To: Stephen Kent; 'Stefan Santesson' Cc: ietf-pkix@imc.org; 'SEIS-List' Subject: SEIS: RE: A $25,000,000,000 PKI Was:Spec. on QC-low-fat &QC-heavy-bio --- Message on the SEIS mailing list (list@seis.nc-forum.com) Stefan, >First of all - I'm not a lawyer. All I'm saying is just my opinion. >Second. The person responsible for a signature, regardless of type, is the >person who created it and whose intent it expresses. >I.e. You are ALWAYS responsible for signatures created by YOU and you are >NEVER responsible for signatures created by someone else. Now you hit a VERY interesting point that I would like to concentrate on as it seems to be the "stumbling block" for DS as required by CyberPhone: You talk about "you" and the "person" etc. signing things. How about let's say, automatically produced invoices like telephone bills wrt signing? <snip> Regards Anders http://www.mobilephones-tng.com ----------------- SEIS mailing list (list@seis.nc-forum.com) Info about this list: http://www.nc-forum.com/seis SEIS Contact: info@seis.se Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id IAA16262 for ietf-pkix-bks; Thu, 8 Apr 1999 08:18:08 -0700 (PDT) Received: from smtp.udac.net (smtp.udac.net [193.44.79.123]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id IAA16258 for <ietf-pkix@imc.org>; Thu, 8 Apr 1999 08:18:06 -0700 (PDT) Received: from caesar.udac.se (caesar.udac.se [193.44.79.10]) by smtp.udac.net (8.9.1/8.9.1) with ESMTP id RAA24080 for <ietf-pkix@imc.org>; Thu, 8 Apr 1999 17:18:51 +0200 Received: from HYDRA ([195.198.186.68]) by caesar.udac.se (8.7.3/NetworkC-1) with SMTP id RAA46975; Thu, 8 Apr 1999 17:18:45 +0200 Received: by HYDRA with Microsoft Mail id <01BE81E3.E227C8D0@HYDRA>; Thu, 8 Apr 1999 17:18:56 +0200 Message-ID: <01BE81E3.E227C8D0@HYDRA> From: Anders Rundgren <anders.rundgren@jaybis.com> To: Stephen Kent <kent@bbn.com>, "'Stefan Santesson'" <stefan@accurata.se> Cc: "ietf-pkix@imc.org" <ietf-pkix@imc.org>, "'SEIS-List'" <list@seis.nc-forum.com> Subject: RE: A $25,000,000,000 PKI Was:Spec. on QC-low-fat &QC-heavy-bio Date: Thu, 8 Apr 1999 17:18:54 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Stefan, >First of all - I'm not a lawyer. All I'm saying is just my opinion. >Second. The person responsible for a signature, regardless of type, is the >person who created it and whose intent it expresses. >I.e. You are ALWAYS responsible for signatures created by YOU and you are >NEVER responsible for signatures created by someone else. Now you hit a VERY interesting point that I would like to concentrate on as it seems to be the "stumbling block" for DS as required by CyberPhone: You talk about "you" and the "person" etc. signing things. How about let's say, automatically produced invoices like telephone bills wrt signing? <snip> Regards Anders http://www.mobilephones-tng.com Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id HAA15998 for ietf-pkix-bks; Thu, 8 Apr 1999 07:56:51 -0700 (PDT) Received: from gatekeeper.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by mail.proper.com (8.8.8/8.8.5) with SMTP id HAA15994 for <ietf-pkix@imc.org>; Thu, 8 Apr 1999 07:56:49 -0700 (PDT) Received: id KAA03423; Thu, 8 Apr 1999 10:49:27 -0400 Received: by gateway id <G4CAZ6S1>; Thu, 8 Apr 1999 10:51:46 -0400 Message-ID: <01E1D01C12D7D211AFC70090273D20B112BD90@sothmxs06> From: Robert Zuccherato <robert.zuccherato@entrust.com> To: Peter Sylvester <Peter.Sylvester@edelweb.fr>, "'Denis Pinkas'" <Denis.Pinkas@bull.net> Cc: ietf-pkix@imc.org, jluis@fnmt.es Subject: RE: Time Stamp: tsa field in TSTInfo Date: Thu, 8 Apr 1999 10:45:47 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id HAA15995 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Okay, I will make the tsa name optional as well. However, it MUST be present if the authenticated attribute from ESS is not included. I think that since time stamp tokens will be used as evidence in support of non-repudiation, there should be some identification of the TSA within the signed part of the token. > ---------- > From: Denis Pinkas[SMTP:Denis.Pinkas@bull.net] > Sent: Thursday, April 08, 1999 6:16 AM > To: Peter Sylvester > Cc: ietf-pkix@imc.org; jluis@fnmt.es; robert.zuccherato@entrust.com > Subject: Re: Time Stamp: tsa field in TSTInfo > > Peter, > > I concur with your proposal, ie. use an signed (also called > "authenticated") > attribute from ESS that indicates the certificate used by the TSA and > suppress the > name of the TSA from the signed structure. This "useful" attribute is > indeed in > ESS, not CMS - where it should have been. :-( > > Since the verifier will need anyway to get that certificate to verify the > signature, then, at that time, it will get the name of the TSA. > > Regards, > > Denis > > > > > > > > Actually, I believe that when using CMS only the content (in this case > > > TSTInfo) is signed along with any authenticated attributes. Thus, the > > > distinguishing information for the TSA would not be signed if it was > not > > > included within the TSTInfo structure. > > If the TST provider want to surely indicate its identity, one > > can use an ess signing certificate attribute. > > > > This seems preferable to me (if the tendancy is avoid to reinvent > things). > > > > The ess stuff was probably not avaiable at the time when > > the tst draft was written for the first time. > > > > > > > > > > Robert. > > > > > > > ---------- > > > > From: Juan Luis López[SMTP:jluis@fnmt.es] > > > > Sent: Wednesday, April 07, 1999 5:25 AM > > > > To: pkix > > > > Subject: Time Stamp: tsa field in TSTInfo > > > > > > > > Hi everybody! > > > > > > > > I am involved in a Time Stamping project and we are analysing > the PKIX > > > > draft about this subject. > > > > > > > > I would like to give my opinion on an issue to the list: > > > > It seems not appropriate to include a field in TSTInfo structure > > > > related to the tsa identity, i.e. tsa field. I don't find this field > > > > necessary because it is repeated when using a CMS or PKCS#7 envelope > to > > > > encapsulate the token information. This information would be > redundant > > > > since an identifier distinguishing the given tsa should be present > in the > > > > signerInfo structure. > > > > > > > > So, I recommend the deletion of this field. > > > > > > > > Regards, > > > > Juan Luis López > > > > > > > > > > > > > > > > > -------------------------------------------------------------------------- > > > > ----------- > > > > Juan Luis López < > > > > jluis@fnmt.es> > > > > Project Engineer > > > > http://www.fnmt.es/pkits > > > > Fábrica Nacional de Moneda y Timbre tel: [+34] 91 506 48 > 40 > > > > C/ Juan de Mariana, 17 fax: [+34] > 91 506 > > > > 48 51 > > > > E-28045 Madrid, SPAIN > > > > > > > > Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id HAA15945 for ietf-pkix-bks; Thu, 8 Apr 1999 07:51:04 -0700 (PDT) Received: from popmail.inbox.se (popmail.inbox.se [193.12.72.101]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id HAA15941 for <ietf-pkix@imc.org>; Thu, 8 Apr 1999 07:51:02 -0700 (PDT) Received: from stefan2 (accurata.inbox.se [193.12.72.24]) by popmail.inbox.se (8.9.3/8.9.3) with SMTP id QAA25568; Thu, 8 Apr 1999 16:51:43 +0200 Message-Id: <3.0.32.19990408165227.009221c0@mail.accurata.se> X-Sender: mb517@mail.accurata.se X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Thu, 08 Apr 1999 16:52:27 +0200 To: "Anders Rundgren" <anders.rundgren@jaybis.com>, "Stephen Kent" <kent@bbn.com> From: Stefan Santesson <stefan@accurata.se> Subject: Re: A $25,000,000,000 PKI Was:Spec. on QC-low-fat & QC-heavy-bio Cc: <ietf-pkix@imc.org>, "'SEIS-List'" <list@seis.nc-forum.com> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id HAA15942 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Anders, First of all - I'm not a lawyer. All I'm saying is just my opinion. Second. The person responsible for a signature, regardless of type, is the person who created it and whose intent it expresses. I.e. You are ALWAYS responsible for signatures created by YOU and you are NEVER responsible for signatures created by someone else. Who owns the techiqe, keys, system, infrastructure etc. are totally irrelevant to this fact. So, last, what remains is the problem of providing strong evidence if the above fact is repudiated. I.e. if you deny that a signature was created as e result of your consious act, representing your intent. This however WILL be dependent on technique, keys, system, infrastructure etc. So when we are talking about law and technique, we are ONLY talking about factors which effect the EVIDENCE VALUE. Not factors that decide whether a signature is legal or not. ALL SIGNATURES ARE LEGAL. It's only the fact that some of them are harder to prove in court than others. /Stefan P.s. Th above should not be mixed with the fact that some authorities may require a minimum security level for signatures in order to accept them (e.g. for a signature to be in hand writing). This is an option open to all relying parties, i.e. to say - It has to be at least this good or I will reject it. At 07:14 AM 4/8/99 +0100, Anders Rundgren wrote: >Hi Stefan + Steve, > >May I ask a question regarding signature laws which I am pretty ignorant of? > >If a company runs a SET Wallet Server for their employees to use, is not the company >responsible for signatures produced by the certificate and keys stored on that server? > >Legally as well as technically. > >Now to the users (with their CyberPhones) that initiates transactions: They are responsible to >their company that as a minimum records all transations with user identity. Or >it could require a sign op as well. > >Looks OK to me. > >So what is so fundamentally flawed in the CyberPhone concept with respect to digital >signature laws? > >Regards >Anders >http://www.mobilephones-tng.com > > ------------------------------------------------------------------- Stefan Santesson <stefan@accurata.se> Accurata Systemsäkerhet AB http://www.accurata.se Slagthuset Tel. +46-40 108588 211 20 Malmö Fax. +46-40 150790 Sweden Mobile +46-70 5247799 PGP fingerprint: 89BC 6C79 5B3D 591B 8547 1512 7D11 DBF4 528F 29A0 ------------------------------------------------------------------- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id HAA15758 for ietf-pkix-bks; Thu, 8 Apr 1999 07:34:20 -0700 (PDT) Received: from gatekeeper.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by mail.proper.com (8.8.8/8.8.5) with SMTP id HAA15753 for <ietf-pkix@imc.org>; Thu, 8 Apr 1999 07:34:18 -0700 (PDT) Received: id KAA23252; Thu, 8 Apr 1999 10:30:18 -0400 Received: by gateway id <G4CAZ6NL>; Thu, 8 Apr 1999 10:32:39 -0400 Message-ID: <01E1D01C12D7D211AFC70090273D20B112BD8F@sothmxs06> From: Robert Zuccherato <robert.zuccherato@entrust.com> To: Robert Zuccherato <robert.zuccherato@entrust.com>, "'Denis Pinkas'" <Denis.Pinkas@bull.net> Cc: ietf-pkix@imc.org, "'Juan G. de la Vega'" <jgonzalez@fnmt.es> Subject: RE: Time Stamping: comments on nonce field Date: Thu, 8 Apr 1999 10:26:40 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id HAA15755 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Okay. I will make it optional in both the request and response. > ---------- > From: Denis Pinkas[SMTP:Denis.Pinkas@bull.net] > Sent: Thursday, April 08, 1999 6:10 AM > To: Robert Zuccherato > Cc: ietf-pkix@imc.org; 'Juan G. de la Vega' > Subject: Re: Time Stamping: comments on nonce field > > Robert, > > Some refinements to your response. > > The nonce is there for systems that do not have their own reliable clock > and > thus cannot test the freshness of the response by simply looking at the > signing > time. This is a replay protection. This has nothing to do whether a hash > of the > message is or is not present. > > I would make it OPTIONAL both in the request and in the response and > maintain > the current text that says: " ...must be present if the similar field in > TimeStampReq is present ..." > > Regards, > > Denis > > > > > ---------- > > > From: Juan G. de la Vega[SMTP:jgonzalez@fnmt.es] > > > Sent: Wednesday, April 07, 1999 5:39 AM > > > To: ietf-pkix@imc.org > > > Subject: Time Stamping: comments on nonce field > > > > > > First of all, the declaration of this field in the request and > > > token is somehow incoherent, while the nonce is mandatory in > TimeStapReq > > > (it is not declared OPTIONAL), the TimeStampToken´s nonce is OPTIONAL > but > > > it is stated that "...must be present if the similar field in > TimeStampReq > > > is present..." and hence the clause OPTIONAL is meaningless and > confusing > > > for this field shall always be present. > > > > > As I have said in the past, this was a mistake that I made because I did > not > > manage to fully include support for TSA production of a "signed time". > This > > would be a token which does not include a nonce or message imprint. > TSA's > > could produce these tokens and make them available (for example on a > > website) for anyone who wants to obtain them. This will be rectified in > the > > upcoming draft. > > > > > I would suggest this field to be declared OPTIONAL both in the request > and > > > token or better deleted if we take into account the following: > > > > > > As far as I understand, a nonce value is present in the request > and > > > token in order for the requester to be able to match the responses > from > > > the TSA with her requests when using an asynchronous transport. It can > be > > > argued that such functionality should be left to the transport layer > when > > > required, but furthermore I must say that the nonce is not necessary > since > > > matching can be performed using the "messageImprint" field. > > > > > Actually, the reason that the nonce is there and mandatory is to prevent > > replay attacks. Someone else could have obtained a time stamp on the > data > > before your request. Thus, it is possible that the time stamp you > received > > is not "fresh". Without a nonce, determining the freshness of the > timestamp > > is difficult. > > > > Robert. > Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id EAA14208 for ietf-pkix-bks; Thu, 8 Apr 1999 04:49:59 -0700 (PDT) Received: from smtp.udac.net (smtp.udac.net [193.44.79.123]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id EAA14203 for <ietf-pkix@imc.org>; Thu, 8 Apr 1999 04:49:54 -0700 (PDT) Received: from caesar.udac.se (caesar.udac.se [193.44.79.10]) by smtp.udac.net (8.9.1/8.9.1) with ESMTP id NAA29167 for <ietf-pkix@imc.org>; Thu, 8 Apr 1999 13:34:31 +0200 Received: from HYDRA ([195.198.186.68]) by caesar.udac.se (8.7.3/NetworkC-1) with SMTP id NAA28169; Thu, 8 Apr 1999 13:34:25 +0200 Received: by HYDRA with Microsoft Mail id <01BE81C4.8B8EFE90@HYDRA>; Thu, 8 Apr 1999 13:34:36 +0200 Message-ID: <01BE81C4.8B8EFE90@HYDRA> From: Anders Rundgren <anders.rundgren@jaybis.com> To: "'Denis Pinkas'" <Denis.Pinkas@bull.net> Cc: "'ietf-pkix@imc.org'" <ietf-pkix@imc.org> Subject: RE: Low-fat leaf certificates Date: Thu, 8 Apr 1999 13:34:35 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Denis, >Anders, >Your E-mail got burried under hundred of other E-mails. Sorry for the delay to respond. Nema Problema! >You misunderstood my talk. I am advocating against numerous extensions to >certificates that could be >handled generically by "administrative" certificates that contain information valid for a >large number of >leaf certificates. Unfortunately I did not had the opportunity to attend RSA99 so I did my own interpretation of low-fat leaf-certificates which obviously was wrong. No chance to get my hands on some kind of document on that? Regards Anders PS Below is my version/interpretation of low-fat DS http://www.mobilephones-tng.com/papers/idcards.html Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id EAA13979 for ietf-pkix-bks; Thu, 8 Apr 1999 04:23:47 -0700 (PDT) Received: from edelweb.fr (edelweb.fr [193.51.12.16]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id EAA13975 for <ietf-pkix@imc.org>; Thu, 8 Apr 1999 04:23:45 -0700 (PDT) Received: from champagne.edelweb.fr (localhost.edelweb.fr [127.0.0.1]) by edelweb.fr with ESMTP id NAA04521; Thu, 8 Apr 1999 13:24:16 +0200 (MET DST) Received: from champagne.edelweb.fr (champagne.edelweb.fr [193.51.14.161]) by edelweb.fr (nospam/1.1); Thu, 8 Apr 1999 13:24:16 +0200 (MET DST) Received: from emeriau.edelweb.fr (emeriau.edelweb.fr [193.51.14.5]) by champagne.edelweb.fr (8.6.10/8.6.6) with ESMTP id NAA25942; Thu, 8 Apr 1999 13:24:15 +0200 From: Peter Sylvester <Peter.Sylvester@edelweb.fr> Received: (sylvest@localhost) by emeriau.edelweb.fr (8.6.10/8.6.6) id NAA05404; Thu, 8 Apr 1999 13:24:14 +0200 Date: Thu, 8 Apr 1999 13:24:14 +0200 Message-Id: <199904081124.NAA05404@emeriau.edelweb.fr> To: robert.zuccherato@entrust.com, jluis@fnmt.es, mzolotarev@baltimore.com.au Subject: RE: Time Stamp: tsa field in TSTInfo Cc: ietf-pkix@imc.org Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> > The core time stamp information can be used indirectly, as a field inside > some third party WhateverService (WS) structure. Even (!) if this WS > structure gets signed/ enveloped, the signer is not going to be the TSA. > DCS as it stands now may serve as an example. I am not sure what you want to say: A TimeStampToken is a CMS document that contains the signature of the TSA, and a DCS provider can choose to include this in the DCS response to indicate the time. So you have all the signerinfo of the TSA, TDAs and DCS, etc. > > So, having tsa inside the TSTInfo may come as a useful thing - the WS > clients may still want to know the TimeStamp's origin. Agreed. Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id DAA13268 for ietf-pkix-bks; Thu, 8 Apr 1999 03:24:27 -0700 (PDT) Received: from www.fnmt.es ([193.149.2.14]) by mail.proper.com (8.8.8/8.8.5) with SMTP id DAA13264 for <ietf-pkix@imc.org>; Thu, 8 Apr 1999 03:24:26 -0700 (PDT) Received: from dnsp.epc.fnmt.es (dnsp.epc.fnmt.es [193.149.3.17]) by www.fnmt.es (NTMail 3.02.13) with ESMTP id wa023448 for <ietf-pkix@imc.org>; Thu, 8 Apr 1999 12:20:09 +0100 Message-ID: <014c01be81a9$e2bac660$d801a8c0@dc-10.ceres.fnmt.es> From: "=?iso-8859-1?Q?Juan_Luis_L=F3pez?=" <jluis@fnmt.es> To: "Robert Zuccherato" <robert.zuccherato@entrust.com>, "pkix" <ietf-pkix@imc.org> Subject: RE: Time Stamp: tsa field in TSTInfo Date: Thu, 8 Apr 1999 12:22:14 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Yes, you're right. But, the only thing that we should take into account is that the token is actually signed by the tsa. What tsa? the one signing the token. This information shall be present in the "sid" field of the SignerInfo structure. Optionally, the tsa certificate(s) could be incorporated in the SignedData structure. So, why should we use the tsa field in the TSTInfo structure when CMS Signed Data is used specifically for the purpose of authenticating the signer? I mean, why are you signing "who you are" if the signature itself (actually the process of verifying it) provides that information? Juan Luis ------------------------------------------------------------------------ ------------- Juan Luis López <jluis@fnmt.es> Project Engineer http://www.fnmt.es/pkits Fábrica Nacional de Moneda y Timbre tel: [+34] 91 506 48 40 C/ Juan de Mariana, 17 fax: [+34] 91 506 48 51 E-28045 Madrid, SPAIN -----Mensaje original----- De: Robert Zuccherato <robert.zuccherato@entrust.com> Para: pkix <ietf-pkix@imc.org>; 'Juan Luis López' <jluis@fnmt.es> Fecha: miércoles 7 de abril de 1999 18:47 Asunto: RE: Time Stamp: tsa field in TSTInfo Actually, I believe that when using CMS only the content (in this case TSTInfo) is signed along with any authenticated attributes. Thus, the distinguishing information for the TSA would not be signed if it was not included within the TSTInfo structure. Robert. > ---------- > From: Juan Luis López[SMTP:jluis@fnmt.es] > Sent: Wednesday, April 07, 1999 5:25 AM > To: pkix > Subject: Time Stamp: tsa field in TSTInfo > > Hi everybody! > > I am involved in a Time Stamping project and we are analysing the PKIX > draft about this subject. > > I would like to give my opinion on an issue to the list: > It seems not appropriate to include a field in TSTInfo structure > related to the tsa identity, i.e. tsa field. I don't find this field > necessary because it is repeated when using a CMS or PKCS#7 envelope to > encapsulate the token information. This information would be redundant > since an identifier distinguishing the given tsa should be present in the > signerInfo structure. > > So, I recommend the deletion of this field. > > Regards, > Juan Luis López > > > > -------------------------------------------------------------------------- > ----------- > Juan Luis López < > jluis@fnmt.es> > Project Engineer > http://www.fnmt.es/pkits > Fábrica Nacional de Moneda y Timbre tel: [+34] 91 506 48 40 > C/ Juan de Mariana, 17 fax: [+34] 91 506 > 48 51 > E-28045 Madrid, SPAIN > Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id DAA13182 for ietf-pkix-bks; Thu, 8 Apr 1999 03:16:03 -0700 (PDT) Received: from clbull.frcl.bull.fr (clbull.frcl.bull.fr [129.182.1.20]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id DAA13178 for <ietf-pkix@imc.org>; Thu, 8 Apr 1999 03:15:58 -0700 (PDT) Received: from k2.frcl.bull.fr (k2.frcl.bull.fr [129.182.100.2]) by clbull.frcl.bull.fr (8.9.1a/8.9.1) with ESMTP id NAA19166; Thu, 8 Apr 1999 13:16:10 +0200 Received: from bull.net (frcls6118.frcl.bull.fr [129.182.109.213]) by k2.frcl.bull.fr (AIX4.2/UCB 8.7/8.7) with ESMTP id NAA44874; Thu, 8 Apr 1999 13:18:15 +0200 (DFT) Message-ID: <370C8216.8E698664@bull.net> Date: Thu, 08 Apr 1999 12:16:54 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.06 [fr] (Win95; I) MIME-Version: 1.0 To: Peter Sylvester <Peter.Sylvester@edelweb.fr> CC: ietf-pkix@imc.org, jluis@fnmt.es, robert.zuccherato@entrust.com Subject: Re: Time Stamp: tsa field in TSTInfo References: <199904071714.TAA04926@emeriau.edelweb.fr> Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Content-Transfer-Encoding: 8bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Peter, I concur with your proposal, ie. use an signed (also called "authenticated") attribute from ESS that indicates the certificate used by the TSA and suppress the name of the TSA from the signed structure. This "useful" attribute is indeed in ESS, not CMS - where it should have been. :-( Since the verifier will need anyway to get that certificate to verify the signature, then, at that time, it will get the name of the TSA. Regards, Denis > > > > Actually, I believe that when using CMS only the content (in this case > > TSTInfo) is signed along with any authenticated attributes. Thus, the > > distinguishing information for the TSA would not be signed if it was not > > included within the TSTInfo structure. > If the TST provider want to surely indicate its identity, one > can use an ess signing certificate attribute. > > This seems preferable to me (if the tendancy is avoid to reinvent things). > > The ess stuff was probably not avaiable at the time when > the tst draft was written for the first time. > > > > > > Robert. > > > > > ---------- > > > From: Juan Luis López[SMTP:jluis@fnmt.es] > > > Sent: Wednesday, April 07, 1999 5:25 AM > > > To: pkix > > > Subject: Time Stamp: tsa field in TSTInfo > > > > > > Hi everybody! > > > > > > I am involved in a Time Stamping project and we are analysing the PKIX > > > draft about this subject. > > > > > > I would like to give my opinion on an issue to the list: > > > It seems not appropriate to include a field in TSTInfo structure > > > related to the tsa identity, i.e. tsa field. I don't find this field > > > necessary because it is repeated when using a CMS or PKCS#7 envelope to > > > encapsulate the token information. This information would be redundant > > > since an identifier distinguishing the given tsa should be present in the > > > signerInfo structure. > > > > > > So, I recommend the deletion of this field. > > > > > > Regards, > > > Juan Luis López > > > > > > > > > > > > -------------------------------------------------------------------------- > > > ----------- > > > Juan Luis López < > > > jluis@fnmt.es> > > > Project Engineer > > > http://www.fnmt.es/pkits > > > Fábrica Nacional de Moneda y Timbre tel: [+34] 91 506 48 40 > > > C/ Juan de Mariana, 17 fax: [+34] 91 506 > > > 48 51 > > > E-28045 Madrid, SPAIN > > > > > Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id DAA12773 for ietf-pkix-bks; Thu, 8 Apr 1999 03:10:18 -0700 (PDT) Received: from clbull.frcl.bull.fr (clbull.frcl.bull.fr [129.182.1.20]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id DAA12281 for <ietf-pkix@imc.org>; Thu, 8 Apr 1999 03:10:08 -0700 (PDT) Received: from k2.frcl.bull.fr (k2.frcl.bull.fr [129.182.100.2]) by clbull.frcl.bull.fr (8.9.1a/8.9.1) with ESMTP id NAA14996; Thu, 8 Apr 1999 13:10:07 +0200 Received: from bull.net (frcls6118.frcl.bull.fr [129.182.109.213]) by k2.frcl.bull.fr (AIX4.2/UCB 8.7/8.7) with ESMTP id NAA24984; Thu, 8 Apr 1999 13:12:11 +0200 (DFT) Message-ID: <370C80AA.5DD33A74@bull.net> Date: Thu, 08 Apr 1999 12:10:50 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.06 [fr] (Win95; I) MIME-Version: 1.0 To: Robert Zuccherato <robert.zuccherato@entrust.com> CC: ietf-pkix@imc.org, "'Juan G. de la Vega'" <jgonzalez@fnmt.es> Subject: Re: Time Stamping: comments on nonce field References: <01E1D01C12D7D211AFC70090273D20B112BD84@sothmxs06> Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Content-Transfer-Encoding: 8bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Robert, Some refinements to your response. The nonce is there for systems that do not have their own reliable clock and thus cannot test the freshness of the response by simply looking at the signing time. This is a replay protection. This has nothing to do whether a hash of the message is or is not present. I would make it OPTIONAL both in the request and in the response and maintain the current text that says: " ...must be present if the similar field in TimeStampReq is present ..." Regards, Denis > > ---------- > > From: Juan G. de la Vega[SMTP:jgonzalez@fnmt.es] > > Sent: Wednesday, April 07, 1999 5:39 AM > > To: ietf-pkix@imc.org > > Subject: Time Stamping: comments on nonce field > > > > First of all, the declaration of this field in the request and > > token is somehow incoherent, while the nonce is mandatory in TimeStapReq > > (it is not declared OPTIONAL), the TimeStampToken´s nonce is OPTIONAL but > > it is stated that "...must be present if the similar field in TimeStampReq > > is present..." and hence the clause OPTIONAL is meaningless and confusing > > for this field shall always be present. > > > As I have said in the past, this was a mistake that I made because I did not > manage to fully include support for TSA production of a "signed time". This > would be a token which does not include a nonce or message imprint. TSA's > could produce these tokens and make them available (for example on a > website) for anyone who wants to obtain them. This will be rectified in the > upcoming draft. > > > I would suggest this field to be declared OPTIONAL both in the request and > > token or better deleted if we take into account the following: > > > > As far as I understand, a nonce value is present in the request and > > token in order for the requester to be able to match the responses from > > the TSA with her requests when using an asynchronous transport. It can be > > argued that such functionality should be left to the transport layer when > > required, but furthermore I must say that the nonce is not necessary since > > matching can be performed using the "messageImprint" field. > > > Actually, the reason that the nonce is there and mandatory is to prevent > replay attacks. Someone else could have obtained a time stamp on the data > before your request. Thus, it is possible that the time stamp you received > is not "fresh". Without a nonce, determining the freshness of the timestamp > is difficult. > > Robert. Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id CAA10236 for ietf-pkix-bks; Thu, 8 Apr 1999 02:22:08 -0700 (PDT) Received: from clbull.frcl.bull.fr (clbull.frcl.bull.fr [129.182.1.20]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id CAA10232 for <ietf-pkix@imc.org>; Thu, 8 Apr 1999 02:22:05 -0700 (PDT) Received: from k2.frcl.bull.fr (k2.frcl.bull.fr [129.182.100.2]) by clbull.frcl.bull.fr (8.9.1a/8.9.1) with ESMTP id MAA15560; Thu, 8 Apr 1999 12:22:25 +0200 Received: from bull.net (frcls6118.frcl.bull.fr [129.182.109.213]) by k2.frcl.bull.fr (AIX4.2/UCB 8.7/8.7) with ESMTP id MAA22286; Thu, 8 Apr 1999 12:24:29 +0200 (DFT) Message-ID: <370C757C.396F9034@bull.net> Date: Thu, 08 Apr 1999 11:23:08 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.06 [fr] (Win95; I) MIME-Version: 1.0 To: Anders Rundgren <anders.rundgren@jaybis.com> CC: "'ietf-pkix@imc.org'" <ietf-pkix@imc.org> Subject: Re: Low-fat leaf certificates References: <01BE7B7E.2DB86EB0@HYDRA> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Anders, Your E-mail got burried under hundred of other E-mails. Sorry for the delay to respond. You misunderstood my talk. I am advocating against numerous extensions to certificates that could be handled generically by "administrative" certificates that contain information valid for a large number of leaf certificates. So the topic you address is unrelated. Regards, Denis > David, > Just to make sure that you don't misunderstand me: > > I am VERY much in favor of your "Low-fat leaf certificates". > > That is what CyberPhone is all about. A CyberID SUBJECT is > supposed to consist of just two items: > > 1) "Name" (an alias/friendly name [as you are allowed to change name without changing "e"-identity]) > > 2) "dnQualifier" (a static [probably random] unique identifier in the domain) > > It is hard to get much slimmer than that! > > But a "low-fat" cert may have a "fat" cousin cert that does the dirty work in the > rare situations that requires it. And if they can share a common format life will > be simpler than if all "fat" data has to be handled "out-of-band" instead of in > nice "structured signed and certified containers of data" > > Regards > Anders > http://www.mobilephones-tng.com Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id CAA10087 for ietf-pkix-bks; Thu, 8 Apr 1999 02:06:09 -0700 (PDT) Received: from natasha1. (natasha-gw.checkpoint.com [199.203.73.129]) by mail.proper.com (8.8.8/8.8.5) with SMTP id CAA10082 for <ietf-pkix@imc.org>; Thu, 8 Apr 1999 02:06:06 -0700 (PDT) Received: from cale.checkpoint.com (gray.checkpoint.com [199.203.71.94]) by cale.checkpoint.com (8.9.1/8.9.1) with ESMTP id LAA19238; Thu, 8 Apr 1999 11:08:44 +0200 (IST) Message-ID: <370C7142.F9EB2664@cale.checkpoint.com> Date: Thu, 08 Apr 1999 12:05:06 +0300 From: Moshe Litvin <moshe@cale.checkpoint.com> X-Mailer: Mozilla 4.51 [en] (WinNT; I) X-Accept-Language: en MIME-Version: 1.0 To: Stephen Kent <kent@po1.bbn.com> CC: John_Wray@iris.com, Stephen Kent <kent@bbn.com>, ietf-pkix@imc.org Subject: Re: CA vs. EE cert processing References: <v04020a17b331af2ed303@[128.33.238.98]> Content-Type: multipart/mixed; boundary="------------AE38C6DF985690259B2AADF2" Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This is a multi-part message in MIME format. --------------AE38C6DF985690259B2AADF2 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Stephen Kent wrote: <snip> > >the first one aside for the moment, PKIX would be a better player in the > >broader X.509 world if it chose not to generate certificates that are > >ambiguous to such a world. > > The ambiguity exists in ALL verifiers, PKIX or not. Thus pointing the > finger at PKIX is not rational. > The ambiguity does exist in ALL verifiers, but it doesn't exist in all CA's. A CA that follows PKIX creates ambiguous certificates. Only CA that does does something that it SHOULD NOT do create unambiguous certificates. Here pointing the finger at PKIX is very rational. We cannot remove the possibility of ambiguity but we can generate certificates that are not affected by it. > > <snip> > > > > >On the contrary, changing RFC 2459 to require the inclusion of the > >basicConstraints extension on all certificates would help alleviate this > >ambiguity, and in some cases could completely address it. As you have > >pointed out, there is only an ambiguity when processing a certificate > >without a basicConstraints extension. By constraining PKIX to avoid > >generating such certificates, we would avoid any confusion in > >certificates generated by PKIX systems, whether or not the verifier > >is PKIX-compliant, and more importantly whether or not the verifier > >knows that the issuing system was PKIX-compliant. > > Changing PKIX to mandate inclusion of basicConstrants would improve the > odds, but not fix the problem. I don't view changes that have only > probabilistic improvements to be warranted, in general, and certainly not > here. It is not probabilistic improvements. A CA that put the basicConstraints extension is 100% not ambiguous. What probablistic about that? Why discourage CA's from generating unambiguous certificates? > > > >If RFC2459 were modified to require the extension, then it would > >be permissible for a verifier to make its own decisions about how > >to handle an ambiguous certificate (one without a basicConstraints > >extension). Reasonable options might include rejecting the > >certificate, asking for user guidance, or applying site-specific > >policy to determine how to treat it. The way RFC2459 is currently > >written, a PKIX verifier doesn't have these options - it must treat > >such a certificate as an EE certificate, whether or not that's the > >right thing to do (i.e. whether or not the issuing CA meant the > >certificate to be an EE or a CA cert). > > What is needed is an algorithm for a verifier to use to determine whether a > cert is an EE cert or a CA cert. We do not have such an algorithm in the > face of certs that are generated in compliance with X.509, period. I don't > want a heuristic improvement here, I want a fix. > Adding the extension is not a heuristic improvement, a certificate with the extension is certificate that doesn't need heuristics period. Admittedly the verifier will have heuristics but the CA can ensure that they won't be activated. > > <snip> > > > > >The PKIX working group doesn't have the ability to change X.509; we > >only have control of the PKIX specs. A change to RFC 2459 would allow > >us to avoid stumbling into into this ambiguity in X.509, with the result > >that: > > > >i) PKIX certificates would not be ambiguous to an X.509 verifier, > > > >and ii) PKIX verifiers would be able to distinguish ambiguous non-PKIX > >certs > >from unambiguous certs, without having to know whether the certificate > >issuer was PKIX-compliant. > > As David Kemp pointed out, we can file a DR to address this problem. > X.509 already addresses the problem and suggests: It is recommended that it be flagged critical, otherwise an entity which is not authorized to be a CA may issue certificates and a certificate-using system may unwittingly use such a certificate. For some reason PKIX decided to ignore the recommendation and invent it's own private semantics. Moshe --------------AE38C6DF985690259B2AADF2 Content-Type: text/x-vcard; charset=us-ascii; name="moshe.vcf" Content-Transfer-Encoding: 7bit Content-Description: Card for Moshe Litvin Content-Disposition: attachment; filename="moshe.vcf" begin:vcard n:Litvin;Moshe tel;fax:+972 3 5759256 tel;work:+972 3 7534601 x-mozilla-html:TRUE org:Check Point Software Technologies Ltd. adr:;;;;;; version:2.1 email;internet:moshe@CheckPoint.com fn:Moshe Litvin end:vcard --------------AE38C6DF985690259B2AADF2-- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id BAA09882 for ietf-pkix-bks; Thu, 8 Apr 1999 01:48:54 -0700 (PDT) Received: from natasha1. (natasha-gw.checkpoint.com [199.203.73.129]) by mail.proper.com (8.8.8/8.8.5) with SMTP id BAA09878 for <ietf-pkix@imc.org>; Thu, 8 Apr 1999 01:48:50 -0700 (PDT) Received: from cale.checkpoint.com (gray.checkpoint.com [199.203.71.94]) by cale.checkpoint.com (8.9.1/8.9.1) with ESMTP id KAA18085 for <ietf-pkix@imc.org>; Thu, 8 Apr 1999 10:51:35 +0200 (IST) Message-ID: <370C6D3E.14086921@cale.checkpoint.com> Date: Thu, 08 Apr 1999 11:47:58 +0300 From: Moshe Litvin <moshe@cale.checkpoint.com> X-Mailer: Mozilla 4.51 [en] (WinNT; I) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: CA vs. EE cert processing References: <v04020a18b331b07b2125@[128.33.238.98]> Content-Type: multipart/mixed; boundary="------------9F583804C3587A1243E4E12E" Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This is a multi-part message in MIME format. --------------9F583804C3587A1243E4E12E Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Steve, RFC2459 IS broken in the since the it recommends generating EE certificate that require out of band information to to know that it not a CA certificate. Moshe Stephen Kent wrote: > Aram, > > >My two cents: I agree with John. Given that RFC2459 is not a "standard" yet > >and thus no standard-compliant software exists out there, we should "fix" > >RFC2459 to do the right thing for existing legacy software, and the new > >RFC2459 compliant software. > > The right thing is to avoid the ambiguity introduced by X.509; changing > 2459 cannot fix that. 2459 is not broken, so please don't use the term > "fix" when referring to it. > > Steve --------------9F583804C3587A1243E4E12E Content-Type: text/x-vcard; charset=us-ascii; name="moshe.vcf" Content-Transfer-Encoding: 7bit Content-Description: Card for Moshe Litvin Content-Disposition: attachment; filename="moshe.vcf" begin:vcard n:Litvin;Moshe tel;fax:+972 3 5759256 tel;work:+972 3 7534601 x-mozilla-html:TRUE org:Check Point Software Technologies Ltd. adr:;;;;;; version:2.1 email;internet:moshe@CheckPoint.com fn:Moshe Litvin end:vcard --------------9F583804C3587A1243E4E12E-- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id WAA07360 for ietf-pkix-bks; Wed, 7 Apr 1999 22:28:38 -0700 (PDT) Received: from dsg1.OpenDirectory.com.au ([203.108.249.145]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id WAA07355 for <ietf-pkix@imc.org>; Wed, 7 Apr 1999 22:28:28 -0700 (PDT) Received: by DSG1 with Internet Mail Service (5.0.1458.49) id <22ZNQLYG>; Thu, 8 Apr 1999 15:28:38 +1000 Message-ID: <D1A949D4508DD1119C8100400533BEDC0BE96E@DSG1> From: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au> To: "'Stephen Kent'" <kent@po1.bbn.com> Cc: ietf-pkix@imc.org Subject: RE: CA vs. EE cert processing Date: Thu, 8 Apr 1999 15:28:36 +1000 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Stephen - not to extend this debate - X.509 defines that Basic Constraints is used to indicate that the public key in the cert is valid for testing certificate signatures - by a certificate using system eg. a client or EE. By definition it means that in (eg.) a 3 tier CA model that the root level CA has granted a private and public key ( in a cert with BC set to CA) to a middle level CA to issue certificates with and "advertise the fact (in its certificate) that the root trusts the middle CA to issue certs and for clients to validate such certs using the middle CAs public key. It strikes me that any PKIX compliant top level ROOT CA will set this extension to ensure that the correct PKeys are used to validate certs which point to itself. However, what the client software does with this extension is another matter. Both have to be compatable. If an EE in its validation path gets a cert with which it wants to validate a lower level certificate with and this extension is not set - it should give up - if ideology is maintained. However, X.509 permits an exit to this process to enable a CA path to be built and validated without cert extensions - simply because that is what they are - optional certificate extensions. I see no ambiguity - just flexibility - 2459 can profile this flexibility out if desired. regards alan > -----Original Message----- > From: Stephen Kent > Sent: Thursday, April 08, 1999 1:49 AM > To: Alan Lloyd > Cc: ietf-pkix@imc.org > Subject: RE: CA vs. EE cert processing > > Alan, > > I disagree. There is no obvious reason for this base standard to allow > for > this ambiguity. This is not a problem that is out of scope for the > base > standard. we agree, though, that adherence to the 2459 profile > advoids > ambiguity. The reason for this debate is that some folks felt the > ambiguity was the fault of 2459, whereas the analysis shows it to be > intrinsic in X.509. Thus no fix to 2459 will remove the ambiguity. > > steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id WAA06958 for ietf-pkix-bks; Wed, 7 Apr 1999 22:16:11 -0700 (PDT) Received: from smtp.udac.net (smtp.udac.net [193.44.79.123]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id WAA06954 for <ietf-pkix@imc.org>; Wed, 7 Apr 1999 22:16:09 -0700 (PDT) Received: from caesar.udac.se (caesar.udac.se [193.44.79.10]) by smtp.udac.net (8.9.1/8.9.1) with ESMTP id HAA22618 for <ietf-pkix@imc.org>; Thu, 8 Apr 1999 07:16:53 +0200 Received: from mega (t1o69p95.telia.com [62.20.144.95]) by caesar.udac.se (8.7.3/NetworkC-1) with SMTP id HAA41282; Thu, 8 Apr 1999 07:16:35 +0200 Message-ID: <002401be8187$1a0d4d40$020000c0@mega.vincent.se> From: "Anders Rundgren" <anders.rundgren@jaybis.com> To: "Stephen Kent" <kent@bbn.com>, "Stefan Santesson" <stefan@accurata.se> Cc: <ietf-pkix@imc.org>, "'SEIS-List'" <list@seis.nc-forum.com> Subject: Re: A $25,000,000,000 PKI Was:Spec. on QC-low-fat & QC-heavy-bio Date: Thu, 8 Apr 1999 07:14:45 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.2106.4 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id WAA06955 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Hi Stefan + Steve, May I ask a question regarding signature laws which I am pretty ignorant of? If a company runs a SET Wallet Server for their employees to use, is not the company responsible for signatures produced by the certificate and keys stored on that server? Legally as well as technically. Now to the users (with their CyberPhones) that initiates transactions: They are responsible to their company that as a minimum records all transations with user identity. Or it could require a sign op as well. Looks OK to me. So what is so fundamentally flawed in the CyberPhone concept with respect to digital signature laws? Regards Anders http://www.mobilephones-tng.com Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id WAA06949 for ietf-pkix-bks; Wed, 7 Apr 1999 22:16:01 -0700 (PDT) Received: from smtp.udac.net (smtp.udac.net [193.44.79.123]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id WAA06944 for <ietf-pkix@imc.org>; Wed, 7 Apr 1999 22:15:59 -0700 (PDT) Received: from caesar.udac.se (caesar.udac.se [193.44.79.10]) by smtp.udac.net (8.9.1/8.9.1) with ESMTP id HAA22612 for <ietf-pkix@imc.org>; Thu, 8 Apr 1999 07:16:44 +0200 Received: from mega (t1o69p95.telia.com [62.20.144.95]) by caesar.udac.se (8.7.3/NetworkC-1) with SMTP id HAA41316; Thu, 8 Apr 1999 07:16:40 +0200 Message-ID: <002501be8187$1cdd0f10$020000c0@mega.vincent.se> From: "Anders Rundgren" <anders.rundgren@jaybis.com> To: "Stephen Kent" <kent@po1.bbn.com> Cc: "Stephen Kent" <kent@bbn.com>, <ietf-pkix@imc.org>, "'SEIS-List'" <list@seis.nc-forum.com> Subject: Re: A $25,000,000,000 PKI Was:Spec. on QC-low-fat & QC-heavy-bio Date: Thu, 8 Apr 1999 07:14:50 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.2106.4 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id WAA06946 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Steve, >I know a numnber of reasons why SET has not been accepted in the U.S., if >that's the context you're citing, and they are largely independent of the >issues you cite. For example, U.S. consumer protection laws make the >advantages of SET over simple use of SSL and a credit card number >unattractive to users. You are absolute right. SET is a European problem currently. > Since most online merchants can make a fair amount >of money despite the security limitations (e.g., lack of origin >non-repudaition) of the current paradigm, there is insufficient motivation >for them to change to SET. Right. >Since most of the purchases over the web are >done from PCs, the thin n client argument is not relevant. That is true for the current situation - not for the mobile future though. Hum, maybe you should take a look on GlobeSet's (a leader in SET) ServerWallet and see why the developed it. >All of our employees have computers, those who travel have laptops. Not >all have cell phones. of the ones that do have cell phones, few would be >capable opf making use of the certs you describe, i.e., not many are PCS >phones. Sure, but I am talking about the year 2003 or so. >The solution you propose is definately NOT high quality. By design? I am fully convinced (not such a big surprise though :-)) that if the CyberPhone concept and associated server technology is developed by the best brains in the industry it could match any quality standards. Regarding the security model it is not so far from a PKI-only version of Kerberos which seems to be higly regarded by security people. >It is an effort to >take advantage of devices with limited capabilities, and skew security >design principles to accommodate these limitations. CyberPhone does a LOT more than address devices with limited capabilities. It also addresses certificate management, traceability and transaction logging, business transaction models, and last but not least end-user security including resource loss, revocation, backup and recovery. <snip> Regards Anders http://www.mobilephones-tng.com Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id VAA06462 for ietf-pkix-bks; Wed, 7 Apr 1999 21:24:20 -0700 (PDT) Received: from NOD.RESTON.MCI.NET (nod.Reston.mci.net [166.45.6.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id VAA06458 for <ietf-pkix@imc.org>; Wed, 7 Apr 1999 21:24:19 -0700 (PDT) Received: from mci.net ([166.45.3.11]) by shoe.reston.mci.net (PMDF V5.2-29 #33823) with ESMTP id <01J9RRMTARS88WW0J1@shoe.reston.mci.net> for ietf-pkix@imc.org; Thu, 8 Apr 1999 00:24:29 EDT Date: Wed, 07 Apr 1999 21:24:26 -0700 From: Paul Krumviede <paul@mci.net> Subject: Re: A $25,000,000,000 PKI Was:Spec. on QC-low-fat & QC-heavy-bio To: ietf-pkix@imc.org Cc: "'SEIS-List'" <list@seis.nc-forum.com> Message-id: <370C2F7A.7E09E55F@mci.net> Organization: MCI WorldCom MIME-version: 1.0 X-Mailer: Mozilla 4.5 [en] (Win98; U) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7BIT X-Accept-Language: en References: <v04020a02b3311debd2da@[128.89.0.111]> Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Stephen Kent wrote: > > Anders, > >> As I said > >>before, you should pursue any implementation approach you think is > >>fruitful, but don't ask this standards body to tailor parts of its work to > >>facilitate your (decidely nont mainstream) approach to using certs. > > > >It COULD become mainstream... > > > >Now we both know pretty well where we stand in this case so > >could please somebody else comment on this? > > I'm sure they will. One somebody else's comment: I'm uncomfortable with the suggested use of certs. -paul Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id UAA06015 for ietf-pkix-bks; Wed, 7 Apr 1999 20:30:31 -0700 (PDT) Received: from dsg1.OpenDirectory.com.au ([203.108.249.145]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id UAA06010 for <ietf-pkix@imc.org>; Wed, 7 Apr 1999 20:30:29 -0700 (PDT) Received: by DSG1 with Internet Mail Service (5.0.1458.49) id <22ZNQLXL>; Thu, 8 Apr 1999 13:31:02 +1000 Message-ID: <D1A949D4508DD1119C8100400533BEDC0BE96C@DSG1> From: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au> To: "'Stephen Kent'" <kent@po1.bbn.com> Cc: ietf-pkix@imc.org, list@seis.nc-forum.com Subject: RE: SEIS: RE: Certificates, Directories, and Distinguished Names Date: Thu, 8 Apr 1999 13:31:01 +1000 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Yes its is probably best to teminate this discusion - simply because, and as usual, one asks the harder questions openly eg. Cert Subject and Issuer Alt names why, when, where? - and DNS names in certs and the validation issues.. and the rekey issues (for the real world) because of organisational and personnel churn (if email addresses are used).. And I (and others) follow this up with sound experience in dealing with distributed information engineering (eg directories), validation and revokation issues and also major global applications that wish to use PKI functionality ... what do you get back? not a lot. One aspect of inventing standards is that should serve at least five years of development and product introduction into operational business systems. regards alan > -----Original Message----- > From: Stephen Kent > Sent: Thursday, April 08, 1999 10:41 AM > To: Alan Lloyd > Cc: ietf-pkix@imc.org; list@seis.nc-forum.com > Subject: SEIS: RE: Certificates, Directories, and Distinguished > Names > > --- Message on the SEIS mailing list (list@seis.nc-forum.com) > > Alan, > > We seem to be making no progress wrt this discussion, like many of our > previous debates. Let save a few virtual trees and call it quits. > > Steve > > > ----------------- SEIS mailing list (list@seis.nc-forum.com) > Info about this list: http://www.nc-forum.com/seis > SEIS Contact: info@seis.se Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id UAA05807 for ietf-pkix-bks; Wed, 7 Apr 1999 20:08:10 -0700 (PDT) Received: from dsg1.OpenDirectory.com.au ([203.108.249.145]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id UAA05801 for <ietf-pkix@imc.org>; Wed, 7 Apr 1999 20:08:04 -0700 (PDT) Received: by DSG1 with Internet Mail Service (5.0.1458.49) id <22ZNQLXF>; Thu, 8 Apr 1999 13:08:21 +1000 Message-ID: <D1A949D4508DD1119C8100400533BEDC0BE96B@DSG1> From: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au> To: "'Tony Bartoletti'" <azb@llnl.gov>, "''Stephen Kent' '" <kent@bbn.com> Cc: "'''ietf-pkix@imc.org ' ' '" <ietf-pkix@imc.org>, "'''list@seis.nc-forum.com ' ' '" <list@seis.nc-forum.com> Subject: RE: Certificates, Directories, and Distinguished Names Date: Thu, 8 Apr 1999 13:08:21 +1000 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Tony, thanks for that. May I address something that has always concerned me about the view presented of directories. snips from the text. > I make an analogy between some folks reluctance to "bank", > and those who are similarly ill-at-ease allowing what might > be considered privacy info to be accessible via directories. snip > I see this sentiment "below the surface" when discussions of > global directories with searchable hierarchical Names are on > the table. It suggests a lack of control on the part of the > data-owner, and no amount of "we can make it real real secure > with lots of money" will assuage the unease. > If I said use a "database" for the PKI and personal info - which has been used all over the planet for the last 25 years - people are comfortable with that. If I said directory systems - there is an assumption that the whole planet can read the info regardless. Directories - are really a shift in information engineering that removes the distributed limitations of RDBs and in addition provides a coherent OO schema approach, a coherent authentication and ACI regime, use of common protocols for access, distribution and replication nad many other new properties for engineering distributed systems. Directories are nothing more than a major advancement in information storage and information protection technology and provide many common things that one would have to bespokely engineer with Data base approaches. Why there is this view that X.500 is big,slow, is the worlds one and only directory (which will never be deployed) and cannot be used for private data instead of an RDB - astounds me - simply because all that is so so wrong. All directories are is an evolution in information engineering for storage and access which should be used to one advantage and privately if desired - after all that is what technology improvements are about. I would like to think that those proposing a PKI for the internet or internet related services see the limitations of trying to put all ones data in an RDB and try telling a customer - all you need is this certificate server - in which you have to name things the same way or a different way to the other 26 databases they have with named items in. The issue of deploying secure information services - in most cases requires that a major clean up of the 10s of databases and address books one has with many name forms - first -- real world approaches to this is directory services (which can be private). hope this helps thanks and regards alan > These concerns seem laughable in the face of the main PKI > motivations dealt with here, being high-volume internet commerce. > And yet I am sure there are many who see the promise of security > (in privacy and identity) in public key technology, and hope to > see it serve their ends in this way. > > This is not to disparage the notion that directories will > be deployed and critical in a great many venues. If my "private" > information were not lying around on the disks of credit agencies, > I would have a hard time using all the plastic in my wallet. > > I simply share the feelings of many, I suspect, that commercial > concerns about how to best use keys and certs will overshadow > those uses where there are not quick-bucks to be made, and > that protocols tailored to the commercial uses will force > others into obscurity. > > Regards, > > ___tony___ > > > At 07:57 AM 4/8/99 +1000, Alan Lloyd wrote: > > > >Tony - not sure if I understand the thread or the last para. > > > >And dont get me wrong either re the value of PKIs. Having worked with > >directories for about 12 years and PKIs for 5 or so, for real > >operational business environments I appreciate the standards process, > >the profiling process and the need to deal with operational models > which > >today must include a distributed and consistent information > management > >capability. > > > >My line of comments try to address a major concern of the PKIX > process > >is: that design anchors such as email addresses in certs, databases > >instead of distributed directory systems, inflexibility in PKI > profiles > >because of theory, no recognition that business application (eg > mobile > >phones, car tagging, banking, etc) needs to be dealt with in terms of > >its PKI approach differently and and the need to keep adding things > in > >certs that are dynamic in the real world - makes the discussion > critical > >to say the least. > > > >As said PKIX is trying to profile X.509.. I have been involved with > the > >directory X.500 ISPs for a few years - and that effort was reduced to > >zero almost because the technology and products surfaced into the > market > >place and started dealing with real businesses - and that trying to > >mandate/option protocol and information fields in tables in standards > >for all circumstances in global business is impossible. > > > >In addition trying to shoe horn one PKI/CA - key management profile/ > >cert processing design for all aspects of trusted transactions - > which > >just happen to run over the internet, will also prove to be an > >impossible task. > > > >In addition - who will own the root level key for all this PKIX > >compliant stuff? > > > >As said PKIs will be built like directory services - for business > >domains and vertfical markets that provide EC services under the > >control of those who want to invest in such (PKI supported) services. > > > >regards alan > > > > > >---------- > >From: Tony Bartoletti > >To: Alan Lloyd; 'Stephen Kent' > >Cc: ''ietf-pkix@imc.org ' '; ''list@seis.nc-forum.com ' ' > >Sent: 4/8/99 3:26:06 AM > >Subject: RE: Certificates, Directories, and Distinguished Names > > > >Just a General Observation: > > > >The "pack-it-in-the-cert"/"pack-it-in-a-directory" debate seems to > >parallel, in some ways, the recent thread on Anders' "CyberPhone" > >approach to outsourcing one's private-key handling. > > > >And "convenience," indeed, can only be ignored at one's peril (in > >a business model, at least:) > > > >Over all of this, I cannot help but be reminded of those who lived > >through the Great Depression, and to this day feel uncomfortable > >placing their money in banks. They will insist upon dealing in > >"cash", the kind they can stuff under their mattress, or bury in > >a steel box in the backyard. Foolish at it may seem to most, they > >insist upon being the final arbiters of their security/destiny, > >however ill-equipped to the task they may be. > > > >No amount of argument that, statistically, their money would be > >safer in a bank, or as bits-on-a-disk, will dissuade them. > >(And who knows, in the long run, if they will be wrong or right?) > > > >Must we promote a world so hostile to these individualists (they > >are many, if not majority) that they become shut-out of the future > >benefits that PKIs may afford? > > > >Is this concern not a silent undercurrent to many of these debates? > > > >___tony___ > > > > > > > >Tony Bartoletti LL > >Center for Information Operations and Assurance LL LL > >Lawrence Livermore National Laboratory LL LL LL > >PO Box 808, L - 303 LL LL LL > >Livermore, CA 94551-9900 LL LL LLLLLLLL > >phone: 925-422-3881 fax: 925-423-8002 LL LLLLLLLL > >email: azb@llnl.gov LLLLLLLL > > > > > > > > Tony Bartoletti LL > Center for Information Operations and Assurance LL LL > Lawrence Livermore National Laboratory LL LL LL > PO Box 808, L - 303 LL LL LL > Livermore, CA 94551-9900 LL LL LLLLLLLL > phone: 925-422-3881 fax: 925-423-8002 LL LLLLLLLL > email: azb@llnl.gov LLLLLLLL Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id TAA05310 for ietf-pkix-bks; Wed, 7 Apr 1999 19:03:32 -0700 (PDT) Received: from stargate.zergo.com.au (root@stargate.zergo.com.au [203.2.208.130]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id TAA05306 for <ietf-pkix@imc.org>; Wed, 7 Apr 1999 19:03:28 -0700 (PDT) Received: from michaelz (dhcp-64.ws.zergo.com.au [192.168.72.64]) by stargate.zergo.com.au (8.9.1/8.8.7) with SMTP id MAA00519 for <ietf-pkix@imc.org >; Thu, 8 Apr 1999 12:03:16 +1000 Received: by localhost with Microsoft MAPI; Thu, 8 Apr 1999 12:03:34 +1000 Message-ID: <01BE81B7.D404B870.mzolotarev@baltimore.com.au> From: Michael Zolotarev <mzolotarev@baltimore.com.au> Reply-To: "mzolotarev@baltimore.com.au" <mzolotarev@baltimore.com.au> To: "'PKIX mailing group'" <ietf-pkix@imc.org> Subject: CMP message format. A naive question Date: Thu, 8 Apr 1999 12:03:32 +1000 Organization: Baltimore Pty Ltd X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> The CMP message format can be very appropriately used for non-cert-related PKI services, such as TimeStamping, AttributeCertificates, DCS etc Q1. Are there any reasons (technical, patent-related, religious,...) why the CMP message structure can not or should not be used for non-CMP PKI services? Q2. If the CMP format can be legitimately used for non-certificate management protocol operations, then what would be the IDs for the new PKIBody content? Has anybody sorted out or reserved the IDs above [23]? Q3. What would be the name to use, when it is not a Cert Mgm Prot-related message any longer?. "Generic PKI Message Format" (GPMF)? Michael Z Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id SAA04916 for ietf-pkix-bks; Wed, 7 Apr 1999 18:16:04 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id SAA04911 for <ietf-pkix@imc.org>; Wed, 7 Apr 1999 18:16:02 -0700 (PDT) Received: from [128.33.238.98] (TC082.BBN.COM [128.33.238.82]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id VAA00466; Wed, 7 Apr 1999 21:16:43 -0400 (EDT) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Message-Id: <v04020a18b331b07b2125@[128.33.238.98]> In-Reply-To: <199904071617.JAA07970@scv1.apple.com> Date: Wed, 7 Apr 1999 21:03:33 -0400 To: "Aram Perez" <aram@apple.com> From: Stephen Kent <kent@po1.bbn.com> Subject: Re: CA vs. EE cert processing Cc: ietf-pkix@imc.org Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Aram, >My two cents: I agree with John. Given that RFC2459 is not a "standard" yet >and thus no standard-compliant software exists out there, we should "fix" >RFC2459 to do the right thing for existing legacy software, and the new >RFC2459 compliant software. The right thing is to avoid the ambiguity introduced by X.509; changing 2459 cannot fix that. 2459 is not broken, so please don't use the term "fix" when referring to it. Steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id SAA04909 for ietf-pkix-bks; Wed, 7 Apr 1999 18:15:59 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id SAA04905 for <ietf-pkix@imc.org>; Wed, 7 Apr 1999 18:15:58 -0700 (PDT) Received: from [128.33.238.98] (TC082.BBN.COM [128.33.238.82]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id VAA00454; Wed, 7 Apr 1999 21:16:39 -0400 (EDT) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Message-Id: <v04020a17b331af2ed303@[128.33.238.98]> In-Reply-To: <OFF4961D1D.2995D9E0-ON8525674C.0046B92C@iris.com> Date: Wed, 7 Apr 1999 21:01:05 -0400 To: John_Wray@iris.com From: Stephen Kent <kent@po1.bbn.com> Subject: Re: CA vs. EE cert processing Cc: Stephen Kent <kent@bbn.com>, ietf-pkix@imc.org Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> John, <snip> >There are two parts to "this ambiguity". The one as stated where a PKIX >verifier encounters a certificate without a basicConstraints extension, and >another one where a non-PKIX verifier encounters such a certificate. >Leaving >the first one aside for the moment, PKIX would be a better player in the >broader X.509 world if it chose not to generate certificates that are >ambiguous to such a world. The ambiguity exists in ALL verifiers, PKIX or not. Thus pointing the finger at PKIX is not rational. <snip> > >On the contrary, changing RFC 2459 to require the inclusion of the >basicConstraints extension on all certificates would help alleviate this >ambiguity, and in some cases could completely address it. As you have >pointed out, there is only an ambiguity when processing a certificate >without a basicConstraints extension. By constraining PKIX to avoid >generating such certificates, we would avoid any confusion in >certificates generated by PKIX systems, whether or not the verifier >is PKIX-compliant, and more importantly whether or not the verifier >knows that the issuing system was PKIX-compliant. Changing PKIX to mandate inclusion of basicConstrants would improve the odds, but not fix the problem. I don't view changes that have only probabilistic improvements to be warranted, in general, and certainly not here. >If RFC2459 were modified to require the extension, then it would >be permissible for a verifier to make its own decisions about how >to handle an ambiguous certificate (one without a basicConstraints >extension). Reasonable options might include rejecting the >certificate, asking for user guidance, or applying site-specific >policy to determine how to treat it. The way RFC2459 is currently >written, a PKIX verifier doesn't have these options - it must treat >such a certificate as an EE certificate, whether or not that's the >right thing to do (i.e. whether or not the issuing CA meant the >certificate to be an EE or a CA cert). What is needed is an algorithm for a verifier to use to determine whether a cert is an EE cert or a CA cert. We do not have such an algorithm in the face of certs that are generated in compliance with X.509, period. I don't want a heuristic improvement here, I want a fix. <snip> > >The PKIX working group doesn't have the ability to change X.509; we >only have control of the PKIX specs. A change to RFC 2459 would allow >us to avoid stumbling into into this ambiguity in X.509, with the result >that: > >i) PKIX certificates would not be ambiguous to an X.509 verifier, > >and ii) PKIX verifiers would be able to distinguish ambiguous non-PKIX >certs >from unambiguous certs, without having to know whether the certificate >issuer was PKIX-compliant. As David Kemp pointed out, we can file a DR to address this problem. Steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id RAA04544 for ietf-pkix-bks; Wed, 7 Apr 1999 17:40:34 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id RAA04540 for <ietf-pkix@imc.org>; Wed, 7 Apr 1999 17:40:33 -0700 (PDT) Received: from [128.33.238.98] (TC098.BBN.COM [128.33.238.98]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id UAA25061; Wed, 7 Apr 1999 20:40:43 -0400 (EDT) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Message-Id: <v04020a01b3311d77b7a5@[128.89.0.111]> In-Reply-To: <D1A949D4508DD1119C8100400533BEDC0BE968@DSG1> Date: Wed, 7 Apr 1999 20:40:47 -0400 To: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au> From: Stephen Kent <kent@po1.bbn.com> Subject: RE: Certificates, Directories, and Distinguished Names Cc: <ietf-pkix@imc.org>, <list@seis.nc-forum.com> Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Alan, We seem to be making no progress wrt this discussion, like many of our previous debates. Let save a few virtual trees and call it quits. Steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id RAA04516 for ietf-pkix-bks; Wed, 7 Apr 1999 17:38:34 -0700 (PDT) Received: from poptop.llnl.gov (poptop.llnl.gov [128.115.18.65]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id RAA04512 for <ietf-pkix@imc.org>; Wed, 7 Apr 1999 17:38:34 -0700 (PDT) Received: from catalyst (catalyst.llnl.gov [128.115.223.10]) by poptop.llnl.gov (8.8.8/LLNL-3.0.2/pop.llnl.gov-5.1) with SMTP id RAA17258; Wed, 7 Apr 1999 17:38:49 -0700 (PDT) Message-Id: <3.0.3.32.19990407173820.00afe800@poptop.llnl.gov> X-Sender: e048786@poptop.llnl.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Wed, 07 Apr 1999 17:38:20 -0700 To: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au>, "''Stephen Kent' '" <kent@bbn.com> From: Tony Bartoletti <azb@llnl.gov> Subject: RE: Certificates, Directories, and Distinguished Names Cc: "'''ietf-pkix@imc.org ' ' '" <ietf-pkix@imc.org>, "'''list@seis.nc-forum.com ' ' '" <list@seis.nc-forum.com> In-Reply-To: <D1A949D4508DD1119C8100400533BEDC0DDB8A@DSG1> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Alan, I try here to accomodate viewpoints that are often at odds, judging from the long life these threads exhibit. I make an analogy between some folks reluctance to "bank", and those who are similarly ill-at-ease allowing what might be considered privacy info to be accessible via directories. Granted, I might be foolish to think my money is safer under my pillow (in general) than as bits on a magnetic disk far far away. I am more likely to be robbed at home than to have my account drained by a nefarious bank-insider. Yet some still insist on having their "gold" in their own hands, where they can see it and control it, directly and absolutely. I see this sentiment "below the surface" when discussions of global directories with searchable hierarchical Names are on the table. It suggests a lack of control on the part of the data-owner, and no amount of "we can make it real real secure with lots of money" will assuage the unease. Alot of folks, like the "bank-non-trustors" are less worried about abuses perpetrated by their neighbors, or even by the individual stranger, than they are by the power of the state. The (US) second amendment, once a form of balance to that power, is clearly impotent by orders of magnitude. Yet the people have one card that almost no amount of power can abuse, and that is cryptography, and by allowance unforgeable identity. They can jail or torture me, but it is in my power to relinquish the key or not. These concerns seem laughable in the face of the main PKI motivations dealt with here, being high-volume internet commerce. And yet I am sure there are many who see the promise of security (in privacy and identity) in public key technology, and hope to see it serve their ends in this way. This is not to disparage the notion that directories will be deployed and critical in a great many venues. If my "private" information were not lying around on the disks of credit agencies, I would have a hard time using all the plastic in my wallet. I simply share the feelings of many, I suspect, that commercial concerns about how to best use keys and certs will overshadow those uses where there are not quick-bucks to be made, and that protocols tailored to the commercial uses will force others into obscurity. Regards, ___tony___ At 07:57 AM 4/8/99 +1000, Alan Lloyd wrote: > >Tony - not sure if I understand the thread or the last para. > >And dont get me wrong either re the value of PKIs. Having worked with >directories for about 12 years and PKIs for 5 or so, for real >operational business environments I appreciate the standards process, >the profiling process and the need to deal with operational models which >today must include a distributed and consistent information management >capability. > >My line of comments try to address a major concern of the PKIX process >is: that design anchors such as email addresses in certs, databases >instead of distributed directory systems, inflexibility in PKI profiles >because of theory, no recognition that business application (eg mobile >phones, car tagging, banking, etc) needs to be dealt with in terms of >its PKI approach differently and and the need to keep adding things in >certs that are dynamic in the real world - makes the discussion critical >to say the least. > >As said PKIX is trying to profile X.509.. I have been involved with the >directory X.500 ISPs for a few years - and that effort was reduced to >zero almost because the technology and products surfaced into the market >place and started dealing with real businesses - and that trying to >mandate/option protocol and information fields in tables in standards >for all circumstances in global business is impossible. > >In addition trying to shoe horn one PKI/CA - key management profile/ >cert processing design for all aspects of trusted transactions - which >just happen to run over the internet, will also prove to be an >impossible task. > >In addition - who will own the root level key for all this PKIX >compliant stuff? > >As said PKIs will be built like directory services - for business >domains and vertfical markets that provide EC services under the >control of those who want to invest in such (PKI supported) services. > >regards alan > > >---------- >From: Tony Bartoletti >To: Alan Lloyd; 'Stephen Kent' >Cc: ''ietf-pkix@imc.org ' '; ''list@seis.nc-forum.com ' ' >Sent: 4/8/99 3:26:06 AM >Subject: RE: Certificates, Directories, and Distinguished Names > >Just a General Observation: > >The "pack-it-in-the-cert"/"pack-it-in-a-directory" debate seems to >parallel, in some ways, the recent thread on Anders' "CyberPhone" >approach to outsourcing one's private-key handling. > >And "convenience," indeed, can only be ignored at one's peril (in >a business model, at least:) > >Over all of this, I cannot help but be reminded of those who lived >through the Great Depression, and to this day feel uncomfortable >placing their money in banks. They will insist upon dealing in >"cash", the kind they can stuff under their mattress, or bury in >a steel box in the backyard. Foolish at it may seem to most, they >insist upon being the final arbiters of their security/destiny, >however ill-equipped to the task they may be. > >No amount of argument that, statistically, their money would be >safer in a bank, or as bits-on-a-disk, will dissuade them. >(And who knows, in the long run, if they will be wrong or right?) > >Must we promote a world so hostile to these individualists (they >are many, if not majority) that they become shut-out of the future >benefits that PKIs may afford? > >Is this concern not a silent undercurrent to many of these debates? > >___tony___ > > > >Tony Bartoletti LL >Center for Information Operations and Assurance LL LL >Lawrence Livermore National Laboratory LL LL LL >PO Box 808, L - 303 LL LL LL >Livermore, CA 94551-9900 LL LL LLLLLLLL >phone: 925-422-3881 fax: 925-423-8002 LL LLLLLLLL >email: azb@llnl.gov LLLLLLLL > > > Tony Bartoletti LL Center for Information Operations and Assurance LL LL Lawrence Livermore National Laboratory LL LL LL PO Box 808, L - 303 LL LL LL Livermore, CA 94551-9900 LL LL LLLLLLLL phone: 925-422-3881 fax: 925-423-8002 LL LLLLLLLL email: azb@llnl.gov LLLLLLLL Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id RAA04501 for ietf-pkix-bks; Wed, 7 Apr 1999 17:37:01 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id RAA04497 for <ietf-pkix@imc.org>; Wed, 7 Apr 1999 17:37:00 -0700 (PDT) Received: from [128.33.238.98] (TC098.BBN.COM [128.33.238.98]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id UAA24197; Wed, 7 Apr 1999 20:37:26 -0400 (EDT) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Message-Id: <v04020a06b3312dbcd617@[128.89.0.111]> In-Reply-To: <D1A949D4508DD1119C8100400533BEDC0BE969@DSG1> Date: Wed, 7 Apr 1999 11:48:39 -0400 To: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au> From: Stephen Kent <kent@po1.bbn.com> Subject: RE: CA vs. EE cert processing Cc: ietf-pkix@imc.org Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Alan, I disagree. There is no obvious reason for this base standard to allow for this ambiguity. This is not a problem that is out of scope for the base standard. we agree, though, that adherence to the 2459 profile advoids ambiguity. The reason for this debate is that some folks felt the ambiguity was the fault of 2459, whereas the analysis shows it to be intrinsic in X.509. Thus no fix to 2459 will remove the ambiguity. steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id RAA04495 for ietf-pkix-bks; Wed, 7 Apr 1999 17:36:55 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id RAA04490 for <ietf-pkix@imc.org>; Wed, 7 Apr 1999 17:36:52 -0700 (PDT) Received: from [128.33.238.98] (TC098.BBN.COM [128.33.238.98]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id UAA24205; Wed, 7 Apr 1999 20:37:29 -0400 (EDT) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Message-Id: <v04020a07b3312f242ad0@[128.89.0.111]> In-Reply-To: <001c01be80b8$52da0430$020000c0@mega.vincent.se> Date: Wed, 7 Apr 1999 20:29:35 -0400 To: "Anders Rundgren" <anders.rundgren@jaybis.com> From: Stephen Kent <kent@po1.bbn.com> Subject: Re: A $25,000,000,000 PKI Was:Spec. on QC-low-fat & QC-heavy-bio Cc: "Stephen Kent" <kent@bbn.com>, "Stefan Santesson" <stefan@accurata.se>, <ietf-pkix@imc.org>, "'SEIS-List'" <list@seis.nc-forum.com> Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Anders, >Initially PKI was about certs and global X500 directories - Did not happen > >Now it is zillions of certs distributed in various ways - Slow deployment > >So I do really believe there is room for a "third wave" If the "third wave" does not match the PKIX model, you may wish to form a WG to produces standards suited specifically to it. The SPKI folks have made space available. Steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id RAA04488 for ietf-pkix-bks; Wed, 7 Apr 1999 17:36:41 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id RAA04484 for <ietf-pkix@imc.org>; Wed, 7 Apr 1999 17:36:39 -0700 (PDT) Received: from [128.33.238.98] (TC098.BBN.COM [128.33.238.98]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id UAA24183; Wed, 7 Apr 1999 20:37:17 -0400 (EDT) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Message-Id: <v04020a02b3311debd2da@[128.89.0.111]> In-Reply-To: <00b501be8087$962bdd70$020000c0@mega.vincent.se> Date: Wed, 7 Apr 1999 20:28:18 -0400 To: "Anders Rundgren" <anders.rundgren@jaybis.com> From: Stephen Kent <kent@po1.bbn.com> Subject: Re: A $25,000,000,000 PKI Was:Spec. on QC-low-fat & QC-heavy-bio Cc: "Stephen Kent" <kent@bbn.com>, <ietf-pkix@imc.org>, "'SEIS-List'" <list@seis.nc-forum.com> Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Anders, >> Nobody has a lot of experience with large >>scale deployment of PKIs in these contexts, so a statement about the >>relative difficulties of deployment of certs to end users vs. the approach >>you propose is premature. Insecure servers are a growing problem for >>businesses, so I also challange your second assertion. > >SET is an example of a large-scale PKI deployment that has _almost_ >flopped due to some of the factors that CyberPhone solves. Like: > >Certificate distribution >Thin client sw >Mobile universal usage I know a numnber of reasons why SET has not been accepted in the U.S., if that's the context you're citing, and they are largely independent of the issues you cite. For example, U.S. consumer protection laws make the advantages of SET over simple use of SSL and a credit card number unattractive to users. Since most online merchants can make a fair amount of money despite the security limitations (e.g., lack of origin non-repudaition) of the current paradigm, there is insufficient motivation for them to change to SET. Since most of the purchases over the web are done from PCs, the thin n client argument is not relevant. ><large snip> >>Finally, your proposal is clearly focused on one particular deployment >>model, which may or may not be realized. There are others, based on more >>computationally capable, mobile, personal devices, e.g., PDAs. > >Computationally capable devices do not solve >client certificate or client software distribution. Most of the client cert distribution problems I've had client discuss are not solved by your proposal, merely through centralization of certificate storage and by having a server act as a proxy for applying signatures. >The market for mobile phones is so much bigger than for other >devices (PDAs, PCs) etc. so IF this solution gets wide acceptance on >the mobile phone market - most other client PKI solutions MAY just die. >I.e. why pay additional money for certs, readers, software if your >employees already have a high-quality solution in their hands? All of our employees have computers, those who travel have laptops. Not all have cell phones. of the ones that do have cell phones, few would be capable opf making use of the certs you describe, i.e., not many are PCS phones. The solution you propose is definately NOT high quality. It is an effort to take advantage of devices with limited capabilities, and skew security design principles to accommodate these limitations. Such an approach might be commercially successful; as others have pointed out, convenience and good marketing often win out over other factors. But that doesn't mean we have to skew our standards to embrace such approaches. >BTW, why do you think MSFT is so interested in the mobile phone market? >Because it is there the future of IT is happening! Microsoft is interested in almost everything; after missing the Internet's initial surge they hedge their bets extensively, a luxury that comes from having so much money to play with. >> As I said >>before, you should pursue any implementation approach you think is >>fruitful, but don't ask this standards body to tailor parts of its work to >>facilitate your (decidely nont mainstream) approach to using certs. > >It COULD become mainstream... > >Now we both know pretty well where we stand in this case so >could please somebody else comment on this? I'm sure they will. Steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id QAA03819 for ietf-pkix-bks; Wed, 7 Apr 1999 16:27:35 -0700 (PDT) Received: from stargate.zergo.com.au (root@stargate.zergo.com.au [203.2.208.130]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id QAA03815 for <ietf-pkix@imc.org>; Wed, 7 Apr 1999 16:27:33 -0700 (PDT) Received: from michaelz (dhcp-64.ws.zergo.com.au [192.168.72.64]) by stargate.zergo.com.au (8.9.1/8.8.7) with SMTP id JAA29356; Thu, 8 Apr 1999 09:26:56 +1000 Received: by localhost with Microsoft MAPI; Thu, 8 Apr 1999 09:27:15 +1000 Message-ID: <01BE81A1.FD426FE0.mzolotarev@baltimore.com.au> From: Michael Zolotarev <mzolotarev@baltimore.com.au> Reply-To: "mzolotarev@baltimore.com.au" <mzolotarev@baltimore.com.au> To: "'Robert Zuccherato'" <robert.zuccherato@entrust.com>, "'Juan Luis Lopez'" <jluis@fnmt.es> Cc: "'ietf-pkix@imc.org'" <ietf-pkix@imc.org> Subject: RE: Time Stamp: tsa field in TSTInfo Date: Thu, 8 Apr 1999 09:27:12 +1000 Organization: Baltimore Pty Ltd X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> The core time stamp information can be used indirectly, as a field inside some third party WhateverService (WS) structure. Even (!) if this WS structure gets signed/ enveloped, the signer is not going to be the TSA. DCS as it stands now may serve as an example. So, having tsa inside the TSTInfo may come as a useful thing - the WS clients may still want to know the TimeStamp's origin. Michael Zolotarev Technical Architect Baltimore Technologies Limited (Australia) Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id OAA02863 for ietf-pkix-bks; Wed, 7 Apr 1999 14:57:10 -0700 (PDT) Received: from dsg1.OpenDirectory.com.au ([203.108.249.145]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id OAA02855 for <ietf-pkix@imc.org>; Wed, 7 Apr 1999 14:57:02 -0700 (PDT) Received: by DSG1 with Internet Mail Service (5.0.1458.49) id <22ZNQLV2>; Thu, 8 Apr 1999 07:57:29 +1000 Message-ID: <D1A949D4508DD1119C8100400533BEDC0DDB8A@DSG1> From: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au> To: "''Stephen Kent' '" <kent@bbn.com>, "'Tony Bartoletti '" <azb@llnl.gov> Cc: "'''ietf-pkix@imc.org ' ' '" <ietf-pkix@imc.org>, "'''list@seis.nc-forum.com ' ' '" <list@seis.nc-forum.com> Subject: RE: Certificates, Directories, and Distinguished Names Date: Thu, 8 Apr 1999 07:57:28 +1000 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Tony - not sure if I understand the thread or the last para. And dont get me wrong either re the value of PKIs. Having worked with directories for about 12 years and PKIs for 5 or so, for real operational business environments I appreciate the standards process, the profiling process and the need to deal with operational models which today must include a distributed and consistent information management capability. My line of comments try to address a major concern of the PKIX process is: that design anchors such as email addresses in certs, databases instead of distributed directory systems, inflexibility in PKI profiles because of theory, no recognition that business application (eg mobile phones, car tagging, banking, etc) needs to be dealt with in terms of its PKI approach differently and and the need to keep adding things in certs that are dynamic in the real world - makes the discussion critical to say the least. As said PKIX is trying to profile X.509.. I have been involved with the directory X.500 ISPs for a few years - and that effort was reduced to zero almost because the technology and products surfaced into the market place and started dealing with real businesses - and that trying to mandate/option protocol and information fields in tables in standards for all circumstances in global business is impossible. In addition trying to shoe horn one PKI/CA - key management profile/ cert processing design for all aspects of trusted transactions - which just happen to run over the internet, will also prove to be an impossible task. In addition - who will own the root level key for all this PKIX compliant stuff? As said PKIs will be built like directory services - for business domains and vertfical markets that provide EC services under the control of those who want to invest in such (PKI supported) services. regards alan ---------- From: Tony Bartoletti To: Alan Lloyd; 'Stephen Kent' Cc: ''ietf-pkix@imc.org ' '; ''list@seis.nc-forum.com ' ' Sent: 4/8/99 3:26:06 AM Subject: RE: Certificates, Directories, and Distinguished Names Just a General Observation: The "pack-it-in-the-cert"/"pack-it-in-a-directory" debate seems to parallel, in some ways, the recent thread on Anders' "CyberPhone" approach to outsourcing one's private-key handling. And "convenience," indeed, can only be ignored at one's peril (in a business model, at least:) Over all of this, I cannot help but be reminded of those who lived through the Great Depression, and to this day feel uncomfortable placing their money in banks. They will insist upon dealing in "cash", the kind they can stuff under their mattress, or bury in a steel box in the backyard. Foolish at it may seem to most, they insist upon being the final arbiters of their security/destiny, however ill-equipped to the task they may be. No amount of argument that, statistically, their money would be safer in a bank, or as bits-on-a-disk, will dissuade them. (And who knows, in the long run, if they will be wrong or right?) Must we promote a world so hostile to these individualists (they are many, if not majority) that they become shut-out of the future benefits that PKIs may afford? Is this concern not a silent undercurrent to many of these debates? ___tony___ Tony Bartoletti LL Center for Information Operations and Assurance LL LL Lawrence Livermore National Laboratory LL LL LL PO Box 808, L - 303 LL LL LL Livermore, CA 94551-9900 LL LL LLLLLLLL phone: 925-422-3881 fax: 925-423-8002 LL LLLLLLLL email: azb@llnl.gov LLLLLLLL Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id NAA01881 for ietf-pkix-bks; Wed, 7 Apr 1999 13:11:14 -0700 (PDT) Received: from prv-mail20.provo.novell.com (prv-mail20.Provo.Novell.COM [137.65.40.4]) by mail.proper.com (8.8.8/8.8.5) with SMTP id NAA01877 for <ietf-pkix@imc.org>; Wed, 7 Apr 1999 13:11:13 -0700 (PDT) Received: from INET-PRV-Message_Server by prv-mail20.provo.novell.com with Novell_GroupWise; Wed, 07 Apr 1999 14:11:06 -0600 Message-Id: <s70b677a.091@prv-mail20.provo.novell.com> X-Mailer: Novell GroupWise 5.5 Date: Wed, 07 Apr 1999 14:10:52 -0600 From: "Bob Jueneman" <BJUENEMAN@novell.com> To: <kent@bbn.com>, <azb@llnl.gov>, <Alan.Lloyd@OpenDirectory.com.au> Cc: <ietf-pkix@imc.org>, <list@seis.nc-forum.com> Subject: SEIS: RE: Certificates, Directories, and Distinguished Names Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id NAA01878 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Tony is right on with respect to the concerns that some individuals will have with respect to technology. When ATMs and direct deposit technology first emerged, it was the accountants and finance managers within some companies that were the most doubting Thomas's. Certainly as we get closer to Y2K, there are a fairly sizeable number of people who are buying gold and platinum double eagles rather than trusting a fractional deposit banking system, and who can say at this time whether they are right or wrong. I spend a fairly significant amount of my time engaging with various attorneys and legislators and debating the relative risk/benefit of PKI in general, and the risk of a compromise of Grandma's private key in particular, and I can testify that the is a large portion of the highly influential public that is not yet sold. Of course from my perspective they are straining at gnats and swallowing camels -- they are concerned that a virus could somehow compromise a private key, but at the same time they willing allow a typed document on a letterhead to serve as a legally binding signature, not to mention a faxed signature or simply a fax with an automatically inserted origination code on the top of the page. They will undoubtedly come around -- I remember with some shock the first time I went to a legal meeting and all of the attorneys had laptops and there were not legal pads in sight. But until that day comes, they are the folks that are writing the laws, not us, much as I try to play gadfly in that community. Bob >--- Message on the SEIS mailing list (list@seis.nc-forum.com) > >Just a General Observation: > >The "pack-it-in-the-cert"/"pack-it-in-a-directory" debate seems to >parallel, in some ways, the recent thread on Anders' "CyberPhone" >approach to outsourcing one's private-key handling. > >And "convenience," indeed, can only be ignored at one's peril (in >a business model, at least:) > >Over all of this, I cannot help but be reminded of those who lived >through the Great Depression, and to this day feel uncomfortable >placing their money in banks. They will insist upon dealing in >"cash", the kind they can stuff under their mattress, or bury in >a steel box in the backyard. Foolish at it may seem to most, they >insist upon being the final arbiters of their security/destiny, >however ill-equipped to the task they may be. > >No amount of argument that, statistically, their money would be >safer in a bank, or as bits-on-a-disk, will dissuade them. >(And who knows, in the long run, if they will be wrong or right?) > >Must we promote a world so hostile to these individualists (they >are many, if not majority) that they become shut-out of the future >benefits that PKIs may afford? > >Is this concern not a silent undercurrent to many of these debates? > >___tony___ > > > >Tony Bartoletti LL >Center for Information Operations and Assurance LL LL >Lawrence Livermore National Laboratory LL LL LL >PO Box 808, L - 303 LL LL LL >Livermore, CA 94551-9900 LL LL LLLLLLLL >phone: 925-422-3881 fax: 925-423-8002 LL LLLLLLLL >email: azb@llnl.gov LLLLLLLL > > >----------------- SEIS mailing list (list@seis.nc-forum.com) >Info about this list: http://www.nc-forum.com/seis >SEIS Contact: info@seis.se > Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id MAA01729 for ietf-pkix-bks; Wed, 7 Apr 1999 12:46:26 -0700 (PDT) Received: from smtp.udac.net (smtp.udac.net [193.44.79.123]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id MAA01725 for <ietf-pkix@imc.org>; Wed, 7 Apr 1999 12:46:24 -0700 (PDT) Received: from caesar.udac.se (caesar.udac.se [193.44.79.10]) by smtp.udac.net (8.9.1/8.9.1) with ESMTP id VAA18337 for <ietf-pkix@imc.org>; Wed, 7 Apr 1999 21:46:59 +0200 Received: from mega (t1o69p54.telia.com [62.20.144.54]) by caesar.udac.se (8.7.3/NetworkC-1) with SMTP id VAA111991; Wed, 7 Apr 1999 21:46:50 +0200 Message-ID: <004401be8137$81e47510$020000c0@mega.vincent.se> From: "Anders Rundgren" <anders.rundgren@jaybis.com> To: "Stefan Santesson" <stefan@accurata.se> Cc: <ietf-pkix@imc.org>, "'SEIS-List'" <list@seis.nc-forum.com> Subject: Re: A $25,000,000,000 PKI Was:Spec. on QC-low-fat & QC-heavy-bio Date: Wed, 7 Apr 1999 21:45:00 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.2106.4 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id MAA01726 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Is this a battle between two Swedes only? Come on guys! Stefan, my original spec on the low-fat/heavy-bio, did never got a reaction. <snip> >The thing that interests me is who have the exclusive right to use the key, >and that this right is protected. Agreed, except that I don't see why such a right should/must be exclusive. >>2) I think that the thin client solution has more with sw distribution which >>is a true bottleneck recognized by most of the IT-industry > >You are solving yesterdays problems. > >The problem with exporting client software is a general problem which a >whole industry is working on. Java is one step along the line and we will >see more and better solutions. In a world where bandwidth are increasing we >will se more of "download what you need, when you need it" type of >approaches. You are almost right. Security-critical sw developed by several different companies requires signed code that you must trust. This complicates things considerably. My approach does probably (not 100% sure here since CyberPhone is currently only a glossy broschyre) NOT require download of security-code from independent sources as it is a "Generic Security Platform". >This does not require the private keys to be used within a server. This is definitely another question and I would say (while taking on my marketing hat) that CyberPhone is a "thin PKI" (new sexy term born this very second) solution that could solve even harder problems than the "thin client" did. > But I'll never like as a general tradeoff that private keys MUST be operated by >the server. They don't. Only in the case they belong to a server-based resource like a SET account, OBI purchaser <snip> >>So I do really believe there is room for a "third wave" >Yes there are, but is surely won't be private key servers. >However, a layered structure with a few long lived general certificates >(QC) that support a large number of specialized short lived certificates, >may very well be part of that "third wave". Hum, another IETF-Swede said in another mailing-list that the need for a static indentity (like an SSN) in a cert is not at all required to maintain a long-lasting certificate-based relationship in a convenient way. I asked him if for a high-level spec. on how he thought that that would work. He never did it. I feel the same thing for your suggestion. How? Please... If you take my "Dynamic Certificates" paper and try to cast that into conventional PKI you will end up in misery. Misery = twice the cost, twice the PITA. and a big chance to be bypassed by other solutions. Anders Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id KAA00389 for ietf-pkix-bks; Wed, 7 Apr 1999 10:26:30 -0700 (PDT) Received: from poptop.llnl.gov (poptop.llnl.gov [128.115.18.65]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id KAA00384 for <ietf-pkix@imc.org>; Wed, 7 Apr 1999 10:26:29 -0700 (PDT) Received: from catalyst (catalyst.llnl.gov [128.115.223.10]) by poptop.llnl.gov (8.8.8/LLNL-3.0.2/pop.llnl.gov-5.1) with SMTP id KAA15892; Wed, 7 Apr 1999 10:26:35 -0700 (PDT) Message-Id: <3.0.3.32.19990407102606.00ac2920@poptop.llnl.gov> X-Sender: e048786@poptop.llnl.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Wed, 07 Apr 1999 10:26:06 -0700 To: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au>, "'Stephen Kent'" <kent@bbn.com> From: Tony Bartoletti <azb@llnl.gov> Subject: RE: Certificates, Directories, and Distinguished Names Cc: "''ietf-pkix@imc.org ' '" <ietf-pkix@imc.org>, "''list@seis.nc-forum.com ' '" <list@seis.nc-forum.com> In-Reply-To: <D1A949D4508DD1119C8100400533BEDC0BE968@DSG1> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Just a General Observation: The "pack-it-in-the-cert"/"pack-it-in-a-directory" debate seems to parallel, in some ways, the recent thread on Anders' "CyberPhone" approach to outsourcing one's private-key handling. And "convenience," indeed, can only be ignored at one's peril (in a business model, at least:) Over all of this, I cannot help but be reminded of those who lived through the Great Depression, and to this day feel uncomfortable placing their money in banks. They will insist upon dealing in "cash", the kind they can stuff under their mattress, or bury in a steel box in the backyard. Foolish at it may seem to most, they insist upon being the final arbiters of their security/destiny, however ill-equipped to the task they may be. No amount of argument that, statistically, their money would be safer in a bank, or as bits-on-a-disk, will dissuade them. (And who knows, in the long run, if they will be wrong or right?) Must we promote a world so hostile to these individualists (they are many, if not majority) that they become shut-out of the future benefits that PKIs may afford? Is this concern not a silent undercurrent to many of these debates? ___tony___ Tony Bartoletti LL Center for Information Operations and Assurance LL LL Lawrence Livermore National Laboratory LL LL LL PO Box 808, L - 303 LL LL LL Livermore, CA 94551-9900 LL LL LLLLLLLL phone: 925-422-3881 fax: 925-423-8002 LL LLLLLLLL email: azb@llnl.gov LLLLLLLL Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id KAA00193 for ietf-pkix-bks; Wed, 7 Apr 1999 10:13:52 -0700 (PDT) Received: from edelweb.fr (edelweb.fr [193.51.12.16]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id KAA00189 for <ietf-pkix@imc.org>; Wed, 7 Apr 1999 10:13:50 -0700 (PDT) Received: from champagne.edelweb.fr (localhost.edelweb.fr [127.0.0.1]) by edelweb.fr with ESMTP id TAA02331; Wed, 7 Apr 1999 19:14:32 +0200 (MET DST) Received: from champagne.edelweb.fr (champagne.edelweb.fr [193.51.14.161]) by edelweb.fr (nospam/1.1); Wed, 7 Apr 1999 19:14:32 +0200 (MET DST) Received: from emeriau.edelweb.fr (emeriau.edelweb.fr [193.51.14.5]) by champagne.edelweb.fr (8.6.10/8.6.6) with ESMTP id TAA11002; Wed, 7 Apr 1999 19:14:31 +0200 From: Peter Sylvester <Peter.Sylvester@edelweb.fr> Received: (sylvest@localhost) by emeriau.edelweb.fr (8.6.10/8.6.6) id TAA04926; Wed, 7 Apr 1999 19:14:30 +0200 Date: Wed, 7 Apr 1999 19:14:30 +0200 Message-Id: <199904071714.TAA04926@emeriau.edelweb.fr> To: ietf-pkix@imc.org, jluis@fnmt.es, robert.zuccherato@entrust.com Subject: RE: Time Stamp: tsa field in TSTInfo Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> > > Actually, I believe that when using CMS only the content (in this case > TSTInfo) is signed along with any authenticated attributes. Thus, the > distinguishing information for the TSA would not be signed if it was not > included within the TSTInfo structure. If the TST provider want to surely indicate its identity, one can use an ess signing certificate attribute. This seems preferable to me (if the tendancy is avoid to reinvent things). The ess stuff was probably not avaiable at the time when the tst draft was written for the first time. > > Robert. > > > ---------- > > From: Juan Luis López[SMTP:jluis@fnmt.es] > > Sent: Wednesday, April 07, 1999 5:25 AM > > To: pkix > > Subject: Time Stamp: tsa field in TSTInfo > > > > Hi everybody! > > > > I am involved in a Time Stamping project and we are analysing the PKIX > > draft about this subject. > > > > I would like to give my opinion on an issue to the list: > > It seems not appropriate to include a field in TSTInfo structure > > related to the tsa identity, i.e. tsa field. I don't find this field > > necessary because it is repeated when using a CMS or PKCS#7 envelope to > > encapsulate the token information. This information would be redundant > > since an identifier distinguishing the given tsa should be present in the > > signerInfo structure. > > > > So, I recommend the deletion of this field. > > > > Regards, > > Juan Luis López > > > > > > > > -------------------------------------------------------------------------- > > ----------- > > Juan Luis López < > > jluis@fnmt.es> > > Project Engineer > > http://www.fnmt.es/pkits > > Fábrica Nacional de Moneda y Timbre tel: [+34] 91 506 48 40 > > C/ Juan de Mariana, 17 fax: [+34] 91 506 > > 48 51 > > E-28045 Madrid, SPAIN > > > Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id JAA29721 for ietf-pkix-bks; Wed, 7 Apr 1999 09:25:43 -0700 (PDT) Received: from mail-out2.apple.com (mail-out2.apple.com [17.254.0.51]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id JAA29717 for <ietf-pkix@imc.org>; Wed, 7 Apr 1999 09:25:43 -0700 (PDT) Received: from mailgate1.apple.com (A17-128-100-225.apple.com [17.128.100.225]) by mail-out2.apple.com (8.8.5/8.8.5) with ESMTP id JAA16368 for <ietf-pkix@imc.org>; Wed, 7 Apr 1999 09:17:55 -0700 Received: from scv1.apple.com (scv1.apple.com) by mailgate1.apple.com (mailgate1.apple.com- SMTPRS 2.0.15) with ESMTP id <B0005953568@mailgate1.apple.com>; Wed, 07 Apr 1999 09:17:45 -0700 Received: from [17.205.41.166] (aram1.apple.com [17.205.41.166]) by scv1.apple.com (8.9.3/8.9.3) with ESMTP id JAA07970; Wed, 7 Apr 1999 09:17:44 -0700 Message-Id: <199904071617.JAA07970@scv1.apple.com> X-Mailer: Microsoft Outlook Express Macintosh Edition - 4.5 (0410) Date: Wed, 07 Apr 1999 09:17:44 -0700 Subject: Re: CA vs. EE cert processing From: "Aram Perez" <aram@apple.com> To: John_Wray@iris.com, Stephen Kent <kent@bbn.com> Cc: ietf-pkix@imc.org MIME-Version: 1.0 X-Priority: 3 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> My two cents: I agree with John. Given that RFC2459 is not a "standard" yet and thus no standard-compliant software exists out there, we should "fix" RFC2459 to do the right thing for existing legacy software, and the new RFC2459 compliant software. Aram Perez Apple Computer, Inc. > > > Steve writes: > >>This memo examines certificate processing with regard to determining >>whether a certificate is associated with a CA or an EE, to determine where >>the ambiguity lies and thus help clarify this discussion. Upon further >>analysis I discovered that the issue is more complex that I originally >>realized, and so my simple algorithm was oversimplified. However the >>suggestions put forth so far (as best I recall) also seem to miss the >>point, as explained below. >> >>First question: is this a v1 certificate or a v3 certificate? >> ... >> >>Second question: is there a basicConstraints extension present in the >>certificate? If not, then according to RFC 2459 this must be an EE cert, >>since CA certs MUST contain this extension. But, according to X.509, if > the >>constraint is absent (or present but marked non-critical and not > understood >>by the implementation), then it is up to the implementation to use other >>means of determining if the certificate is for a CA or an EE. At this >>point we have ambiguity, based on examining only the presence or absence > of >>this constraint in a v3 cert. X.509 does not specify what else should be >>done. So, not knowing if the certificate was issued by an RFC 2459 >>compliant CA, or an X.509 compliant CA, we have to go to "Plan B." Note >>that nothing we change in RFC 2459 can fix this problem as the ambiguity > is >>traceable to X.509. > > There are two parts to "this ambiguity". The one as stated where a PKIX > verifier encounters a certificate without a basicConstraints extension, and > another one where a non-PKIX verifier encounters such a certificate. > Leaving > the first one aside for the moment, PKIX would be a better player in the > broader X.509 world if it chose not to generate certificates that are > ambiguous to such a world. > >>If we have a basicConstraints extension, [then everything's fine - >>no ambiguity (JCW)]. >> >>Plan B: We are here because we have a v3 certificate with no >>basicConstraints extension and because we don't know if the CA that issued >>the certificate was operating in compliance with either 2459 or X.509. We >>now have to examine other fields of the certificate, or have some out of >>band mechanism to help. X.509 provides no guidance on how to do this, >>which leaves implementers wondering. RFC 2459 provides no guidance > because >>a CA complying with the RFC would not have this problem. >> >>So, how can we remove this residual ambiguity? Well, it can't be removed >>by a change only to RFC 2459, because that standard is not the source of >>the ambiguity. If one were to change X.509, to require that a compliant > CA >>include the basicConstraints extension (critical or not), when a >>certificate was issued to a CA, then the ambiguity would be removed at its >>source. If this change were made to X.509, no change to 2459 would be >>required. Specifically, changing 2459 to call for inclusion of this >>constraint for EE certificates (either as a SHOULD or MUST) would not >>address the ambiguity encountered above. > > On the contrary, changing RFC 2459 to require the inclusion of the > basicConstraints extension on all certificates would help alleviate this > ambiguity, and in some cases could completely address it. As you have > pointed out, there is only an ambiguity when processing a certificate > without a basicConstraints extension. By constraining PKIX to avoid > generating such certificates, we would avoid any confusion in > certificates generated by PKIX systems, whether or not the verifier > is PKIX-compliant, and more importantly whether or not the verifier > knows that the issuing system was PKIX-compliant. > > If RFC2459 were modified to require the extension, then it would > be permissible for a verifier to make its own decisions about how > to handle an ambiguous certificate (one without a basicConstraints > extension). Reasonable options might include rejecting the > certificate, asking for user guidance, or applying site-specific > policy to determine how to treat it. The way RFC2459 is currently > written, a PKIX verifier doesn't have these options - it must treat > such a certificate as an EE certificate, whether or not that's the > right thing to do (i.e. whether or not the issuing CA meant the > certificate to be an EE or a CA cert). > >>Some have suggested that we should consider changes to 2459 to help >>alleviate problems resulting from CAs that do not comply with 2459. The >>above analysis suggests that if the source of the certificate is an X.509 >>compliant CA, the solution lies with a change to X.509. If the CA is not >>assumed to comply with either 2459 or X.509, I do not see how fixing > either >>2459 or X.509 could possible help. > > The PKIX working group doesn't have the ability to change X.509; we > only have control of the PKIX specs. A change to RFC 2459 would allow > us to avoid stumbling into into this ambiguity in X.509, with the result > that: > > i) PKIX certificates would not be ambiguous to an X.509 verifier, > > and ii) PKIX verifiers would be able to distinguish ambiguous non-PKIX > certs > from unambiguous certs, without having to know whether the certificate > issuer was PKIX-compliant. > > > John > > Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id JAA29613 for ietf-pkix-bks; Wed, 7 Apr 1999 09:10:41 -0700 (PDT) Received: from gatekeeper.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by mail.proper.com (8.8.8/8.8.5) with SMTP id JAA29609 for <ietf-pkix@imc.org>; Wed, 7 Apr 1999 09:10:40 -0700 (PDT) Received: id MAA10392; Wed, 7 Apr 1999 12:07:48 -0400 Received: by gateway id <G4CAZWL2>; Wed, 7 Apr 1999 12:10:08 -0400 Message-ID: <01E1D01C12D7D211AFC70090273D20B112BD84@sothmxs06> From: Robert Zuccherato <robert.zuccherato@entrust.com> To: ietf-pkix@imc.org, "'Juan G. de la Vega'" <jgonzalez@fnmt.es> Subject: RE: Time Stamping: comments on nonce field Date: Wed, 7 Apr 1999 12:04:13 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id JAA29610 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> My comments are below: > ---------- > From: Juan G. de la Vega[SMTP:jgonzalez@fnmt.es] > Sent: Wednesday, April 07, 1999 5:39 AM > To: ietf-pkix@imc.org > Subject: Time Stamping: comments on nonce field > > First of all, the declaration of this field in the request and > token is somehow incoherent, while the nonce is mandatory in TimeStapReq > (it is not declared OPTIONAL), the TimeStampToken´s nonce is OPTIONAL but > it is stated that "...must be present if the similar field in TimeStampReq > is present..." and hence the clause OPTIONAL is meaningless and confusing > for this field shall always be present. > As I have said in the past, this was a mistake that I made because I did not manage to fully include support for TSA production of a "signed time". This would be a token which does not include a nonce or message imprint. TSA's could produce these tokens and make them available (for example on a website) for anyone who wants to obtain them. This will be rectified in the upcoming draft. > I would suggest this field to be declared OPTIONAL both in the request and > token or better deleted if we take into account the following: > > As far as I understand, a nonce value is present in the request and > token in order for the requester to be able to match the responses from > the TSA with her requests when using an asynchronous transport. It can be > argued that such functionality should be left to the transport layer when > required, but furthermore I must say that the nonce is not necessary since > matching can be performed using the "messageImprint" field. > Actually, the reason that the nonce is there and mandatory is to prevent replay attacks. Someone else could have obtained a time stamp on the data before your request. Thus, it is possible that the time stamp you received is not "fresh". Without a nonce, determining the freshness of the timestamp is difficult. Robert. Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id IAA29468 for ietf-pkix-bks; Wed, 7 Apr 1999 08:51:30 -0700 (PDT) Received: from gatekeeper.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by mail.proper.com (8.8.8/8.8.5) with SMTP id IAA29464 for <ietf-pkix@imc.org>; Wed, 7 Apr 1999 08:51:28 -0700 (PDT) Received: id LAA00151; Wed, 7 Apr 1999 11:48:23 -0400 Received: by gateway id <G4CAZWGX>; Wed, 7 Apr 1999 11:50:43 -0400 Message-ID: <01E1D01C12D7D211AFC70090273D20B112BD82@sothmxs06> From: Robert Zuccherato <robert.zuccherato@entrust.com> To: pkix <ietf-pkix@imc.org>, =?iso-8859-1?Q?=27Juan_Luis_L=F3pez=27?= <jluis@fnmt.es> Subject: RE: Time Stamp: tsa field in TSTInfo Date: Wed, 7 Apr 1999 11:44:48 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id IAA29465 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Actually, I believe that when using CMS only the content (in this case TSTInfo) is signed along with any authenticated attributes. Thus, the distinguishing information for the TSA would not be signed if it was not included within the TSTInfo structure. Robert. > ---------- > From: Juan Luis López[SMTP:jluis@fnmt.es] > Sent: Wednesday, April 07, 1999 5:25 AM > To: pkix > Subject: Time Stamp: tsa field in TSTInfo > > Hi everybody! > > I am involved in a Time Stamping project and we are analysing the PKIX > draft about this subject. > > I would like to give my opinion on an issue to the list: > It seems not appropriate to include a field in TSTInfo structure > related to the tsa identity, i.e. tsa field. I don't find this field > necessary because it is repeated when using a CMS or PKCS#7 envelope to > encapsulate the token information. This information would be redundant > since an identifier distinguishing the given tsa should be present in the > signerInfo structure. > > So, I recommend the deletion of this field. > > Regards, > Juan Luis López > > > > -------------------------------------------------------------------------- > ----------- > Juan Luis López < > jluis@fnmt.es> > Project Engineer > http://www.fnmt.es/pkits > Fábrica Nacional de Moneda y Timbre tel: [+34] 91 506 48 40 > C/ Juan de Mariana, 17 fax: [+34] 91 506 > 48 51 > E-28045 Madrid, SPAIN > Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id HAA28938 for ietf-pkix-bks; Wed, 7 Apr 1999 07:48:30 -0700 (PDT) Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id HAA28932 for <ietf-pkix@imc.org>; Wed, 7 Apr 1999 07:48:29 -0700 (PDT) Received: from stingray.missi.ncsc.mil (root@localhost) by stingray.missi.ncsc.mil with ESMTP id KAA17552 for <ietf-pkix@imc.org>; Wed, 7 Apr 1999 10:49:11 -0400 (EDT) Received: from missi.ncsc.mil (depot.missi.ncsc.mil [144.51.60.1]) by stingray.missi.ncsc.mil with ESMTP id KAA17548 for <ietf-pkix@imc.org>; Wed, 7 Apr 1999 10:49:11 -0400 (EDT) Received: from ara.missi.ncsc.mil (ara.missi.ncsc.mil [144.51.56.12]) by missi.ncsc.mil (8.8.8/8.8.8) with ESMTP id KAA18603 for <ietf-pkix@imc.org>; Wed, 7 Apr 1999 10:47:42 -0400 (EDT) Received: from ara.missi.ncsc.mil (ara.missi.ncsc.mil [144.51.56.12]) by ara.missi.ncsc.mil (8.9.1b+Sun/8.9.1) with SMTP id KAA01212 for <ietf-pkix@imc.org>; Wed, 7 Apr 1999 10:48:49 -0400 (EDT) Message-Id: <199904071448.KAA01212@ara.missi.ncsc.mil> Date: Wed, 7 Apr 1999 10:48:49 -0400 (EDT) From: "David P. Kemp" <dpkemp@missi.ncsc.mil> Reply-To: "David P. Kemp" <dpkemp@missi.ncsc.mil> Subject: Re: CA vs. EE cert processing To: ietf-pkix@imc.org MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii Content-MD5: SzZkhah/IKEF5AxoL9RtBw== X-Mailer: dtmail 1.3.0 CDE Version 1.3 SunOS 5.7 sun4u sparc Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> > From: John_Wray@iris.com > > The PKIX working group doesn't have the ability to change X.509; we > only have control of the PKIX specs. A change to RFC 2459 would allow > us to avoid stumbling into into this ambiguity in X.509, with the result > that: > > i) PKIX certificates would not be ambiguous to an X.509 verifier, > > and ii) PKIX verifiers would be able to distinguish ambiguous non-PKIX > certs > from unambiguous certs, without having to know whether the certificate > issuer was PKIX-compliant. The ITU has the ability to change X.509; this ambiguity should qualify for treatment as a defect, if someone takes it upon themselves to generate a DR. You are correct that requiring the extension in EE certs would eliminate the ambiguity. But so would any one of: * correcting the incompletely-specified X.509 / ISO 9594-8 * providing for manual intervention in user agents * including the Key Usage extension in EE certs * choosing to include the Basic Constraints extension in EE certs - PKIX does not prohibit that practice, just discourages it. Changing PKIX from SHOULD NOT to SHOULD would not help - the ambiguity would remain. And changing it to MUST would suddenly bring all previously conforming EE certs into non-conformance, as well as forcing the inclusion of redundant information in newly-issued certs. The right answer is to fix X.509 to require the basic constraints extension in CA certs. It already requires the version number to be present in v3 certs; certs with the version number omitted unambiguously default to v1. Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id GAA28327 for ietf-pkix-bks; Wed, 7 Apr 1999 06:37:11 -0700 (PDT) Received: from epic.iris.com (epic.iris.com [198.112.211.21]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id GAA28321 for <ietf-pkix@imc.org>; Wed, 7 Apr 1999 06:37:07 -0700 (PDT) From: John_Wray@iris.com Subject: Re: CA vs. EE cert processing To: Stephen Kent <kent@bbn.com> Cc: ietf-pkix@imc.org Date: Wed, 07 Apr 1999 13:38:19 GMT Message-ID: <OFF4961D1D.2995D9E0-ON8525674C.0046B92C@iris.com> X-Priority: 3 (Normal) X-MIMETrack: Serialize by Router on Epic/Iris(Daily Build (based on 166.1)|Apr 6 1999) at 04/07/99 09:40:08 AM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Steve writes: >This memo examines certificate processing with regard to determining >whether a certificate is associated with a CA or an EE, to determine where >the ambiguity lies and thus help clarify this discussion. Upon further >analysis I discovered that the issue is more complex that I originally >realized, and so my simple algorithm was oversimplified. However the >suggestions put forth so far (as best I recall) also seem to miss the >point, as explained below. > >First question: is this a v1 certificate or a v3 certificate? > ... > >Second question: is there a basicConstraints extension present in the >certificate? If not, then according to RFC 2459 this must be an EE cert, >since CA certs MUST contain this extension. But, according to X.509, if the >constraint is absent (or present but marked non-critical and not understood >by the implementation), then it is up to the implementation to use other >means of determining if the certificate is for a CA or an EE. At this >point we have ambiguity, based on examining only the presence or absence of >this constraint in a v3 cert. X.509 does not specify what else should be >done. So, not knowing if the certificate was issued by an RFC 2459 >compliant CA, or an X.509 compliant CA, we have to go to "Plan B." Note >that nothing we change in RFC 2459 can fix this problem as the ambiguity is >traceable to X.509. There are two parts to "this ambiguity". The one as stated where a PKIX verifier encounters a certificate without a basicConstraints extension, and another one where a non-PKIX verifier encounters such a certificate. Leaving the first one aside for the moment, PKIX would be a better player in the broader X.509 world if it chose not to generate certificates that are ambiguous to such a world. >If we have a basicConstraints extension, [then everything's fine - >no ambiguity (JCW)]. > >Plan B: We are here because we have a v3 certificate with no >basicConstraints extension and because we don't know if the CA that issued >the certificate was operating in compliance with either 2459 or X.509. We >now have to examine other fields of the certificate, or have some out of >band mechanism to help. X.509 provides no guidance on how to do this, >which leaves implementers wondering. RFC 2459 provides no guidance because >a CA complying with the RFC would not have this problem. > >So, how can we remove this residual ambiguity? Well, it can't be removed >by a change only to RFC 2459, because that standard is not the source of >the ambiguity. If one were to change X.509, to require that a compliant CA >include the basicConstraints extension (critical or not), when a >certificate was issued to a CA, then the ambiguity would be removed at its >source. If this change were made to X.509, no change to 2459 would be >required. Specifically, changing 2459 to call for inclusion of this >constraint for EE certificates (either as a SHOULD or MUST) would not >address the ambiguity encountered above. On the contrary, changing RFC 2459 to require the inclusion of the basicConstraints extension on all certificates would help alleviate this ambiguity, and in some cases could completely address it. As you have pointed out, there is only an ambiguity when processing a certificate without a basicConstraints extension. By constraining PKIX to avoid generating such certificates, we would avoid any confusion in certificates generated by PKIX systems, whether or not the verifier is PKIX-compliant, and more importantly whether or not the verifier knows that the issuing system was PKIX-compliant. If RFC2459 were modified to require the extension, then it would be permissible for a verifier to make its own decisions about how to handle an ambiguous certificate (one without a basicConstraints extension). Reasonable options might include rejecting the certificate, asking for user guidance, or applying site-specific policy to determine how to treat it. The way RFC2459 is currently written, a PKIX verifier doesn't have these options - it must treat such a certificate as an EE certificate, whether or not that's the right thing to do (i.e. whether or not the issuing CA meant the certificate to be an EE or a CA cert). >Some have suggested that we should consider changes to 2459 to help >alleviate problems resulting from CAs that do not comply with 2459. The >above analysis suggests that if the source of the certificate is an X.509 >compliant CA, the solution lies with a change to X.509. If the CA is not >assumed to comply with either 2459 or X.509, I do not see how fixing either >2459 or X.509 could possible help. The PKIX working group doesn't have the ability to change X.509; we only have control of the PKIX specs. A change to RFC 2459 would allow us to avoid stumbling into into this ambiguity in X.509, with the result that: i) PKIX certificates would not be ambiguous to an X.509 verifier, and ii) PKIX verifiers would be able to distinguish ambiguous non-PKIX certs from unambiguous certs, without having to know whether the certificate issuer was PKIX-compliant. John Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id CAA23249 for ietf-pkix-bks; Wed, 7 Apr 1999 02:41:05 -0700 (PDT) Received: from www.fnmt.es (www.fnmt.es [194.224.27.14]) by mail.proper.com (8.8.8/8.8.5) with SMTP id CAA23245 for <ietf-pkix@imc.org>; Wed, 7 Apr 1999 02:41:03 -0700 (PDT) Received: from dnsp.epc.fnmt.es (dnsp.epc.fnmt.es [193.149.3.17]) by www.fnmt.es (NTMail 3.02.13) with ESMTP id va023239 for <ietf-pkix@imc.org>; Wed, 7 Apr 1999 11:36:49 +0100 Message-ID: <008201be80da$81bb1560$b001a8c0@dc-07.ceres.fnmt.es> From: "Juan G. de la Vega" <jgonzalez@fnmt.es> To: <ietf-pkix@imc.org> Subject: Time Stamping: comments on nonce field Date: Wed, 7 Apr 1999 11:39:04 +0200 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_007F_01BE80EB.3CE282A0" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This is a multi-part message in MIME format. ------=_NextPart_000_007F_01BE80EB.3CE282A0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Hi PKIX-ers, =20 I have some comments on Time Stamping protocols regarding "nonce" = field: =20 First of all, the declaration of this field in the request and = token is somehow incoherent, while the nonce is mandatory in TimeStapReq = (it is not declared OPTIONAL), the TimeStampToken=B4s nonce is OPTIONAL = but it is stated that "...must be present if the similar field in = TimeStampReq is present..." and hence the clause OPTIONAL is meaningless = and confusing for this field shall always be present. I would suggest = this field to be declared OPTIONAL both in the request and token or = better deleted if we take into account the following: =20 As far as I understand, a nonce value is present in the request and = token in order for the requester to be able to match the responses from = the TSA with her requests when using an asynchronous transport. It can = be argued that such functionality should be left to the transport layer = when required, but furthermore I must say that the nonce is not = necessary since matching can be performed using the "messageImprint" = field. The only justification at hand to defend the "nonce" is when asking = a TSA "What time it is" (not including messageImprints field), and in = order to defeat replay attacks in this case... Anyway, this use of a TSA = steps aside from "providing a proof-of-existence for a particular = message in an instant in time" and personally don't like it; I would = call that a STS (secure time source) (i.e.: authenticated NTP) and would = not force TS protocols modifications for that use. =20 Regards, =20 Juan. ____________________________________________ Juan Gonz=E1lez-de-la-Vega Software Engineer E-mail: <jgonzalez@fnmt.es> FNMT - F=E1brica Nacional de Moneda y Timbre Phone: +34 (91) 506 48 40. Fax: +34 (91) 506 48 59 ------=_NextPart_000_007F_01BE80EB.3CE282A0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD W3 HTML//EN"> <HTML> <HEAD> <META content=3Dtext/html;charset=3Diso-8859-1 = http-equiv=3DContent-Type> <META content=3D'"MSHTML 4.72.3110.7"' name=3DGENERATOR> </HEAD> <BODY bgColor=3D#ffffff> <DIV> <DIV><FONT size=3D2>Hi PKIX-ers,</FONT></DIV> <DIV><FONT size=3D2></FONT> </DIV> <DIV><FONT size=3D2> I have some comments on Time = Stamping=20 protocols regarding</FONT><FONT size=3D2> "nonce" = field:</FONT></DIV> <DIV><FONT size=3D2></FONT> </DIV> <DIV><FONT size=3D2> First of = all, the=20 declaration of this field in the request and token is somehow = incoherent, while=20 the nonce is mandatory in TimeStapReq (it is not declared OPTIONAL), the = TimeStampToken´s nonce is OPTIONAL but it is stated that = "...must be=20 present if the similar field in TimeStampReq is present..." and = hence the=20 clause OPTIONAL is meaningless and confusing for this field shall always = be=20 present. I would suggest this field to be declared OPTIONAL both in the = request=20 and token or better deleted if we take into account the = following:</FONT></DIV> <DIV><FONT size=3D2></FONT> </DIV> <DIV><FONT size=3D2> As far as I understand, a nonce = value is=20 present in the request and token in order for the requester to be able = to match=20 the responses from the TSA with her requests when using an asynchronous=20 transport. It can be argued that such functionality should be left to = the=20 transport layer when required, but furthermore I must say that the nonce = is not=20 necessary since matching can be performed using the = "messageImprint"=20 field.</FONT></DIV> <DIV><FONT size=3D2> The only justification at hand to = defend=20 the "nonce" is when asking a TSA "What time it is" = (not=20 including messageImprints field), and in order to defeat replay attacks = in this=20 case... Anyway, this use of a TSA steps aside from "providing a=20 proof-of-existence for a particular message in an instant in time" = and=20 personally don't like it; I would call that a STS (secure time source) = (i.e.:=20 authenticated NTP) and would not force TS protocols modifications for = that=20 use.</FONT></DIV> <DIV><FONT size=3D2></FONT> </DIV> <DIV><FONT size=3D2> Regards,</FONT></DIV> <DIV><FONT size=3D2></FONT> </DIV> <DIV><FONT size=3D2> Juan.</FONT></DIV></DIV> <DIV><FONT color=3D#000000=20 size=3D2>____________________________________________<BR>Juan=20 González-de-la-Vega<BR>Software Engineer<BR>E-mail: <<A=20 href=3D"mailto:jgonzalez@fnmt.es">jgonzalez@fnmt.es</A>><BR>FNMT -=20 Fábrica Nacional de Moneda y Timbre<BR>Phone: +34 (91) 506 48 = 40.<BR>Fax:=20 +34 (91) 506 48 59</FONT></DIV></BODY></HTML> ------=_NextPart_000_007F_01BE80EB.3CE282A0-- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id CAA23120 for ietf-pkix-bks; Wed, 7 Apr 1999 02:27:05 -0700 (PDT) Received: from www.fnmt.es (www.fnmt.es [194.224.27.14]) by mail.proper.com (8.8.8/8.8.5) with SMTP id CAA23115 for <ietf-pkix@imc.org>; Wed, 7 Apr 1999 02:27:03 -0700 (PDT) Received: from dnsp.epc.fnmt.es (dnsp.epc.fnmt.es [193.149.3.17]) by www.fnmt.es (NTMail 3.02.13) with ESMTP id ra023235 for <ietf-pkix@imc.org>; Wed, 7 Apr 1999 11:22:43 +0100 Message-ID: <01d201be80d8$b28e15e0$d801a8c0@dc-10.ceres.fnmt.es> From: "=?iso-8859-1?Q?Juan_Luis_L=F3pez?=" <jluis@fnmt.es> To: "pkix" <ietf-pkix@imc.org> Subject: Time Stamp: tsa field in TSTInfo Date: Wed, 7 Apr 1999 11:25:54 +0200 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_01CF_01BE80E9.66146320" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This is a multi-part message in MIME format. ------=_NextPart_000_01CF_01BE80E9.66146320 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Hi everybody! =20 I am involved in a Time Stamping project and we are analysing the = PKIX draft about this subject. =20 I would like to give my opinion on an issue to the list: It seems not appropriate to include a field in TSTInfo structure = related to the tsa identity, i.e. tsa field. I don't find this field = necessary because it is repeated when using a CMS or PKCS#7 envelope to = encapsulate the token information. This information would be redundant = since an identifier distinguishing the given tsa should be present in = the signerInfo structure. =20 So, I recommend the deletion of this field. =20 Regards, Juan Luis L=F3pez =20 = -------------------------------------------------------------------------= ------------ Juan Luis L=F3pez = <jluis@fnmt.es> Project Engineer = http://www.fnmt.es/pkits F=E1brica Nacional de Moneda y Timbre tel: [+34] 91 506 48 = 40 C/ Juan de Mariana, 17 fax: [+34] 91 = 506 48 51 E-28045 Madrid, SPAIN =20 ------=_NextPart_000_01CF_01BE80E9.66146320 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD W3 HTML//EN"> <HTML> <HEAD> <META content=3Dtext/html;charset=3Diso-8859-1 = http-equiv=3DContent-Type><!DOCTYPE HTML PUBLIC "-//W3C//DTD W3 = HTML//EN"> <META content=3D'"MSHTML 4.72.3110.7"' name=3DGENERATOR> </HEAD> <BODY bgColor=3D#ffffff> <DIV> <DIV><FONT color=3D#000000 size=3D2> <FONT = color=3D#000000>Hi=20 everybody!</FONT></FONT></DIV> <DIV><FONT color=3D#000000 size=3D2><FONT = color=3D#000000></FONT></FONT> </DIV> <DIV><FONT color=3D#000000 size=3D2> I am involved in = a Time=20 Stamping project and we are analysing the PKIX draft about this=20 subject.</FONT></DIV> <DIV><FONT color=3D#000000 size=3D2></FONT> </DIV> <DIV><FONT color=3D#000000 size=3D2> I would like to = give my=20 opinion on an issue to the list:</FONT></DIV> <DIV><FONT color=3D#000000 size=3D2><FONT = color=3D#000000> It seems=20 not appropriate to include a field in TSTInfo structure related to the = tsa=20 identity, i.e. tsa field. I don't find this field necessary because it = is=20 repeated when using a CMS or PKCS#7 envelope to encapsulate the token=20 information. This information would be redundant since an identifier=20 distinguishing the given tsa should be present in the signerInfo=20 structure.</FONT></FONT></DIV> <DIV><FONT color=3D#000000 size=3D2><FONT = color=3D#000000></FONT></FONT> </DIV> <DIV><FONT color=3D#000000 size=3D2><FONT = color=3D#000000> So, I=20 recommend the deletion of this field.</FONT></FONT></DIV> <DIV><FONT color=3D#000000 size=3D2><FONT = color=3D#000000></FONT></FONT> </DIV> <DIV><FONT color=3D#000000 size=3D2><FONT = color=3D#000000> =20 Regards,</FONT></FONT></DIV> <DIV><FONT color=3D#000000 size=3D2><FONT = color=3D#000000></FONT></FONT> <FONT=20 color=3D#000000 size=3D2><FONT color=3D#000000> Juan Luis=20 López</FONT></FONT></DIV> <DIV><FONT color=3D#000000 size=3D2><FONT = color=3D#000000></FONT></FONT> </DIV> <DIV> </DIV></DIV> <DIV><FONT color=3D#000000 size=3D2> =20 -------------------------------------------------------------------------= ------------<BR>Juan=20 Luis=20 López &= nbsp; &n= bsp; &nb= sp; =20 <<A href=3D"mailto:jluis@fnmt.es">jluis@fnmt.es</A>><BR>Project=20 Engineer  = ; = &= nbsp; =20 <A=20 href=3D"http://www.fnmt.es/pkits">http://www.fnmt.es/pkits</A><BR>F&aacut= e;brica=20 Nacional de Moneda y=20 Timbre &= nbsp;=20 tel: [+34] 91 506 48 40<BR>C/ Juan de Mariana,=20 17  = ; = =20 fax: [+34] 91 506 48 51<BR>E-28045 Madrid,=20 SPAIN &n= bsp; =20 </FONT></DIV></BODY></HTML> ------=_NextPart_000_01CF_01BE80E9.66146320-- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id BAA21888 for ietf-pkix-bks; Wed, 7 Apr 1999 01:47:18 -0700 (PDT) Received: from popmail.inbox.se (popmail.inbox.se [193.12.72.101]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id BAA21843 for <ietf-pkix@imc.org>; Wed, 7 Apr 1999 01:46:57 -0700 (PDT) Received: from stefan2 (accurata.inbox.se [193.12.72.24]) by popmail.inbox.se (8.8.7/8.8.7) with SMTP id KAA03333; Wed, 7 Apr 1999 10:47:35 +0200 Message-Id: <3.0.32.19990407104817.00a0c9a0@mail.accurata.se> X-Sender: mb517@mail.accurata.se X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Wed, 07 Apr 1999 10:48:17 +0200 To: "Anders Rundgren" <anders.rundgren@jaybis.com>, "Stephen Kent" <kent@bbn.com> From: Stefan Santesson <stefan@accurata.se> Subject: Re: A $25,000,000,000 PKI Was:Spec. on QC-low-fat & QC-heavy-bio Cc: <ietf-pkix@imc.org>, "'SEIS-List'" <list@seis.nc-forum.com> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id BAA21846 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Anders, At 06:34 AM 4/7/99 +0100, Anders Rundgren wrote: <snip> >1) The problem is that the private keys to a company purchaser cert are >not "yours". I.e. they are owned by the company that can control their use 100% >if they never leave their secure server. That is a very good working model. Who owns a private key??? I don't care. The thing that interests me is who have the exclusive right to use the key, and that this right is protected. > >2) I think that the thin client solution has more with sw distribution which >is a true bottleneck recognized by most of the IT-industry > You are solving yesterdays problems. The problem with exporting client software is a general problem which a whole industry is working on. Java is one step along the line and we will see more and better solutions. In a world where bandwidth are increasing we will se more of "download what you need, when you need it" type of approaches. This does not require the private keys to be used within a server. I could support almost any type of client server solution where "thin" clients gets software on demand to deploy what ever they are used for. But I'll never like as a general tradeoff that private keys MUST be operated by the server. To me you can put everything BUT the private keys (and one basic certificate) in the server. <snip> > >Initially PKI was about certs and global X500 directories - Did not happen > >Now it is zillions of certs distributed in various ways - Slow deployment > >So I do really believe there is room for a "third wave" > Yes there are, but is surely won't be private key servers. However, a layered structure with a few long lived general certificates (QC) that support a large number of specialized short lived certificates, may very well be part of that "third wave". And that seems to be not that far away from your thoughts. >Anders > > /Stefan ------------------------------------------------------------------- Stefan Santesson <stefan@accurata.se> Accurata Systemsäkerhet AB http://www.accurata.se Slagthuset Tel. +46-40 108588 211 20 Malmö Fax. +46-40 150790 Sweden Mobile +46-70 5247799 PGP fingerprint: 89BC 6C79 5B3D 591B 8547 1512 7D11 DBF4 528F 29A0 ------------------------------------------------------------------- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id BAA19802 for ietf-pkix-bks; Wed, 7 Apr 1999 01:19:29 -0700 (PDT) Received: from stargate.zergo.com.au (root@stargate.zergo.com.au [203.2.208.130]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id BAA19798 for <ietf-pkix@imc.org>; Wed, 7 Apr 1999 01:19:25 -0700 (PDT) Received: from michaelz (dhcp-64.ws.zergo.com.au [192.168.72.64]) by stargate.zergo.com.au (8.9.1/8.8.7) with SMTP id SAA23860; Wed, 7 Apr 1999 18:18:21 +1000 Received: by localhost with Microsoft MAPI; Wed, 7 Apr 1999 18:18:37 +1000 Message-ID: <01BE8123.0E737A40.mzolotarev@baltimore.com.au> From: Michael Zolotarev <mzolotarev@baltimore.com.au> Reply-To: "mzolotarev@baltimore.com.au" <mzolotarev@baltimore.com.au> To: "'Anders Rundgren'" <anders.rundgren@jaybis.com> Cc: "ietf-pkix@imc.org" <ietf-pkix@imc.org> Subject: RE: A $25,000,000,000 PKI Date: Wed, 7 Apr 1999 18:18:32 +1000 Organization: Baltimore Pty Ltd X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Anders You wrote: >Why do you think network-centric computing and thin clients are the new favorites >among IT-managers? Because these solutions give them both control >and convenience. I just want to place my vote - it is difficult to disagree. Convenience rules. With the advent of the 'thin client', when a terminal/mobilePh becomes just a secure empty-shell UI device, with the actual applications running on a host somewhere else, the whole idea of a physical 'flesh and blood' PKI client gets quite hazy. A server, running applications on behalf of thousands of devices, will inevitably come to host the PKI services as well, implementing some kind of VirtualCertificates, possibly employing private-key-servers etc. Because it is convenient. However, the fact that a physical topology of the client changes, does not change the nature of the PKI-based solution. As Stefan Santesson wrote: >Using this angle to view this kind of system design makes it quite clear >that this design is simply a matter of local policy which by no means >should affect general PKI standards and technical profiles. The problem of securing the host may scare off a company A - only to clear the market for a company B. BTW the 'lack of computation power' may not be a valid argument at all, as maintaining an Authenticated Secure Link between the thin client (CyberPhone) and the server may demand a great deal of 'computations' in the future (and we all know that tomorrow's mobile devices will posses the power of today's supercomputers (some brass music here pls.). Michael Z Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id AAA19208 for ietf-pkix-bks; Wed, 7 Apr 1999 00:40:56 -0700 (PDT) Received: from dsg1.OpenDirectory.com.au ([203.108.249.145]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id AAA19204 for <ietf-pkix@imc.org>; Wed, 7 Apr 1999 00:40:53 -0700 (PDT) Received: by DSG1 with Internet Mail Service (5.0.1458.49) id <22ZNQLS7>; Wed, 7 Apr 1999 17:41:18 +1000 Message-ID: <D1A949D4508DD1119C8100400533BEDC0DDB70@DSG1> From: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au> To: "'Stephen Kent '" <kent@bbn.com>, "'Anders Rundgren '" <anders.rundgren@jaybis.com> Cc: "'ietf-pkix@imc.org '" <ietf-pkix@imc.org>, "''SEIS-List' '" <list@seis.nc-forum.com> Subject: RE: A $25,000,000,000 PKI Was:Spec. on QC-low-fat & QC-heavy-bi o Date: Wed, 7 Apr 1999 17:41:16 +1000 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> I love this stuff - reality at last. As said - PKI and certs is a theoretical function applied to operational systems based on cost/trust/risk parameters. They (PKIUs and certs - and their validation) can be simple and cheap to deal with traveller kiosks, phone cards, freeway tolls - (ie. processed within a business policy (using directory services)) in fact their utility here is greater than barcoding people, getting retina scans, the name of ones cat and getting this signed off as being genuine by the chair of the UN and 20 lawers just so they get a key pair and then making them sign mail with this. On a more serious note - and as said trying to profile certs/PKIs for "the Internet" - when the Internet technologies will be used in many, many ways for many reasons is a hard task. Not complying to PXIX may be the norm for most certificate usage, particularly if there are 1bn phone users and millions of tagged cars around the place. Anders - about this money stuff - can we talk percentages? regards alan And then there is the cost issue. This is CHEAP, mass-produced stuff. Imagine a PKI that 2005 has 1 billion users (projected mobile phone deployment) where each user pays $25 to have his/hers CyberID. That is $25,000,000,000 / Year !!!! VeriSign, Thawte, are you listening? It is absolutely worth HUGE sums to create secure servers and even "adjust" laws on digital signatures. Maybe BBN could be interested in the server business? :-) Anders Rundgren Senior Internet e-commerce Architect http://www.mobilephones-tng.com Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id VAA10960 for ietf-pkix-bks; Tue, 6 Apr 1999 21:35:52 -0700 (PDT) Received: from smtp.udac.net (smtp.udac.net [193.44.79.123]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id VAA10952 for <ietf-pkix@imc.org>; Tue, 6 Apr 1999 21:35:50 -0700 (PDT) Received: from caesar.udac.se (caesar.udac.se [193.44.79.10]) by smtp.udac.net (8.9.1/8.9.1) with ESMTP id GAA06494 for <ietf-pkix@imc.org>; Wed, 7 Apr 1999 06:36:31 +0200 Received: from mega (t3o69p107.telia.com [62.20.145.107]) by caesar.udac.se (8.7.3/NetworkC-1) with SMTP id GAA48513; Wed, 7 Apr 1999 06:36:24 +0200 Message-ID: <001c01be80b8$52da0430$020000c0@mega.vincent.se> From: "Anders Rundgren" <anders.rundgren@jaybis.com> To: "Stephen Kent" <kent@bbn.com>, "Stefan Santesson" <stefan@accurata.se> Cc: <ietf-pkix@imc.org>, "'SEIS-List'" <list@seis.nc-forum.com> Subject: Re: A $25,000,000,000 PKI Was:Spec. on QC-low-fat & QC-heavy-bio Date: Wed, 7 Apr 1999 06:34:35 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.2106.4 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id VAA10956 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Stefan, >I totally agree with Steve here. I am so surpriced :-) >The approach to let a server manage and use your private keys to sign your >signatures seams to be bad design for the sake of saving a little >processing power in the client. It seams even more bad taken into >consideration that computational power and memory capacity in clients >become cheaper every day. 1) The problem is that the private keys to a company purchaser cert are not "yours". I.e. they are owned by the company that can control their use 100% if they never leave their secure server. That is a very good working model. 2) I think that the thin client solution has more with sw distribution which is a true bottleneck recognized by most of the IT-industry >But creating and maintaining a general super secure multi-private-key >center will not be cheaper and cheaper every day. Well, once done it will become cheaper compared to the alternatives. Why do you think network-centric computing and thin clients are the new favorites among IT-managers? Because these solutions give them both control and convenience. <snip> Initially PKI was about certs and global X500 directories - Did not happen Now it is zillions of certs distributed in various ways - Slow deployment So I do really believe there is room for a "third wave" Anders Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id TAA02397 for ietf-pkix-bks; Tue, 6 Apr 1999 19:52:06 -0700 (PDT) Received: from europe.std.com (europe.std.com [199.172.62.20]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id TAA02393 for <ietf-pkix@imc.org>; Tue, 6 Apr 1999 19:52:05 -0700 (PDT) Received: from world.std.com by europe.std.com (STD1.2/BZS-8-1.0) id WAA06929; Tue, 6 Apr 1999 22:52:27 -0400 (EDT) Received: by world.std.com (TheWorld/Spike-2.0) id AA04977; Tue, 6 Apr 1999 22:52:27 -0400 Message-Id: <199904070252.AA04977@world.std.com> To: Stefan Santesson <stefan@accurata.se> Cc: ietf-pkix@imc.org, "'SEIS-List'" <list@seis.nc-forum.com> Subject: Re: SEIS: Re: A $25,000,000,000 PKI Was:Spec. on QC-low-fat & QC-heavy-bio In-Reply-To: Your message of "Wed, 07 Apr 1999 01:09:17 EDT." <3.0.32.19990407010917.00ae14b0@mail.accurata.se> Date: Tue, 06 Apr 1999 22:52:27 -0400 From: Dan Geer <geer@world.std.com> Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> The approach to let a server manage and use your private keys to sign your signatures seams to be bad design for the sake of saving a little processing power in the client. In this and all other matters of public acceptance of security practices/devices, never underestimate the lure of convenience. How else could one explain automatic surveillance traded off with not having to carry correct change for the toll booth, say? A bit afield, --dan Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id TAA02354 for ietf-pkix-bks; Tue, 6 Apr 1999 19:50:00 -0700 (PDT) Received: from dsg1.OpenDirectory.com.au ([203.108.249.145]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id TAA02333; Tue, 6 Apr 1999 19:49:49 -0700 (PDT) Received: by DSG1 with Internet Mail Service (5.0.1458.49) id <22ZNQLR4>; Wed, 7 Apr 1999 12:50:05 +1000 Message-ID: <D1A949D4508DD1119C8100400533BEDC0BE969@DSG1> From: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au> To: "'Paul Hoffman / IMC'" <phoffman@imc.org>, Stephen Kent <kent@bbn.com>, ietf-pkix@imc.org Subject: RE: CA vs. EE cert processing Date: Wed, 7 Apr 1999 12:50:01 +1000 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> I think the issue saying that X.509 is broken - is somewhat wrong. If it broken - then whats the alternative?? Ditto X. things are ambiguious - when most tec specs (and I can name a few) that have more holes than substance. X.509 is a information and functional specification that does not dictate HOW to use things in operational systems. That is a PROFILING issue. Its just that the PXIX work is now PROFILING X.509 and naturally operational Usage issues need to be dealt with in this process.. regards alan > -----Original Message----- > From: Paul Hoffman / IMC > Sent: Wednesday, April 07, 1999 6:13 AM > To: Stephen Kent; ietf-pkix@imc.org > Subject: Re: CA vs. EE cert processing > > This summary is great. However, I come to slightly different > conclusions > than you do, based on the same logic. My conclusion is that X.509 by > itself > is broken due to the (now glaring) ambiguity. RFC 2459, though no > paragon > of clarity, fixes the problem of X.509. Thus, *any* CA vendor or cert > authority who doesn't follow RFC 2459, for at least this part of the > cert, > is using a broken protocol. > > <gratuitous-swipe> > Folks who implement protocols that start with "X." are used to this > kind of > ambiguity. Let them figure out how to fix it. > </gratuitous-swipe> > > Should we have added an "ConformsToRFC2459" attribute to RFC 2459? > > --Paul Hoffman, Director > --Internet Mail Consortium Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id RAA24491 for ietf-pkix-bks; Tue, 6 Apr 1999 17:31:17 -0700 (PDT) Received: from springfield.SIMPSONS (rotek1.lnk.telstra.net [139.130.48.58]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id RAA24486 for <ietf-pkix@imc.org>; Tue, 6 Apr 1999 17:31:14 -0700 (PDT) Received: by SPRINGFIELD with Internet Mail Service (5.5.2232.9) id <2LSTP78Y>; Wed, 7 Apr 1999 10:29:56 +1000 Message-ID: <C13ABC20EDDAD111B29E0000B456EABC0A638E@SPRINGFIELD> From: Andrew Probert <AndrewP@rotek.com.au> To: "'Anders Rundgren'" <anders.rundgren@jaybis.com>, Stephen Kent <kent@bbn.com> Cc: ietf-pkix@imc.org, "'SEIS-List'" <list@seis.nc-forum.com> Subject: RE: A $25,000,000,000 PKI Was:Spec. on QC-low-fat & QC-heavy-bi o Date: Wed, 7 Apr 1999 10:29:55 +1000 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2232.9) Content-Type: text/plain Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> I personally don't have a problem with private keys and certs being used in digital phones, the keyboard being used for PIN entry, and some smart applications for interaction, say with IVR servers and the newly released Wireless Application Protocol to web servers. [Insert new YASP (yet another security protocol) here?] All of this is technically viable, and desirable. No bio cert required. The PIN to unlock the feature surely would be sufficient for authentication. Andew Probert Rotek Consulting http://www.rotek.com.au a Division of Secure Network Solutions Tel +61 3 9690 8877 Fax +61 3 9690 8171 > -----Original Message----- > From: Anders Rundgren [SMTP:anders.rundgren@jaybis.com] > Sent: Wednesday, April 07, 1999 9:46 AM > To: Stephen Kent > Cc: ietf-pkix@imc.org; 'SEIS-List' > Subject: Re: A $25,000,000,000 PKI Was:Spec. on QC-low-fat & > QC-heavy-bio > > Steve, > > >>Of course, they are built on the fundamental principle that the > >>client always has the "final" cert and key. CyberPhone is not. > > > >Yes, this is the assumption, and it is a widely held one. To change it a > >lot of folks will need to be convinced otherwise. You have a lot of work > >ahead :-)! > > > I know. But its fun as well. > > <snip> > > >> Did you actually read the dynamic certs paper? > > >Yes, and I don't buy all of it's premises. The companies are the ones on > >the hook, as you say, but they also need individual accountability, hence > >the need for individual certs. > > You got that in the CyberID. Accountability is internal affaires is'nt > it? > > > Nobody has a lot of experience with large > >scale deployment of PKIs in these contexts, so a statement about the > >relative difficulties of deployment of certs to end users vs. the > approach > >you propose is premature. Insecure servers are a growing problem for > >businesses, so I also challange your second assertion. > > SET is an example of a large-scale PKI deployment that has _almost_ > flopped due to some of the factors that CyberPhone solves. Like: > > Certificate distribution > Thin client sw > Mobile universal usage > > <large snip> > >Finally, your proposal is clearly focused on one particular deployment > >model, which may or may not be realized. There are others, based on more > >computationally capable, mobile, personal devices, e.g., PDAs. > > Computationally capable devices do not solve > client certificate or client software distribution. > > The market for mobile phones is so much bigger than for other > devices (PDAs, PCs) etc. so IF this solution gets wide acceptance on > the mobile phone market - most other client PKI solutions MAY just die. > I.e. why pay additional money for certs, readers, software if your > employees already have a high-quality solution in their hands? > > BTW, why do you think MSFT is so interested in the mobile phone market? > Because it is there the future of IT is happening! > > > As I said > >before, you should pursue any implementation approach you think is > >fruitful, but don't ask this standards body to tailor parts of its work > to > >facilitate your (decidely nont mainstream) approach to using certs. > > It COULD become mainstream... > > Now we both know pretty well where we stand in this case so > could please somebody else comment on this? > > Anders > Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id QAA24122 for ietf-pkix-bks; Tue, 6 Apr 1999 16:59:07 -0700 (PDT) Received: from falcon.prod.itd.earthlink.net (falcon.prod.itd.earthlink.net [207.217.120.74]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id QAA24118 for <ietf-pkix@imc.org>; Tue, 6 Apr 1999 16:59:05 -0700 (PDT) Received: from lattin (sdn-ar-005casfraP082.dialsprint.net [158.252.212.84]) by falcon.prod.itd.earthlink.net (8.8.7/8.8.5) with SMTP id QAA22312; Tue, 6 Apr 1999 16:59:19 -0700 (PDT) From: "Bill Lattin" <wlattin@earthlink.net> To: "Meggison, Tim" <tim.meggison@CyberTrust.GTE.Com>, "Tony Bartoletti" <azb@llnl.gov>, "Dan Geer" <geer@world.std.com>, <ietf-pkix@imc.org> Subject: RE: Time-stamp server. TimePrecision info Date: Tue, 6 Apr 1999 16:58:51 -0700 Message-ID: <000501be8089$6b4aed60$54d4fc9e@lattin> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4 In-Reply-To: <2575327B6755D211A0E100805F9FF95401CC4488@ndhmex02.ndhm.gtegsc.com> Importance: Normal Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> I agree. Let's not arbitrarily limit ourselves based on current capabilities or applications. We are regularly trying to overcome arbitrary limitations in other areas - such as address space, time format problems, cryptographic key lengths - a little extra effort here can mean a system that will work for centuries. NTP works well today. Let's extend it to work well in future applications. Bill Lattin TTFN & Associates > -----Original Message----- > From: owner-ietf-pkix@imc.org [mailto:owner-ietf-pkix@imc.org]On Behalf > Of Meggison, Tim > Sent: Tuesday, April 06, 1999 10:56 > To: Tony Bartoletti; Dan Geer; ietf-pkix@imc.org > Subject: RE: Time-stamp server. TimePrecision info > > > I agree - we need to stop putting false limitations into > standards/protocols. > > Rather than asking "What applications require microseconds today", let's > turn it around and ask "Provide proof that microseconds won't be > necessary a > year from today." > > Let the market determine if it needs timestamps with the greater > granularity. > > -----Original Message----- > From: Tony Bartoletti [mailto:azb@llnl.gov] > Sent: Tuesday, April 06, 1999 1:37 PM > To: Dan Geer; ietf-pkix@imc.org > Subject: Re: Time-stamp server. TimePrecision info > > > It may be true that, out of a sense of fairness, some events are > considered "simultaneous" if they occur within the same second, > or minute. But 100 years ago, that may have been "days or weeks". > > I see technology rocketing ahead so fast my head spins. Try, if > you can, to imagine processor speeds and typical transmission > bandwidths 1000 times greater than the fastest today. It will > not be too far off. So I must concur with those who ask "What > harm in allowing microseconds, or even nanoseconds, to be > representable in the protocol? We may not (yet) have many > applications where such resolution (in signatures, certs, and > authentication) is critical. But can the same be said for > "hours"? Generally, no. > > Whatever you do, do not make a determination based upon saving > a few bytes. Such a decision will appear laughable in 10 years. > > ___tony___ > > > At 10:36 PM 4/2/99 -0500, Dan Geer wrote: > > > >We argue most about mechanism when we are least > >reconciled with respect to requirement. Perhaps > >I can provide a succulent target: > > > > The requirement for time is event serialization > > sufficient to support an economic level of recourse. > > > >Unremarkably, two events within the error band are > >definitionally simultaneous -- the NYSE tick is > >not micro-seconds but rather macro- and many events > >are declared simultaneous in the interest of fairness, > >to take a central example from high-value commerce. > > > >Is there an economist in the house? > > > >--dan > > > > > > > > Tony Bartoletti LL > Center for Information Operations and Assurance LL LL > Lawrence Livermore National Laboratory LL LL LL > PO Box 808, L - 303 LL LL LL > Livermore, CA 94551-9900 LL LL LLLLLLLL > phone: 925-422-3881 fax: 925-423-8002 LL LLLLLLLL > email: azb@llnl.gov LLLLLLLL > Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id QAA23549 for ietf-pkix-bks; Tue, 6 Apr 1999 16:08:03 -0700 (PDT) Received: from popmail.inbox.se (popmail.inbox.se [193.12.72.101]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id QAA23545 for <ietf-pkix@imc.org>; Tue, 6 Apr 1999 16:08:01 -0700 (PDT) Received: from stefan2 (accurata.inbox.se [193.12.72.24]) by popmail.inbox.se (8.8.7/8.8.7) with SMTP id BAA32642; Wed, 7 Apr 1999 01:08:36 +0200 Message-Id: <3.0.32.19990407010917.00ae14b0@mail.accurata.se> X-Sender: mb517@mail.accurata.se X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Wed, 07 Apr 1999 01:09:17 +0200 To: Stephen Kent <kent@bbn.com>, "Anders Rundgren" <anders.rundgren@jaybis.com> From: Stefan Santesson <stefan@accurata.se> Subject: Re: SEIS: Re: A $25,000,000,000 PKI Was:Spec. on QC-low-fat & QC-heavy-bio Cc: <ietf-pkix@imc.org>, "'SEIS-List'" <list@seis.nc-forum.com> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id QAA23546 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> I totally agree with Steve here. The approach to let a server manage and use your private keys to sign your signatures seams to be bad design for the sake of saving a little processing power in the client. It seams even more bad taken into consideration that computational power and memory capacity in clients become cheaper every day. But creating and maintaining a general super secure multi-private-key center will not be cheaper and cheaper every day. To help viewing and comparing this system design with other systems, I view the private-key-server as being a part of the client system. This simply because this server handles the clients keys and will fall under the clients responsibility. So the question is if it is wise in some cases to split a normal client into a sub-client-server system, which from the relying party's viewpoint still acts like one client. Using this angle to view this kind of system design makes it quite clear that this design is simply a matter of local policy which by no means should affect general PKI standards and technical profiles. /Stefan At 05:47 PM 4/6/99 -0400, Stephen Kent wrote: >--- Message on the SEIS mailing list (list@seis.nc-forum.com) > >Anders, > >>>As far as a relying party is concerned, applying the signature consistent >>>with the certificate associated with the transaction is the basis (though >>>not the whole story) for non-repudiation of the transaction. All of the >>>digital signature laws and guidelines embody this notion, as do all >>>technical standards with which I am familiar. >> >>Of course, they are built on the fundamental principle that the >>client always has the "final" cert and key. CyberPhone is not. > >Yes, this is the assumption, and it is a widely held one. To change it a >lot of folks will need to be convinced otherwise. You have a lot of work >ahead :-)! > >>>If one has a security failure >>>at the server, it's not the relying party's problem, it is the client's >>>problem. >>>This sort of server design introduces a new component to the >>>system that must be trusted by the client >> >>The real "Client" in a business-to-business situation is the company (and >>their server) >>that have much more problems with their employees and certificate >>distribution than they have >>with unsecure servers. By having the "person-client" sign a transaction >>as well you are technically on the safe side. Did you actually read the >>dynamic certs paper? > >Yes, and I don't buy all of it's premises. The companies are the ones on >the hook, as you say, but they also need individual accountability, hence >the need for individual certs. Nobody has a lot of experience with large >scale deployment of PKIs in these contexts, so a statement about the >relative difficulties of deployment of certs to end users vs. the approach >you propose is premature. Insecure servers are a growing problem for >businesses, so I also challange your second assertion. > >>>and creates a higher value target if the server is shared by more than one >>>user. I'd say that makes this type of approach, in your system or any >>>similar one, >>>potentially a lot less secure than systems in which the signing is >>>performed solely by the >>>client. >> >>You say: "You can't build a secure server". I say: "Every Internet-bank >>system needs >>the same security level that a CyberPhone intermediary server requires" > >Not necessarily. The Internet banking we see today lacks non-repudiation, >for one thing. > >>>While I can't prevent people from making a security implementation >>>tradeoff in favor of systems of this sort, I certainly would not endorse >>>any accommodations to a standard to facilitate system design approaches of >>>this sort, due to the adverse secruity implications. >> >>I would not be so sure about that since there are TONS of advantages to >>gain if you read carefully the around 25 pages of information on the site. > >What I read was probably less than the full 25 pages, given that I printed >it and it didn't look that thick. However, my tolerance for market >literature as a means of technical communication is limited ... > >>And then there is the cost issue. This is CHEAP, mass-produced stuff. >> >>Imagine a PKI that 2005 has 1 billion users (projected mobile phone >>deployment) >>where each user pays $25 to have his/hers CyberID. That is >> >> $25,000,000,000 / Year !!!! >> >>VeriSign, Thawte, are you listening? >> >>It is absolutely worth HUGE sums to create secure servers and even >>"adjust" laws on >>digital signatures. Maybe BBN could be interested in the server business? :-) > >Well, CyberTrust, the organization for which I am the CTO, is in the CA >business and we understand how hard it is to make CA systems secure, >despite the relatively restricted interfaces they exhibit. I'm not saying >that one can't develop and manage such secure servers, but it is very hard. > >Finally, your proposal is clearly focused on one particular deployment >model, which may or may not be realized. There are others, based on more >computationally capable, mobile, personal devices, e.g., PDAs. As I said >before, you should pursue any implementation approach you think is >fruitful, but don't ask this standards body to tailor parts of its work to >facilitate your (decidely nont mainstream) approach to using certs. > >Steve > > >----------------- SEIS mailing list (list@seis.nc-forum.com) >Info about this list: http://www.nc-forum.com/seis >SEIS Contact: info@seis.se > ------------------------------------------------------------------- Stefan Santesson <stefan@accurata.se> Accurata Systemsäkerhet AB http://www.accurata.se Slagthuset Tel. +46-40 108588 211 20 Malmö Fax. +46-40 150790 Sweden Mobile +46-70 5247799 PGP fingerprint: 89BC 6C79 5B3D 591B 8547 1512 7D11 DBF4 528F 29A0 ------------------------------------------------------------------- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id PAA23418 for ietf-pkix-bks; Tue, 6 Apr 1999 15:52:22 -0700 (PDT) Received: from dsg1.OpenDirectory.com.au ([203.108.249.145]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id PAA23413 for <ietf-pkix@imc.org>; Tue, 6 Apr 1999 15:52:13 -0700 (PDT) Received: by DSG1 with Internet Mail Service (5.0.1458.49) id <22ZNQLQN>; Wed, 7 Apr 1999 08:52:39 +1000 Message-ID: <D1A949D4508DD1119C8100400533BEDC0BE968@DSG1> From: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au> To: "'Stephen Kent'" <kent@bbn.com> Cc: "''ietf-pkix@imc.org ' '" <ietf-pkix@imc.org>, "''list@seis.nc-forum.com ' '" <list@seis.nc-forum.com> Subject: RE: Certificates, Directories, and Distinguished Names Date: Wed, 7 Apr 1999 08:52:36 +1000 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Thanks for that. > -----Original Message----- > From: Stephen Kent > Sent: Wednesday, April 07, 1999 12:42 AM > To: Alan Lloyd > Cc: ''ietf-pkix@imc.org ' '; ''list@seis.nc-forum.com ' ' > Subject: RE: Certificates, Directories, and Distinguished Names > > Alan, > > > This can be agreed with or: > > > > Say I get a cert/key from Honest John cert co - and its > >recognised by a few dozen traveller kiosks around the country and > toll > >plazas on freeways. > > When I use it from the car, the email address of the > >transaction is toll booth 23@ Tullamaine -free way. roads and when I > go > >bush... another one day the email address is > >lost.traveller@kiosk10.inthebush.outback > > Gee, you Aussies really like to send mail from out of the way places > :-). yes, they are so far "out of the way" that we have cars and internet services there :-) > We agree that the message recipients care more about who you are than > the > origin of a specific message. However, in the e-mail world, the IDs > people > are comfortable with, are e-mail addresses. Thats a view that should evolve - I dont like remembering email addresses - simply because they seem to be changing often. Quote from an OpenDirectory slide - circa 10 years ago - Directories are use to hold information that one cannot remember or changes often and this is related to a name - that can be remebered and does not change (or rarely changes). > S/MIME decided to prefer that > form of ID for their application environment, and so it is appropriate > for > PKIX to support it. It is also an ID form supported in IPsec for > individuals. This is just another case of folks in the Internet > choosing > to make use of an existing naming infrastructure, > Oh I see - I wondered what this Internet stuff was about - perhaps I should use it too - and then my views might get accepted. :-) (or perhaps I dont think that using email addresses instead of directory systems is the way to go - ie. I dont believe in applying newer technologies - business level directory systems - in the old way - like email systems - simply because there is a difference and a damn good reason for not doing so) ie. Engineering concepts - EG. If I have a hammer (mail system concepts) and then get an electric drill (a directory system ) do I still bash the back of the drill to do the engineering -no I use a different approach to doing the job.? > i.e., the DNS, than to > build and rely upon a new one, e.g., X.500. This is an IETF WG, so > this > ought not be surprising! As said we are providing X.500 back ends to ISPs for Radius, DHCP/DNS services - and ISPs provide (wait for it) Internet Services ! Also, another view is that the networking properties of the Internet is used to support a distributed name based information system that businesses operate with using natural business entity names like Conference Room 3, etc . ie. the Internet just becomes the pipes for many directory services supporting the business information model of specific vertical markets. This strikes me as valid input to the IETF process. > > It strikes me that nailing, cryptographically, information in a > >certificate that may or may not get used could be a hinderance not a > >benefit.. > > I'm in favor of not putting too many attributes into a cert; remember > Steve's Rule of Revocation. (I never knew this to foget it - Gee Is > this published ?) > > But we're really talking about an alternate > Subject name here, not an added piece of info. > Is an Alternate Subject Name (that seems to have no purpose) not an added piece of info? author - a confused aussie :-) > <corporate merger activity advertisement deleted> Its strange you deleted this when in fact it highlights the very problem using mail addresses in certs. Its also odd that the very problems I describe in the real world which face operational systems dealing with churn and change - that can get resolved with directory systems - not mail systems with certificates - seem to get passed over... However, this has a good side - It just means that directory system suppliers get ahead of the suppliers with "email" /DB approaches to PKIs. > > It also strikes me that the last place I want my mail address is > >in my certificate - as this will create and compound any archive and > >rekey issues. > > Huh? If the e-mail address is the chosen name form, then learn to deal > with it! > > <typical Alan text about X.500 as a panacea deleted> Directories are not a panacea - they are an sound and validated enginerring approach to distributed information systems that run businesses over the Internet and other networks. They have solved problems ten years ago - that are being discussed today. > Steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id PAA23368 for ietf-pkix-bks; Tue, 6 Apr 1999 15:47:02 -0700 (PDT) Received: from smtp.udac.net (smtp.udac.net [193.44.79.123]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id PAA23364 for <ietf-pkix@imc.org>; Tue, 6 Apr 1999 15:47:00 -0700 (PDT) Received: from caesar.udac.se (caesar.udac.se [193.44.79.10]) by smtp.udac.net (8.9.1/8.9.1) with ESMTP id AAA04312 for <ietf-pkix@imc.org>; Wed, 7 Apr 1999 00:47:34 +0200 Received: from mega (t1o69p22.telia.com [62.20.144.22]) by caesar.udac.se (8.7.3/NetworkC-1) with SMTP id AAA67242; Wed, 7 Apr 1999 00:47:33 +0200 Message-ID: <00b501be8087$962bdd70$020000c0@mega.vincent.se> From: "Anders Rundgren" <anders.rundgren@jaybis.com> To: "Stephen Kent" <kent@bbn.com> Cc: <ietf-pkix@imc.org>, "'SEIS-List'" <list@seis.nc-forum.com> Subject: Re: A $25,000,000,000 PKI Was:Spec. on QC-low-fat & QC-heavy-bio Date: Wed, 7 Apr 1999 00:45:43 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.2106.4 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id PAA23365 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Steve, >>Of course, they are built on the fundamental principle that the >>client always has the "final" cert and key. CyberPhone is not. > >Yes, this is the assumption, and it is a widely held one. To change it a >lot of folks will need to be convinced otherwise. You have a lot of work >ahead :-)! I know. But its fun as well. <snip> >> Did you actually read the dynamic certs paper? >Yes, and I don't buy all of it's premises. The companies are the ones on >the hook, as you say, but they also need individual accountability, hence >the need for individual certs. You got that in the CyberID. Accountability is internal affaires is'nt it? > Nobody has a lot of experience with large >scale deployment of PKIs in these contexts, so a statement about the >relative difficulties of deployment of certs to end users vs. the approach >you propose is premature. Insecure servers are a growing problem for >businesses, so I also challange your second assertion. SET is an example of a large-scale PKI deployment that has _almost_ flopped due to some of the factors that CyberPhone solves. Like: Certificate distribution Thin client sw Mobile universal usage <large snip> >Finally, your proposal is clearly focused on one particular deployment >model, which may or may not be realized. There are others, based on more >computationally capable, mobile, personal devices, e.g., PDAs. Computationally capable devices do not solve client certificate or client software distribution. The market for mobile phones is so much bigger than for other devices (PDAs, PCs) etc. so IF this solution gets wide acceptance on the mobile phone market - most other client PKI solutions MAY just die. I.e. why pay additional money for certs, readers, software if your employees already have a high-quality solution in their hands? BTW, why do you think MSFT is so interested in the mobile phone market? Because it is there the future of IT is happening! > As I said >before, you should pursue any implementation approach you think is >fruitful, but don't ask this standards body to tailor parts of its work to >facilitate your (decidely nont mainstream) approach to using certs. It COULD become mainstream... Now we both know pretty well where we stand in this case so could please somebody else comment on this? Anders Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id OAA22799 for ietf-pkix-bks; Tue, 6 Apr 1999 14:46:59 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id OAA22795 for <ietf-pkix@imc.org>; Tue, 6 Apr 1999 14:46:58 -0700 (PDT) Received: from [128.89.0.110] (COSMEC.BBN.COM [128.89.0.110]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id RAA23709; Tue, 6 Apr 1999 17:47:33 -0400 (EDT) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Sender: kent@po1.bbn.com Message-Id: <v04020a13b3302d9b9da4@[128.89.0.110]> In-Reply-To: <009801be8079$d634b850$020000c0@mega.vincent.se> Date: Tue, 6 Apr 1999 17:47:31 -0400 To: "Anders Rundgren" <anders.rundgren@jaybis.com> From: Stephen Kent <kent@bbn.com> Subject: Re: A $25,000,000,000 PKI Was:Spec. on QC-low-fat & QC-heavy-bio Cc: <ietf-pkix@imc.org>, "'SEIS-List'" <list@seis.nc-forum.com> Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Anders, >>As far as a relying party is concerned, applying the signature consistent >>with the certificate associated with the transaction is the basis (though >>not the whole story) for non-repudiation of the transaction. All of the >>digital signature laws and guidelines embody this notion, as do all >>technical standards with which I am familiar. > >Of course, they are built on the fundamental principle that the >client always has the "final" cert and key. CyberPhone is not. Yes, this is the assumption, and it is a widely held one. To change it a lot of folks will need to be convinced otherwise. You have a lot of work ahead :-)! >>If one has a security failure >>at the server, it's not the relying party's problem, it is the client's >>problem. >>This sort of server design introduces a new component to the >>system that must be trusted by the client > >The real "Client" in a business-to-business situation is the company (and >their server) >that have much more problems with their employees and certificate >distribution than they have >with unsecure servers. By having the "person-client" sign a transaction >as well you are technically on the safe side. Did you actually read the >dynamic certs paper? Yes, and I don't buy all of it's premises. The companies are the ones on the hook, as you say, but they also need individual accountability, hence the need for individual certs. Nobody has a lot of experience with large scale deployment of PKIs in these contexts, so a statement about the relative difficulties of deployment of certs to end users vs. the approach you propose is premature. Insecure servers are a growing problem for businesses, so I also challange your second assertion. >>and creates a higher value target if the server is shared by more than one >>user. I'd say that makes this type of approach, in your system or any >>similar one, >>potentially a lot less secure than systems in which the signing is >>performed solely by the >>client. > >You say: "You can't build a secure server". I say: "Every Internet-bank >system needs >the same security level that a CyberPhone intermediary server requires" Not necessarily. The Internet banking we see today lacks non-repudiation, for one thing. >>While I can't prevent people from making a security implementation >>tradeoff in favor of systems of this sort, I certainly would not endorse >>any accommodations to a standard to facilitate system design approaches of >>this sort, due to the adverse secruity implications. > >I would not be so sure about that since there are TONS of advantages to >gain if you read carefully the around 25 pages of information on the site. What I read was probably less than the full 25 pages, given that I printed it and it didn't look that thick. However, my tolerance for market literature as a means of technical communication is limited ... >And then there is the cost issue. This is CHEAP, mass-produced stuff. > >Imagine a PKI that 2005 has 1 billion users (projected mobile phone >deployment) >where each user pays $25 to have his/hers CyberID. That is > > $25,000,000,000 / Year !!!! > >VeriSign, Thawte, are you listening? > >It is absolutely worth HUGE sums to create secure servers and even >"adjust" laws on >digital signatures. Maybe BBN could be interested in the server business? :-) Well, CyberTrust, the organization for which I am the CTO, is in the CA business and we understand how hard it is to make CA systems secure, despite the relatively restricted interfaces they exhibit. I'm not saying that one can't develop and manage such secure servers, but it is very hard. Finally, your proposal is clearly focused on one particular deployment model, which may or may not be realized. There are others, based on more computationally capable, mobile, personal devices, e.g., PDAs. As I said before, you should pursue any implementation approach you think is fruitful, but don't ask this standards body to tailor parts of its work to facilitate your (decidely nont mainstream) approach to using certs. Steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id OAA22166 for ietf-pkix-bks; Tue, 6 Apr 1999 14:08:36 -0700 (PDT) Received: from smtp.udac.net (smtp.udac.net [193.44.79.123]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id OAA22161 for <ietf-pkix@imc.org>; Tue, 6 Apr 1999 14:08:31 -0700 (PDT) Received: from caesar.udac.se (caesar.udac.se [193.44.79.10]) by smtp.udac.net (8.9.1/8.9.1) with ESMTP id XAA03172 for <ietf-pkix@imc.org>; Tue, 6 Apr 1999 23:09:10 +0200 Received: from mega (t3o69p64.telia.com [62.20.145.64]) by caesar.udac.se (8.7.3/NetworkC-1) with SMTP id XAA67206; Tue, 6 Apr 1999 23:09:07 +0200 Message-ID: <009801be8079$d634b850$020000c0@mega.vincent.se> From: "Anders Rundgren" <anders.rundgren@jaybis.com> To: "Stephen Kent" <kent@bbn.com> Cc: <ietf-pkix@imc.org>, "'SEIS-List'" <list@seis.nc-forum.com> Subject: A $25,000,000,000 PKI Was:Spec. on QC-low-fat & QC-heavy-bio Date: Tue, 6 Apr 1999 23:07:17 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.2106.4 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id OAA22162 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Steve, >As far as a relying party is concerned, applying the signature consistent >with the certificate associated with the transaction is the basis (though >not the whole story) for non-repudiation of the transaction. All of the >digital signature laws and guidelines embody this notion, as do all >technical standards with which I am familiar. Of course, they are built on the fundamental principle that the client always has the "final" cert and key. CyberPhone is not. >If one has a security failure >at the server, it's not the relying party's problem, it is the client's >problem. >This sort of server design introduces a new component to the >system that must be trusted by the client The real "Client" in a business-to-business situation is the company (and their server) that have much more problems with their employees and certificate distribution than they have with unsecure servers. By having the "person-client" sign a transaction as well you are technically on the safe side. Did you actually read the dynamic certs paper? >and creates a higher value target if the server is shared by more than one >user. I'd say that makes this type of approach, in your system or any similar one, >potentially a lot less secure than systems in which the signing is performed solely by the >client. You say: "You can't build a secure server". I say: "Every Internet-bank system needs the same security level that a CyberPhone intermediary server requires" >While I can't prevent people from making a security implementation >tradeoff in favor of systems of this sort, I certainly would not endorse >any accommodations to a standard to facilitate system design approaches of >this sort, due to the adverse secruity implications. I would not be so sure about that since there are TONS of advantages to gain if you read carefully the around 25 pages of information on the site. And then there is the cost issue. This is CHEAP, mass-produced stuff. Imagine a PKI that 2005 has 1 billion users (projected mobile phone deployment) where each user pays $25 to have his/hers CyberID. That is $25,000,000,000 / Year !!!! VeriSign, Thawte, are you listening? It is absolutely worth HUGE sums to create secure servers and even "adjust" laws on digital signatures. Maybe BBN could be interested in the server business? :-) Anders Rundgren Senior Internet e-commerce Architect http://www.mobilephones-tng.com Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id NAA21608 for ietf-pkix-bks; Tue, 6 Apr 1999 13:12:49 -0700 (PDT) Received: from aum (ip11.proper.com [165.227.249.11]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id NAA21604; Tue, 6 Apr 1999 13:12:47 -0700 (PDT) Message-Id: <4.2.0.32.19990406130701.00b64100@mail.imc.org> X-Sender: phoffman@mail.imc.org X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.32 (Beta) Date: Tue, 06 Apr 1999 13:12:40 -0700 To: Stephen Kent <kent@bbn.com>, ietf-pkix@imc.org From: Paul Hoffman / IMC <phoffman@imc.org> Subject: Re: CA vs. EE cert processing In-Reply-To: <v04020a0ab3300fde9fbd@[128.89.0.110]> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This summary is great. However, I come to slightly different conclusions than you do, based on the same logic. My conclusion is that X.509 by itself is broken due to the (now glaring) ambiguity. RFC 2459, though no paragon of clarity, fixes the problem of X.509. Thus, *any* CA vendor or cert authority who doesn't follow RFC 2459, for at least this part of the cert, is using a broken protocol. <gratuitous-swipe> Folks who implement protocols that start with "X." are used to this kind of ambiguity. Let them figure out how to fix it. </gratuitous-swipe> Should we have added an "ConformsToRFC2459" attribute to RFC 2459? --Paul Hoffman, Director --Internet Mail Consortium Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id MAA21367 for ietf-pkix-bks; Tue, 6 Apr 1999 12:47:28 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id MAA21363 for <ietf-pkix@imc.org>; Tue, 6 Apr 1999 12:47:27 -0700 (PDT) Received: from [128.89.0.110] (COSMEC.BBN.COM [128.89.0.110]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id PAA24819; Tue, 6 Apr 1999 15:47:57 -0400 (EDT) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Sender: kent@po1.bbn.com Message-Id: <v04020a0cb33011a50ae1@[128.89.0.110]> In-Reply-To: <01BE8057.309231B0@HYDRA> Date: Tue, 6 Apr 1999 15:38:18 -0400 To: Anders Rundgren <anders.rundgren@jaybis.com> From: Stephen Kent <kent@bbn.com> Subject: Re: SEIS: RE: Spec. on QC-low-fat & QC-heavy-bio Cc: "'ietf-pkix@imc.org'" <ietf-pkix@imc.org>, "'SEIS-List'" <list@seis.nc-forum.com> Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Anders, As far as a relying party is concerned, applying the signature consistent with the certificate associated with the transaction is the basis (though not the whole story) for non-repudiation of the transaction. All of the digital signature laws and guidelines embody this notion, as do all technical standards with which I am familiar. If one has a security failure at the server, it's not the relying party's problem, it is the client's problem. This sort of server design introduces a new component to the system that must be trusted by the client, and creates a higher value target if the server is shared by more than one user. I'd say that makes this type of approach, in your system or any similar one, potentially a lot less secure than systems in which the signing is performed solely by the client. While I can't prevent people from making a security implementation tradeoff in favor of systems of this sort, I certainly would not endorse any accommodations to a standard to facilitate system design approaches of this sort, due to the adverse secruity implications. Steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id MAA21184 for ietf-pkix-bks; Tue, 6 Apr 1999 12:27:23 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id MAA21180 for <ietf-pkix@imc.org>; Tue, 6 Apr 1999 12:27:22 -0700 (PDT) Received: from [128.89.0.110] (COSMEC.BBN.COM [128.89.0.110]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id PAA14748 for <ietf-pkix@imc.org>; Tue, 6 Apr 1999 15:28:00 -0400 (EDT) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Sender: kent@po1.bbn.com Message-Id: <v04020a0ab3300fde9fbd@[128.89.0.110]> Date: Tue, 6 Apr 1999 15:25:10 -0400 To: ietf-pkix@imc.org From: Stephen Kent <kent@bbn.com> Subject: CA vs. EE cert processing Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Folks, This memo examines certificate processing with regard to determining whether a certificate is associated with a CA or an EE, to determine where the ambiguity lies and thus help clarify this discussion. Upon further analysis I discovered that the issue is more complex that I originally realized, and so my simple algorithm was oversimplified. However the suggestions put forth so far (as best I recall) also seem to miss the point, as explained below. First question: is this a v1 certificate or a v3 certificate? If v1, there was no way to mark the certificate as a CA or EE explicitly, so some other information must be used. Nothing we say in 2459 is applicable here as we deal only with v3 certs, and thus no changes in 2459 would change how an implementation makes this determination for a v1 cert. Whatever means an implementation used to make this determination for v1 certs can still be employed. Thus v1 certs will not be addressed in the remainder of this analysis, and I assume that software should be written to be sensitive to whether it is dealing with v1 or v3 certificates. Second question: is there a basicConstraints extension present in the certificate? If not, then according to RFC 2459 this must be an EE cert, since CA certs MUST contain this extension. But, according to X.509, if the constraint is absent (or present but marked non-critical and not understood by the implementation), then it is up to the implementation to use other means of determining if the certificate is for a CA or an EE. At this point we have ambiguity, based on examining only the presence or absence of this constraint in a v3 cert. X.509 does not specify what else should be done. So, not knowing if the certificate was issued by an RFC 2459 compliant CA, or an X.509 compliant CA, we have to go to "Plan B." Note that nothing we change in RFC 2459 can fix this problem as the ambiguity is traceable to X.509. If we have a basicConstraints extension, is it NULL or does it have the CA flag set to TRUE. If NULL, then it is an EE certificate according to both RFC 2459 and X.509 (even though 2459 suggests that one not bother to include the extension in this case). If the CA flag is TRUE, then it is a CA certificate, according to both 2459 and X.509. So, if we get to this point, we have no ambiguity for either CA or EE certs. Plan B: We are here because we have a v3 certificate with no basicConstraints extension and because we don't know if the CA that issued the certificate was operating in compliance with either 2459 or X.509. We now have to examine other fields of the certificate, or have some out of band mechanism to help. X.509 provides no guidance on how to do this, which leaves implementers wondering. RFC 2459 provides no guidance because a CA complying with the RFC would not have this problem. So, how can we remove this residual ambiguity? Well, it can't be removed by a change only to RFC 2459, because that standard is not the source of the ambiguity. If one were to change X.509, to require that a compliant CA include the basicConstraints extension (critical or not), when a certificate was issued to a CA, then the ambiguity would be removed at its source. If this change were made to X.509, no change to 2459 would be required. Specifically, changing 2459 to call for inclusion of this constraint for EE certificates (either as a SHOULD or MUST) would not address the ambiguity encountered above. Some have suggested that we should consider changes to 2459 to help alleviate problems resulting from CAs that do not comply with 2459. The above analysis suggests that if the source of the certificate is an X.509 compliant CA, the solution lies with a change to X.509. If the CA is not assumed to comply with either 2459 or X.509, I do not see how fixing either 2459 or X.509 could possible help. Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id KAA20358 for ietf-pkix-bks; Tue, 6 Apr 1999 10:55:54 -0700 (PDT) Received: from Sonnet.GSC.GTE.Com (SYSTEM@NS3.GSC.GTE.Com [204.152.26.66]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id KAA20354 for <ietf-pkix@imc.org>; Tue, 6 Apr 1999 10:55:53 -0700 (PDT) Received: from gscex01.gsc.gte.com ("port 2608"@gscex01.ndhm.gtegsc.com [155.95.162.170]) by Sonnet.GSC.GTE.Com (PMDF V5.2-30 #29038) with ESMTP id <01J9PRDYYG4U00009C@Sonnet.GSC.GTE.Com> for ietf-pkix@imc.org; Tue, 6 Apr 1999 13:55:44 -0400 (EDT) Received: by gscex01.ndhm.gtegsc.com with Internet Mail Service (5.5.2448.0) id <2L9MM44G>; Tue, 06 Apr 1999 13:55:44 -0400 Content-return: allowed Date: Tue, 06 Apr 1999 13:55:43 -0400 From: "Meggison, Tim" <tim.meggison@CyberTrust.GTE.Com> Subject: RE: Time-stamp server. TimePrecision info To: Tony Bartoletti <azb@llnl.gov>, Dan Geer <geer@world.std.com>, ietf-pkix@imc.org Message-id: <2575327B6755D211A0E100805F9FF95401CC4488@ndhmex02.ndhm.gtegsc.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2448.0) Content-type: text/plain; charset="iso-8859-1" Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> I agree - we need to stop putting false limitations into standards/protocols. Rather than asking "What applications require microseconds today", let's turn it around and ask "Provide proof that microseconds won't be necessary a year from today." Let the market determine if it needs timestamps with the greater granularity. -----Original Message----- From: Tony Bartoletti [mailto:azb@llnl.gov] Sent: Tuesday, April 06, 1999 1:37 PM To: Dan Geer; ietf-pkix@imc.org Subject: Re: Time-stamp server. TimePrecision info It may be true that, out of a sense of fairness, some events are considered "simultaneous" if they occur within the same second, or minute. But 100 years ago, that may have been "days or weeks". I see technology rocketing ahead so fast my head spins. Try, if you can, to imagine processor speeds and typical transmission bandwidths 1000 times greater than the fastest today. It will not be too far off. So I must concur with those who ask "What harm in allowing microseconds, or even nanoseconds, to be representable in the protocol? We may not (yet) have many applications where such resolution (in signatures, certs, and authentication) is critical. But can the same be said for "hours"? Generally, no. Whatever you do, do not make a determination based upon saving a few bytes. Such a decision will appear laughable in 10 years. ___tony___ At 10:36 PM 4/2/99 -0500, Dan Geer wrote: > >We argue most about mechanism when we are least >reconciled with respect to requirement. Perhaps >I can provide a succulent target: > > The requirement for time is event serialization > sufficient to support an economic level of recourse. > >Unremarkably, two events within the error band are >definitionally simultaneous -- the NYSE tick is >not micro-seconds but rather macro- and many events >are declared simultaneous in the interest of fairness, >to take a central example from high-value commerce. > >Is there an economist in the house? > >--dan > > > Tony Bartoletti LL Center for Information Operations and Assurance LL LL Lawrence Livermore National Laboratory LL LL LL PO Box 808, L - 303 LL LL LL Livermore, CA 94551-9900 LL LL LLLLLLLL phone: 925-422-3881 fax: 925-423-8002 LL LLLLLLLL email: azb@llnl.gov LLLLLLLL Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id KAA20029 for ietf-pkix-bks; Tue, 6 Apr 1999 10:37:22 -0700 (PDT) Received: from poptop.llnl.gov (poptop.llnl.gov [128.115.18.65]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id KAA20025 for <ietf-pkix@imc.org>; Tue, 6 Apr 1999 10:37:21 -0700 (PDT) Received: from catalyst (catalyst.llnl.gov [128.115.223.10]) by poptop.llnl.gov (8.8.8/LLNL-3.0.2/pop.llnl.gov-5.1) with SMTP id KAA03435; Tue, 6 Apr 1999 10:37:01 -0700 (PDT) Message-Id: <3.0.3.32.19990406103633.00adcc20@poptop.llnl.gov> X-Sender: e048786@poptop.llnl.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Tue, 06 Apr 1999 10:36:33 -0700 To: Dan Geer <geer@world.std.com>, ietf-pkix@imc.org From: Tony Bartoletti <azb@llnl.gov> Subject: Re: Time-stamp server. TimePrecision info In-Reply-To: <199904030336.AA01098@world.std.com> References: <A blather of messages as of "Fri, 02 Apr 1999 13:46:17 EST." <003d01be7d52$3ecaf030$fa4bffd0@brick> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> It may be true that, out of a sense of fairness, some events are considered "simultaneous" if they occur within the same second, or minute. But 100 years ago, that may have been "days or weeks". I see technology rocketing ahead so fast my head spins. Try, if you can, to imagine processor speeds and typical transmission bandwidths 1000 times greater than the fastest today. It will not be too far off. So I must concur with those who ask "What harm in allowing microseconds, or even nanoseconds, to be representable in the protocol? We may not (yet) have many applications where such resolution (in signatures, certs, and authentication) is critical. But can the same be said for "hours"? Generally, no. Whatever you do, do not make a determination based upon saving a few bytes. Such a decision will appear laughable in 10 years. ___tony___ At 10:36 PM 4/2/99 -0500, Dan Geer wrote: > >We argue most about mechanism when we are least >reconciled with respect to requirement. Perhaps >I can provide a succulent target: > > The requirement for time is event serialization > sufficient to support an economic level of recourse. > >Unremarkably, two events within the error band are >definitionally simultaneous -- the NYSE tick is >not micro-seconds but rather macro- and many events >are declared simultaneous in the interest of fairness, >to take a central example from high-value commerce. > >Is there an economist in the house? > >--dan > > > Tony Bartoletti LL Center for Information Operations and Assurance LL LL Lawrence Livermore National Laboratory LL LL LL PO Box 808, L - 303 LL LL LL Livermore, CA 94551-9900 LL LL LLLLLLLL phone: 925-422-3881 fax: 925-423-8002 LL LLLLLLLL email: azb@llnl.gov LLLLLLLL Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id IAA18702 for ietf-pkix-bks; Tue, 6 Apr 1999 08:59:05 -0700 (PDT) Received: from smtp.udac.net (smtp.udac.net [193.44.79.123]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id IAA18693 for <ietf-pkix@imc.org>; Tue, 6 Apr 1999 08:58:41 -0700 (PDT) Received: from caesar.udac.se (caesar.udac.se [193.44.79.10]) by smtp.udac.net (8.9.1/8.9.1) with ESMTP id RAA30261 for <ietf-pkix@imc.org>; Tue, 6 Apr 1999 17:59:18 +0200 Received: from HYDRA ([195.198.186.68]) by caesar.udac.se (8.7.3/NetworkC-1) with SMTP id RAA96900; Tue, 6 Apr 1999 17:59:04 +0200 Received: by HYDRA with Microsoft Mail id <01BE8057.309231B0@HYDRA>; Tue, 6 Apr 1999 17:59:17 +0200 Message-ID: <01BE8057.309231B0@HYDRA> From: Anders Rundgren <anders.rundgren@jaybis.com> To: "'Stephen Kent'" <kent@bbn.com> Cc: "'ietf-pkix@imc.org'" <ietf-pkix@imc.org>, "'SEIS-List'" <list@seis.nc-forum.com> Subject: RE: Spec. on QC-low-fat & QC-heavy-bio Date: Tue, 6 Apr 1999 17:59:16 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Steve, >I visit your web site and reviewed the marketing white papers there. Thank you for taking some of your precious time to read this! I hope that you do not only regard this as "marketing" material although the language is of that kind. By design so to say :-) >One feature of the system you propose, but that has not been mentioned before, >is that this proposal calls for users to cede control of certificates to a >server, which acts on their behalf. The user employs one (local) cert to >authenticate himself to this server, and to direct it to act as his >intermediary. You got it! This is a good description of CyberPhone when you use SET, OBI etc. >This raises serious secruity issues, especially wrt non-repudiation. Well, it does raise security issues, but (hopefully) not unsolvable such. Actually there are commercial products like the GlobSet ServerWallet that builds on the same basic principle. Similar solutions have also been launched by Brokat and BankGate. The difference is that CyberPhone generalizes this principle so that it becomes a "Universal Client PKI Platform" that though requires some special hardware as well. But let's get back to the security issues wrt non-repudiation! Client - IntermediaryServer(IS) - RP When you use a "virtual" certificate (intermediary server with your terminology) the non-repudiation issue for IS (that has the wanted resource) versus the RP is as today. But then we have the relation between the client and the IS that may or may not require a client-signed transaction. This is a matter of trust between the client and the intermediary server. I.e. you COULD require the client to sign a transaction and then the Intermediary Server would save the signed transaction (in case of disputes with the client), strip of the client's signature and add its own signature (SET, OBI, or something). Regards Anders Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id IAA17779 for ietf-pkix-bks; Tue, 6 Apr 1999 08:06:03 -0700 (PDT) Received: from Sonnet.GSC.GTE.Com (SYSTEM@Sonnet.GSC.GTE.Com [131.131.251.1]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id IAA17773 for <ietf-pkix@imc.org>; Tue, 6 Apr 1999 08:05:57 -0700 (PDT) Received: from gscex01.gsc.gte.com ("port 1711"@gscex01.ndhm.gtegsc.com [155.95.162.170]) by Sonnet.GSC.GTE.Com (PMDF V5.2-30 #29038) with ESMTP id <01J9PLH2LTXI00013W@Sonnet.GSC.GTE.Com> for ietf-pkix@imc.org; Tue, 6 Apr 1999 11:06:26 -0400 (EDT) Received: by gscex01.ndhm.gtegsc.com with Internet Mail Service (5.5.2448.0) id <2L9MM323>; Tue, 06 Apr 1999 11:06:26 -0400 Content-return: allowed Date: Tue, 06 Apr 1999 11:06:25 -0400 From: "Meggison, Tim" <tim.meggison@CyberTrust.GTE.Com> Subject: RE: Changes to RFC2459 To: "Kent, Steve-GTEI" <kent@bbn.com>, thayes@netscape.com Cc: ietf-pkix@imc.org Message-id: <2575327B6755D211A0E100805F9FF95401CC442C@ndhmex02.ndhm.gtegsc.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2448.0) Content-type: text/plain; charset="iso-8859-1" Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Steve, Your algorithm works great as long as everyone is following the rules of the RFC. Unfortunately, this does not hold true in practice. When one processes a cert, there is no indicator that it was generated according to the RFC. As an implementer of a CA, it would be desirable to remove all ambiguity to improve interoperability. It is very easy for a cert-generator already to set the Basic Constraints for an EE cert - this is not new technology, and in fact is necessary to support other profiles (eg. SET). Besides saving a few bits in a certificate, what other benefits exist by not using the Basic Constraints to indicate an EE cert? Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id HAA17648 for ietf-pkix-bks; Tue, 6 Apr 1999 07:58:20 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id HAA17644 for <ietf-pkix@imc.org>; Tue, 6 Apr 1999 07:58:19 -0700 (PDT) Received: from [128.89.0.110] (COSMEC.BBN.COM [128.89.0.110]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id KAA08044; Tue, 6 Apr 1999 10:58:50 -0400 (EDT) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Sender: kent@po1.bbn.com Message-Id: <v04020a05b32fd0bfc9bf@[128.89.0.110]> In-Reply-To: <01BE8032.61FE52D0@HYDRA> Date: Tue, 6 Apr 1999 10:58:20 -0400 To: Anders Rundgren <anders.rundgren@jaybis.com> From: Stephen Kent <kent@bbn.com> Subject: Re: SEIS: Spec. on QC-low-fat & QC-heavy-bio Cc: "'ietf-pkix@imc.org'" <ietf-pkix@imc.org>, "'SEIS-List'" <list@seis.nc-forum.com> Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Anders, I visit your web site and reviewed the marketing white papers there. One feature of the system you propose, but that has not been mentioned before, is that this proposal calls for users to cede control of certificates to a server, which acts on their behalf. The user employs one (local) cert to authenticate himself to this server, and to direct it to act as his intermediary. This raises serious secruity issues, especially wrt non-repudiation. Steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id HAA17536 for ietf-pkix-bks; Tue, 6 Apr 1999 07:48:32 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id HAA17532 for <ietf-pkix@imc.org>; Tue, 6 Apr 1999 07:48:30 -0700 (PDT) Received: from [128.89.0.110] (COSMEC.BBN.COM [128.89.0.110]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id KAA03275; Tue, 6 Apr 1999 10:48:50 -0400 (EDT) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Sender: kent@po1.bbn.com Message-Id: <v04020a03b32fcbad9856@[128.89.0.110]> In-Reply-To: <D1A949D4508DD1119C8100400533BEDC0BE960@DSG1> Date: Tue, 6 Apr 1999 10:42:00 -0400 To: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au> From: Stephen Kent <kent@bbn.com> Subject: RE: Certificates, Directories, and Distinguished Names Cc: "''ietf-pkix@imc.org ' '" <ietf-pkix@imc.org>, "''list@seis.nc-forum.com ' '" <list@seis.nc-forum.com> Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Alan, > This can be agreed with or: > > Say I get a cert/key from Honest John cert co - and its >recognised by a few dozen traveller kiosks around the country and toll >plazas on freeways. > When I use it from the car, the email address of the >transaction is toll booth 23@ Tullamaine -free way. roads and when I go >bush... another one day the email address is >lost.traveller@kiosk10.inthebush.outback Gee, you Aussies really like to send mail from out of the way places :-). We agree that the message recipients care more about who you are than the origin of a specific message. However, in the e-mail world, the IDs people are comfortable with, are e-mail addresses. S/MIME decided to prefer that form of ID for their application environment, and so it is appropriate for PKIX to support it. It is also an ID form supported in IPsec for individuals. This is just another case of folks in the Internet choosing to make use of an existing naming infrastructure, i.e., the DNS, than to build and rely upon a new one, e.g., X.500. This is an IETF WG, so this ought not be surprising! > It strikes me that nailing, cryptographically, information in a >certificate that may or may not get used could be a hinderance not a >benefit.. I'm in favor of not putting too many attributes into a cert; remember Steve's Rule of Revocation. But we're really talking about an alternate Subject name here, not an added piece of info. <corporate merger activity advertisement deleted> > It also strikes me that the last place I want my mail address is >in my certificate - as this will create and compound any archive and >rekey issues. Huh? If the e-mail address is the chosen name form, then learn to deal with it! <typical Alan text about X.500 as a panacea deleted> Steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id HAA17369 for ietf-pkix-bks; Tue, 6 Apr 1999 07:38:34 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id HAA17365 for <ietf-pkix@imc.org>; Tue, 6 Apr 1999 07:38:33 -0700 (PDT) Received: from [128.89.0.110] (COSMEC.BBN.COM [128.89.0.110]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id KAA28843; Tue, 6 Apr 1999 10:38:57 -0400 (EDT) Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="============_-1288712952==_ma============" X-Sender: kent@po1.bbn.com Message-Id: <v04020a02b32fc79aa347@[128.89.0.110]> In-Reply-To: <37095C98.C64BBB8F@netscape.com> References: <v04020a1ab32eee1684e5@[128.89.0.110]> Date: Tue, 6 Apr 1999 10:31:54 -0400 To: thayes@netscape.com From: Stephen Kent <kent@bbn.com> Subject: Re: Changes to RFC2459 Cc: ietf-pkix@imc.org Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> --============_-1288712952==_ma============ Content-Type: text/plain; charset="us-ascii" Terry, >Even in a v3 environment there still needs to be a process defined (possibly >involving user interaction) which approves the operation and defines other >operational parameters that will be associated with the CA. Just because the >certificate looks like a valid v3 CA doesn't me I will always believe it. I agree whole heartedly with this design principle when it applies to self-seigned (root) CA certs. I would not agree that user interaction is needed for subordinate CA certs. >> > >> However, since v3 certs are clearly identified as such, one could use a >> different algorithm for CA determination for v1 vs. v3 certs. I don't >> criticize Netscape for adopting the algorithm you have described prior to >> development of the PKIX standards, I also don't think that PKIX v3 cert >> standards should be constrained by existing implementations that could have >> been coded to distinguish v3 vs. v1 certs. > >I believe you are suggesting that an application SHOULD (MUST?) disallow >requests to install certificates as a CA if the certificate extensions do not >allow this use. This may be a good idea. However (to bring us back to the >original discussion on basicConstraints), if PKIX does not require a >basicConstraints extension in EE certs, then an application would have to rely >on the version field to tell whether v3 rules (policies?) should be applied. First, this is not always an application issue per se; it may be subsumed by an API for cert management. Second, other than "root CA" certs, there is not a notion of "installing" a cert in the cert chain validation algorithm, so I interpret your comments in that more narrow context. Third, I am suggesting that it is approrpiate for the cert processing software to first examine the version field prior to subsequent processing, something that I would consider generally good software design practice. Having examined the version field, then one might reasonably use different rules for determining CA vs. EE certs. >I'm not sure I've seen this use of the version field before. In >particular, if >basicConstraints would have been the only extension in the certificate, >section >4.1.2.1 says that the version field should be set to version 1. This would >kick in v1 processing rules (for compatibility reasons). To get the kind of >processing you want, the version would have to be set to version 3 even though >there are no extensions included in the certificate. I don't understand how you are interpreting section 4.1.2.1 of RFC 2459. The relevant text says: 4.1.2.1 Version This field describes the version of the encoded certificate. When extensions are used, as expected in this profile, use X.509 version 3 (value is 2). If no extensions are present, but a UniqueIdentifier is present, use version 2 (value is 1). If only basic fields are present, use version 1 (the value is omitted from the certificate as the default value). Are you confusing the term "basic fields" here with the "basicConstraints" extension? The former term refers only to the fields in a version 1 certificate. So, even if basicConstraints is the only extention present, the version number MUST be 3 to comply with 2459. >A better solution would be to include the basicConstraints extensions in EE >certificates. In that case, the application could reject these v3 >certificates >in CA management functions, while still supporting the v1 environment. Of >course the cost is extra room in the certificate to carry the extension data. I still fail to see why the algorithm I described fails to work if one uses EE vs. CA rules appropriate to the version type of the certificate, which is consistent with 2459. Steve --============_-1288712952==_ma============ Content-Type: text/enriched; charset="us-ascii" Terry, >Even in a v3 environment there still needs to be a process defined (possibly >involving user interaction) which approves the operation and defines other >operational parameters that will be associated with the CA. Just because the >certificate looks like a valid v3 CA doesn't me I will always believe it. I agree whole heartedly with this design principle when it applies to self-seigned (root) CA certs. I would not agree that user interaction is needed for subordinate CA certs. >> > >> However, since v3 certs are clearly identified as such, one could use a >> different algorithm for CA determination for v1 vs. v3 certs. I don't >> criticize Netscape for adopting the algorithm you have described prior to >> development of the PKIX standards, I also don't think that PKIX v3 cert >> standards should be constrained by existing implementations that could have >> been coded to distinguish v3 vs. v1 certs. > >I believe you are suggesting that an application SHOULD (MUST?) disallow >requests to install certificates as a CA if the certificate extensions do not >allow this use. This may be a good idea. However (to bring us back to the >original discussion on basicConstraints), if PKIX does not require a >basicConstraints extension in EE certs, then an application would have to rely >on the version field to tell whether v3 rules (policies?) should be applied. First, this is not always an application issue per se; it may be subsumed by an API for cert management. Second, other than "root CA" certs, there is not a notion of "installing" a cert in the cert chain validation algorithm, so I interpret your comments in that more narrow context. Third, I am suggesting that it is approrpiate for the cert processing software to first examine the version field prior to subsequent processing, something that I would consider generally good software design practice. Having examined the version field, then one might reasonably use different rules for determining CA vs. EE certs. >I'm not sure I've seen this use of the version field before. In particular, if >basicConstraints would have been the only extension in the certificate, section >4.1.2.1 says that the version field should be set to version 1. This would >kick in v1 processing rules (for compatibility reasons). To get the kind of >processing you want, the version would have to be set to version 3 even though >there are no extensions included in the certificate. I don't understand how you are interpreting section 4.1.2.1 of RFC 2459. The relevant text says: <fontfamily><param>Courier_New</param><bigger>4.1.2.1 Version This field describes the version of the encoded certificate. When extensions are used, as expected in this profile, use X.509 version 3 (value is 2). If no extensions are present, but a UniqueIdentifier is present, use version 2 (value is 1). If only basic fields are present, use version 1 (the value is omitted from the certificate as the default value). </bigger></fontfamily>Are you confusing the term "basic fields" here with the "basicConstraints" extension? The former term refers only to the fields in a version 1 certificate. So, even if basicConstraints is the only extention present, the version number MUST be 3 to comply with 2459. >A better solution would be to include the basicConstraints extensions in EE >certificates. In that case, the application could reject these v3 certificates >in CA management functions, while still supporting the v1 environment. Of >course the cost is extra room in the certificate to carry the extension data. I still fail to see why the algorithm I described fails to work if one uses EE vs. CA rules appropriate to the version type of the certificate, which is consistent with 2459. Steve --============_-1288712952==_ma============-- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id HAA17184 for ietf-pkix-bks; Tue, 6 Apr 1999 07:18:23 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id HAA17180 for <ietf-pkix@imc.org>; Tue, 6 Apr 1999 07:18:22 -0700 (PDT) Received: from [128.89.0.110] (COSMEC.BBN.COM [128.89.0.110]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id KAA18735; Tue, 6 Apr 1999 10:18:52 -0400 (EDT) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Sender: kent@po1.bbn.com Message-Id: <v04020a01b32fc6415235@[128.89.0.110]> In-Reply-To: <92335590224415@cs26.cs.auckland.ac.nz> Date: Tue, 6 Apr 1999 10:15:33 -0400 To: pgut001@cs.auckland.ac.nz From: Stephen Kent <kent@bbn.com> Subject: Re: Changes to RFC2459 Cc: ietf-pkix@imc.org Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Peter, >>If that's the argument, then we need to consider such a change based on at >>least these issues: >> >> - under what circumstances would an EE use a self-signed cert? note >> that PKIX always describes self-signed certs in the context of CAs, >> not of EEs. X.509 makes NO mention of self-signed certs > >Internal use within an organisation is quite popular. Give a J.Random Luser a >PKI toolkit and a "Get it going by the end of the week" and you'll end up with >self-signed certs everywhere ("We tried all the options, when we clicked on >this one everything started working. We're doing X.509, right?"). Good example. I imagine such behavior will/does occur, but that does not mean that our standards should encourage it via codification. >> - should PKIX change to accommodate current browser conventions that >> are still ambiguous with regard to strict adherence to X.509? > >I'd say we need to take current browser (and anything else) conventions into >account. Given the choice between working with existing implementations and >claiming compliance to a standard, I'd say the majority of implementors will >go with the former (I can't see too many implementors getting far telling >their boss that "It breaks/exhibits undefined behaviour with any web browser, >but it is compliant with <standard which boss has probably never heard >of>"). >For an example of this thinking in action, look at the use of the >email/rfc822Address in the DN vs the alt name - the major CA's are still >putting it in the DN for compatibility with legacy stuff even though RFC 2459 >says you're not supposed to do this (I've had a report that one major vendors >email software will crash when it finds a cert with the email address in the >alt name instead of the DN, moving it into the DN fixes the problem. >Needless >to say the people working with this have decided to go for compatibility >rather than compliance (and I had to hack my code to selectively transport >the >email address across furlongs of extensions into the DN where it's not even >supposed to be)). > >(Insert at this point the can-of-worms argument about "do we need to track > every broken implementation out there?" - this is why I've been trying to > document all the known problems in the style guide). There are legitimate, differing views of whether a standard should attempt to encompass existing practice of the sort you note, or should focus on what the standard developers believe is "the right thing to do." We have examples in the IETF of both sorts of standards. My preference is for the latter, and the authors of RFC 2459 have taken this path in several instances; you noted the name for for e-mail addresses above. This document went through WG and IETF last call, and IESG approval, before being published as an RFC. Thus, it's rather late in the process to be questioning this philosophical orientation. So far, I see no compelling reason to change our direction in this regard. Steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id EAA15685 for ietf-pkix-bks; Tue, 6 Apr 1999 04:35:15 -0700 (PDT) Received: from smtp.udac.net (smtp.udac.net [193.44.79.123]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id EAA15681 for <ietf-pkix@imc.org>; Tue, 6 Apr 1999 04:35:13 -0700 (PDT) Received: from caesar.udac.se (caesar.udac.se [193.44.79.10]) by smtp.udac.net (8.9.1/8.9.1) with ESMTP id NAA32700 for <ietf-pkix@imc.org>; Tue, 6 Apr 1999 13:35:41 +0200 Received: from HYDRA ([195.198.186.68]) by caesar.udac.se (8.7.3/NetworkC-1) with SMTP id NAA53640; Tue, 6 Apr 1999 13:35:36 +0200 Received: by HYDRA with Microsoft Mail id <01BE8032.61FE52D0@HYDRA>; Tue, 6 Apr 1999 13:35:49 +0200 Message-ID: <01BE8032.61FE52D0@HYDRA> From: Anders Rundgren <anders.rundgren@jaybis.com> To: "'ietf-pkix@imc.org'" <ietf-pkix@imc.org>, "'SEIS-List'" <list@seis.nc-forum.com> Subject: Spec. on QC-low-fat & QC-heavy-bio Date: Tue, 6 Apr 1999 13:35:47 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Hi on a considerably upgraded document (its predecessor has been floating around before in this list) available at: http://www.mobilephones-tng.com/papers/idcards.html you will hopefully find some interesting stuff on how you in a practical way can combine "low-fat" QCs with their absolute opposite, the "heavy" QCs with biometric information. Note that the solution does NOT depend on 1) Out-of-band handling of biometric data (like mail attachments) 2) Directories holding biometric data (with their associated privacy problems) 3) Cumbersome maintenance of local RP databases with biometric data. And it keeps privacy in the hands of the user. Where it should be. Note that the specification targets an open environment rather than the needs of an organizational PKI. This conceptual specification does not go into ASN.1 representations though. [constructive] Criticism is welcomed! Regards Anders Rundgren Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id DAA14382 for ietf-pkix-bks; Tue, 6 Apr 1999 03:21:17 -0700 (PDT) Received: from mail.student.auckland.ac.nz (mail.student.auckland.ac.nz [130.216.35.101]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id DAA14376 for <ietf-pkix@imc.org>; Tue, 6 Apr 1999 03:21:14 -0700 (PDT) Received: from cs26.cs.auckland.ac.nz (pgut001@cs26.cs.auckland.ac.nz [130.216.36.9]) by mail.student.auckland.ac.nz (8.8.6/8.8.6/cs-master) with SMTP id WAA03203; Tue, 6 Apr 1999 22:21:40 +1200 (NZST) (sender pgut001@cs.auckland.ac.nz) Received: by cs26.cs.auckland.ac.nz (relaymail v0.9) id <92339410003480>; Tue, 6 Apr 1999 22:21:40 (NZST) From: pgut001@cs.auckland.ac.nz (Peter Gutmann) To: ietf-pkix@imc.org, thayes@netscape.com Subject: Re: Changes to RFC2459 Reply-To: pgut001@cs.auckland.ac.nz X-Charge-To: pgut001 X-Authenticated: relaymail v0.9 on cs26.cs.auckland.ac.nz Date: Tue, 6 Apr 1999 22:21:40 (NZST) Message-ID: <92339410003480@cs26.cs.auckland.ac.nz> Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> [Slightly off-topic design philosophy comments follow] >Even in a v3 environment there still needs to be a process defined (possibly >involving user interaction) which approves the operation and defines other >operational parameters that will be associated with the CA. Just because the >certificate looks like a valid v3 CA doesn't me I will always believe it. I don't think this will work, because it assumes (and, in a worst-case situation, absolutely requires) that users know what they're doing. I've always tried to design things so that they'll still work right if used by a lobotomized flatworm, even if this means adding redundant or unnecessary information to data to help sort things out (eg basicConstraints in EE certs). For an example of where the "rely on user intervention" approach falls down, the users manual for a recently-deployed nontrivial (>100K users) project which uses certs and which will result in considerable pain to users if there are any problems, contains in the manual a section which says something like "You'll see some certificate warning dialogs pop up. Click OK to get rid of them" (to see why this is a problem, assume the text of the dialog says "Do you want to install a new certificate for 'Verisign Class 1 Public Primary Certification Authority'"). User education won't fix this. Even if you were to add the several pages of text needed to explain what a certification authority was and what the user was doing by clicking OK, virtually noone would read it (I suspect most of them won't even read the manual as it currently stands, they just see a box with an OK button and click it because that's what they've done 1000 times before when they were in a situation like that). Do any vendors actually perform any testing with lobotom^H^H^H^Husers? I know that companies like Microsoft go to some effort to test various aspects of their user interfaces with real users (rather than the UI designers or programmers) to make sure they get them just right, does anyone do this with PKI-related products? Peter. Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id AAA04679 for ietf-pkix-bks; Tue, 6 Apr 1999 00:22:47 -0700 (PDT) Received: from natasha1. (natasha-gw.checkpoint.com [199.203.73.129]) by mail.proper.com (8.8.8/8.8.5) with SMTP id AAA04675 for <ietf-pkix@imc.org>; Tue, 6 Apr 1999 00:22:42 -0700 (PDT) Received: from cale.checkpoint.com (gray.checkpoint.com [199.203.71.94]) by cale.checkpoint.com (8.9.1/8.9.1) with ESMTP id JAA00868; Tue, 6 Apr 1999 09:25:03 +0200 (IST) Message-ID: <3709B612.21C680C5@cale.checkpoint.com> Date: Tue, 06 Apr 1999 10:21:54 +0300 From: Moshe Litvin <moshe@cale.checkpoint.com> X-Mailer: Mozilla 4.51 [en] (WinNT; I) X-Accept-Language: en MIME-Version: 1.0 To: Stephen Kent <kent@bbn.com> CC: ietf-pkix@imc.org Subject: Re: Changes to RFC2459 References: <v04020a10b32ad27828c8@[128.89.0.110]> <v04020a0bb32ea83a186e@[128.89.0.110]> Content-Type: multipart/mixed; boundary="------------247E866470FBFC5D40208D74" Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This is a multi-part message in MIME format. --------------247E866470FBFC5D40208D74 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Steve, Stephen Kent wrote: > Moshe, > > >The problem is that the algorithm is actually: > > > >IF BasicConstraints PRESENT { > > IF BasicConstraints.cA is TRUE > > THEN certificate-is-ca > > ELSE certificate-is-ee > >} > >ELSE { > > IF issuing CA is fully PKIX compliant > > THEN certificate-is-ee > > ELSE undefind > >} > > > >We cannot eliminate the undefined decision(*) but we can create certificates > >that doesn't need that by encouraging CA to put a BasicConstraints that > >contains BasicConstraints.cA=FALSE (It is encoded as NULL but this is just > >encoding) rule). > > The test I defined applies equally well for X.509 compliant CAs as well as > PKIX compliant CAs, as I stated. How? X.509 compliant CA can issue a certificate without basicConstraints to end entity. In regards to this situation it says: If this extension is not present or is flagged non-critical and is not recognized by a certificate-using system, then that system should use other means to determine if the certified public key may be used to verify certificate signatures. Which is the "undefined" situation in my case. > Are you suggesting that we should change > PKIX to somewhow better accommodate CAs that don't comply with it? No. We should change PKIX such that PKIX CA will issue certificates that don't require out of bound information to know if they are CA certificates or not. > > > We can look at this from two perspectives: > > - first, we're in chanrge of PKIX standards, so of course we're > most interested in the situation where the CA is PKIX compliant. if you > assume otherwise, then there can be many ways in which processing will be > adversely affected. > - second, since X.509 does not require the presence of this > extension, but merely recommends its use for EE certs, your modification of > my simple test also is deficient. why not include clauses for X.509 > compliant CAs who do not elect to include the extension? Why my test includes it. It says that it can't reach a decision for those CA's. > > > If one changed both PKIX and X.509 to mandate inclusion of this extension > for both EE and CA certs, AND if all CAs were compliant with either > standard, then life would, indeed, be easier. But, if you use as an > example, the ambiguity that may arise from CAs that comply with neither > standard, why bother? > > Steve Totally removing the ambiguity is now almost impossible. But creating a certificate that contains no ambiguity is very easy and should be encouraged instead of discouraged. Moshe --------------247E866470FBFC5D40208D74 Content-Type: text/x-vcard; charset=us-ascii; name="moshe.vcf" Content-Transfer-Encoding: 7bit Content-Description: Card for Moshe Litvin Content-Disposition: attachment; filename="moshe.vcf" begin:vcard n:Litvin;Moshe tel;fax:+972 3 5759256 tel;work:+972 3 7534601 x-mozilla-html:TRUE org:Check Point Software Technologies Ltd. adr:;;;;;; version:2.1 email;internet:moshe@CheckPoint.com fn:Moshe Litvin end:vcard --------------247E866470FBFC5D40208D74-- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id UAA18147 for ietf-pkix-bks; Mon, 5 Apr 1999 20:16:10 -0700 (PDT) Received: from gmtsw.com (test.glassey.com [207.126.98.130] (may be forged)) by mail.proper.com (8.8.8/8.8.5) with SMTP id UAA18136 for <ietf-pkix@imc.org>; Mon, 5 Apr 1999 20:16:05 -0700 (PDT) Received: from brick by gmtsw.com (SMI-8.6/SMI-SVR4) id UAA15316; Mon, 5 Apr 1999 20:16:51 -0700 Message-ID: <00b201be7fdb$34877310$90bffad0@brick> From: "Todd S. Glassey" <Todd.Glassey@www.GMTsw.com> To: "Robert Zuccherato" <robert.zuccherato@entrust.com>, "IETF PKIX" <ietf-pkix@imc.org> Subject: Re: 3 Time Stamping issues Date: Mon, 5 Apr 1999 20:11:44 -0700 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> SNIP --- How about if I add the following text: When issuing an error response with PKIFailureInfo having value timeNotAvailable (14) then the TSA MAY place any random value in the tstTime field of TSTInfo. Upon receiving such an error response a client MUST not trust the time contained in the tstTime field. This seems like reasonable behaviour. --> Why Not force a Null Response? This way if the value of the tstTime is NULL then you know that there is an issue with the timesource... --> Todd Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id TAA16331 for ietf-pkix-bks; Mon, 5 Apr 1999 19:57:04 -0700 (PDT) Received: from dsg1.OpenDirectory.com.au ([203.108.249.145]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id TAA16322 for <ietf-pkix@imc.org>; Mon, 5 Apr 1999 19:56:57 -0700 (PDT) Received: by DSG1 with Internet Mail Service (5.0.1458.49) id <22ZNQLL0>; Tue, 6 Apr 1999 12:57:24 +1000 Message-ID: <D1A949D4508DD1119C8100400533BEDC0BE960@DSG1> From: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au> To: "'Stephen Kent'" <kent@bbn.com> Cc: "''ietf-pkix@imc.org ' '" <ietf-pkix@imc.org>, "''list@seis.nc-forum.com ' '" <list@seis.nc-forum.com> Subject: RE: Certificates, Directories, and Distinguished Names Date: Tue, 6 Apr 1999 12:57:23 +1000 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Some comments - > -----Original Message----- > From: Stephen Kent > Sent: Tuesday, April 06, 1999 3:49 AM > To: Alan Lloyd > Cc: ''ietf-pkix@imc.org ' '; ''list@seis.nc-forum.com ' ' > Subject: RE: Certificates, Directories, and Distinguished Names > > Alan, > > >My question was really aimed at the cert extensions subject - issuer > alt > >names.. I still dont understand what and why these are in the cert - > if > >its baggage for some obscure reason - then thats OK - but if its for > >validation process issues - then they have to be spelled out. And if > >they are just baggage, instead of making them "alt name forms"- why > not > >call then subject and issuer additional info or in fact just make > them > >cert ext directory attributes? > > > >We seem to have in these extensions, a lot of form without content. > > Alt names allow a PKI to use name forms most closely aligned to the > application context with which the certs will be used. That, by > itself, is > sufficient reason to provide them. > This can be agreed with or: Say I get a cert/key from Honest John cert co - and its recognised by a few dozen traveller kiosks around the country and toll plazas on freeways. When I use it from the car, the email address of the transaction is toll booth 23@ Tullamaine -free way. roads and when I go bush... another one day the email address is lost.traveller@kiosk10.inthebush.outback It strikes me that nailing, cryptographically, information in a certificate that may or may not get used could be a hinderance not a benefit.. As you are aware by now OpendDrectory - *(opendirectory.com) got bought by Platinum Technologies (platinum.com) who have justy been bought by CA (ca.com) -- so whats the key management issues eh! It also strikes me that the last place I want my mail address is in my certificate - as this will create and compound any archive and rekey issues. I just dont believe in making a certficate a replacement for directory entry (because the processes that use certificates dont have a directy service) - when the certficate was designed to work within the framework of processes that used directory services. Simply because - its the human/operational side that will have to deal with the issues - and companies - first and foremost want less operating costs and bigger systems. To date - few have able to explain a real benefit of these alt names - and even fewer have dealt with the dynamics of cert/key re issuance and archive because of these extra attributes and their implications with domain agile devices, working into multi domain business environments.. Oh well.. regards alan > Look at the messes created by shoe > horning DNS names into DNs in SSL certs, or e-mail addresses into DNs > in > S/MIME. We can't go back and change the Subject and Issuer to be > GeneralNames due to backward compatability constraints, so ... > > Steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id TAA12986 for ietf-pkix-bks; Mon, 5 Apr 1999 19:09:27 -0700 (PDT) Received: from stargate.zergo.com.au (root@stargate.zergo.com.au [203.2.208.130]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id TAA12973 for <ietf-pkix@imc.org>; Mon, 5 Apr 1999 19:09:17 -0700 (PDT) Received: from michaelz (dhcp-64.ws.zergo.com.au [192.168.72.64]) by stargate.zergo.com.au (8.9.1/8.8.7) with SMTP id MAA32156; Tue, 6 Apr 1999 12:08:10 +1000 Received: by localhost with Microsoft MAPI; Tue, 6 Apr 1999 12:08:24 +1000 Message-ID: <01BE8026.2B8435F0.mzolotarev@baltimore.com.au> From: Michael Zolotarev <mzolotarev@baltimore.com.au> Reply-To: "mzolotarev@baltimore.com.au" <mzolotarev@baltimore.com.au> To: "'Stephen Kent'" <kent@bbn.com>, Paul Koning <pkoning@xedia.com> Cc: "memcneil@got.net" <memcneil@got.net>, "ietf-pkix@imc.org" <ietf-pkix@imc.org>, "ietf-stime@stime.org" <ietf-stime@stime.org>, "'slaing@baltimore.com.au'" <slaing@baltimore.com.au>, "'ashellshear@baltimore.com.au'" <ashellshear@baltimore.com.au> Subject: RE: Time-stamp server. TimePrecision info Date: Tue, 6 Apr 1999 12:08:21 +1000 Organization: Baltimore Pty Ltd X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Thank you, Stephen. This looks like a very reasonable point. Just think about it - aren't we are getting carried away from the main purpose of Time Stamping? Which is, of course, TIME STAMPING. Which is to define a TTP to provide "a proof-of-existence of a message at an instant of time". Old good PKIX, non-repudiation, etc, etc Instead, what the discussion is now getting dragged into appears to have more to do with some kind of Real Time Mission Critical Globally Distributed Secure Ultimate Time Synchronization Service. Yes, there are a lot of requirements which fall under the umbrella of the abovementioned RTMCGDSUTSS :), and there are solutions for this. And today's mail can serve as an excellent reference point for anybody who would like to find out about that class of systems. And the issue may well worth its own discussion thread. But is it what has been originally set as a goal of Time Stamping? If the answer is Yes, then we should change dramatically our original pa radigm. My own coordinate system would definitely have to undergo major tuning up. Otherwise, should we concentrate on identifying the scope of the system, based on classical boring Use Case approach? Once we are clear on the scope of the system, we would be much better off thinking about TS Token, precision and other unarguably important issues. And of course, the fact that TSS may not happen to be exactly what NTP and other services are for, does not preclude borrowing solutions/approaches that are already out there. Michael Z Stephen wrote: >in a realtime system, it is not clear that the audit trails need >or could tolerate the overhead of signing every log entry. They might need >accurate local clocks for the logs, but do they need time stamps from >network accessible servers? Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id SAA11266 for ietf-pkix-bks; Mon, 5 Apr 1999 18:00:16 -0700 (PDT) Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id SAA11262 for <ietf-pkix@imc.org>; Mon, 5 Apr 1999 18:00:15 -0700 (PDT) Received: from tintin.mcom.com (tintin.mcom.com [205.217.233.42]) by netscape.com (8.8.5/8.8.5) with ESMTP id SAA23944 for <ietf-pkix@imc.org>; Mon, 5 Apr 1999 18:00:16 -0700 (PDT) Received: from netscape.com ([208.12.62.90]) by tintin.mcom.com (Netscape Messaging Server 4.03) with ESMTP id F9QTGT00.ABI; Mon, 5 Apr 1999 18:00:29 -0700 Message-ID: <37095C98.C64BBB8F@netscape.com> Date: Mon, 05 Apr 1999 18:00:08 -0700 From: thayes@netscape.com (Terry Hayes) Reply-To: thayes@netscape.com Organization: Netscape Communications, Inc. X-Mailer: Mozilla 4.5 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Stephen Kent <kent@bbn.com> CC: ietf-pkix@imc.org Subject: Re: Changes to RFC2459 References: <v04020a1ab32eee1684e5@[128.89.0.110]> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Stephen, A comment on your response, and an attempt to bring the discussion back to the basicConstraints issue. Stephen Kent wrote: > ... What you describe is an > algorithm, including user interaction, for declaring a cert to be that of a > CA in certain contexts, and subject to certain later processing constraints > (analogous to use of nameConstraints), all of which is understandable in a > pre-v3 environment. Even in a v3 environment there still needs to be a process defined (possibly involving user interaction) which approves the operation and defines other operational parameters that will be associated with the CA. Just because the certificate looks like a valid v3 CA doesn't me I will always believe it. > > However, since v3 certs are clearly identified as such, one could use a > different algorithm for CA determination for v1 vs. v3 certs. I don't > criticize Netscape for adopting the algorithm you have described prior to > development of the PKIX standards, I also don't think that PKIX v3 cert > standards should be constrained by existing implementations that could have > been coded to distinguish v3 vs. v1 certs. I believe you are suggesting that an application SHOULD (MUST?) disallow requests to install certificates as a CA if the certificate extensions do not allow this use. This may be a good idea. However (to bring us back to the original discussion on basicConstraints), if PKIX does not require a basicConstraints extension in EE certs, then an application would have to rely on the version field to tell whether v3 rules (policies?) should be applied. I'm not sure I've seen this use of the version field before. In particular, if basicConstraints would have been the only extension in the certificate, section 4.1.2.1 says that the version field should be set to version 1. This would kick in v1 processing rules (for compatibility reasons). To get the kind of processing you want, the version would have to be set to version 3 even though there are no extensions included in the certificate. A better solution would be to include the basicConstraints extensions in EE certificates. In that case, the application could reject these v3 certificates in CA management functions, while still supporting the v1 environment. Of course the cost is extra room in the certificate to carry the extension data. Terry Hayes thayes@netscape.com Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id QAA09684 for ietf-pkix-bks; Mon, 5 Apr 1999 16:44:38 -0700 (PDT) Received: from mail.student.auckland.ac.nz (mail.student.auckland.ac.nz [130.216.35.101]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id QAA09679 for <ietf-pkix@imc.org>; Mon, 5 Apr 1999 16:44:35 -0700 (PDT) Received: from cs26.cs.auckland.ac.nz (pgut001@cs26.cs.auckland.ac.nz [130.216.36.9]) by mail.student.auckland.ac.nz (8.8.6/8.8.6/cs-master) with SMTP id LAA23218; Tue, 6 Apr 1999 11:45:02 +1200 (NZST) (sender pgut001@cs.auckland.ac.nz) Received: by cs26.cs.auckland.ac.nz (relaymail v0.9) id <92335590224415>; Tue, 6 Apr 1999 11:45:02 (NZST) From: pgut001@cs.auckland.ac.nz (Peter Gutmann) To: ietf-pkix@imc.org, kent@bbn.com Subject: Re: Changes to RFC2459 Reply-To: pgut001@cs.auckland.ac.nz X-Charge-To: pgut001 X-Authenticated: relaymail v0.9 on cs26.cs.auckland.ac.nz Date: Tue, 6 Apr 1999 11:45:02 (NZST) Message-ID: <92335590224415@cs26.cs.auckland.ac.nz> Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Stephen Kent <kent@bbn.com> >If that's the argument, then we need to consider such a change based on at >least these issues: > > - under what circumstances would an EE use a self-signed cert? note > that PKIX always describes self-signed certs in the context of CAs, > not of EEs. X.509 makes NO mention of self-signed certs Internal use within an organisation is quite popular. Give a J.Random Luser a PKI toolkit and a "Get it going by the end of the week" and you'll end up with self-signed certs everywhere ("We tried all the options, when we clicked on this one everything started working. We're doing X.509, right?"). > - should PKIX change to accommodate current browser conventions that > are still ambiguous with regard to strict adherence to X.509? I'd say we need to take current browser (and anything else) conventions into account. Given the choice between working with existing implementations and claiming compliance to a standard, I'd say the majority of implementors will go with the former (I can't see too many implementors getting far telling their boss that "It breaks/exhibits undefined behaviour with any web browser, but it is compliant with <standard which boss has probably never heard of>"). For an example of this thinking in action, look at the use of the email/rfc822Address in the DN vs the alt name - the major CA's are still putting it in the DN for compatibility with legacy stuff even though RFC 2459 says you're not supposed to do this (I've had a report that one major vendors email software will crash when it finds a cert with the email address in the alt name instead of the DN, moving it into the DN fixes the problem. Needless to say the people working with this have decided to go for compatibility rather than compliance (and I had to hack my code to selectively transport the email address across furlongs of extensions into the DN where it's not even supposed to be)). (Insert at this point the can-of-worms argument about "do we need to track every broken implementation out there?" - this is why I've been trying to document all the known problems in the style guide). Peter. Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id QAA09179 for ietf-pkix-bks; Mon, 5 Apr 1999 16:05:44 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id QAA09175 for <ietf-pkix@imc.org>; Mon, 5 Apr 1999 16:05:43 -0700 (PDT) Received: from [128.89.0.110] (COSMEC.BBN.COM [128.89.0.110]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id TAA01178; Mon, 5 Apr 1999 19:06:13 -0400 (EDT) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Sender: kent@po1.bbn.com Message-Id: <v04020a1ab32eee1684e5@[128.89.0.110]> In-Reply-To: <37093A44.B92135E6@netscape.com> Date: Mon, 5 Apr 1999 19:02:20 -0400 To: thayes@netscape.com From: Stephen Kent <kent@bbn.com> Subject: Re: Changes to RFC2459 Cc: ietf-pkix@imc.org Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Terry, Thanks for the additional clarification. What you describe is an algorithm, including user interaction, for declaring a cert to be that of a CA in certain contexts, and subject to certain later processing constraints (analogous to use of nameConstraints), all of which is understandable in a pre-v3 environment. However, since v3 certs are clearly identified as such, one could use a different algorithm for CA determination for v1 vs. v3 certs. I don't criticize Netscape for adopting the algorithm you have described prior to development of the PKIX standards, I also don't think that PKIX v3 cert standards should be constrained by existing implementations that could have been coded to distinguish v3 vs. v1 certs. Steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id PAA08869 for ietf-pkix-bks; Mon, 5 Apr 1999 15:33:48 -0700 (PDT) Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id PAA08865 for <ietf-pkix@imc.org>; Mon, 5 Apr 1999 15:33:44 -0700 (PDT) Received: from tintin.mcom.com (tintin.mcom.com [205.217.233.42]) by netscape.com (8.8.5/8.8.5) with ESMTP id PAA10865 for <ietf-pkix@imc.org>; Mon, 5 Apr 1999 15:33:47 -0700 (PDT) Received: from netscape.com ([208.12.62.90]) by tintin.mcom.com (Netscape Messaging Server 4.03) with ESMTP id F9QMOP00.18F for <ietf-pkix@imc.org>; Mon, 5 Apr 1999 15:34:01 -0700 Message-ID: <37093A44.B92135E6@netscape.com> Date: Mon, 05 Apr 1999 15:33:40 -0700 From: thayes@netscape.com (Terry Hayes) Reply-To: thayes@netscape.com Organization: Netscape Communications, Inc. X-Mailer: Mozilla 4.5 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: Changes to RFC2459 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> I would like to restate Michael Sierchio's description of what defines a CA in Netscape's products. I would say that by installing the certificate in question, the user of the application is asserting that the certificate belongs to a CA. The MIME type "application/x-x509-ca-cert" begins the process of installing the CA, but it is up to the user to confirm that operation, and to set various trust (or policy) bits that are stored with the certificate. The installation operation allowed, whether the certificate is self-signed (a common case), or is a certificate issued by some other entity. The Netscape applications do not check extensions for these certificates, primarily for compatibility with older (V1-style) CA certificates. If the user does install what appears to be an EE certificate as a CA, Netscape applications will allow that "EE" to issue certificates. However these certificates will only work as part of a certificate chain that ends with this "EE-CA". The chain will never include the CA that issued the original EE certificate. The policies that apply to the chain will be those assigned by the user to the "EE-CA" certificate when it was installed. The same effect would have occurred if the "EE" had issued a self-signed certificate to itself, and the user had installed that instead. Certificates at middle levels of a certification chain are required to contain an indication that it is a CA. This can be done with the basicConstraints extension, or with private certificate type extensions which were defined and in-use to solve this problem before X.509 standard extensions were available. Terry Hayes thayes@netscape.com Michael Sierchio wrote: > Peter Gutmann wrote: > > > Both MSIE and Netscape treat self-signed certs without basicConstraits as > > CA's by default (in fact I don't know of any way to get them to *not* > > treat the cert owners as CA's). > > My impression is that, in the case of Netscape, it's the MIME type > that causes a cert to be treated as a CA: application/x-x509-ca-cert, > and not all of these are self-signed. Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id NAA07686 for ietf-pkix-bks; Mon, 5 Apr 1999 13:08:29 -0700 (PDT) Received: from popmail.inbox.se (popmail.inbox.se [193.12.72.101]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id NAA07682 for <ietf-pkix@imc.org>; Mon, 5 Apr 1999 13:08:27 -0700 (PDT) Received: from stefan2 (accurata.inbox.se [193.12.72.24]) by popmail.inbox.se (8.8.7/8.8.7) with SMTP id WAA22299 for <ietf-pkix@imc.org>; Mon, 5 Apr 1999 22:09:00 +0200 Message-Id: <3.0.32.19990405220940.00a9e890@mail.accurata.se> X-Sender: mb517@mail.accurata.se X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Mon, 05 Apr 1999 22:09:41 +0200 To: ietf-pkix@imc.org From: Stefan Santesson <stefan@accurata.se> Subject: EESSI - European Electronic Signature Standardization Initiative Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id NAA07683 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> For those interested in the progress in the field of electronic signature standardization in Europe, EESSI (European Electronic Standardization Initiative) have know opened their web site. Further EESSI have just released meeting minutes from their first Consultation meeting in Brussels, 24th February 1999. On this meeting IETF activities was presented by Denis Pinkas, and the PKIX Qualified Certificates work was presented by myself. The Qualified Certificates web site URL: http://www.accurata.se/QC/ has been updated with links to ESSI + meeting minutes. Look under "Related Information" : "ESSI". /Stefan ------------------------------------------------------------------- Stefan Santesson <stefan@accurata.se> Accurata Systemsäkerhet AB http://www.accurata.se Slagthuset Tel. +46-40 108588 211 20 Malmö Fax. +46-40 150790 Sweden Mobile +46-70 5247799 PGP fingerprint: 89BC 6C79 5B3D 591B 8547 1512 7D11 DBF4 528F 29A0 ------------------------------------------------------------------- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id MAA07448 for ietf-pkix-bks; Mon, 5 Apr 1999 12:44:26 -0700 (PDT) Received: from gatekeeper.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by mail.proper.com (8.8.8/8.8.5) with SMTP id MAA07444 for <ietf-pkix@imc.org>; Mon, 5 Apr 1999 12:44:22 -0700 (PDT) Received: id PAA03094; Mon, 5 Apr 1999 15:41:32 -0400 Received: by gateway id <G4CAZMRC>; Mon, 5 Apr 1999 15:43:51 -0400 Message-ID: <01E1D01C12D7D211AFC70090273D20B112BD70@sothmxs06> From: Robert Zuccherato <robert.zuccherato@entrust.com> To: "'Denis Pinkas'" <Denis.Pinkas@bull.net>, Robert Zuccherato <robert.zuccherato@entrust.com>, "'Santoni Adriano'" <santoni@sia.it> Cc: IETF-PXIX <ietf-pkix@imc.org> Subject: RE: 3 Time Stamping issues Date: Mon, 5 Apr 1999 15:37:59 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id MAA07445 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Adriano; How about if I add the following text: When issuing an error response with PKIFailureInfo having value timeNotAvailable (14) then the TSA MAY place any random value in the tstTime field of TSTInfo. Upon receiving such an error response a client MUST not trust the time contained in the tstTime field. This seems like reasonable behaviour. Robert. > ---------- > From: Santoni Adriano[SMTP:santoni@sia.it] > Sent: Friday, April 02, 1999 4:35 AM > To: 'Denis Pinkas'; 'Robert Zuccherato' > Cc: IETF-PXIX > Subject: R: 3 Time Stamping issues > > I have a different doubt about the protocol: > > the TSTInfo structure includes a status field with PKIStatusInfo syntax. I > understand that the TSA could signal to the requestor (ie the client) the > unavailability of a time source by using the valure 15 (tdaNotAvailable) > for > the failInfo field (with syntax PKIFailureInfo) of the TSTInfo status > field. > However, if the TSA has no reliable time source available, it should not > issue a time value at all, right? Nontheless, the tstTime field of the > TSTInfo structure is not OPTIONAL. So, it must carry some value, somehow. > > The question, then, is: what time value should be put in the (mandatory) > tstTime field when the TSA signals an error? > > The same reasoning applies to other error condition which (should) prevent > the TSA from issuing a time indication. > > Adriano > > > -----Messaggio originale----- > > Da: Denis Pinkas [SMTP:Denis.Pinkas@bull.net] > > Inviato: giovedì 1 aprile 1999 17.59 > > A: IETF-PXIX > > Oggetto: 3 Time Stamping issues > > > > Since I am a co-editor of the Time Stamping document, I would like > > to give my opinion on the various issues raised on the mailing list. > > > > 1. There has been a suggestion to possibly improve the resolution to > > microseconds from milliseconds. > > > > Since the delay in the transmission is at least in the millisecond > > order, having something more precise would give a false degree of > > precision. I would not go under the millisesond. > > > > 2. There has been a suggestion to possibly add a precision field. > > > > I do not think this is absolutely necessary. So I am not supportive > > of it since the policy can handle this. > > > > 3. There has been a suggestion to possibly add a message information > > field. > > > > I have arguments *against* this idea. I would realy like to keep the > > TSA as much ignorant as possible of the purpose of the Time > > Stamping. If we add that information, the TSA could know "Invoice > > from Alpha company to Delta company". Is > > this way the TSA could learn that the Delta company is doing > > commerce with the Delta company. This may that be a nice point to > > spy. So I am against the inclusion of that aditional information. > > > > However, ... I understand the concern of the linkeage and I would > > propose an alternative: > > > > Defining a Time Stamping Token (TST) that would be able to include > > that information. Basically the TST would be the concatenation of > > the "message information field" and of the signed portion of the > > information received. The TST would be constructed locally instead > > of being fully constructed by the TSA. We could define its structure > > in a normative annex. > > > > Regards, > > > > Denis > Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id LAA03440 for ietf-pkix-bks; Mon, 5 Apr 1999 11:06:49 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id LAA03435 for <ietf-pkix@imc.org>; Mon, 5 Apr 1999 11:06:48 -0700 (PDT) Received: from [128.89.0.110] (COSMEC.BBN.COM [128.89.0.110]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id OAA29364; Mon, 5 Apr 1999 14:06:57 -0400 (EDT) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Sender: kent@po1.bbn.com Message-Id: <v04020a0bb32ea83a186e@[128.89.0.110]> In-Reply-To: <37085ABE.2BC09087@cale.checkpoint.com> References: <v04020a10b32ad27828c8@[128.89.0.110]> Date: Mon, 5 Apr 1999 14:00:37 -0400 To: Moshe Litvin <moshe@cale.checkpoint.com> From: Stephen Kent <kent@bbn.com> Subject: Re: Changes to RFC2459 Cc: ietf-pkix@imc.org Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Moshe, >The problem is that the algorithm is actually: > >IF BasicConstraints PRESENT { > IF BasicConstraints.cA is TRUE > THEN certificate-is-ca > ELSE certificate-is-ee >} >ELSE { > IF issuing CA is fully PKIX compliant > THEN certificate-is-ee > ELSE undefind >} > >We cannot eliminate the undefined decision(*) but we can create certificates >that doesn't need that by encouraging CA to put a BasicConstraints that >contains BasicConstraints.cA=FALSE (It is encoded as NULL but this is just >encoding) rule). The test I defined applies equally well for X.509 compliant CAs as well as PKIX compliant CAs, as I stated. Are you suggesting that we should change PKIX to somewhow better accommodate CAs that don't comply with it? We can look at this from two perspectives: - first, we're in chanrge of PKIX standards, so of course we're most interested in the situation where the CA is PKIX compliant. if you assume otherwise, then there can be many ways in which processing will be adversely affected. - second, since X.509 does not require the presence of this extension, but merely recommends its use for EE certs, your modification of my simple test also is deficient. why not include clauses for X.509 compliant CAs who do not elect to include the extension? If one changed both PKIX and X.509 to mandate inclusion of this extension for both EE and CA certs, AND if all CAs were compliant with either standard, then life would, indeed, be easier. But, if you use as an example, the ambiguity that may arise from CAs that comply with neither standard, why bother? Steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id KAA02609 for ietf-pkix-bks; Mon, 5 Apr 1999 10:48:38 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id KAA02605 for <ietf-pkix@imc.org>; Mon, 5 Apr 1999 10:48:37 -0700 (PDT) Received: from [128.89.0.110] (COSMEC.BBN.COM [128.89.0.110]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id NAA22205; Mon, 5 Apr 1999 13:48:58 -0400 (EDT) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Sender: kent@po1.bbn.com Message-Id: <v04020a09b32ea76ce803@[128.89.0.110]> In-Reply-To: <D1A949D4508DD1119C8100400533BEDC0D7409@DSG1> Date: Mon, 5 Apr 1999 13:49:03 -0400 To: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au> From: Stephen Kent <kent@bbn.com> Subject: RE: Certificates, Directories, and Distinguished Names Cc: "''ietf-pkix@imc.org ' '" <ietf-pkix@imc.org>, "''list@seis.nc-forum.com ' '" <list@seis.nc-forum.com> Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Alan, >My question was really aimed at the cert extensions subject - issuer alt >names.. I still dont understand what and why these are in the cert - if >its baggage for some obscure reason - then thats OK - but if its for >validation process issues - then they have to be spelled out. And if >they are just baggage, instead of making them "alt name forms"- why not >call then subject and issuer additional info or in fact just make them >cert ext directory attributes? > >We seem to have in these extensions, a lot of form without content. Alt names allow a PKI to use name forms most closely aligned to the application context with which the certs will be used. That, by itself, is sufficient reason to provide them. Look at the messes created by shoe horning DNS names into DNs in SSL certs, or e-mail addresses into DNs in S/MIME. We can't go back and change the Subject and Issuer to be GeneralNames due to backward compatability constraints, so ... Steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id KAA02531 for ietf-pkix-bks; Mon, 5 Apr 1999 10:46:39 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id KAA02526 for <ietf-pkix@imc.org>; Mon, 5 Apr 1999 10:46:38 -0700 (PDT) Received: from [128.89.0.110] (COSMEC.BBN.COM [128.89.0.110]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id NAA20475; Mon, 5 Apr 1999 13:47:03 -0400 (EDT) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Sender: kent@po1.bbn.com Message-Id: <v04020a08b32ea3aa05e0@[128.89.0.110]> In-Reply-To: <3706392B.E6339FF5@got.net> References: <02a201be7cb2$dda47c80$c74bffd0@brick> <37047F95.A12730EF@bull.net> <v04020a08b32aa018521c@[128.89.0.110]> <199904021747.MAA05955@tonga.xedia.com> <v04020a12b32ad6da3056@[128.89.0.110]> <199904022052.PAA00608@tonga.xedia.com> Date: Mon, 5 Apr 1999 13:45:47 -0400 To: Michael McNeil <memcneil@got.net> From: Stephen Kent <kent@bbn.com> Subject: Re: Time-stamp server. TimePrecision info Cc: Paul Koning <pkoning@xedia.com>, ietf-pkix@imc.org, ietf-stime@stime.org Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Michael, <snip> >To answer your request for an example, Steve, I envision the widespread >timestamping of system and network events, which may need to be audited >in a post mortem following, say, a virus attack across many machines. >If timestamps support a fine grained time resolution, then even events >which propagate within and between systems at computer speeds might be >identified and placed in their proper chronological sequence. This identifies a need for distributed, perhaps secure, time servers, but not necessarily time stamp servers. <snip> >>If you make assumptions that may be warranted in *some* cases, such as >>roughly equal packet transit times each way, you can tighten this up >>some. > >A number of probes of the time server will allow refinement of the >average round-trip latency -- refining, once again, the estimated >_precision_ of the time. The timestamping server should then (I argue) >use this in stating the overall precision of the time in its timestamps. >The precision in timestamps must be kept in mind when comparing times >from two different (or even two timestamps from the same) time server. The time stamp server may serve a variety of folks, and the delays may well differ for each of them. Also, I'm confused by the suggestion that the server use feedback from the clients to provide more accurate estimates for the delays. The clients are not trusted to provide such info. With regard to the issue of providing syntax to represenet increased precision vs. our need for it at this time, I reiterate the comments made earlier, and in a recent message to Todd. I agree that it is tempting to provide room for additional precision, but I worry that the syntax may be abused in two ways: - leading users to believe there is more significance than the application context warrants - allowing some vendors to trumpet their ability to offer increased precision as an important differentiator, when the system context makes such differences moot. Steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id KAA02420 for ietf-pkix-bks; Mon, 5 Apr 1999 10:44:34 -0700 (PDT) Received: from relay7.UU.NET (relay7.UU.NET [192.48.96.17]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id KAA02416 for <ietf-pkix@imc.org>; Mon, 5 Apr 1999 10:44:33 -0700 (PDT) Received: from xedia.com by relay7.UU.NET with SMTP (peer crosschecked as: madway.xedia.com [198.202.232.199]) id QQgjqs29983; Mon, 5 Apr 1999 13:43:58 -0400 (EDT) Received: from tonga.xedia.com by xedia.com (4.1/SMI-4.1) id AA12088; Mon, 5 Apr 99 13:43:55 EDT Received: by tonga.xedia.com (SMI-8.6/SMI-SVR4) id NAA04385; Mon, 5 Apr 1999 13:43:56 -0400 Date: Mon, 5 Apr 1999 13:43:56 -0400 Message-Id: <199904051743.NAA04385@tonga.xedia.com> From: Paul Koning <pkoning@xedia.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: kent@bbn.com Cc: ietf-pkix@imc.org, ietf-stime@stime.org Subject: Re: Time-stamp server. TimePrecision info X-Mailer: VM 6.34 under 20.3 "Vatican City" XEmacs Lucid Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> >>>>> "Stephen" == Stephen Kent <kent@bbn.com> writes: Stephen> Paul, >> You can also apply the same sort of example to real time systems. >> Consider a distributed real time control system. Suppose >> something goes wrong, and after the fires are put out and the bits >> of concrete have been bulldozed away, people start picking through >> the logs trying to figure out what sequence of events made things >> blow up. You need fine grain timestamps so you can unambiguously >> follow the directed graph of cause and event. For real time >> systems, sub-millisecond timestamps are perfectly meaningful. Stephen> That's more of what I had in mind when I asked for a Stephen> concrete example. However, in a realtime system, it is not Stephen> clear that the audit trails need or could tolerate the Stephen> overhead of signing every log entry. They might need Stephen> accurate local clocks for the logs, but do they need time Stephen> stamps from network accessible servers? Quite possibly yes, since such analysis may end up being done in court. Whether the overhead is acceptable depends on how much is riding on it, and how big the overhead actually is. I'm suggesting that with modern hardware it's not that high and dropping fast. paul Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id KAA02132 for ietf-pkix-bks; Mon, 5 Apr 1999 10:38:04 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id KAA02127 for <ietf-pkix@imc.org>; Mon, 5 Apr 1999 10:38:01 -0700 (PDT) Received: from [128.89.0.110] (COSMEC.BBN.COM [128.89.0.110]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id NAA15731; Mon, 5 Apr 1999 13:37:24 -0400 (EDT) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Sender: kent@po1.bbn.com Message-Id: <v04020a07b32ea2e7d7db@[128.89.0.110]> In-Reply-To: <199904051417.KAA04240@tonga.xedia.com> References: <02a201be7cb2$dda47c80$c74bffd0@brick> <37047F95.A12730EF@bull.net> <v04020a08b32aa018521c@[128.89.0.110]> <199904021747.MAA05955@tonga.xedia.com> <v04020a12b32ad6da3056@[128.89.0.110]> <199904022052.PAA00608@tonga.xedia.com> <3706392B.E6339FF5@got.net> Date: Mon, 5 Apr 1999 13:29:58 -0400 To: Paul Koning <pkoning@xedia.com> From: Stephen Kent <kent@bbn.com> Subject: Re: Time-stamp server. TimePrecision info Cc: memcneil@got.net, ietf-pkix@imc.org, ietf-stime@stime.org Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Paul, >You can also apply the same sort of example to real time systems. >Consider a distributed real time control system. Suppose something >goes wrong, and after the fires are put out and the bits of concrete >have been bulldozed away, people start picking through the logs trying >to figure out what sequence of events made things blow up. You need >fine grain timestamps so you can unambiguously follow the directed >graph of cause and event. For real time systems, sub-millisecond >timestamps are perfectly meaningful. That's more of what I had in mind when I asked for a concrete example. However, in a realtime system, it is not clear that the audit trails need or could tolerate the overhead of signing every log entry. They might need accurate local clocks for the logs, but do they need time stamps from network accessible servers? Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id KAA01682 for ietf-pkix-bks; Mon, 5 Apr 1999 10:27:59 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id KAA01677 for <ietf-pkix@imc.org>; Mon, 5 Apr 1999 10:27:58 -0700 (PDT) Received: from [128.89.0.110] (COSMEC.BBN.COM [128.89.0.110]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id NAA11311; Mon, 5 Apr 1999 13:27:37 -0400 (EDT) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Sender: kent@po1.bbn.com Message-Id: <v04020a05b32e945b6c88@[128.89.0.110]> In-Reply-To: <92314646331939@cs26.cs.auckland.ac.nz> Date: Mon, 5 Apr 1999 13:26:03 -0400 To: pgut001@cs.auckland.ac.nz From: Stephen Kent <kent@bbn.com> Subject: Re: Changes to RFC2459 Cc: ietf-pkix@imc.org Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Peter, >Both MSIE and Netscape treat self-signed certs without basicConstraits as >CA's by default (in fact I don't know of any way to get them to *not* >treat the cert owners as CA's). > >MSIE: "You have been offered a new site certificate to place in your list > of trusted issuers..." >Netscape: "You are about to go through the process of accepting a > certificate authority..." > >Leaving out the basicConstraints makes the assumption that relying parties >are using PKIX-compliant software, and that the software will DTRT when it >finds one of these certs. I think this is leaving what could be a critical >security issue more or less to chance - all I need to do is find some >software which happens to not follow PKIX's implied behaviour and I can go >ahead and issue my own certs and let the entire world in the door. I thought the debate we are having was focused on the differences between compliance with X.509 and PKIX. Since neither standard REQUIRES inclusion of basic constraints for an EE, conformance to either standard does not completely solve the problem of the browser vendors having made the decision you cited, right? Is the concern that an EE might provide a self-signed cert to one of these browsers and have it interpreted as a CA vs. an EE cert? Obviously, since it is self-signed, an EE could elect to include a basic constraints extension with a CA flag if the intent is to deceive the browser user. So, is the argument, that PKIX should require an EE cert to have a NULL basic constraints extension so that an EE can be declared compliant with PKIX and still not cause these browsers to misinterpret a self-signed cert under these circumstances? If that's the argument, then we need to consider such a change based on at least these issues: - under what circumstances would an EE use a self-signed cert? note that PKIX always describes self-signed certs in the context of CAs, not of EEs. X.509 makes NO mention of self-signed certs - should PKIX change to accommodate current browser conventions that are still ambiguous with regard to strict adherence to X.509? Steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id JAA28333 for ietf-pkix-bks; Mon, 5 Apr 1999 09:16:56 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id JAA28328 for <ietf-pkix@imc.org>; Mon, 5 Apr 1999 09:16:55 -0700 (PDT) Received: from [128.89.0.110] (COSMEC.BBN.COM [128.89.0.110]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id MAA11740; Mon, 5 Apr 1999 12:17:24 -0400 (EDT) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Sender: kent@po1.bbn.com Message-Id: <v04020a04b32e924bbe30@[128.89.0.110]> In-Reply-To: <00d301be7d8e$68bff070$fa4bffd0@brick> Date: Mon, 5 Apr 1999 11:18:30 -0500 To: "Todd S. Glassey" <Todd.Glassey@www.GMTsw.com> From: Stephen Kent <kent@bbn.com> Subject: Re: Time-stamp server. TimePrecision info Cc: <ietf-pkix@imc.org> Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Todd, >Steven, A policy Anchor is exactly what it sounds like. A mechanism used to >anchor a point in the operational policy of some system making it >referencable. In PKIX we have certification policies and those are the policies that first come to mind when we engage in discussions in this standards arena. Your definition still does not allow me to relate your comment to the general PKIX activities. For CA policies, there is an element of time, since we make use of time to determine validity intervals for certs, timeliness for CRLs, etc. But none of these functions require time with the sort of precision that you were describing as critical. Please try again, Steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id JAA28325 for ietf-pkix-bks; Mon, 5 Apr 1999 09:16:54 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id JAA28321 for <ietf-pkix@imc.org>; Mon, 5 Apr 1999 09:16:53 -0700 (PDT) Received: from [128.89.0.110] (COSMEC.BBN.COM [128.89.0.110]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id MAA11729; Mon, 5 Apr 1999 12:17:22 -0400 (EDT) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Sender: kent@po1.bbn.com Message-Id: <v04020a03b32e90c762ef@[128.89.0.110]> In-Reply-To: <00b301be7d89$f763b190$fa4bffd0@brick> Date: Mon, 5 Apr 1999 11:15:58 -0500 To: "Todd S. Glassey" <Todd.Glassey@www.GMTsw.com> From: Stephen Kent <kent@bbn.com> Subject: Re: Time-stamp server. TimePrecision info Cc: <ietf-pkix@imc.org> Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Todd, >off the top of my head here are four > >#1) Telcom Backbone management systems, tightly coupled cluster systems >maker up what are now virtual switches. I work for a large telecom company, but I'll have to ask for more details here, as this doesn't yet make sense to me. >#2) Event Simulation and Decision Support Management Distributed simulation systems don't seem to need this, based on the work I've seen re DoD simulators. >#3) Precision control of mechancial processes, like operating a high head >water cam on a power plant or the like, or operating a vacume control >sputtering system for semiconductor processing. I see why these folks need precise time, but not time stamping. >#4) Market Trading and Control of trading processes. - Many systems are >now tightly coupled fault tolerant clusters and these systems need this >"ridiculous" level of precision in their timestamping since they are not >connected in the same way we usually connect together (lan/wan/man etc). Definately not true. Perhaps I was not specific enough in my request. I'd like to see examples where someone actually explains the need, not just cites a topic. And, as Roberto points out, we're PKIX and so our initial focus was motivated by the time scale that we use in certs and crls. We might refine this to support greater precision, but I am not inclined to do so based on what I have heard so far. What I dl NOT want to see is the creation of a standard with provision for very precise time stamps that some vendor uses to tout the superiority of his product vs. another due to increased precision, irrespective of the significance of the extra digits or the relevance to the applciation context. Steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id HAA23254 for ietf-pkix-bks; Mon, 5 Apr 1999 07:18:11 -0700 (PDT) Received: from relay5.UU.NET (relay5.UU.NET [192.48.96.15]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id HAA23249 for <ietf-pkix@imc.org>; Mon, 5 Apr 1999 07:18:10 -0700 (PDT) Received: from xedia.com by relay5.UU.NET with SMTP (peer crosschecked as: madway.xedia.com [198.202.232.199]) id QQgjqf09115; Mon, 5 Apr 1999 10:17:30 -0400 (EDT) Received: from tonga.xedia.com by xedia.com (4.1/SMI-4.1) id AA08371; Mon, 5 Apr 99 10:17:24 EDT Received: by tonga.xedia.com (SMI-8.6/SMI-SVR4) id KAA04240; Mon, 5 Apr 1999 10:17:25 -0400 Date: Mon, 5 Apr 1999 10:17:25 -0400 Message-Id: <199904051417.KAA04240@tonga.xedia.com> From: Paul Koning <pkoning@xedia.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: memcneil@got.net Cc: ietf-pkix@imc.org, ietf-stime@stime.org Subject: Re: Time-stamp server. TimePrecision info References: <02a201be7cb2$dda47c80$c74bffd0@brick> <37047F95.A12730EF@bull.net> <v04020a08b32aa018521c@[128.89.0.110]> <199904021747.MAA05955@tonga.xedia.com> <v04020a12b32ad6da3056@[128.89.0.110]> <199904022052.PAA00608@tonga.xedia.com> <3706392B.E6339FF5@got.net> X-Mailer: VM 6.34 under 20.3 "Vatican City" XEmacs Lucid Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> >>>>> "Michael" == Michael McNeil <memcneil@got.net> writes: Michael> To answer your request for an example, Steve, I envision the Michael> widespread timestamping of system and network events, which Michael> may need to be audited in a post mortem following, say, a Michael> virus attack across many machines. If timestamps support a Michael> fine grained time resolution, then even events which Michael> propagate within and between systems at computer speeds Michael> might be identified and placed in their proper chronological Michael> sequence. That's a nice example. It sounds like it describes a collection of general purpose systems. That somewhat limits the meaningful precision of the timestamps because of the sloppy schedulers used in such systems. You can also apply the same sort of example to real time systems. Consider a distributed real time control system. Suppose something goes wrong, and after the fires are put out and the bits of concrete have been bulldozed away, people start picking through the logs trying to figure out what sequence of events made things blow up. You need fine grain timestamps so you can unambiguously follow the directed graph of cause and event. For real time systems, sub-millisecond timestamps are perfectly meaningful. paul Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id WAA17121 for ietf-pkix-bks; Sun, 4 Apr 1999 22:47:22 -0700 (PDT) Received: from natasha1. (natasha-gw.checkpoint.com [199.203.73.129]) by mail.proper.com (8.8.8/8.8.5) with SMTP id WAA17117 for <ietf-pkix@imc.org>; Sun, 4 Apr 1999 22:47:19 -0700 (PDT) Received: from cale.checkpoint.com (gray.checkpoint.com [199.203.71.94]) by cale.checkpoint.com (8.9.1/8.9.1) with ESMTP id HAA14153; Mon, 5 Apr 1999 07:49:43 +0200 (IST) Message-ID: <37085C52.3C279E37@cale.checkpoint.com> Date: Mon, 05 Apr 1999 07:46:42 +0200 From: Moshe Litvin <moshe@cale.checkpoint.com> X-Mailer: Mozilla 4.51 [en] (WinNT; I) X-Accept-Language: en MIME-Version: 1.0 To: pgut001@cs.auckland.ac.nz CC: ietf-pkix@imc.org, kent@bbn.com Subject: Re: Changes to RFC2459 References: <92314646331939@cs26.cs.auckland.ac.nz> Content-Type: multipart/mixed; boundary="------------C000C69FA7FD056D0D29893A" Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This is a multi-part message in MIME format. --------------C000C69FA7FD056D0D29893A Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Peter Gutmann wrote: -- Snip -- > Leading to the following entry in the X.509 style guide: > > -- Snip -- > > PKIX > > PKIX requires that end entity certificates not have a basicConstraints > extension, which leaves the handling of the CA status of the certificate to > chance. Several popular applications treat these certificates as CA > certificates for backwards-compatibility with X.509v1 CA certificates which > didn't include basicConstraints, but in practice it's not really possible to > determine how these certificates will be treated. Because of this, it's not > possible to issue a PKIX-compliant end entity certificate and know how it'll > be treated once it's in circulation. > -- Snip -- Since PKIX allows end entity certificates with basicConstraints - it is only SHOULD NOT and not MUST NOT - it is possible to do it. Moshe --------------C000C69FA7FD056D0D29893A Content-Type: text/x-vcard; charset=us-ascii; name="moshe.vcf" Content-Transfer-Encoding: 7bit Content-Description: Card for Moshe Litvin Content-Disposition: attachment; filename="moshe.vcf" begin:vcard n:Litvin;Moshe tel;fax:+972 3 5759256 tel;work:+972 3 7534601 x-mozilla-html:TRUE org:Check Point Software Technologies Ltd. adr:;;;;;; version:2.1 email;internet:moshe@CheckPoint.com fn:Moshe Litvin end:vcard --------------C000C69FA7FD056D0D29893A-- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id WAA17010 for ietf-pkix-bks; Sun, 4 Apr 1999 22:40:41 -0700 (PDT) Received: from natasha1. (natasha-gw.checkpoint.com [199.203.73.129]) by mail.proper.com (8.8.8/8.8.5) with SMTP id WAA17006 for <ietf-pkix@imc.org>; Sun, 4 Apr 1999 22:40:38 -0700 (PDT) Received: from cale.checkpoint.com (gray.checkpoint.com [199.203.71.94]) by cale.checkpoint.com (8.9.1/8.9.1) with ESMTP id HAA13887; Mon, 5 Apr 1999 07:43:01 +0200 (IST) Message-ID: <37085ABE.2BC09087@cale.checkpoint.com> Date: Mon, 05 Apr 1999 07:39:58 +0200 From: Moshe Litvin <moshe@cale.checkpoint.com> X-Mailer: Mozilla 4.51 [en] (WinNT; I) X-Accept-Language: en MIME-Version: 1.0 To: Stephen Kent <kent@bbn.com> CC: ietf-pkix@imc.org Subject: Re: Changes to RFC2459 References: <v04020a10b32ad27828c8@[128.89.0.110]> Content-Type: multipart/mixed; boundary="------------361EB29BAA07A0846431C5A2" Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This is a multi-part message in MIME format. --------------361EB29BAA07A0846431C5A2 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Steve, The problem is that the algorithm is actually: IF BasicConstraints PRESENT { IF BasicConstraints.cA is TRUE THEN certificate-is-ca ELSE certificate-is-ee } ELSE { IF issuing CA is fully PKIX compliant THEN certificate-is-ee ELSE undefind } We cannot eliminate the undefined decision(*) but we can create certificates that doesn't need that by encouraging CA to put a BasicConstraints that contains BasicConstraints.cA=FALSE (It is encoded as NULL but this is just encoding) rule). Moshe (*) We can complicate the algorithm so it will use keyUsage and reduce the number of undefined answers but not eiliminate them. Stephen Kent wrote: > Jim & Moshe, > > I admit to being confused at this point. My reading of PKIX and X.509 > suggests the folowing simple test, (coded in Kent++): > > - IF BasicConstraints PRESENT AND > IF BasicConstraints.cA PRESENT > THEN certificate-is-ca > ELSE certificate-is-ee > ELSE certificate-is-ee > > This is consistent with PKIX, which calls for the extension to be present > and non-NULL for a CA cert, but recommends that it be absent for an EE > cert. It is consistent with X.509, which requires the extension to always > be present and non-null for a CA, but suggests that it be present and NULL > for an EE. X.509 also suggests that if the extension is not present, then > a system may choose to employ other means to determine if it is an EE or a > CA cert. But, in that case, you're back to looking at other fields ... > > What's the problem? > > Steve --------------361EB29BAA07A0846431C5A2 Content-Type: text/x-vcard; charset=us-ascii; name="moshe.vcf" Content-Transfer-Encoding: 7bit Content-Description: Card for Moshe Litvin Content-Disposition: attachment; filename="moshe.vcf" begin:vcard n:Litvin;Moshe tel;fax:+972 3 5759256 tel;work:+972 3 7534601 x-mozilla-html:TRUE org:Check Point Software Technologies Ltd. adr:;;;;;; version:2.1 email;internet:moshe@CheckPoint.com fn:Moshe Litvin end:vcard --------------361EB29BAA07A0846431C5A2-- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id SAA02884 for ietf-pkix-bks; Sun, 4 Apr 1999 18:14:13 -0700 (PDT) Received: from unknown (1Cust62.tnt1.atl2.da.uu.net [153.36.12.62]) by mail.proper.com (8.8.8/8.8.5) with SMTP id SAA02880 for <ietf-pkix@imc.org>; Sun, 4 Apr 1999 18:14:11 -0700 (PDT) From: remailer@replay.com Message-Id: <199904050114.SAA02880@mail.proper.com> To: <ietf-pkix@imc.org> Subject: toner sales advertising Date: Mon, 5 Apr 1999 05:51:18 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> BENCHMARK PRINT SUPPLY LASER PRINTER CARTRIDGES JUST FOR YOU AS WELL AS FAX AND COPIER TONER CHECK OUT THESE NEW PRINT CARTRIDGE PRICES : APPLE LASER WRITER PRO 600 OR 16/600 $69 LASER WRITER SELECT 300,310.360 $64 LASER WRITER 300, 320, 360 $54 LASER WRITER LS,NT,2NTX,2F,2G & 2SC $54 LASER WRITER 12/640 $79 HEWLETT PACKARD LASERJET SERIES 2,3 & 3D $49 LASERJET SERIES 2P AND 3P $54 LASERJET SERIES 3SI AND 4SI $75 LASERJET SERIES 4L AND 4P $49 LASERJET SERIES 4, 4M, 5, 5M $59 LASERJET SERIES 4000 HIGH YIELD $99 LASERJET SERIES 4V $95 LASERJET SERIES 5SI , 8000 $95 LASERJET SERIES 5L AND 6L $49 LASERJET SERIES 5P, 5MP, 6P, 6MP $59 LASERJET SERIES 5000 $89 HP LASERFAX LASERFAX 500, 700, FX1, $59 LASERFAX 5000, 7000, FX2, $59 LASERFAX FX3 $69 LASERFAX FX4 $79 LEXMARK OPTRA 4019, 4029 HIGH YIELD $135 OPTRA R, 4039, 4049 HIGH YIELD $135 OPTRA S 4059 HIGH YIELD $135 OPTRA E $59 OPTRA N $115 EPSON EPL-70000, 8000 $105 EPL-1000, 1500 $105 CANON LBP-430 $49 LBP-460, 465 $59 LBP-8 II $54 LBP-LX $54 LBP-MX $95 LBP-AX $49 LBP-EX $59 LBP-SX $49 LBP-BX $95 LBP-PX $49 LBP-WX $95 LBP-VX $59 CANON FAX L700 THRU L790 FX1 $59 CANONFAX L5000 L70000 FX2 $59 CANON COPIERS PC 20, 25 ETC.... $89 PC 3, 6RE, 7, 11 (A30) $69 PC 320 THRU 700 (E40) $89 NEC SERIES 2 LASER MODEL 95 $105 PLACE YOUR ORDER BY : PHONE 770-399-0953 FAX: 770-698-9700 E-MAIL: BPS111@EXCITE.COM WITH SUBJECTLINE: ORDER MAIL: 1091 REDSTONE LANE, ATLANTA GA 30338 MAKE SURE YOU INCLUDE THE FOLLOWING INFORMATION IN YOUR ORDER: 1) PHONE NUMBER 2) COMPANY NAME 3) SHIPPING ADDRESS 4) YOUR NAME 5) ITEMS NEEDED WITH QUANTITIES 6) METHOD OF PAYMENT. (COD OR CREDIT CARD) 7) CREDIT CARD NUMBER WITH EXPIRATION DATE WE SHIP UPS GROUND STANDARD. ADD $4.5 FOR SHIPPING AND HANDLING. FOR ORDER QUESTIONS CALL 770-399-0953 FOR CUSTOMER SERVICE 770-399-5505 FOR E-MAIL REMOVAL USE: BPS112@USA.NET OR CALL 770-399-5614 NOTE: OWNERS OF E-MAIL DOMAINS USED IN THIS MESSAGE, WETHER IN THE HEADER OR THE BODY OF THIS MESSAGE, ARE IN NO WAY ASSOCIATED WITH, PROMOTING, DISTRIBUTING OR ENDORSING ANY OF THE PRODUCTS ADVERTISED HEREIN AND ARE NOT LIABLE TO ANY CLAIMS THAT MAY ARISE THEREOF. Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id QAA02240 for ietf-pkix-bks; Sun, 4 Apr 1999 16:04:08 -0700 (PDT) Received: from dsg1.OpenDirectory.com.au ([203.108.249.145]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id QAA02236 for <ietf-pkix@imc.org>; Sun, 4 Apr 1999 16:03:46 -0700 (PDT) Received: by DSG1 with Internet Mail Service (5.0.1458.49) id <22ZNQL22>; Mon, 5 Apr 1999 09:03:57 +1000 Message-ID: <D1A949D4508DD1119C8100400533BEDC0D7409@DSG1> From: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au> To: "'Stephen Kent '" <kent@bbn.com> Cc: "''Bob Jueneman ' '" <BJUENEMAN@novell.com>, "''H.Kesterson@az05.bull.com ' '" <H.Kesterson@az05.bull.com>, "''ietf-pkix@imc.org ' '" <ietf-pkix@imc.org>, "''list@seis.nc-forum.com ' '" <list@seis.nc-forum.com> Subject: RE: Certificates, Directories, and Distinguished Names Date: Mon, 5 Apr 1999 09:03:56 +1000 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Thanks for that steve. I understand DNS names - I have a few :-) Its just that using this form of address (DNS) - just makes the PKI / CA concerned very limited (operationally) and bespoke. ie. one cannot ring the subject up in the event of errors - nor can one tie business rules or other info to them (as one can do with a directory service based system), one also must supply the EE cert with the transaction as one could scan the whole directory searching for dns type attrs.. small issues.. My question was really aimed at the cert extensions subject - issuer alt names.. I still dont understand what and why these are in the cert - if its baggage for some obscure reason - then thats OK - but if its for validation process issues - then they have to be spelled out. And if they are just baggage, instead of making them "alt name forms"- why not call then subject and issuer additional info or in fact just make them cert ext directory attributes? We seem to have in these extensions, a lot of form without content. regards alan ---------- From: Stephen Kent To: Alan Lloyd Cc: 'Bob Jueneman '; 'H.Kesterson@az05.bull.com '; 'ietf-pkix@imc.org '; 'list@seis.nc-forum.com ' Sent: 3/30/99 6:24:18 AM Subject: RE: Certificates, Directories, and Distinguished Names Alan, >I am not to sure what going to a DNS based name does does in terms of >process - eg. validation process or things that use certificates - can >someone please enlighten me. DNS names are often native to the applications, e.g., IPsec, SSL/TLS, and S/MIME, and thus it is preferable to make use of them as a more direct input to an access control decision. For example, browsers using SSL usually match the URL against a DNS name crudely encoded as a common name. It would be preferable (as 2459 points out) if the encoding were direct, rather than kludged in this fashion. Also, there are standards for storing certs in the DNS, which might allow one to take advantage of a very large, deployed repository infrastructure in the Internet. >ie. if there are problems with Issuer DN (ie its an SMTP address in the >extensions) and I am in the process of path validation - do I mail the >Issuer with something? That's not the motivation for use of DNS names here. >What about CRLs - are they attached to these DNS indexed things. Yes, there are provisions for storing CRLs, as well as certs, in DNS. >I understand that AIAs are useful as they deal with explicit a cert >based function such as OCSP. >I just dont understand the process (that must be related to the >certficate) if DNS type names are used for issuers, etc. If a DNS name is used exclusively, we restrict it to the subject field for an end entity certificate. Otherwise a DN must be present in the Issuer and/or Subject fields. >In addition - if one mixed name forms in a cert path - the process rules >can get messy. eg mail here, ldap there, OCSP over there, etc As noted above, the simple case is to use DNS names only for end entities. Steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id KAA26241 for ietf-pkix-bks; Sat, 3 Apr 1999 10:13:36 -0800 (PST) Received: from always.got.net (root@always.got.net [207.111.232.11]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id KAA26237 for <ietf-pkix@imc.org>; Sat, 3 Apr 1999 10:13:35 -0800 (PST) Received: from got.net (SC-219.got.net [209.66.101.219]) by always.got.net (8.8.8/8.8.7/Debian/GNU) with ESMTP id KAA09410; Sat, 3 Apr 1999 10:13:52 -0800 Message-ID: <37065A4F.F1B547E0@got.net> Date: Sat, 03 Apr 1999 10:13:35 -0800 From: Michael McNeil <memcneil@got.net> Organization: GMT X-Mailer: Mozilla 4.51 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Paul Koning <pkoning@xedia.com> CC: ietf-pkix@imc.org, ietf-stime@stime.org Subject: Re: Time-stamp server. TimePrecision info References: <01BE7C69.6AB798E0.mzolotarev@baltimore.com.au> <37039EFD.2F356055@got.net> <199904011644.LAA04231@tonga.xedia.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> My comments below. >>Michael> == Michael McNeil <memcneil@got.net> writes: >>Michael> A desirable solution ought to both maintain strict >>Michael> monotonicity over leap seconds (without complicated >>Michael> manipulations if possible) as well as not hinder comparisons >>Michael> down to the fractional seconds, should that be desired. Paul Koning wrote: >Agreed. But if by comparison you mean the operators <, =, and >, then >what I described (which is what's in the current draft, once you make >it clear that the ss field has 60 as a legal value) works. I quite agree that for simple greater than comparisons, this method works. However, determining earlier-later than relationships are not (only) what I'm talking about. I believe it's desirable to be able to compare timestamps for the exact time difference (in seconds + fraction) between them, without convoluted computations and reference to tables. The method I described (storing away leap seconds) accomplishes this. Clearly, pegging specific timestamp times to the particular day, hour, etc., that they took place in requires conversion to calendric formats. The question is, which source format the time should be stored away in in the timestamp. I suggest a pure seconds count makes sense for this. Utility programs will be on hand to do what conversions are necessary. >A strcmp operation on time strings in GeneralizedTime format yields >the correct answer for all cases including leap seconds. It's pretty >clear why that is so: the characters in that string are in descending >order of significance reading left to right... Agreed. >As I mentioned elsewhere, whether conversion to this format requires >you to know about leap seconds depends on what you start from. If you >start from NTP format then I believe it does not. In any case, that's >an internal matter. When comparing two NTP times (which are purely UTC and ignore leap seconds), one first has ambiguity if the indicated UTC time happens to be left adjacent to a leap second. Second, one must refer to external tables of historic leap seconds to correctly place a leap second (or more) between two indicated dates. If the count of leap seconds is stored away in the timestamp along with the UTC time for that moment, computing the difference between any two timestamp times becomes quite simple, and any ambiguity in the vicinity of leap seconds is eliminated. >paul -- Michael McNeil memcneil@got.net Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id JAA25985 for ietf-pkix-bks; Sat, 3 Apr 1999 09:30:34 -0800 (PST) Received: from lux.tenebras.com (dnai-207-181-255-76.dialup.dnai.com [207.181.255.76]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id JAA25981 for <ietf-pkix@imc.org>; Sat, 3 Apr 1999 09:30:32 -0800 (PST) Received: from dnai.com (windoze [192.168.100.122]) by lux.tenebras.com (8.8.8/8.8.8) with ESMTP id JAA08514; Sat, 3 Apr 1999 09:30:18 -0800 (PST) (envelope-from kudzu@dnai.com) Message-ID: <37065019.C5A13A67@dnai.com> Date: Sat, 03 Apr 1999 09:30:01 -0800 From: Michael Sierchio <kudzu@dnai.com> Reply-To: kudzu@dnai.com Organization: Oversized Metaphysics X-Mailer: Mozilla 4.51 [en] (Win95; U) X-Accept-Language: en MIME-Version: 1.0 To: pgut001@cs.auckland.ac.nz CC: ietf-pkix@imc.org, kent@bbn.com Subject: Re: Changes to RFC2459 References: <92314646331939@cs26.cs.auckland.ac.nz> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Peter Gutmann wrote: > Both MSIE and Netscape treat self-signed certs without basicConstraits as > CA's by default (in fact I don't know of any way to get them to *not* > treat the cert owners as CA's). My impression is that, in the case of Netscape, it's the MIME type that causes a cert to be treated as a CA: application/x-x509-ca-cert, and not all of these are self-signed. Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id HAA25391 for ietf-pkix-bks; Sat, 3 Apr 1999 07:52:19 -0800 (PST) Received: from always.got.net (root@always.got.net [207.111.232.11]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id HAA25387 for <ietf-pkix@imc.org>; Sat, 3 Apr 1999 07:52:18 -0800 (PST) Received: from got.net (SC-219.got.net [209.66.101.219]) by always.got.net (8.8.8/8.8.7/Debian/GNU) with ESMTP id HAA19155; Sat, 3 Apr 1999 07:52:27 -0800 Message-ID: <3706392B.E6339FF5@got.net> Date: Sat, 03 Apr 1999 07:52:11 -0800 From: Michael McNeil <memcneil@got.net> Organization: GMT X-Mailer: Mozilla 4.51 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Paul Koning <pkoning@xedia.com> CC: kent@bbn.com, ietf-pkix@imc.org, ietf-stime@stime.org Subject: Re: Time-stamp server. TimePrecision info References: <02a201be7cb2$dda47c80$c74bffd0@brick> <37047F95.A12730EF@bull.net> <v04020a08b32aa018521c@[128.89.0.110]> <199904021747.MAA05955@tonga.xedia.com> <v04020a12b32ad6da3056@[128.89.0.110]> <199904022052.PAA00608@tonga.xedia.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> My comments below. >>Stephen> == Stephen Kent <kent@bbn.com> writes: >>>"Paul> == Paul Koning <pkoning@xedia.com> writes: >>>>> Paul, Denis and Todd, Do we agree that the timestamp >>>>> represents the point at which a signature was applied, >>>>> independent of transmission delays and signing speed? >>>Paul> It seems to me it can only possibly mean one thing: it is the >>>Paul> time when the clock was read. :-) That time is later than the >>>Paul> generation of the request and earlier than the generation of >>>Paul> the signature. >>Stephen> A concise definition, but I think an unsatisfying one. If >>Stephen> the goal is to compare time stamps from two servers who have >>Stephen> very pricesly synchronized clocks, as you note is easy to do >>Stephen> with GPS, then internal processing delays at each server >>Stephen> seem likely to vary so much that very fine grained time >>Stephen> stamps cease being maeningful in many applications. That's >>Stephen> even before asking about network delays. So, I'm back to >>Stephen> the last part of my previous message. Give us some examples >>Stephen> where very fine grained time stamps from different >>Stephen> (synchronized) servers are meaningful. That's why every server's timestamps should include a precision field, where these factors are taken into account in declaring how many bits of the time data are significant. This is basic scientific notation -- one includes a statement of the precision to which the data are significant. To answer your request for an example, Steve, I envision the widespread timestamping of system and network events, which may need to be audited in a post mortem following, say, a virus attack across many machines. If timestamps support a fine grained time resolution, then even events which propagate within and between systems at computer speeds might be identified and placed in their proper chronological sequence. I say don't restrict timestamps to supporting only electronic analogues of yesterday's paper processes (timestamping contracts, patents, etc.). It will be necessary to follow events operating at computer speeds. The potential (not mandatory!) resolution of timestamps should reflect this. Paul Koning wrote: >I suppose the definition I gave isn't terribly nourishing but it is, I >think, the only possible honest one. I suppose the question is "how >does that relate to externally visible events?" That's easy to answer >but only in terms of bounds and ranges of values. > >Suppose I issue a request to a time stamp server at (local) time T1, >and get a reply at time T2. The reply contains a timestamp S and an >error bound (precision, tolerance, whatever you call it) E. > >So we know that the actual time S +/- E occurred sometime between T1 >and T2 (with the assumption that both S and E are correctly >supplied). In other words, T1 < S + E and T2 > S - E (and, of course, >T1 < T2). And that's all you know for certain. > >If you make assumptions that may be warranted in *some* cases, such as >roughly equal packet transit times each way, you can tighten this up >some. A number of probes of the time server will allow refinement of the average round-trip latency -- refining, once again, the estimated _precision_ of the time. The timestamping server should then (I argue) use this in stating the overall precision of the time in its timestamps. The precision in timestamps must be kept in mind when comparing times from two different (or even two timestamps from the same) time server. This goes way beyond whether a microseconds or milliseconds field is supported within timestamps. Conceivably a timestamping server's time might be off by seconds, perhaps many of them. It could still issue effective timestamps if it properly identifies how precise the time is. >Incidentally, this is very reminiscent of how you analyze time >synchronization protocols (not surprisingly). Viewing things in terms >of intervals is an approach you can find in the DEC Time Service >protocol spec; NTP borrowed some of that judging by notes in RFC >1305. > >As for examples where fine grained time stamps are meaningful... > >You can get time ticks accurate to a fraction of a microsecond today. >Real-time kernels can offer thread response times in the 10s of >microseconds or better (e.g., RT-Linux). High end point to point >datalinks running at moderate utilization (e.g., full duplex 100BaseT) >can provide latencies way below a millisecond for moderate size >packets. And digital signature hardware can do decent size signatures >in a millisecond or two. > >So millisecond-accuracy timestamps from sets of servers can clearly be >meaningful today in some topologies, and sub-millisecond soon. > >Does that mean that it makes sense from me to request sub-millisecond >resolution timestamps from ACME Timestamp Service, across the global >Internet, from my Win95 laptop? No, but not all applications are like >that. If you have a real-time environment in a well-designed LAN >setting, fine grained timestamps are quite meaningful. And, if you >want fine resolution time stamps for your real time process logs, >useful too. I quite agree. To my mind, some statements made in this discussion suggesting there should be no microseconds or even milliseconds field for time within timestamps are akin to suggestions that our numbering system shouldn't contain a micro-th or pico-th digit. Just because it's possible in our numbering system to express a number down to the _nano_ level, say, doesn't mean anyone warrants that any particular number is meaningful down to that level. Instead, one identifies the degree to which digits of the number are meaningful (with a + or - notation, say). Let's not forget and have to relearn notational lessons which scientists and (non-software) engineers have long since had -- in self defense -- to burn into their brain cells. Let's also not create new "millennium" problems where we might easily initially allow a wide enough field. Especially, let's get off this idea that any number of bits of allowed width for the time representation implies that is what's intended to be meaningful. In my view, NTP many years ago did it about right (for at least the short-term foreseeable future) in allowing specification of fractional time down to 2^(-32) second -- about 20% of a nanosecond. I doubt that, even today, any time server approaches this resolution; but the fact that the field width is set at this fine-grained level allows any server to get as close as it possibly can. And by NTP's identifying how close (precise) it is, one knows what bits to trust. I also like NTP's suggestion that bits beyond the limit of meaningful precision in the fractional representation be filled in not with 0 but by a random pattern. This allows, for example, a client to identify its echoed-back submitted time in the server's signed response as uniquely its own most recent request (even when its own time precision is no better than a second, say), helping defeat replay attacks and the like. I suggest two possibilities: 1) use the NTP time format for seconds and fractional seconds. Or, 2) specify a nanoseconds subfield for the time representation format in timestamps -- don't stop with microseconds. As an equally important requirement, include a statement of precision whose format should cover the range from many seconds down to the nanosecond. -- Michael McNeil memcneil@got.net Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id FAA24140 for ietf-pkix-bks; Sat, 3 Apr 1999 05:34:09 -0800 (PST) Received: from mail.student.auckland.ac.nz (mail.student.auckland.ac.nz [130.216.35.101]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id FAA24136 for <ietf-pkix@imc.org>; Sat, 3 Apr 1999 05:34:06 -0800 (PST) Received: from cs26.cs.auckland.ac.nz (pgut001@cs26.cs.auckland.ac.nz [130.216.36.9]) by mail.student.auckland.ac.nz (8.8.6/8.8.6/cs-master) with SMTP id BAA18696; Sun, 4 Apr 1999 01:34:24 +1200 (NZST) (sender pgut001@cs.auckland.ac.nz) Received: by cs26.cs.auckland.ac.nz (relaymail v0.9) id <92314646331939>; Sun, 4 Apr 1999 01:34:23 (NZST) From: pgut001@cs.auckland.ac.nz (Peter Gutmann) To: ietf-pkix@imc.org, kent@bbn.com Subject: Re: Changes to RFC2459 Reply-To: pgut001@cs.auckland.ac.nz X-Charge-To: pgut001 X-Authenticated: relaymail v0.9 on cs26.cs.auckland.ac.nz Date: Sun, 4 Apr 1999 01:34:23 (NZST) Message-ID: <92314646331939@cs26.cs.auckland.ac.nz> Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Stephen Kent <kent@bbn.com> >This is consistent with PKIX, which calls for the extension to be present and >non-NULL for a CA cert, but recommends that it be absent for an EE cert. It >is consistent with X.509, which requires the extension to always be present and >non-null for a CA, but suggests that it be present and NULL for an EE. X.509 >also suggests that if the extension is not present, then a system may choose >to employ other means to determine if it is an EE or a CA cert. But, in that >case, you're back to looking at other fields ... > >What's the problem? We went through this whole thing less than six months ago. Here's what I posted the last time this came round: -- Snip -- Both MSIE and Netscape treat self-signed certs without basicConstraits as CA's by default (in fact I don't know of any way to get them to *not* treat the cert owners as CA's). MSIE: "You have been offered a new site certificate to place in your list of trusted issuers..." Netscape: "You are about to go through the process of accepting a certificate authority..." Leaving out the basicConstraints makes the assumption that relying parties are using PKIX-compliant software, and that the software will DTRT when it finds one of these certs. I think this is leaving what could be a critical security issue more or less to chance - all I need to do is find some software which happens to not follow PKIX's implied behaviour and I can go ahead and issue my own certs and let the entire world in the door. -- Snip -- Leading to the following entry in the X.509 style guide: -- Snip -- PKIX PKIX requires that end entity certificates not have a basicConstraints extension, which leaves the handling of the CA status of the certificate to chance. Several popular applications treat these certificates as CA certificates for backwards-compatibility with X.509v1 CA certificates which didn't include basicConstraints, but in practice it's not really possible to determine how these certificates will be treated. Because of this, it's not possible to issue a PKIX-compliant end entity certificate and know how it'll be treated once it's in circulation. One use for this feature is that it may be used as a cryptographically strong random number generator. For each crypto key an application would issue 128 basicConstraint-less certificates, hand them out to different implementations/users, and use their CA/non-CA interpretation as one bit of a session key. This should yield close to 128 bits of pure entropy in each key. -- Snip -- Peter. Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id VAA07849 for ietf-pkix-bks; Fri, 2 Apr 1999 21:03:15 -0800 (PST) Received: from gmtsw.com (test.glassey.com [207.126.98.130] (may be forged)) by mail.proper.com (8.8.8/8.8.5) with SMTP id VAA07843 for <ietf-pkix@imc.org>; Fri, 2 Apr 1999 21:03:14 -0800 (PST) Received: from brick by gmtsw.com (SMI-8.6/SMI-SVR4) id VAA13213; Fri, 2 Apr 1999 21:03:37 -0800 Message-ID: <00d401be7d8e$ac950d30$fa4bffd0@brick> From: "Todd S. Glassey" <Todd.Glassey@www.GMTsw.com> To: "Robert Zuccherato" <robert.zuccherato@entrust.com>, "Denis Pinkas" <Denis.Pinkas@bull.net>, "'Todd S. Glassey'" <Todd.Glassey@www.GMTsw.com> Cc: <PHalliden@zergo.com>, "'Paul Koning'" <pkoning@xedia.com>, <ietf-pkix@imc.org>, "Mike King" <Mike.King@www.GMTsw.com> Subject: Re: Time-stamp server. TimePrecision info Date: Fri, 2 Apr 1999 20:58:52 -0800 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Robert - this is a dodge. I am not looking for an exhaustive list, I am looking for the one you designed it for. You built a suite of routines here - so how and what did you intend to use them. Todd -----Original Message----- From: Robert Zuccherato <robert.zuccherato@entrust.com> To: Denis Pinkas <Denis.Pinkas@bull.net>; 'Todd S. Glassey' <Todd.Glassey@www.GMTsw.com> Cc: PHalliden@zergo.com <PHalliden@zergo.com>; 'Paul Koning' <pkoning@xedia.com>; ietf-pkix@imc.org <ietf-pkix@imc.org>; Mike King <Mike.King@www.GMTsw.com> Date: Friday, April 02, 1999 7:41 PM Subject: RE: Time-stamp server. TimePrecision info >Todd; > >> ---------- >> From: Todd S. Glassey[SMTP:Todd.Glassey@www.GMTsw.com] >> Sent: Friday, April 02, 1999 4:46 PM >> To: Denis Pinkas; Todd S. Glassey >> Cc: Robert Zuccherato; PHalliden@zergo.com; 'Paul Koning'; >> ietf-pkix@imc.org; Mike King >> Subject: Re: Time-stamp server. TimePrecision info >> >> Denis, Robert , I totally disagree >> >> >> >That said, I agree with Denis. I do not see the use of microseconds >> to >> be >> >> >especially useful within this protocol. >> >> OK, so what exactly are the end uses of the protocol then? - I mean the >> specific end use models. You must have them in mind if you can say that >> Microseconds are not relevent. What I need to know is how am I going to >> use >> this protocol? >> >As the draft states, the main purpose of this service is "to verify that a >digital signature was applied before the certificate was revoked thus >allowing a revoked public key certificate to be used for verifying >signatures created prior to the time of revocation". Since CRLs only use >either UTCTime or GeneralizedTime, even milliseconds may not be relevant for >this purpose. > >However, as the draft states "An exhaustive list of possible uses of a TSA >is beyond the scope of this document." Thus, we included millisecond >accuracy. I am not really opposed to including microsecond accuracy. I >just do not see the need for it. > > Robert. > Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id VAA07457 for ietf-pkix-bks; Fri, 2 Apr 1999 21:01:14 -0800 (PST) Received: from gmtsw.com (test.glassey.com [207.126.98.130] (may be forged)) by mail.proper.com (8.8.8/8.8.5) with SMTP id VAA07451 for <ietf-pkix@imc.org>; Fri, 2 Apr 1999 21:01:13 -0800 (PST) Received: from brick by gmtsw.com (SMI-8.6/SMI-SVR4) id VAA13210; Fri, 2 Apr 1999 21:01:45 -0800 Message-ID: <00d301be7d8e$68bff070$fa4bffd0@brick> From: "Todd S. Glassey" <Todd.Glassey@www.GMTsw.com> To: "Stephen Kent" <kent@bbn.com> Cc: <ietf-pkix@imc.org> Subject: Re: Time-stamp server. TimePrecision info Date: Fri, 2 Apr 1999 20:56:58 -0800 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Steven, A policy Anchor is exactly what it sounds like. A mechanism used to anchor a point in the operational policy of some system making it referencable. -----Original Message----- From: Stephen Kent <kent@bbn.com> To: Todd S. Glassey <Todd.Glassey@GMTsw.com> Cc: ietf-pkix@imc.org <ietf-pkix@imc.org> Date: Friday, April 02, 1999 3:16 PM Subject: Re: Time-stamp server. TimePrecision info >Todd, > >I have no idea what the phrase "a policy anchor for a PKI" means. As a >provider of CA services and technology, I can assure you that none of my >clients has ever felt the need for such a precise time base wrt certificate >or CRL processing. Becuase none of them or the auditors know its possible. Also most of the world already believes that these issues are addressed. After all isn't the OS trustable? >So, I am puzzled by your terminology, insofar as it >references PKIs, and suggest that you don't continue to use this phrease >unless you can explain what it means and how it relates to the current >discussion. The phrase Policy Anchor is actually specific to an old IA concept with regard to management policy for manufacturing and control applications. > >Separately, I am willing to believe that there may be applications that >require the sort of precision you're suggesting, but I don't recall seeing >them described here yet. > >Steve > Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id UAA01923 for ietf-pkix-bks; Fri, 2 Apr 1999 20:29:30 -0800 (PST) Received: from gmtsw.com (test.glassey.com [207.126.98.130] (may be forged)) by mail.proper.com (8.8.8/8.8.5) with SMTP id UAA01915 for <ietf-pkix@imc.org>; Fri, 2 Apr 1999 20:29:28 -0800 (PST) Received: from brick by gmtsw.com (SMI-8.6/SMI-SVR4) id UAA13192; Fri, 2 Apr 1999 20:29:56 -0800 Message-ID: <00b301be7d89$f763b190$fa4bffd0@brick> From: "Todd S. Glassey" <Todd.Glassey@www.GMTsw.com> To: "Paul Koning" <pkoning@xedia.com>, "Stephen Kent" <kent@bbn.com> Cc: <ietf-pkix@imc.org> Subject: Re: Time-stamp server. TimePrecision info Date: Fri, 2 Apr 1999 20:25:10 -0800 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> -----Original Message----- From: Stephen Kent <kent@bbn.com> To: Paul Koning <pkoning@xedia.com> Cc: ietf-pkix@imc.org <ietf-pkix@imc.org> Date: Friday, April 02, 1999 5:10 PM Subject: Re: Time-stamp server. TimePrecision info >Paul, > >> Stephen> Denis and Todd, Do we agree that the timestamp represents >> Stephen> the point at which a signature was applied, independent of >> Stephen> transmission delays and signing speed? >> >>It seems to me it can only possibly mean one thing: it is the time >>when the clock was read. :-) That time is later than the generation >>of the request and earlier than the generation of the signature. > >A concise definition, but I think an unsatisfying one. If the goal is to >compare time stamps from two servers who have very pricesly synchronized >clocks, as you note is easy to do with GPS, then internal processing delays >at each server seem likely to vary so much that very fine grained time >stamps cease being maeningful in many applications. That's even before >asking about network delays. So, I'm back to the last part of my previous >message. Give us some examples where very fine grained time stamps from >different (synchronized) servers are meaningful. off the top of my head here are four #1) Telcom Backbone management systems, tightly coupled cluster systems maker up what are now virtual switches. #2) Event Simulation and Decision Support Management #3) Precision control of mechancial processes, like operating a high head water cam on a power plant or the like, or operating a vacume control sputtering system for semiconductor processing. #4) Market Trading and Control of trading processes. - Many systems are now tightly coupled fault tolerant clusters and these systems need this "ridiculous" level of precision in their timestamping since they are not connected in the same way we usually connect together (lan/wan/man etc). >> > <snip> > >> >>Given that it costs nothing to allow the extra digits, why is there >>such a concern about doing that and future-proofing things? > >Just because we CAN do something syntactically, that does not mean that we >should. I'm a firm believer in trying to understand the implications of >the protocols that we develop, not just working on the details of the >protocols. Then you have to answer the question "how is this thing going to be used" in order to know what it needs to be able to do. Todd Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id UAA00480 for ietf-pkix-bks; Fri, 2 Apr 1999 20:07:04 -0800 (PST) Received: from relay6.UU.NET (relay6.UU.NET [192.48.96.16]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id UAA00476 for <ietf-pkix@imc.org>; Fri, 2 Apr 1999 20:07:03 -0800 (PST) Received: from xedia.com by relay6.UU.NET with SMTP (peer crosschecked as: madway.xedia.com [198.202.232.199]) id QQgjgd17587; Fri, 2 Apr 1999 15:52:55 -0500 (EST) Received: from tonga.xedia.com by xedia.com (4.1/SMI-4.1) id AA09107; Fri, 2 Apr 99 15:48:49 EST Received: by tonga.xedia.com (SMI-8.6/SMI-SVR4) id PAA00608; Fri, 2 Apr 1999 15:52:48 -0500 Date: Fri, 2 Apr 1999 15:52:48 -0500 Message-Id: <199904022052.PAA00608@tonga.xedia.com> From: Paul Koning <pkoning@xedia.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: kent@bbn.com Cc: ietf-pkix@imc.org Subject: Re: Time-stamp server. TimePrecision info References: <02a201be7cb2$dda47c80$c74bffd0@brick> <37047F95.A12730EF@bull.net> <v04020a08b32aa018521c@[128.89.0.110]> <199904021747.MAA05955@tonga.xedia.com> <v04020a12b32ad6da3056@[128.89.0.110]> X-Mailer: VM 6.34 under 20.3 "Vatican City" XEmacs Lucid Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> >>>>> "Stephen" == Stephen Kent <kent@bbn.com> writes: >>>> Paul, Denis and Todd, Do we agree that the timestamp >>>> represents the point at which a signature was applied, >>>> independent of transmission delays and signing speed? >> It seems to me it can only possibly mean one thing: it is the >> time when the clock was read. :-) That time is later than the >> generation of the request and earlier than the generation of the >> signature. Stephen> A concise definition, but I think an unsatisfying one. If Stephen> the goal is to compare time stamps from two servers who have Stephen> very pricesly synchronized clocks, as you note is easy to do Stephen> with GPS, then internal processing delays at each server Stephen> seem likely to vary so much that very fine grained time Stephen> stamps cease being maeningful in many applications. That's Stephen> even before asking about network delays. So, I'm back to Stephen> the last part of my previous message. Give us some examples Stephen> where very fine grained time stamps from different Stephen> (synchronized) servers are meaningful. I suppose the definition I gave isn't terribly nourishing but it is, I think, the only possible honest one. I suppose the question is "how does that relate to externally visible events?" That's easy to answer but only in terms of bounds and ranges of values. Suppose I issue a request to a time stamp server at (local) time T1, and get a reply at time T2. The reply contains a timestamp S and an error bound (precision, tolerance, whatever you call it) E. So we know that the actual time S +/- E occurred sometime between T1 and T2 (with the assumption that both S and E are correctly supplied). In other words, T1 < S + E and T2 > S - E (and, of course, T1 < T2). And that's all you know for certain. If you make assumptions that may be warranted in *some* cases, such as roughly equal packet transit times each way, you can tighten this up some. Incidentally, this is very reminiscent of how you analyze time synchronization protocols (not surprisingly). Viewing things in terms of intervals is an approach you can find in the DEC Time Service protocol spec; NTP borrowed some of that judging by notes in RFC 1305. As for examples where fine grained time stamps are meaningful... You can get time ticks accurate to a fraction of a microsecond today. Real-time kernels can offer thread response times in the 10s of microseconds or better (e.g., RT-Linux). High end point to point datalinks running at moderate utilization (e.g., full duplex 100BaseT) can provide latencies way below a millisecond for moderate size packets. And digital signature hardware can do decent size signatures in a millisecond or two. So millisecond-accuracy timestamps from sets of servers can clearly be meaningful today in some topologies, and sub-millisecond soon. Does that mean that it makes sense from me to request sub-millisecond resolution timestamps from ACME Timestamp Service, across the global Internet, from my Win95 laptop? No, but not all applications are like that. If you have a real-time environment in a well-designed LAN setting, fine grained timestamps are quite meaningful. And, if you want fine resolution time stamps for your real time process logs, useful too. paul Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id TAA25895 for ietf-pkix-bks; Fri, 2 Apr 1999 19:36:07 -0800 (PST) Received: from europe.std.com (europe.std.com [199.172.62.20]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id TAA25882 for <ietf-pkix@imc.org>; Fri, 2 Apr 1999 19:36:03 -0800 (PST) Received: from world.std.com by europe.std.com (STD1.2/BZS-8-1.0) id WAA25345; Fri, 2 Apr 1999 22:36:17 -0500 (EST) Received: by world.std.com (TheWorld/Spike-2.0) id AA01098; Fri, 2 Apr 1999 22:36:17 -0500 Message-Id: <199904030336.AA01098@world.std.com> To: ietf-pkix@imc.org Subject: Re: Time-stamp server. TimePrecision info In-Reply-To: A blather of messages as of "Fri, 02 Apr 1999 13:46:17 EST." <003d01be7d52$3ecaf030$fa4bffd0@brick> Date: Fri, 02 Apr 1999 22:36:17 -0500 From: Dan Geer <geer@world.std.com> Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> We argue most about mechanism when we are least reconciled with respect to requirement. Perhaps I can provide a succulent target: The requirement for time is event serialization sufficient to support an economic level of recourse. Unremarkably, two events within the error band are definitionally simultaneous -- the NYSE tick is not micro-seconds but rather macro- and many events are declared simultaneous in the interest of fairness, to take a central example from high-value commerce. Is there an economist in the house? --dan Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id SAA18418 for ietf-pkix-bks; Fri, 2 Apr 1999 18:31:27 -0800 (PST) Received: from gatekeeper.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by mail.proper.com (8.8.8/8.8.5) with SMTP id SAA18409 for <ietf-pkix@imc.org>; Fri, 2 Apr 1999 18:31:25 -0800 (PST) Received: id VAB01720; Fri, 2 Apr 1999 21:25:33 -0500 Received: by gateway id <G4CAZ18C>; Fri, 2 Apr 1999 21:00:28 -0500 Message-ID: <01E1D01C12D7D211AFC70090273D20B112BD6B@sothmxs06> From: Robert Zuccherato <robert.zuccherato@entrust.com> To: Denis Pinkas <Denis.Pinkas@bull.net>, "'Todd S. Glassey'" <Todd.Glassey@www.GMTsw.com> Cc: PHalliden@zergo.com, "'Paul Koning'" <pkoning@xedia.com>, ietf-pkix@imc.org, Mike King <Mike.King@www.GMTsw.com> Subject: RE: Time-stamp server. TimePrecision info Date: Fri, 2 Apr 1999 20:54:51 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-Type: text/plain Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Todd; > ---------- > From: Todd S. Glassey[SMTP:Todd.Glassey@www.GMTsw.com] > Sent: Friday, April 02, 1999 4:46 PM > To: Denis Pinkas; Todd S. Glassey > Cc: Robert Zuccherato; PHalliden@zergo.com; 'Paul Koning'; > ietf-pkix@imc.org; Mike King > Subject: Re: Time-stamp server. TimePrecision info > > Denis, Robert , I totally disagree > > >> >That said, I agree with Denis. I do not see the use of microseconds > to > be > >> >especially useful within this protocol. > > OK, so what exactly are the end uses of the protocol then? - I mean the > specific end use models. You must have them in mind if you can say that > Microseconds are not relevent. What I need to know is how am I going to > use > this protocol? > As the draft states, the main purpose of this service is "to verify that a digital signature was applied before the certificate was revoked thus allowing a revoked public key certificate to be used for verifying signatures created prior to the time of revocation". Since CRLs only use either UTCTime or GeneralizedTime, even milliseconds may not be relevant for this purpose. However, as the draft states "An exhaustive list of possible uses of a TSA is beyond the scope of this document." Thus, we included millisecond accuracy. I am not really opposed to including microsecond accuracy. I just do not see the need for it. Robert. Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id QAA15619 for ietf-pkix-bks; Fri, 2 Apr 1999 16:47:29 -0800 (PST) Received: from lux.tenebras.com (dnai-207-181-255-74.dialup.dnai.com [207.181.255.74]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id QAA15615 for <ietf-pkix@imc.org>; Fri, 2 Apr 1999 16:47:28 -0800 (PST) Received: from dnai.com (windoze [192.168.100.122]) by lux.tenebras.com (8.8.8/8.8.8) with ESMTP id QAA05596; Fri, 2 Apr 1999 16:47:04 -0800 (PST) (envelope-from kudzu@dnai.com) Message-ID: <370564FD.1F63472C@dnai.com> Date: Fri, 02 Apr 1999 16:46:53 -0800 From: Michael Sierchio <kudzu@dnai.com> Reply-To: kudzu@dnai.com Organization: Oversized Metaphysics X-Mailer: Mozilla 4.51 [en] (Win95; U) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: policy oid registration, and handling References: <028001be7d32$7d7b1e10$1a03a8c0@peternt.valicert.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Peter Williams wrote: > > "MISPC Reference Implementation (T. Polk-NIST) > CDROM contains CA, RA, and client executable code. Represents a profile of > 2459, CMP, and CRMF. Available via web site: http://crscnist.gov/pki/mispc/" http://csrc.nist.gov/pki/mispc/ Minimum Interoperability Specifications for PKI Components Cooperative Research and Development: Implementing an Interoperable PKI NIST developed the Minimum Interoperability Specifications for PKI Components (MISPC), Version 1 with the assistance of ten CRADA partners: AT&T, BBN, Certicom, Cylink, DynCorp, IRE, Motorola, Nortel (Entrust), Spyrus, and Verisign. The specification includes a certificate and CRL profile, message formats and basic transactions for a PKI issuing signature certificates. The specification includes support for multiple signature algorithms and transactions to support a broad range of security policies. This document has been formally published as a NIST Special Publication 800-15; it is available electronically in Microsoft Word (284K) or PostScript (954K). Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id PAA14576 for ietf-pkix-bks; Fri, 2 Apr 1999 15:15:47 -0800 (PST) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id PAA14572 for <ietf-pkix@imc.org>; Fri, 2 Apr 1999 15:15:46 -0800 (PST) Received: from [128.89.0.110] (COSMEC.BBN.COM [128.89.0.110]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id SAA20952; Fri, 2 Apr 1999 18:16:02 -0500 (EST) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Sender: kent@po1.bbn.com Message-Id: <v04020a16b32af9d2680c@[128.89.0.110]> In-Reply-To: <003d01be7d52$3ecaf030$fa4bffd0@brick> Date: Fri, 2 Apr 1999 18:18:46 -0500 To: "Todd S. Glassey" <Todd.Glassey@www.GMTsw.com> From: Stephen Kent <kent@bbn.com> Subject: Re: Time-stamp server. TimePrecision info Cc: <ietf-pkix@imc.org> Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Todd, I have no idea what the phrase "a policy anchor for a PKI" means. As a provider of CA services and technology, I can assure you that none of my clients has ever felt the need for such a precise time base wrt certificate or CRL processing. So, I am puzzled by your terminology, insofar as it references PKIs, and suggest that you don't continue to use this phrease unless you can explain what it means and how it relates to the current discussion. Separately, I am willing to believe that there may be applications that require the sort of precision you're suggesting, but I don't recall seeing them described here yet. Steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id PAA14447 for ietf-pkix-bks; Fri, 2 Apr 1999 15:03:59 -0800 (PST) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id PAA14443 for <ietf-pkix@imc.org>; Fri, 2 Apr 1999 15:03:58 -0800 (PST) Received: from [128.89.0.110] (COSMEC.BBN.COM [128.89.0.110]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id PAA18122; Fri, 2 Apr 1999 15:16:21 -0500 (EST) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Sender: kent@po1.bbn.com Message-Id: <v04020a10b32ad27828c8@[128.89.0.110]> In-Reply-To: <2FBF98FC7852CF11912A0000000000010ECB5E01@DINO> Date: Fri, 2 Apr 1999 15:16:34 -0500 To: "Jim Schaad (Exchange)" <jimsch@exchange.microsoft.com> From: Stephen Kent <kent@bbn.com> Subject: RE: Changes to RFC2459 Cc: ietf-pkix@imc.org Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Jim & Moshe, I admit to being confused at this point. My reading of PKIX and X.509 suggests the folowing simple test, (coded in Kent++): - IF BasicConstraints PRESENT AND IF BasicConstraints.cA PRESENT THEN certificate-is-ca ELSE certificate-is-ee ELSE certificate-is-ee This is consistent with PKIX, which calls for the extension to be present and non-NULL for a CA cert, but recommends that it be absent for an EE cert. It is consistent with X.509, which requires the extension to always be present and non-null for a CA, but suggests that it be present and NULL for an EE. X.509 also suggests that if the extension is not present, then a system may choose to employ other means to determine if it is an EE or a CA cert. But, in that case, you're back to looking at other fields ... What's the problem? Steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id OAA14236 for ietf-pkix-bks; Fri, 2 Apr 1999 14:41:05 -0800 (PST) Received: from prv-mail20.provo.novell.com (prv-mail20.Provo.Novell.COM [137.65.40.4]) by mail.proper.com (8.8.8/8.8.5) with SMTP id OAA14232 for <ietf-pkix@imc.org>; Fri, 2 Apr 1999 14:41:04 -0800 (PST) Received: from INET-PRV-Message_Server by prv-mail20.provo.novell.com with Novell_GroupWise; Fri, 02 Apr 1999 15:19:02 -0700 Message-Id: <s704dfe6.062@prv-mail20.provo.novell.com> X-Mailer: Novell GroupWise 5.5 Date: Fri, 02 Apr 1999 15:18:56 -0700 From: "Bob Jueneman" <BJUENEMAN@novell.com> To: <Peter.Sylvester@edelweb.fr>, <Denis.Pinkas@bull.net>, <anders.rundgren@jaybis.com> Cc: <ietf-pkix@imc.org> Subject: Re: Low-fat leaf certificates Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id OAA14233 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Just an observation. "Low fat leaf" (LFL) certificates may make great sense if the "fat contents" are available for trusted lookup , say in a directory. However, it is much more likely that the "fat" content is back in the originator's directory, rather than the relying party's directory. That being the case, it probably takes a lot less bandwidth, and certainly less latency time, to go ahead and include the information in the certificate itself, rather then fire up LDAP to the other directory to fetch it. Obviously this depends on how often the information is needed. If you are likely to need it often, you ought to pay the burden once, and then cache it locally in the RP directory. Assuming the infrastructure exists to do it either way, this becomes an engineering tradeoff. The same is true for sending certificates over the wire repeatedly, as in SSL and S/MIME, rather than normally retrieving them from the local cache or directory or going back to the originator as required. Bob >>> Peter Sylvester <Peter.Sylvester@edelweb.fr> 03/31/99 06:49AM >>> > > 1) "Name" (an alias/friendly name [as you are allowed to change name without changing "e"-identity]) > > 2) "dnQualifier" (a static [probably random] unique identifier in the domain) > > It is hard to get much slimmer than that! > No, you don't need 1. Actually 2 is 'the name' in the sense of a unique identifier to find a directory entry. Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id OAA14077 for ietf-pkix-bks; Fri, 2 Apr 1999 14:25:30 -0800 (PST) Received: from gmtsw.com (test.glassey.com [207.126.98.130] (may be forged)) by mail.proper.com (8.8.8/8.8.5) with SMTP id OAA14071 for <ietf-pkix@imc.org>; Fri, 2 Apr 1999 14:25:25 -0800 (PST) Received: from brick by gmtsw.com (SMI-8.6/SMI-SVR4) id NAA12934; Fri, 2 Apr 1999 13:51:00 -0800 Message-ID: <003d01be7d52$3ecaf030$fa4bffd0@brick> From: "Todd S. Glassey" <Todd.Glassey@www.GMTsw.com> To: "Denis Pinkas" <Denis.Pinkas@bull.net>, "Todd S. Glassey" <Todd.Glassey@www.GMTsw.com> Cc: "Robert Zuccherato" <robert.zuccherato@entrust.com>, <PHalliden@zergo.com>, "'Paul Koning'" <pkoning@xedia.com>, <ietf-pkix@imc.org>, "Mike King" <Mike.King@www.GMTsw.com> Subject: Re: Time-stamp server. TimePrecision info Date: Fri, 2 Apr 1999 13:46:17 -0800 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Denis, Robert , I totally disagree >> >That said, I agree with Denis. I do not see the use of microseconds to be >> >especially useful within this protocol. OK, so what exactly are the end uses of the protocol then? - I mean the specific end use models. You must have them in mind if you can say that Microseconds are not relevent. What I need to know is how am I going to use this protocol? >>Todd Responded: OK Fine, but humor me - what's the harm in being able to represent them? > > Denis: The TSA gets the clock first and then signs. I do not know any hardware >capable of signature in the micro-second range. Denis, The speed of the signature generation process today, has only a small amount to do with the time the timestamp process generation model takes, so this is not true. The signing process will be addressed by large signing engines for bulk document processing and for end user or POS style documents, the onesee twosee game - who cares how long it takes. And as to the issue of microseconds or nanoseconds, the physicists, have had time distribution networks with IRIG-B timecode protocol distribution facilities and the like for some years now. We in the IETF standarized on NTP and it supports 2 to the -32nd power resolution, so why is this argument even happening? We can commercially distribute time down to the nanosecond if we desire to. Timebases to support these requirements are available commercially today from Datum, HP, TrueTime, Odetics, Guide Technologies, and a wealth of others. Ay commercial operator could easily have their own Cesium reference for between $40K to $60K. IBM and HP have both regularly included them as an option with the mainframes they offer. As an example of this technology availability, Datum and others have these Cesium Heads with built in GPS Disciplining and all the drivers you need. Datum calls their's the GPS+ and from my side, this is a no brianer, if I need a certifiable timesource as a policy anchor for a PKI, I buy one of these systems and put it under contract to NIST to calibrate. POOF!!!, the resulting system, coupled with a rigid BCP model provides a truely credible Local Timebase that will easily pass any SAS70 and/or CS2 Audit if operated correctly. >The transmission delay is also >quite variable. ...and not directly relevent to the question at hand. While the transmission delay is specific to the time it takes to get the event notification to the stamping engine. The only relevency here is when the event actually reached the stanmping agency itself. The amount of time of takes is a function of the transport and its utilization... and these issues will change as technology is evolved and the stamper is right sized for its loading. As to the existance of the transmission delay issue, well this is the plight of any distributed agency, the hysteresis and latency of the transport being what it is, you build end user models that take this into account. [here we are again, back to the end user models and how important they are...] >The harm is giving false impression of precision. No Sir - I really feel strongly here that the actual harm is in not building a system that is insensitive to hiccups in the technological landscape. Denis, let me know if I read you wrong, but the general tone of your retort here leads me to believe that your model is specific to SW only based systems, layered on traditional clock chips and the OS TOD Services. My personal feeling is that this is one of those instances where SW only models are limited, but that hybrid systems abound and they are not, and the SW only ones will get better in time so in closing, Gentlemen - the timebase representation should mirror NTP 4.0's as a baseline. Todd Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id OAA14072 for ietf-pkix-bks; Fri, 2 Apr 1999 14:25:26 -0800 (PST) Received: from gmtsw.com (test.glassey.com [207.126.98.130] (may be forged)) by mail.proper.com (8.8.8/8.8.5) with SMTP id OAA14066 for <ietf-pkix@imc.org>; Fri, 2 Apr 1999 14:25:25 -0800 (PST) Received: from brick by gmtsw.com (SMI-8.6/SMI-SVR4) id OAA12944; Fri, 2 Apr 1999 14:05:26 -0800 Message-ID: <004801be7d54$425b7f10$fa4bffd0@brick> From: "Todd S. Glassey" <Todd.Glassey@www.GMTsw.com> To: "Paul Koning" <pkoning@xedia.com>, <kent@bbn.com> Cc: <ietf-pkix@imc.org> Subject: Re: Time-stamp server. TimePrecision info Date: Fri, 2 Apr 1999 14:00:39 -0800 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> -----Original Message----- From: Paul Koning <pkoning@xedia.com> To: kent@bbn.com <kent@bbn.com> Cc: ietf-pkix@imc.org <ietf-pkix@imc.org> Date: Friday, April 02, 1999 11:10 AM Subject: Re: Time-stamp server. TimePrecision info >>>>>> "Stephen" == Stephen Kent <kent@bbn.com> writes: > > Stephen> Denis and Todd, Do we agree that the timestamp represents > Stephen> the point at which a signature was applied, independent of > Stephen> transmission delays and signing speed? > >It seems to me it can only possibly mean one thing: it is the time >when the clock was read. :-) That time is later than the generation >of the request and earlier than the generation of the signature. Within a few microseconds, assuming a vertical stamping model, yes it would be the time when the agent got the event notification and responded. > > Stephen> If so, then I would > Stephen> not agrue against very fine granularity time stamps on thae > Stephen> basis of thise delays. Instead, I would argue that there is > Stephen> a false sense of precision being implied, and that we're > Stephen> better off just relying on the sequence number to serialize > Stephen> time stamps issued by the same server within the same tick. Don't limit the granularity of the timestamping facility by the OS implementation today. They are all broken with regard to this, but that will change when people come to realize how important "secureing their trust anchors" is and how critical the timebase is part of that. Certifiable timebases will become the metranome of the business to buisness extranet and corporate audited infrastructure. > >It sounds like you're arguing that only significant digits should be >present in the timestamp. The problem with that is that the server >has no way to do that, if you want to include network delays as part >of the tolerance implied by the digit count. This network delay weighting model then becomes the policy of what your timestamp represents. The total end to end time, or the time the "reciever agent" acknowledged the recepit of the event?, either way its specific to the policy and services structure of your stamping process, i.e. the use models... > >Better to indicate or document the various error sources explicitly. >Those the server knows about it can report if a tolerance (precision) >field is added. Those relating to network latency the server cannot >know but the client can (bounded by delay between request and >response). > > Stephen> If one believes that the time stamps have to represent finer > Stephen> granularity because they will be compared with time stamps > Stephen> from other servers, then there's a lot of work to do to > Stephen> convince me that the resulting synchronization is feasible, > Stephen> and that there is a legitimate need for such. Obviously the > Stephen> world lives with rather coarse precision and accuracy for > Stephen> lots of business time stamp operations today. maybe we need > Stephen> some additional, credible, motivating examples. > >Synchronization of two devices to within a fraction of a microsecond >is perfectly feasible today. Any GPS nav box does exactly that. GPS based NTP servers are in the 2.5K range and you can get a high quality one with a rubidium oscillator for an addition 5K or 6K. Cesiums is cheap these days if you are a bank. These days a medium performance router is more costly than an atomic clock setup for a network timebase. Since locally operated Atomic sources can provide 1x10-12th accuracy over a year and if they are audited by NIST. With a setup like this, you should be able to run a local source that stays provably, within a few nanoseconds of TAI/UTC. > >Given that it costs nothing to allow the extra digits, why is there >such a concern about doing that and future-proofing things? Amen! Todd Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id MAA13851 for ietf-pkix-bks; Fri, 2 Apr 1999 12:28:05 -0800 (PST) Received: from po1.bbn.com ([192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id MAA13846 for <ietf-pkix@imc.org>; Fri, 2 Apr 1999 12:27:24 -0800 (PST) Received: from [128.89.0.110] (COSMEC.BBN.COM [128.89.0.110]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id PAA22889; Fri, 2 Apr 1999 15:26:31 -0500 (EST) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Sender: kent@po1.bbn.com Message-Id: <v04020a12b32ad6da3056@[128.89.0.110]> In-Reply-To: <199904021747.MAA05955@tonga.xedia.com> References: <02a201be7cb2$dda47c80$c74bffd0@brick> <37047F95.A12730EF@bull.net> <v04020a08b32aa018521c@[128.89.0.110]> Date: Fri, 2 Apr 1999 15:25:27 -0500 To: Paul Koning <pkoning@xedia.com> From: Stephen Kent <kent@bbn.com> Subject: Re: Time-stamp server. TimePrecision info Cc: ietf-pkix@imc.org Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Paul, > Stephen> Denis and Todd, Do we agree that the timestamp represents > Stephen> the point at which a signature was applied, independent of > Stephen> transmission delays and signing speed? > >It seems to me it can only possibly mean one thing: it is the time >when the clock was read. :-) That time is later than the generation >of the request and earlier than the generation of the signature. A concise definition, but I think an unsatisfying one. If the goal is to compare time stamps from two servers who have very pricesly synchronized clocks, as you note is easy to do with GPS, then internal processing delays at each server seem likely to vary so much that very fine grained time stamps cease being maeningful in many applications. That's even before asking about network delays. So, I'm back to the last part of my previous message. Give us some examples where very fine grained time stamps from different (synchronized) servers are meaningful. > <snip> > >Given that it costs nothing to allow the extra digits, why is there >such a concern about doing that and future-proofing things? Just because we CAN do something syntactically, that does not mean that we should. I'm a firm believer in trying to understand the implications of the protocols that we develop, not just working on the details of the protocols. Steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id LAA13710 for ietf-pkix-bks; Fri, 2 Apr 1999 11:54:36 -0800 (PST) Received: from ns1.dmz.valicert.com (ns1.valicert.com [209.185.6.11]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id LAA13706 for <ietf-pkix@imc.org>; Fri, 2 Apr 1999 11:54:35 -0800 (PST) Received: from ns1.serverfarm.valicert.com (corporate-gw.valicert.com [209.185.6.5]) by ns1.dmz.valicert.com (8.9.2/8.9.2) with ESMTP id LAA28956 for <ietf-pkix@imc.org>; Fri, 2 Apr 1999 11:54:14 -0800 (PST) Received: from peternt (static-3-26.engineering.valicert.com [192.168.3.26] (may be forged)) by ns1.serverfarm.valicert.com (8.9.2/8.9.2) with SMTP id LAA16334 for <ietf-pkix@imc.org>; Fri, 2 Apr 1999 11:54:16 -0800 (PST) Message-ID: <028001be7d32$7d7b1e10$1a03a8c0@peternt.valicert.com> From: "Peter Williams" <peterw@valicert.com> To: <ietf-pkix@imc.org> Subject: policy oid registration, and handling Date: Fri, 2 Apr 1999 11:59:01 -0600 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> "MISPC Reference Implementation (T. Polk-NIST) CDROM contains CA, RA, and client executable code. Represents a profile of 2459, CMP, and CRMF. Available via web site: http://crscnist.gov/pki/mispc/" A. MISPC Can PKIX assign a cert-policy oid for this "MISPC" profile of RFC 2459, which is a profile of X.509 (1997). It is not a PKIX WG sponsored process, and does not meet spirit of IETF openness to individuals, but MISPC was a public-spirited effort designed to spur this industry on. It is generally recognised as meaningfull. B. PKIX-QC OID We agreed to assign a cert-policy oid for the PKIX-QC profile of RFC 2459, in the last meeting, note. Can we assign an oid, so implementations today can code for it, in their profile management dll-switching code? (Note X.509 v3 did prior assignment of extension oids, to help implementors, so there is clear and relevant precedent.) C. Registration Procedures Should procedure be created to enable any party to use the pkix arc to register a profile of 2459, providing it meets requirements such as posting of the specification as an RFC (as with the PEM PCA rules)? D. NIST Registration I note NIST is also running an policy-id object id arc, figuratively on behalf of ITU-T. Should PKIX-1 compliance require folks to recognise this arc as authoritative, in a spur towards making PKIX more real? This NIST security objects register has very formal and due process-oriented procedures for object (policy id) registration. It could complement the less formal Internet decision procedures used by IETF, and Russ (as the PKIX arc registrar). E. Individual-Centric Registration We need a mechanism whereby "individuals" can register and thereby share policy oids in the devolved extensibility and user experimentation framework which IETF and Internet culture normally promotes in its Internet standards. Just as folk can register (informally these days) mime types, so they should be able to register/obtain policy oids which are 2459 profiles. Peter. Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id JAA12797 for ietf-pkix-bks; Fri, 2 Apr 1999 09:47:51 -0800 (PST) Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id JAA12793 for <ietf-pkix@imc.org>; Fri, 2 Apr 1999 09:47:50 -0800 (PST) Received: from xedia.com by relay3.UU.NET with SMTP (peer crosschecked as: madway.xedia.com [198.202.232.199]) id QQgjfr03658; Fri, 2 Apr 1999 12:47:09 -0500 (EST) Received: from tonga.xedia.com by xedia.com (4.1/SMI-4.1) id AA05527; Fri, 2 Apr 99 12:43:06 EST Received: by tonga.xedia.com (SMI-8.6/SMI-SVR4) id MAA05955; Fri, 2 Apr 1999 12:47:05 -0500 Date: Fri, 2 Apr 1999 12:47:05 -0500 Message-Id: <199904021747.MAA05955@tonga.xedia.com> From: Paul Koning <pkoning@xedia.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: kent@bbn.com Cc: ietf-pkix@imc.org Subject: Re: Time-stamp server. TimePrecision info References: <02a201be7cb2$dda47c80$c74bffd0@brick> <37047F95.A12730EF@bull.net> <v04020a08b32aa018521c@[128.89.0.110]> X-Mailer: VM 6.34 under 20.3 "Vatican City" XEmacs Lucid Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> >>>>> "Stephen" == Stephen Kent <kent@bbn.com> writes: Stephen> Denis and Todd, Do we agree that the timestamp represents Stephen> the point at which a signature was applied, independent of Stephen> transmission delays and signing speed? It seems to me it can only possibly mean one thing: it is the time when the clock was read. :-) That time is later than the generation of the request and earlier than the generation of the signature. Stephen> If so, then I would Stephen> not agrue against very fine granularity time stamps on thae Stephen> basis of thise delays. Instead, I would argue that there is Stephen> a false sense of precision being implied, and that we're Stephen> better off just relying on the sequence number to serialize Stephen> time stamps issued by the same server within the same tick. It sounds like you're arguing that only significant digits should be present in the timestamp. The problem with that is that the server has no way to do that, if you want to include network delays as part of the tolerance implied by the digit count. Better to indicate or document the various error sources explicitly. Those the server knows about it can report if a tolerance (precision) field is added. Those relating to network latency the server cannot know but the client can (bounded by delay between request and response). Stephen> If one believes that the time stamps have to represent finer Stephen> granularity because they will be compared with time stamps Stephen> from other servers, then there's a lot of work to do to Stephen> convince me that the resulting synchronization is feasible, Stephen> and that there is a legitimate need for such. Obviously the Stephen> world lives with rather coarse precision and accuracy for Stephen> lots of business time stamp operations today. maybe we need Stephen> some additional, credible, motivating examples. Synchronization of two devices to within a fraction of a microsecond is perfectly feasible today. Any GPS nav box does exactly that. Given that it costs nothing to allow the extra digits, why is there such a concern about doing that and future-proofing things? paul Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id IAA12199 for ietf-pkix-bks; Fri, 2 Apr 1999 08:35:14 -0800 (PST) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id IAA12195 for <ietf-pkix@imc.org>; Fri, 2 Apr 1999 08:35:13 -0800 (PST) Received: from [128.89.0.110] (COSMEC.BBN.COM [128.89.0.110]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id LAA06324; Fri, 2 Apr 1999 11:35:26 -0500 (EST) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Sender: kent@po1.bbn.com Message-Id: <v04020a08b32aa018521c@[128.89.0.110]> In-Reply-To: <37047F95.A12730EF@bull.net> References: <02a201be7cb2$dda47c80$c74bffd0@brick> Date: Fri, 2 Apr 1999 11:32:08 -0500 To: Denis Pinkas <Denis.Pinkas@bull.net>, "Todd S. Glassey" <Todd.Glassey@www.GMTsw.com> From: Stephen Kent <kent@bbn.com> Subject: Re: Time-stamp server. TimePrecision info Cc: ietf-pkix@imc.org Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Denis and Todd, Do we agree that the timestamp represents the point at which a signature was applied, independent of transmission delays and signing speed? If so, then I would not agrue against very fine granularity time stamps on thae basis of thise delays. Instead, I would argue that there is a false sense of precision being implied, and that we're better off just relying on the sequence number to serialize time stamps issued by the same server within the same tick. If one believes that the time stamps have to represent finer granularity because they will be compared with time stamps from other servers, then there's a lot of work to do to convince me that the resulting synchronization is feasible, and that there is a legitimate need for such. Obviously the world lives with rather coarse precision and accuracy for lots of business time stamp operations today. maybe we need some additional, credible, motivating examples. Steve Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id IAA12193 for ietf-pkix-bks; Fri, 2 Apr 1999 08:35:11 -0800 (PST) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id IAA12189 for <ietf-pkix@imc.org>; Fri, 2 Apr 1999 08:35:08 -0800 (PST) Received: from [128.89.0.110] (COSMEC.BBN.COM [128.89.0.110]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id LAA06313 for <ietf-pkix@imc.org>; Fri, 2 Apr 1999 11:35:25 -0500 (EST) Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="============_-1289051352==_ma============" X-Sender: kent@po1.bbn.com Message-Id: <v04020a07b32a998cc875@[128.89.0.110]> Date: Fri, 2 Apr 1999 11:38:59 -0500 To: <ietf-pkix@imc.org> From: Stephen Kent <kent@bbn.com> Subject: minutes and revised charter Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> --============_-1289051352==_ma============ Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable I want to thank those who provided feedback for both the meeting minutes and the WG charter. Both have been revised in accordance with these comments. I am happy to report that Jeff Schiller has approved the new WG charter. I will see about having it posted to the IETF web site. I also will be submitting the minutes to the IETF secretariat. Several speakers have kindly provided me with their slides, and I will accept other slide sets for a week, before sending them off to the secretariat as well. Below are the final meeting minutes, and the revised charter. (The charter still is awaiting a few RFC numbers to be assigned.) Thanks, Steve -------------------------- PKIX WG Meeting 3/17/99 Edited by Steve Kent (WG co-chair) The PKIX WG met only once during the 44rd IETF and a approximately 200 individuals participated in these meetings. The meeting began with a review of the status of all of the WG document, presented by Warwick Ford, WG co-chair. The following text summarizes the status of the documents: PKIX COMPLETED DOCUMENTS PKIX Cert/CRL Profile (RFC 2459) Approved as Proposed Standard KEA Algorithms for Profile (RFC 2528) Approved as Informational RFC HTTP/FTP Operations (draft-ietf-pkix-opp-ftp-http-04.txt) Approved as Proposed Standard LDAP V2 Operational Protocols (draft-ietf-pkix-ipki2opp-08.txt) Approved as Proposed Standard LDAP V2 Schema (draft-ietf-pkix-ldapv2-schema-01.txt) Approved as Proposed Standard OCSP (draft-ietf-pkix-ocsp-05.txt) Approved as Proposed Standard CMP (RFC 2510) Approved as Proposed Standard CRMF (RFC 2511) Approved as Proposed Standard Certificate Policy/Practices Guideline (RFC 2527) Approved as Informational RFC PKIX WORK IN PROGRESS ECDSA Algorithms for Profile (draft-ietf-pkix-ipki-ecdsa-01.txt) New draft to be issued for WG last call shortly CMC (draft-ietf-pkix-cmc-02.txt) Under WG review Diffie-Hellman POP (draft-ietf-pkix-dhpop-00.txt) Under WG review Qualified Certificates (draft-ietf-santesson-qc-01.txt) Under WG review CMMF (draft-ietf-pkix-cmmf-02.txt) This item to be dropped from the program Time Stamp (draft-ietf-pkix-time-stamp-00.txt) Under WG review DCS (draft-ietf-pkix-dcs-00.txt) Under WG review Web-Based Integrated CA Services Protocol (draft-sakurai-pkix-icap-01.txt) Submitted for WG consideration Reports on Established Projects: A new WG charter was presented, in draft form, which shortly will be posted = to the mailing list. The expanded charter encompasses attribute certificates, time stamping and notarization services, and qualified certificates. CMC and Diffie-Hellman POP (J. Schaad-Microsoft) The CMC draft did not meet submission deadline, but was made available to th= e list. The D-H POP draft is undergoing revision. CMC has been revised to accommodate comments from Carlisle from the last meeting. Additional changes are planned, including removal of the key archival and recovery features, an= d clarification of RA operations. PKIX Roadmap (A. Arsenault-NSA) Missed submission deadline. Undergoing revision to deal with terminology inconsistencies, POP, adding a history of PKIX, new work items (e.g., qualified certificates and time stamping), explanation of name constraints f= or alt name forms, path validation, etc. Qualified Certificates (S. Santesson) Goals of qualified certificates were reviewed. The fundamental thrust of thi= s work is the development of a new SubjectAltName type, for "unmistakable identity" ID information. Attribute semantics represents the top-level structure for the SubjectaltName, making it clear what form of ID is being provided, e.g., national ID card or driver license. Also, this extension wil= l contain a registration authority field, as required by German law. A pointe= r to a web site for additional info was provided (http://www.accurata.se/QC/). Suggestion was made to consider splitting this work into two document: one f= or the new name form, and another (informational?) to explain the context for which this new name form was devised. However, to the extent that a qualifie= d certificate imposes constraints on other certificate fields, it is not clea= r Data Certification and Time Stamping (R. Zuccherato-Entrust) Data certification server I-D not recently updated, but will be soon, to respond to comments, e.g., ASN.1 corrections and more explanatory text. The time stamping document also has not been updated recently, but will undergo minor revisions, e.g., to allow for issuance of a time stamp without submission of a hash. Unfortunately, the topics of time stamping and data certification are rife with intellectual property claims, which may interfer= e with progression of these documents. Specifically, a lawsuit has been filed by patent holders against a company that has implemented a prior version of this protocol. The WG chairs will work with the authors of the documents to help resolve these issues. Other Topics: Progressing RFC 2459 to Draft Status (T. Polk-NIST) Collecting inputs for (mostly) minor corrections and clarifications to this document in anticipation of progressing this work. OCSP Clarification (S. Kent-BBN) Two sections of OCSP will be revised to clarify what is required of complian= t clients and servers with respect to what keys can be used to sign OCSP responses. Specifically, an OCSP response must be signed by either the CA wh= o issued the certificate in question, by an entity who has been explicitly delegated this authority by that CA (through direct issuance and inclusion o= f a specified EKU extension), or by an entity who has been selected as authoritative by the client. Compliant OCSP servers and clients MUST be able to support all three of these options.(Satisfying the third option is largel= y trivial for the server, but requires a configuration capability for clients.= ) Will End-Entity Certificates be Fat or Low Fat? (D. Pinkas-Bull) Proposal to minimize the addition of extensions to EE certificates, by movin= g as much of this sort of information to CA certificates, from EE certificates= =2E Examples of such extension data are pointers to OCSP responders and CRL servers, where applicable to all certificates issued by a CA. Attribute Certificates (S. Farrell-SSE) A kickoff announcement of this new work item. Providing pointers to work on attribute certificates for use with TLS, as an example. OCSP Interoperability Testing (A. Malparni-ValiCert) Reported on tests of seven independent implementations. All made use of HTT= P and direct, DER encoding (not base 64). Discovered some problems, e.g., in hash computation. Server-based Certificate Validation (A. Malparni-ValiCert) A suggestion to explore "outsourcing" certificate validation to a server, fr= om a client. Proposal is to develop a protocol between a client and the validation server, which might be attractive when the client is not computationally capable, or to help by centralizing administration of certificate validation management. There are security concerns here, because of the centralization of security function in servers. MISPC Reference Implementation (T. Polk-NIST) CDROM contains CA, RA, and client executable code. Represents a profile of 2459, CMP, and CRMF. Available via web site: http://crscnist.gov/pki/mispc/ ---------------------- Internet standards needed to support an X.509-based PKI. Several informational and standards track documents in support of the original goals of the WG have been approved by the IESG. The first of these standards, RFC 2459, profiles the X.509 version 3 certificates and version 2 CRLs for use in the Internet. The Certificate Management Protocol (CMP) (RFC 2510), the Online Certificate Status Protocol (OCSP) (RFC 2xxx), and the Certificate Management Request Format (CRMF) (RFC 2511) have been approved, as have profiles for the use of LDAP v2 for certificate and CRL storage (RFC 2xxx) and the use of FTP and HTTP for transport of PKI operations (RFC 2xxx). RFC 2527, an informational RFC on guidelines for certificate policies and practices also has been published, and the IESG has approved publication of an information RFC on use of KEA (RFC 2528) and ECDSA (RFC 2xxx). Work continues on a second certificate management protocol, CMC, closely aligned with the PKCS publications and with the cryptographic message syntax (CMS) developed for S/MIME. A roadmap, providing a guide to the growing set of PKIX document, is also being developed as an informational RFC. The working group is now embarking on additional standards work to develop protocols that are either integral to PKI management, or that are otherwise closely related to PKI use. Work is ongoing on alternative certificate revocation methods. There also is work defining conventions for certificate name forms and extension usage for "qualified certificates," certificates designed for use in (legally binding) non-repudiation contexts. Finally, work is underway on protocols for time stamping and data certification. These protocol are designed to support non-repudiation, making use of certificates and CRLs, and are so tightly bound to PKI use that they warrant coverage under this working group. Additional work will be initiated on a profile for X.509 attribute certificates, resulting in a new RFC and, perhaps, in extensions to existing certificate management standards to accommodate differences between attribute certificates and public-key certificates. New Goals and Milestones: July 99 Update RFC 2459, in anticipation of progression from PROPOSED to DRAFT Complete approval of CMC, qualified certificates, and time-stamp documents Initiate work on attribute certificate profile. Dec 99 Update March/April RFCs, for progress from PROPOSED to DRAFT Complete approval of data notarization document Publish I-D for attribute certificate profile March 00 Complete work on attribute certificate profile July 00 Continue RFC updating process, =8A --============_-1289051352==_ma============ Content-Type: text/enriched; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable I want to thank those who provided feedback for both the meeting minutes and the WG charter. Both have been revised in accordance with these comments. I am happy to report that Jeff Schiller has approved the new WG charter. I will see about having it posted to the IETF web site. I also will be submitting the minutes to the IETF secretariat. Several speakers have kindly provided me with their slides, and I will accept other slide sets for a week, before sending them off to the secretariat as well. =20 Below are the final meeting minutes, and the revised charter. (The charter still is awaiting a few RFC numbers to be assigned.) Thanks, Steve -------------------------- PKIX WG Meeting 3/17/99=20 Edited by Steve Kent (WG co-chair) The PKIX WG met only once during the 44rd IETF and a approximately 200 individuals participated in these meetings.=20 The meeting began with a review of the status of all of the WG document,=20 presented by Warwick Ford, WG co-chair. The following text summarizes the=20 status of the documents: PKIX COMPLETED DOCUMENTS PKIX Cert/CRL Profile (RFC 2459) Approved as Proposed Standard KEA Algorithms for Profile (RFC 2528) Approved as Informational RFC HTTP/FTP Operations (draft-ietf-pkix-opp-ftp-http-04.txt)=20 Approved as Proposed Standard LDAP V2 Operational Protocols (draft-ietf-pkix-ipki2opp-08.txt) Approved as Proposed Standard LDAP V2 Schema (draft-ietf-pkix-ldapv2-schema-01.txt) Approved as Proposed Standard OCSP (draft-ietf-pkix-ocsp-05.txt) Approved as Proposed Standard CMP (RFC 2510) Approved as Proposed Standard CRMF (RFC 2511) Approved as Proposed Standard Certificate Policy/Practices Guideline (RFC 2527) Approved as Informational RFC PKIX WORK IN PROGRESS ECDSA Algorithms for Profile (draft-ietf-pkix-ipki-ecdsa-01.txt) New draft to be issued for WG last call shortly CMC (draft-ietf-pkix-cmc-02.txt) Under WG review Diffie-Hellman POP (draft-ietf-pkix-dhpop-00.txt) Under WG review Qualified Certificates (draft-ietf-santesson-qc-01.txt) Under WG review CMMF (draft-ietf-pkix-cmmf-02.txt) This item to be dropped from the program=20 Time Stamp (draft-ietf-pkix-time-stamp-00.txt)=20 Under WG review DCS (draft-ietf-pkix-dcs-00.txt) Under WG review Web-Based Integrated CA Services Protocol (draft-sakurai-pkix-icap-01.txt) Submitted for WG consideration Reports on Established Projects: A new WG charter was presented, in draft form, which shortly will be posted to=20 the mailing list. The expanded charter encompasses attribute certificates,=20 time stamping and notarization services, and qualified certificates. CMC and Diffie-Hellman POP (J. Schaad-Microsoft) The CMC draft did not meet submission deadline, but was made available to the=20 list. The D-H POP draft is undergoing revision. CMC has been revised to=20 accommodate comments from Carlisle from the last meeting. Additional changes=20 are planned, including removal of the key archival and recovery features, and=20 clarification of RA operations.=20 PKIX Roadmap (A. Arsenault-NSA) Missed submission deadline. Undergoing revision to deal with terminology=20 inconsistencies, POP, adding a history of PKIX, new work items (e.g.,=20 qualified certificates and time stamping), explanation of name constraints for=20 alt name forms, path validation, etc. Qualified Certificates (S. Santesson) Goals of qualified certificates were reviewed. The fundamental thrust of this=20 work is the development of a new SubjectAltName type, for "unmistakable identity" ID information. Attribute semantics represents the top-level structure for the SubjectaltName, making it clear what form of ID is being=20 provided, e.g., national ID card or driver license. Also, this extension will=20 contain a registration authority field, as required by German law. A pointer=20 to a web site for additional info was provided (http://www.accurata.se/QC/).=20 Suggestion was made to consider splitting this work into two document: one for=20 the new name form, and another (informational?) to explain the context for=20 which this new name form was devised. However, to the extent that a qualified=20 certificate imposes constraints on other certificate fields, it is not clear Data Certification and Time Stamping (R. Zuccherato-Entrust) Data certification server I-D not recently updated, but will be soon, to=20 respond to comments, e.g., ASN.1 corrections and more explanatory text. The=20 time stamping document also has not been updated recently, but will undergo=20 minor revisions, e.g., to allow for issuance of a time stamp without=20 submission of a hash. Unfortunately, the topics of time stamping and data=20 certification are rife with intellectual property claims, which may interfere=20 with progression of these documents. Specifically, a lawsuit has been filed=20 by patent holders against a company that has implemented a prior version of=20 this protocol. The WG chairs will work with the authors of the documents to=20 help resolve these issues. Other Topics: Progressing RFC 2459 to Draft Status (T. Polk-NIST) Collecting inputs for (mostly) minor corrections and clarifications to this=20 document in anticipation of progressing this work. OCSP Clarification (S. Kent-BBN) Two sections of OCSP will be revised to clarify what is required of compliant=20 clients and servers with respect to what keys can be used to sign OCSP responses. Specifically, an OCSP response must be signed by either the CA who=20 issued the certificate in question, by an entity who has been explicitly=20 delegated this authority by that CA (through direct issuance and inclusion of=20 a specified EKU extension), or by an entity who has been selected as=20 authoritative by the client. Compliant OCSP servers and clients MUST be able=20 to support all three of these options.(Satisfying the third option is largely=20 trivial for the server, but requires a configuration capability for clients.) Will End-Entity Certificates be Fat or Low Fat? (D. Pinkas-Bull) Proposal to minimize the addition of extensions to EE certificates, by moving=20 as much of this sort of information to CA certificates, from EE certificates.=20 Examples of such extension data are pointers to OCSP responders and CRL servers, where applicable to all certificates issued by a CA. Attribute Certificates (S. Farrell-SSE) A kickoff announcement of this new work item. Providing pointers to work on=20 attribute certificates for use with TLS, as an example. OCSP Interoperability Testing (A. Malparni-ValiCert) Reported on tests of seven independent implementations. All made use of HTTP=20 and direct, DER encoding (not base 64). Discovered some problems, e.g., in=20 hash computation. =20 Server-based Certificate Validation (A. Malparni-ValiCert) A suggestion to explore "outsourcing" certificate validation to a server, from=20 a client. Proposal is to develop a protocol between a client and the=20 validation server, which might be attractive when the client is not=20 computationally capable, or to help by centralizing administration of=20 certificate validation management. There are security concerns here, because=20 of the centralization of security function in servers.=20 MISPC Reference Implementation (T. Polk-NIST) CDROM contains CA, RA, and client executable code. Represents a profile of=20 2459, CMP, and CRMF. Available via web site: http://crscnist.gov/pki/mispc/ ---------------------- <fontfamily><param>Times</param><bigger><bigger>Internet standards needed to support an X.509-based PKI. Several informational and standards track documents in support of the original goals of the WG have been approved by the IESG. The first of these standards, RFC 2459, profiles the X.509 version 3 certificates and version 2 CRLs for use in the Internet. The Certificate Management Protocol (CMP) (RFC 2510), the Online Certificate Status Protocol (OCSP) (RFC 2xxx), and the Certificate Management Request Format (CRMF) (RFC 2511) have been approved, as have profiles for the use of LDAP v2 for certificate and CRL storage (RFC 2xxx) and the use of FTP and HTTP for transport of PKI operations (RFC 2xxx). RFC 2527, an informational RFC on guidelines for certificate policies and practices also has been published, and the IESG has approved publication of an information RFC on use of KEA (RFC 2528) and ECDSA (RFC 2xxx). Work continues on a second certificate management protocol, CMC, closely aligned with the PKCS publications and with the cryptographic message syntax (CMS) developed for S/MIME.=20 A roadmap, providing a guide to the growing set of PKIX document, is also being developed as an informational RFC. The working group is now embarking on additional standards work to develop protocols that are either integral to PKI management, or that are otherwise closely related to PKI use. Work is ongoing on alternative certificate revocation methods. There also is work defining conventions for certificate name forms and extension usage for "qualified certificates," certificates designed for use in (legally binding) non-repudiation contexts. Finally, work is underway on protocols for time stamping and data certification. These protocol are designed to support non-repudiation, making use of certificates and CRLs, and are so tightly bound to PKI use that they warrant coverage under this working group.=20 Additional work will be initiated on a profile for X.509 attribute certificates, resulting in a new RFC and, perhaps, in extensions to existing certificate management standards to accommodate differences between attribute certificates and public-key certificates. =20 New Goals and Milestones: July 99 Update RFC 2459, in anticipation of progression from PROPOSED to DRAFT Complete approval of CMC, qualified certificates, and time-stamp documents Initiate work on attribute certificate profile. =20 Dec 99 Update March/April RFCs, for progress from PROPOSED to DRAFT Complete approval of data notarization document Publish I-D for attribute certificate profile March 00 Complete work on attribute certificate profile July 00 Continue RFC updating process, =8A=20 </bigger></bigger></fontfamily> --============_-1289051352==_ma============-- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id HAA11605 for ietf-pkix-bks; Fri, 2 Apr 1999 07:32:01 -0800 (PST) Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id HAA11601 for <ietf-pkix@imc.org>; Fri, 2 Apr 1999 07:32:00 -0800 (PST) Received: from xedia.com by relay2.UU.NET with SMTP (peer crosschecked as: madway.xedia.com [198.202.232.199]) id QQgjfi17285; Fri, 2 Apr 1999 10:31:17 -0500 (EST) Received: from tonga.xedia.com by xedia.com (4.1/SMI-4.1) id AA03051; Fri, 2 Apr 99 10:27:13 EST Received: by tonga.xedia.com (SMI-8.6/SMI-SVR4) id KAA05851; Fri, 2 Apr 1999 10:31:12 -0500 Date: Fri, 2 Apr 1999 10:31:12 -0500 Message-Id: <199904021531.KAA05851@tonga.xedia.com> From: Paul Koning <pkoning@xedia.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: Denis.Pinkas@bull.net Cc: ietf-pkix@imc.org Subject: Re: Time-stamp server. TimePrecision info References: <02a201be7cb2$dda47c80$c74bffd0@brick> <37047F95.A12730EF@bull.net> X-Mailer: VM 6.34 under 20.3 "Vatican City" XEmacs Lucid Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> >>>>> "Denis" == Denis Pinkas <Denis.Pinkas@bull.net> writes: Denis> Todd S. Glassey said: >> >That said, I agree with Denis. I do not see the use >> of microseconds to be >especially useful within this protocol. >> >> OK Fine, but humor me - what's the harm in being able to represent >> them? Denis> The TSA gets the clock first and then signs. I do not know any Denis> hardware capable of signature in the micro-second range. The Denis> transmission delay is also quite variable. The harm is giving Denis> false impression of precision. You just made an excellent argument for a precision field. The alternative is to infer it from the number of digits in the timestamp itself, which is a kludge to say the least. (For example, if you have a precision, or I would prefer to call it "tolerance" of +/- 10s, would you omit the units digit of the seconds field? That would be correct but also very confusing.) Transmission delay may or may not be variable depending on the channel used. Signing may take more than a millisecond (or it may not; you can buy chips today that will do it in 2 or 3, so you'll be able to do it in under a millisecond in a year or two). But it's not a good idea to design the sizes of protocol fields so they are just barely large enough for today's technology. IPv4 at least used 4 bytes rather than the 2 they would have used for host addresses if they had used that approach. A half dozen extra bytes costs nothing, especially considering the size of a signature. Better to future-proof the protocol by going AT LEAST down to microseconds, or alternatively making the number of fractional seconds digits unconstrained. paul Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id CAA06187 for ietf-pkix-bks; Fri, 2 Apr 1999 02:35:27 -0800 (PST) Received: from edelweb.fr (edelweb.fr [193.51.12.16]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id CAA06182 for <ietf-pkix@imc.org>; Fri, 2 Apr 1999 02:35:25 -0800 (PST) Received: from champagne.edelweb.fr (localhost.edelweb.fr [127.0.0.1]) by edelweb.fr with ESMTP id MAA11129; Fri, 2 Apr 1999 12:35:24 +0200 (MET DST) Received: from champagne.edelweb.fr (champagne.edelweb.fr [193.51.14.161]) by edelweb.fr (nospam/1.1); Fri, 2 Apr 1999 12:35:23 +0200 (MET DST) Received: from emeriau.edelweb.fr (emeriau.edelweb.fr [193.51.14.5]) by champagne.edelweb.fr (8.6.10/8.6.6) with ESMTP id MAA10405; Fri, 2 Apr 1999 12:35:22 +0200 From: Peter Sylvester <Peter.Sylvester@edelweb.fr> Received: (sylvest@localhost) by emeriau.edelweb.fr (8.6.10/8.6.6) id MAA00678; Fri, 2 Apr 1999 12:35:22 +0200 Date: Fri, 2 Apr 1999 12:35:22 +0200 Message-Id: <199904021035.MAA00678@emeriau.edelweb.fr> To: Denis.Pinkas@bull.net, robert.zuccherato@entrust.com, santoni@sia.it Subject: Re: R: 3 Time Stamping issues Cc: ietf-pkix@imc.org Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> A similar problem exists in dcs. And more: In dcs dcsReqInfo DCSReqInfo, --MUST be the same value as the dcsReqInfo field in DCSReqData messageImprint MessageImprint, --if the data field in DCSReqData is MessageImprint, this --MUST contain that same value, otherwise it contains a hash of --the data field in DCSReqData using the hash algorithm --specified in the digestAlgorithm parameter of SignerInfo in --the data certification token are not optional, if the responder wants to signal some encoding error in the request, there is a problem. > > I have a different doubt about the protocol: > > the TSTInfo structure includes a status field with PKIStatusInfo syntax. I > understand that the TSA could signal to the requestor (ie the client) the > unavailability of a time source by using the valure 15 (tdaNotAvailable) for > the failInfo field (with syntax PKIFailureInfo) of the TSTInfo status field. > However, if the TSA has no reliable time source available, it should not > issue a time value at all, right? Nontheless, the tstTime field of the > TSTInfo structure is not OPTIONAL. So, it must carry some value, somehow. > > The question, then, is: what time value should be put in the (mandatory) > tstTime field when the TSA signals an error? > > The same reasoning applies to other error condition which (should) prevent > the TSA from issuing a time indication. > > Adriano > > > -----Messaggio originale----- > > Da: Denis Pinkas [SMTP:Denis.Pinkas@bull.net] > > Inviato: giovedì 1 aprile 1999 17.59 > > A: IETF-PXIX > > Oggetto: 3 Time Stamping issues > > > > Since I am a co-editor of the Time Stamping document, I would like > > to give my opinion on the various issues raised on the mailing list. > > > > 1. There has been a suggestion to possibly improve the resolution to > > microseconds from milliseconds. > > > > Since the delay in the transmission is at least in the millisecond > > order, having something more precise would give a false degree of > > precision. I would not go under the millisesond. > > > > 2. There has been a suggestion to possibly add a precision field. > > > > I do not think this is absolutely necessary. So I am not supportive > > of it since the policy can handle this. > > > > 3. There has been a suggestion to possibly add a message information > > field. > > > > I have arguments *against* this idea. I would realy like to keep the > > TSA as much ignorant as possible of the purpose of the Time > > Stamping. If we add that information, the TSA could know "Invoice > > from Alpha company to Delta company". Is > > this way the TSA could learn that the Delta company is doing > > commerce with the Delta company. This may that be a nice point to > > spy. So I am against the inclusion of that aditional information. > > > > However, ... I understand the concern of the linkeage and I would > > propose an alternative: > > > > Defining a Time Stamping Token (TST) that would be able to include > > that information. Basically the TST would be the concatenation of > > the "message information field" and of the signed portion of the > > information received. The TST would be constructed locally instead > > of being fully constructed by the TSA. We could define its structure > > in a normative annex. > > > > Regards, > > > > Denis > Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id BAA03701 for ietf-pkix-bks; Fri, 2 Apr 1999 01:44:54 -0800 (PST) Received: from edelweb.fr (edelweb.fr [193.51.12.16]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id BAA03697 for <ietf-pkix@imc.org>; Fri, 2 Apr 1999 01:44:52 -0800 (PST) Received: from champagne.edelweb.fr (localhost.edelweb.fr [127.0.0.1]) by edelweb.fr with ESMTP id LAA07985; Fri, 2 Apr 1999 11:45:07 +0200 (MET DST) Received: from champagne.edelweb.fr (champagne.edelweb.fr [193.51.14.161]) by edelweb.fr (nospam/1.1); Fri, 2 Apr 1999 11:45:06 +0200 (MET DST) Received: from emeriau.edelweb.fr (emeriau.edelweb.fr [193.51.14.5]) by champagne.edelweb.fr (8.6.10/8.6.6) with ESMTP id LAA09674; Fri, 2 Apr 1999 11:45:05 +0200 From: Peter Sylvester <Peter.Sylvester@edelweb.fr> Received: (sylvest@localhost) by emeriau.edelweb.fr (8.6.10/8.6.6) id LAA00659; Fri, 2 Apr 1999 11:45:05 +0200 Date: Fri, 2 Apr 1999 11:45:05 +0200 Message-Id: <199904020945.LAA00659@emeriau.edelweb.fr> To: ietf-pkix@imc.org, Denis.Pinkas@bull.net Subject: Re: 3 Time Stamping issues Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> It seems to me that we are handling different things: - A requester of a time stamp may want to have an indication somewhere that allows to correlate a response with a request. For the actual time stamping proposal I do not see why the requester could not simply use the message imprint itself. (If the hash is not collision free, the requester already has another problem.) For the DCS draft there may be a problem because it is the DCS server that decides to create a messageImprint from the given data, and the current text proposes the DCS responder to choose the hash. One might change this and say, that the reponder takes (one of) the digest function used during signing the request. - A requester wants to carry whatever kind of pointer to the real data. One might debate about the usage, in any case I am not sure whether an opaque octet string is the right solution. The type of the data should probably be indicated by an OID. > > 3. There has been a suggestion to possibly add a message information > field. > > I have arguments *against* this idea. I would realy like to keep the > TSA as much ignorant as possible of the purpose of the Time > Stamping. If we add that information, the TSA could know "Invoice > from Alpha company to Delta company". Is > this way the TSA could learn that the Delta company is doing > commerce with the Delta company. This may that be a nice point to > spy. So I am against the inclusion of that aditional information. I agree (contrary to what I have said a few hours ago.) ;-) > > However, ... I understand the concern of the linkeage and I would > propose an alternative: > > Defining a Time Stamping Token (TST) that would be able to include > that information. Basically the TST would be the concatenation of > the "message information field" and of the signed portion of the > information received. The TST would be constructed locally instead > of being fully constructed by the TSA. We could define its structure > in a normative annex. The actual Timestamp token is a cms signed data object; the requester always has the possibility to add an unsignedattribute to the SignerInfo of the response. Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id AAA00793 for ietf-pkix-bks; Fri, 2 Apr 1999 00:40:10 -0800 (PST) Received: from ntsiaexch.office (exchange.sia.it [192.106.192.201]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id AAA00665 for <ietf-pkix@imc.org>; Fri, 2 Apr 1999 00:36:25 -0800 (PST) Received: by ntsiaexch.office with Internet Mail Service (5.5.2232.9) id <2DXF6XD9>; Fri, 2 Apr 1999 10:35:03 +0200 Message-ID: <8160937F4F4CD111A93E00805FC17529012F193A@ntsiaexch.office> From: Santoni Adriano <santoni@sia.it> To: "'Denis Pinkas'" <Denis.Pinkas@bull.net>, "'Robert Zuccherato'" <robert.zuccherato@entrust.com> Cc: IETF-PXIX <ietf-pkix@imc.org> Subject: R: 3 Time Stamping issues Date: Fri, 2 Apr 1999 10:35:02 +0200 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2232.9) Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id AAA00790 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> I have a different doubt about the protocol: the TSTInfo structure includes a status field with PKIStatusInfo syntax. I understand that the TSA could signal to the requestor (ie the client) the unavailability of a time source by using the valure 15 (tdaNotAvailable) for the failInfo field (with syntax PKIFailureInfo) of the TSTInfo status field. However, if the TSA has no reliable time source available, it should not issue a time value at all, right? Nontheless, the tstTime field of the TSTInfo structure is not OPTIONAL. So, it must carry some value, somehow. The question, then, is: what time value should be put in the (mandatory) tstTime field when the TSA signals an error? The same reasoning applies to other error condition which (should) prevent the TSA from issuing a time indication. Adriano > -----Messaggio originale----- > Da: Denis Pinkas [SMTP:Denis.Pinkas@bull.net] > Inviato: giovedì 1 aprile 1999 17.59 > A: IETF-PXIX > Oggetto: 3 Time Stamping issues > > Since I am a co-editor of the Time Stamping document, I would like > to give my opinion on the various issues raised on the mailing list. > > 1. There has been a suggestion to possibly improve the resolution to > microseconds from milliseconds. > > Since the delay in the transmission is at least in the millisecond > order, having something more precise would give a false degree of > precision. I would not go under the millisesond. > > 2. There has been a suggestion to possibly add a precision field. > > I do not think this is absolutely necessary. So I am not supportive > of it since the policy can handle this. > > 3. There has been a suggestion to possibly add a message information > field. > > I have arguments *against* this idea. I would realy like to keep the > TSA as much ignorant as possible of the purpose of the Time > Stamping. If we add that information, the TSA could know "Invoice > from Alpha company to Delta company". Is > this way the TSA could learn that the Delta company is doing > commerce with the Delta company. This may that be a nice point to > spy. So I am against the inclusion of that aditional information. > > However, ... I understand the concern of the linkeage and I would > propose an alternative: > > Defining a Time Stamping Token (TST) that would be able to include > that information. Basically the TST would be the concatenation of > the "message information field" and of the signed portion of the > information received. The TST would be constructed locally instead > of being fully constructed by the TSA. We could define its structure > in a normative annex. > > Regards, > > Denis Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id AAA00269 for ietf-pkix-bks; Fri, 2 Apr 1999 00:27:40 -0800 (PST) Received: from clbull.frcl.bull.fr (clbull.frcl.bull.fr [129.182.1.20]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id AAA00253 for <ietf-pkix@imc.org>; Fri, 2 Apr 1999 00:27:35 -0800 (PST) Received: from k2.frcl.bull.fr (k2.frcl.bull.fr [129.182.100.2]) by clbull.frcl.bull.fr (8.9.1a/8.9.1) with ESMTP id KAA15456; Fri, 2 Apr 1999 10:27:22 +0100 Received: from bull.net (frcls6118.frcl.bull.fr [129.182.109.213]) by k2.frcl.bull.fr (AIX4.2/UCB 8.7/8.7) with ESMTP id KAA25354; Fri, 2 Apr 1999 10:28:23 +0100 (NFT) Message-ID: <37047F95.A12730EF@bull.net> Date: Fri, 02 Apr 1999 10:28:06 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.06 [fr] (Win95; I) MIME-Version: 1.0 To: "Todd S. Glassey" <Todd.Glassey@www.GMTsw.com> CC: Robert Zuccherato <robert.zuccherato@entrust.com>, PHalliden@zergo.com, "'Paul Koning'" <pkoning@xedia.com>, ietf-pkix@imc.org Subject: Re: Time-stamp server. TimePrecision info References: <02a201be7cb2$dda47c80$c74bffd0@brick> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Todd S. Glassey said: > -----Original Message----- > From: Robert Zuccherato <robert.zuccherato@entrust.com> > To: PHalliden@zergo.com <PHalliden@zergo.com>; 'Paul Koning' > <pkoning@xedia.com> > Cc: ietf-pkix@imc.org <ietf-pkix@imc.org> > Date: Thursday, April 01, 1999 10:59 AM > Subject: RE: Time-stamp server. TimePrecision info > > >One point that I would like to clear up. The present timestamping draft > >does not consider resolution of hours to be sufficient. The reference to > >resolution of "less than a few hours" comes from an informative annex > giving > >an example of how the protocol could be used. The resolution required by > >any particular application is not considered in the main document. > Remember > >this document describes just the protocol to be used by the TSA. > > > >That said, I agree with Denis. I do not see the use of microseconds to be > >especially useful within this protocol. > > OK Fine, but humor me - what's the harm in being able to represent them? The TSA gets the clock first and then signs. I do not know any hardware capable of signature in the micro-second range. The transmission delay is also quite variable. The harm is giving false impression of precision. Denis > > Todd > > SNIP--- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id SAA07163 for ietf-pkix-bks; Thu, 1 Apr 1999 18:49:43 -0800 (PST) Received: from gmtsw.com (test.glassey.com [207.126.98.130] (may be forged)) by mail.proper.com (8.8.8/8.8.5) with SMTP id SAA07159 for <ietf-pkix@imc.org>; Thu, 1 Apr 1999 18:49:42 -0800 (PST) Received: from brick by gmtsw.com (SMI-8.6/SMI-SVR4) id SAA12379; Thu, 1 Apr 1999 18:50:02 -0800 Message-ID: <02a201be7cb2$dda47c80$c74bffd0@brick> From: "Todd S. Glassey" <Todd.Glassey@www.GMTsw.com> To: "Robert Zuccherato" <robert.zuccherato@entrust.com>, <PHalliden@zergo.com>, "'Paul Koning'" <pkoning@xedia.com> Cc: <ietf-pkix@imc.org> Subject: Re: Time-stamp server. TimePrecision info Date: Thu, 1 Apr 1999 18:45:25 -0800 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> -----Original Message----- From: Robert Zuccherato <robert.zuccherato@entrust.com> To: PHalliden@zergo.com <PHalliden@zergo.com>; 'Paul Koning' <pkoning@xedia.com> Cc: ietf-pkix@imc.org <ietf-pkix@imc.org> Date: Thursday, April 01, 1999 10:59 AM Subject: RE: Time-stamp server. TimePrecision info >One point that I would like to clear up. The present timestamping draft >does not consider resolution of hours to be sufficient. The reference to >resolution of "less than a few hours" comes from an informative annex giving >an example of how the protocol could be used. The resolution required by >any particular application is not considered in the main document. Remember >this document describes just the protocol to be used by the TSA. > >That said, I agree with Denis. I do not see the use of microseconds to be >especially useful within this protocol. OK Fine, but humor me - what's the harm in being able to represent them? Todd SNIP--- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id QAA05123 for ietf-pkix-bks; Thu, 1 Apr 1999 16:06:29 -0800 (PST) Received: from gmtsw.com (test.glassey.com [207.126.98.130] (may be forged)) by mail.proper.com (8.8.8/8.8.5) with SMTP id QAA05119 for <ietf-pkix@imc.org>; Thu, 1 Apr 1999 16:06:28 -0800 (PST) Received: from brick by gmtsw.com (SMI-8.6/SMI-SVR4) id QAA12318; Thu, 1 Apr 1999 16:06:52 -0800 Message-ID: <026201be7c9c$12b9c720$c74bffd0@brick> From: "Todd S. Glassey" <Todd.Glassey@www.GMTsw.com> To: "Denis Pinkas" <Denis.Pinkas@bull.net>, "IETF PKIX" <ietf-pkix@imc.org> Subject: Re: 3 Time Stamping issues Date: Thu, 1 Apr 1999 16:02:16 -0800 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Denis, - SNIP --- > >1. There has been a suggestion to possibly improve the resolution to >microseconds from milliseconds. > >Since the delay in the transmission is at least in the millisecond >order, having something more precise would give a false degree of >precision. I would not go under the millisesond. This assumes that you use a SW only model from today's commercially available equipment at the PC level. Anyone that needs a more reliable or finer granularity timesource can get a HW module from Datum or any of the other time board providers. Commercial computing has used IRIG-B and other timebase distribution protocols in time dependent networking apps for years. Limiting ourselves to a millisecond is probably ok for the next year or two, but microseconds are coming so why not use a large enough data structure to handle these eventualities? > >2. There has been a suggestion to possibly add a precision field. > >I do not think this is absolutely necessary. So I am not supportive >of it since the policy can handle this. No - absolutely there needs to be a precision field for comparison purposes and as part of the policy control infrastructure. > >3. There has been a suggestion to possibly add a message information >field. > >I have arguments *against* this idea. I would realy like to keep the >TSA as much ignorant as possible of the purpose of the Time >Stamping. If we add that information, the TSA could know "Invoice >from Alpha company to Delta company". I agree that the current protocol tools are probably ok without the message information *as long as we do the token strures* >Is this way the TSA could learn that the Delta company is doing >commerce with the Delta company. This may that be a nice point to >spy. So I am against the inclusion of that aditional information. > >However, ... I understand the concern of the linkeage and I would >propose an alternative: > >Defining a Time Stamping Token (TST) that would be able to include >that information. Basically the TST would be the concatenation of >the "message information field" and of the signed portion of the >information received. The TST would be constructed locally instead >of being fully constructed by the TSA. We could define its structure >in a normative annex. Yes, we should have a TST draft to submit on our GeoPositional Token by the end of the weekend. Stay Tuned. Todd Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id NAA03614 for ietf-pkix-bks; Thu, 1 Apr 1999 13:34:16 -0800 (PST) Received: from out2.ibm.net (out2.ibm.net [165.87.194.229]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id NAA03610 for <ietf-pkix@imc.org>; Thu, 1 Apr 1999 13:34:15 -0800 (PST) Received: from dell-450-nt (slip-32-100-84-130.ny.us.ibm.net [32.100.84.130]) by out2.ibm.net (8.8.5/8.6.9) with SMTP id VAA59048; Thu, 1 Apr 1999 21:34:07 GMT Message-ID: <006901be7c87$e9eb3e50$010a0a0a@dell-450-nt.baims.com> From: "Robert Klerer" <klerer@xhair.com> To: "Paul Halliden" <PHalliden@baltimore.com>, "'Paul Koning'" <pkoning@xedia.com> Cc: <ietf-pkix@imc.org> Subject: Re: Time-stamp server. TimePrecision info Date: Thu, 1 Apr 1999 16:36:23 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Sequencing can be important. It is correctly stated that establishing precise sequencing across servers may not be achievable, but if a non-arbitrary ordering needs to be established, the availability of sequencing on a single server can be useful. (Whose bid got in first at the sellers choice of server). If the loser losses because of latency, they should buy a better network service. -----Original Message----- From: Paul Halliden <PHalliden@baltimore.com> To: 'Paul Koning' <pkoning@xedia.com> Cc: ietf-pkix@imc.org <ietf-pkix@imc.org> Date: Thursday, April 01, 1999 1:15 PM Subject: RE: Time-stamp server. TimePrecision info > > >I quite agree that hours may not be close enough in some cases. The point >is >that the spec specifically talks about a range of communication techniques >between requester and TSS including e-mail which has a notoriously variable >transit time. The timestamp gives no indication about how long the >requester's message took to get to the timestamp authority. Even if it >did, >I don't believe that the authority would be in any position to know >reliably >at what time the request was made. Thus anyone who relies on a sequence of >timestamps to indicate order is deluding themselves if they want precision >anywhere near the transit time of the network(s) used. I would expect the >timestamp authority's policy to say its service was unsuited for such >precise sequencing and that some other technique for establishing the >sequence of transactions should be used. > >Paul > > > >-----Original Message----- >From: Paul Koning [mailto:pkoning@xedia.com] >Sent: 01 April 1999 17:05 >To: PHalliden@zergo.com >Cc: ietf-pkix@imc.org >Subject: RE: Time-stamp server. TimePrecision info > > >I suspect that "close enough" may change over time, and hours may not >be good enough. For example, the required accuracy for timestamps on >stock trading messages is more likely to be minutes rather than hours >even today. > >In any case, it helps to be consistent. If hours or even minutes is >the outer limit of resolution needed, them milliseconds have no place >in the timestamp format. > >As for establishing order by having a second document include the >older timestamp of the first document, that's fine if I generate both >documents. If the dispute is on which of the two of us generated our >document first, then we'll be dealing with two independent timestamps >presumably from different servers. If they aren't synchronized to UTC >any better than hours, the service will not be useful in a number of >interesting cases. > >Finally: it's a bad idea to make the specs tighter than what is >achievable, but it also doesn't make a whole lot of sense to make them >4 orders of magnitude looser. Synchronizing to UTC to within a >fraction of a second is easy, and network round trip times are in the >range of seconds (actually, often way smaller than that). Yes, that >opens the question of how you handle leap seconds. One solution is to >loosen things up some more, but going from seconds to hours is really >not necessary. > > paul > > - att-1.htm Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id JAA01219 for ietf-pkix-bks; Thu, 1 Apr 1999 09:30:35 -0800 (PST) Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id JAA01215 for <ietf-pkix@imc.org>; Thu, 1 Apr 1999 09:30:34 -0800 (PST) Received: from xedia.com by relay2.UU.NET with SMTP (peer crosschecked as: madway.xedia.com [198.202.232.199]) id QQgjby09683; Thu, 1 Apr 1999 12:30:10 -0500 (EST) Received: from tonga.xedia.com by xedia.com (4.1/SMI-4.1) id AA18901; Thu, 1 Apr 99 12:26:03 EST Received: by tonga.xedia.com (SMI-8.6/SMI-SVR4) id MAA04356; Thu, 1 Apr 1999 12:30:01 -0500 Date: Thu, 1 Apr 1999 12:30:01 -0500 Message-Id: <199904011730.MAA04356@tonga.xedia.com> From: Paul Koning <pkoning@xedia.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: Denis.Pinkas@bull.net Cc: ietf-pkix@imc.org Subject: Re: 3 Time Stamping issues References: <370397DF.34C4BAEF@bull.net> X-Mailer: VM 6.34 under 20.3 "Vatican City" XEmacs Lucid Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> >>>>> "Denis" == Denis Pinkas <Denis.Pinkas@bull.net> writes: Denis> 2. There has been a suggestion to possibly add a precision Denis> field. Denis> I do not think this is absolutely necessary. So I am not Denis> supportive of it since the policy can handle this. I would think the policy describes things that are more or less constant, certainly not things that are changing from hour to hour. But the precision of the timestamp (how closely it agrees with UTC) is a dynamic variable. If your authoritative time source (e.g., GPS) is working, you're synchronized to a small fraction of a second. If you lose the signal, your precision degrades at, typically, about 10^-4, i.e., 86 seconds per day. If your policy reports a rather loose synchronization you can use the policy approach (simply go off-line when sync has been lost for too long). But if you want to claim, say, 100 ms tolerance, but want to be able to keep operating even if the external clock is lost for more than 16 minutes, the precision field in the timestamp is useful. paul Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id JAA01199 for ietf-pkix-bks; Thu, 1 Apr 1999 09:29:00 -0800 (PST) Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id JAA01195 for <ietf-pkix@imc.org>; Thu, 1 Apr 1999 09:28:59 -0800 (PST) Received: from xedia.com by relay2.UU.NET with SMTP (peer crosschecked as: madway.xedia.com [198.202.232.199]) id QQgjbx07624; Thu, 1 Apr 1999 12:25:43 -0500 (EST) Received: from tonga.xedia.com by xedia.com (4.1/SMI-4.1) id AA18837; Thu, 1 Apr 99 12:21:36 EST Received: by tonga.xedia.com (SMI-8.6/SMI-SVR4) id MAA04354; Thu, 1 Apr 1999 12:25:34 -0500 Date: Thu, 1 Apr 1999 12:25:34 -0500 Message-Id: <199904011725.MAA04354@tonga.xedia.com> From: Paul Koning <pkoning@xedia.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: PHalliden@baltimore.com Cc: ietf-pkix@imc.org Subject: RE: Time-stamp server. TimePrecision info References: <A92CFE655D22D211B2FB00A0C9CE01E0562A61@baltimore.com> X-Mailer: VM 6.34 under 20.3 "Vatican City" XEmacs Lucid Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> >> Paul Halliden wrote: > I quite agree that hours may not be close enough in some cases. The point is > that the spec specifically talks about a range of communication techniques > between requester and TSS including e-mail which has a notoriously variable > transit time. The timestamp gives no indication about how long the > requester's message took to get to the timestamp authority. Even if it did, > I don't believe that the authority would be in any position to know reliably > at what time the request was made. Thus anyone who relies on a sequence of > timestamps to indicate order is deluding themselves if they want precision > anywhere near the transit time of the network(s) used. I would expect the > timestamp authority's policy to say its service was unsuited for such > precise sequencing and that some other technique for establishing the > sequence of transactions should be used. I don't see that the transport matters. No matter what transport you use, the only thing the timestamp tells you is the time at which the server generated the stamp. The requester obviously issued the request before that, but you cannot know how much before that. Similarly, a sequence of timestamps shows sequence of timestamping, not sequence of request generation. If I need a timestamp to show that I did X by time Y, I'd use a transport with low enough latency to meet my needs. What that latency is, is a decision I have to make, but it doesn't matter to the server. paul Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id JAA01116 for ietf-pkix-bks; Thu, 1 Apr 1999 09:17:13 -0800 (PST) Received: from gmtsw.com (test.glassey.com [207.126.98.130] (may be forged)) by mail.proper.com (8.8.8/8.8.5) with SMTP id JAA01112 for <ietf-pkix@imc.org>; Thu, 1 Apr 1999 09:17:12 -0800 (PST) Received: from brick by gmtsw.com (SMI-8.6/SMI-SVR4) id JAA11973; Thu, 1 Apr 1999 09:17:36 -0800 Message-ID: <016d01be7c62$e81879f0$c74bffd0@brick> From: "Todd S. Glassey" <Todd.Glassey@www.GMTsw.com> To: "IETF PKIX" <ietf-pkix@imc.org>, <ietf-stime@www.GMTsw.com> Subject: New Timestamping Tokens Date: Thu, 1 Apr 1999 09:13:03 -0800 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Hey Folks, I have a serious concern that we are focusing on only half the battle ere - these issues, that is to say about the structure of the Zuccheratto, et al. Timestamping Library, are really only half the puzzle for timestamping and event tracking. As I was saying above, I suggest that the protocol, without adding a recommended token structure is only half the battle. The protocol without a token structure and format is just that, a means to cook a new end, nothing more than core enablement. Imagine if you will, that you are looking at all the pieces of a classic car on the floor of your garage, Now take that image a step farther and imagine that THERE IS NO INSTRUCTION BOOK for building the car and you've never seen one assembled before... More importantly, that some auditor has to do a CS2 Audit on the completed car having never seen the instructions either, in order for you to sell the car. No what do you do? 'Cause in my mind, that's what the current timestamping protocol draft represents today - All the well manufactured infrastructure, but no instructions or approved method for using them. So, I suggest we help out the people who use these standards by giving them a baseline set of digital tokens. My feeling is that to the industry and our respective commercial endeavors, that this technology would be of uncountable value to since we would have an anchor point to code to, the Token. Todd Glassey Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id JAA01028 for ietf-pkix-bks; Thu, 1 Apr 1999 09:09:57 -0800 (PST) Received: from gmtsw.com (test.glassey.com [207.126.98.130] (may be forged)) by mail.proper.com (8.8.8/8.8.5) with SMTP id JAA01024 for <ietf-pkix@imc.org>; Thu, 1 Apr 1999 09:09:56 -0800 (PST) Received: from brick by gmtsw.com (SMI-8.6/SMI-SVR4) id JAA11958; Thu, 1 Apr 1999 09:09:36 -0800 Message-ID: <015d01be7c61$ca7b9040$c74bffd0@brick> From: "Todd S. Glassey" <Todd.Glassey@www.GMTsw.com> To: <PHalliden@zergo.com>, <mzolotarev@baltimore.com.au> Cc: <ietf-pkix@imc.org> Subject: Re: Time-stamp server. TimePrecision info Date: Thu, 1 Apr 1999 09:05:03 -0800 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_015A_01BE7C1E.BAD11400" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This is a multi-part message in MIME format. ------=_NextPart_000_015A_01BE7C1E.BAD11400 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Thanks for the opening... I was wondering how to work this in... There is an even bigger issue here for the use model. The actual end use = of the system you are describing, the document timestamper/verifier is a = end user application of timestamping only. There are many other uses of = certifiable time than just adding non-repudiation. Certain IA control = processes and other industrial control apps that are time based need = this resolution as part of their control and messaging processes. However the real issue is how to represent a timestamp in a manner = conducive to the most general purpose use models. Also to make this same = system work everywhere. That's why we need the token structure defined. The bottomline is that subsecond accuracy is required for a growing = number of industrial, commercial, and financial applications and because = of the complexities of integrating certifiable timebases into processes = and deliverable technologies, clean and reliable timebase services are = better off being deployed everywhere.=20 Todd=20 -----Original Message----- From: PHalliden@zergo.com <PHalliden@zergo.com> To: 'mzolotarev@baltimore.com.au' <mzolotarev@baltimore.com.au> Cc: ietf-pkix@imc.org <ietf-pkix@imc.org> Date: Thursday, April 01, 1999 8:19 AM Subject: RE: Time-stamp server. TimePrecision info =20 =20 Are we missing a point here? The use of a timestamp server is to = resolve questions such as "At what time was a document signed?", "In = what order were documents signed?" or "At what time was a document = received?". A timestamp server says "I issued a timestamp for the = document at xxxx date and time". In other words, there is not a precise = time relationship between the event potentially in dispute and the = generation of the timestamp. Appendix B of the current draft recognises = this by saying that, when subsequently verifying a document is = consistent with its timestamp, the evidence should only be accepted if = the times are "close enough (e.g. less than a few hours)". Whilst hours = may be a bit pessimistic for some systems, one only has to consider the = likely method of communication between the requestor and the timestamp = server to realise that a [leap] second either way is irrelevant. = Certainly, two requests issued at almost the same time will not = necessarily arrive at the timestamp server in the same order as they = were dispatched. If we really are concerned about establishing = completely unambiguously the order in which two documents are signed, a = higher level protocol is required e.g. one in which the second document = contains the timestamp of the first one. =20 =20 Paul Halliden=20 Director for Strategic Technology=20 = ______________________________________________________________________=20 Baltimore, The Square, Basing View, Basingstoke, Hants, RG21 4EG, UK = Tel: +44 (0) 1442 342 784 Fax: +44 (0) 1256 812901=20 http://www.baltimore.com=20 Baltimore is the operating name of Zergo Holdings plc=20 =20 =20 =20 -----Original Message-----=20 From: Michael Zolotarev [mailto:mzolotarev@baltimore.com.au]=20 Sent: 01 April 1999 09:00=20 To: 'Tony Bartoletti'; Todd S. Glassey; Paul Koning;=20 robert.zuccherato@entrust.com=20 Cc: ietf-pkix@imc.org; 'slaing@baltimore.com.au';=20 'ashellshear@baltimore.com.au'=20 Subject: RE: Time-stamp server. TimePrecision info=20 =20 =20 Tony,=20 I guess there is a neater solution to the 'gain a leap second' = problem,=20 using the serialNumber field of the response. If the serialNumebr is = properly maintained by the TSS, and returned to the client, a second = can=20 last as long as we want it:=20 time: 0.21 0.22 0.23 0.23 0.23 = 0.24=20 S/N: 1,2,3,4... x,x+1,x+2... n,n+1,n+2,n+3, n+4, n+.. = m,m+1...=20 The issue is, the problem only exists when we COMPARE two stamps = produced=20 by THE SAME TSS. And this is exactly where the serialNumber will = help us=20 out.=20 In a situation when you compare the stamps produced by different = servers,=20 or compare a stamp to a 'Golden Rolex' time, a one second difference = should=20 be tolerated, as the sources are not expected to be highly = synchronised=20 anyway.=20 Michael Zolotarev=20 Technical Architect, Baltimore Technologies Limited (Australia)=20 Happy Easter!=20 -----Original Message-----=20 From: Tony Bartoletti [SMTP:azb@llnl.gov]=20 Sent: Thursday, April 01, 1999 4:31 AM=20 To: Todd S. Glassey; Paul Koning; robert.zuccherato@entrust.com=20 Cc: ietf-pkix@imc.org=20 Subject: Re: Time-stamp server. TimePrecision info=20 At 07:44 PM 3/30/99 -0800, Todd S. Glassey wrote:=20 >How will you deal with leap seconds?=20 >=20 The only solution I can think of would be UGLY, but would preserve=20 the all-important monotonicity. At least it would work when a=20 leap-second is added. (Subtracting is another matter. You would=20 already have monotonicity, but differencing might be difficult.)=20 Add another field to the "seconds", as little as one "bit", that=20 is always zero except for a leap-second, when it is "one."=20 E.G. leap.seconds.milliseconds=20 Now, if (say) the 23rd second of this minute had to be "repeated"=20 (the clock is being set back 1 second, "gaining" a leap second,)=20 then it would first occur as 0.23.ms, and then a second later=20 as 1.23.ms.=20 Thus, the sequence of timestamps of seconds from 21 to 25 might=20 be recorded as 0.21, 0.22, 0.23, 1.23, 0.24, 0.25, with=20 0.23 < 1.23, and 1.23 < 0.24=20 Losing a leap-second (should that ever happen) is another matter.=20 One could just drop the "missing" second as the clock advances.=20 E.G.=20 0.21, 0.22, 0.24, 0.25=20 Monotonicity is preserved. Differencing is a headache.=20 I wonder how they will actually deal with this.=20 ___tony___=20 Tony Bartoletti LL=20 Center for Information Operations and Assurance LL LL=20 Lawrence Livermore National Laboratory LL LL LL=20 PO Box 808, L - 303 LL LL LL=20 Livermore, CA 94551-9900 LL LL LLLLLLLL = phone: 925-422-3881 fax: 925-423-8002 LL LLLLLLLL=20 email: azb@llnl.gov LLLLLLLL=20 ------=_NextPart_000_015A_01BE7C1E.BAD11400 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD W3 HTML//EN"> <HTML> <HEAD> <META content=3Dtext/html;charset=3Diso-8859-1 = http-equiv=3DContent-Type><TITLE>RE: Time-stamp server. TimePrecision = info</TITLE><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <META content=3D'"MSHTML 4.72.3110.7"' name=3DGENERATOR> </HEAD> <BODY bgColor=3D#ffffff> <DIV><FONT color=3D#000000 size=3D2>Thanks for the opening... I was = wondering how to=20 work this in...</FONT></DIV> <DIV><FONT color=3D#000000 size=3D2></FONT> </DIV> <DIV><FONT color=3D#000000 size=3D2>There is an even bigger issue here = for the use=20 model. The actual end use of the system you are describing, the document = timestamper/verifier is a end user application of timestamping only. = There are=20 many other uses of certifiable time than just adding non-repudiation. = Certain IA=20 control processes and other industrial control apps that are time based = need=20 this resolution as part of their control and messaging = processes.</FONT></DIV> <DIV> </DIV> <DIV><FONT size=3D2>However the real issue is how to represent a = timestamp in a=20 manner conducive to the most general purpose use models. Also to make = this same=20 system work everywhere. That's why we need the token structure=20 defined.</FONT></DIV> <DIV> </DIV> <DIV><FONT size=3D2>The bottomline is that subsecond accuracy is = required for a=20 growing number of industrial, commercial, and financial applications and = because=20 of the complexities of integrating certifiable timebases into processes = and=20 deliverable technologies, clean and reliable timebase services are = better off=20 being deployed everywhere. </FONT></DIV> <DIV> </DIV> <DIV><FONT color=3D#000000 size=3D2>Todd </FONT></DIV> <DIV> </DIV> <BLOCKQUOTE=20 style=3D"BORDER-LEFT: #000000 solid 2px; MARGIN-LEFT: 5px; PADDING-LEFT: = 5px"> <DIV><FONT face=3DArial size=3D2><B>-----Original = Message-----</B></FONT><FONT=20 face=3DArial size=3D2><BR><B>From: </B><A=20 href=3D"mailto:PHalliden@zergo.com">PHalliden@zergo.com</A> <<A=20 = href=3D"mailto:PHalliden@zergo.com">PHalliden@zergo.com</A>><BR><B>To:= =20 </B><A=20 = href=3D"mailto:'mzolotarev@baltimore.com.au'">'mzolotarev@baltimore.com.a= u'</A>=20 <<A=20 = href=3D"mailto:mzolotarev@baltimore.com.au">mzolotarev@baltimore.com.au</= A>><BR><B>Cc:=20 </B><A href=3D"mailto:ietf-pkix@imc.org">ietf-pkix@imc.org</A> = <<A=20 = href=3D"mailto:ietf-pkix@imc.org">ietf-pkix@imc.org</A>><BR><B>Date:=20 </B>Thursday, April 01, 1999 8:19 AM<BR><B>Subject: </B>RE: = Time-stamp=20 server. TimePrecision info<BR><BR></DIV></FONT> <P><FONT size=3D2>Are we missing a point here? The use of a = timestamp=20 server is to resolve questions such as "At what time was a = document=20 signed?", "In what order were documents signed?" or = "At=20 what time was a document received?". A timestamp server = says=20 "I issued a timestamp for the document at xxxx date and=20 time". In other words, there is not a precise time = relationship=20 between the event potentially in dispute and the generation of the=20 timestamp. Appendix B of the current draft recognises this by = saying=20 that, when subsequently verifying a document is consistent with its=20 timestamp, the evidence should only be accepted if the times are = "close=20 enough (e.g. less than a few hours)". Whilst hours may be = a bit=20 pessimistic for some systems, one only has to consider the likely = method of=20 communication between the requestor and the timestamp server to = realise that=20 a [leap] second either way is irrelevant. Certainly, two = requests=20 issued at almost the same time will not necessarily arrive at the = timestamp=20 server in the same order as they were dispatched. If we really = are=20 concerned about establishing completely unambiguously the order in = which two=20 documents are signed, a higher level protocol is required e.g. one = in which=20 the second document contains the timestamp of the first = one.</FONT></P><BR> <P><FONT size=3D2>Paul Halliden</FONT> <BR><FONT size=3D2>Director = for Strategic=20 Technology</FONT> <BR><FONT=20 = size=3D2>________________________________________________________________= ______</FONT>=20 <BR><FONT size=3D2>Baltimore, The Square, Basing View, Basingstoke, = Hants,=20 RG21 4EG, UK</FONT> <BR><FONT size=3D2>Tel: +44 (0) 1442 342 784 = Fax: +44 (0)=20 1256 812901</FONT> <BR><FONT size=3D2><A = href=3D"http://www.baltimore.com"=20 target=3D_blank>http://www.baltimore.com</A></FONT> <BR><FONT = size=3D2>Baltimore=20 is the operating name of Zergo Holdings plc </FONT></P><BR><BR> <P><FONT size=3D2>-----Original Message-----</FONT> <BR><FONT = size=3D2>From:=20 Michael Zolotarev [<A=20 = href=3D"mailto:mzolotarev@baltimore.com.au">mailto:mzolotarev@baltimore.c= om.au</A>]</FONT>=20 <BR><FONT size=3D2>Sent: 01 April 1999 09:00</FONT> <BR><FONT = size=3D2>To: 'Tony=20 Bartoletti'; Todd S. Glassey; Paul Koning;</FONT> <BR><FONT=20 size=3D2>robert.zuccherato@entrust.com</FONT> <BR><FONT size=3D2>Cc: = ietf-pkix@imc.org; 'slaing@baltimore.com.au';</FONT> <BR><FONT=20 size=3D2>'ashellshear@baltimore.com.au'</FONT> <BR><FONT = size=3D2>Subject: RE:=20 Time-stamp server. TimePrecision info</FONT> </P><BR> <P><FONT size=3D2>Tony,</FONT> </P> <P><FONT size=3D2>I guess there is a neater solution to the 'gain a = leap=20 second' problem, </FONT><BR><FONT size=3D2>using the serialNumber = field of the=20 response. If the serialNumebr is </FONT><BR><FONT size=3D2>properly = maintained=20 by the TSS, and returned to the client, a second can = </FONT><BR><FONT=20 size=3D2>last as long as we want it:</FONT> </P> <P><FONT size=3D2>time: =20 0.21 =20 = 0.22 &nb= sp; =20 0.23 =20 0.23 0.23 </FONT><BR><FONT = size=3D2> 0.24</FONT> <BR><FONT=20 size=3D2>S/N: 1,2,3,4... = x,x+1,x+2... =20 n,n+1,n+2,n+3, n+4, n+.. = m,m+1...</FONT> </P> <P><FONT size=3D2>The issue is, the problem only exists when we = COMPARE two=20 stamps produced </FONT><BR><FONT size=3D2>by THE SAME TSS. And this = is exactly=20 where the serialNumber will help us </FONT><BR><FONT = size=3D2>out.</FONT> </P> <P><FONT size=3D2>In a situation when you compare the stamps = produced by=20 different servers, </FONT><BR><FONT size=3D2>or compare a stamp to a = 'Golden=20 Rolex' time, a one second difference should </FONT><BR><FONT = size=3D2>be=20 tolerated, as the sources are not expected to be highly synchronised = </FONT><BR><FONT size=3D2>anyway.</FONT> </P> <P><FONT size=3D2>Michael Zolotarev</FONT> <BR><FONT = size=3D2>Technical=20 Architect, Baltimore Technologies Limited (Australia)</FONT> </P> <P><FONT size=3D2>Happy Easter!</FONT> </P> <P><FONT size=3D2>-----Original Message-----</FONT> <BR><FONT=20 size=3D2>From: Tony Bartoletti = [SMTP:azb@llnl.gov]</FONT>=20 <BR><FONT size=3D2>Sent: Thursday, April 01, 1999 4:31 = AM</FONT>=20 <BR><FONT size=3D2>To: Todd S. Glassey; Paul = Koning;=20 robert.zuccherato@entrust.com</FONT> <BR><FONT=20 size=3D2>Cc: ietf-pkix@imc.org</FONT> = <BR><FONT=20 size=3D2>Subject: Re: = Time-stamp=20 server. TimePrecision info</FONT> </P> <P><FONT size=3D2>At 07:44 PM 3/30/99 -0800, Todd S. Glassey = wrote:</FONT>=20 <BR><FONT size=3D2>>How will you deal with leap seconds?</FONT> = <BR><FONT=20 size=3D2>></FONT> </P> <P><FONT size=3D2>The only solution I can think of would be UGLY, = but would=20 preserve</FONT> <BR><FONT size=3D2>the all-important = monotonicity. At=20 least it would work when a</FONT> <BR><FONT size=3D2>leap-second is = added.=20 (Subtracting is another matter. You would</FONT> <BR><FONT=20 size=3D2>already have monotonicity, but differencing might be=20 difficult.)</FONT> </P> <P><FONT size=3D2>Add another field to the "seconds", as = little as=20 one "bit", that</FONT> <BR><FONT size=3D2>is always zero = except for=20 a leap-second, when it is "one."</FONT> </P> <P><FONT size=3D2> E.G. = leap.seconds.milliseconds</FONT>=20 </P> <P><FONT size=3D2>Now, if (say) the 23rd second of this minute had = to be=20 "repeated"</FONT> <BR><FONT size=3D2>(the clock is being = set back 1=20 second, "gaining" a leap second,)</FONT> <BR><FONT = size=3D2>then it=20 would first occur as 0.23.ms, and then a second later</FONT> = <BR><FONT=20 size=3D2>as 1.23.ms.</FONT> </P> <P><FONT size=3D2>Thus, the sequence of timestamps of seconds from = 21 to 25=20 might</FONT> <BR><FONT size=3D2>be recorded as 0.21, 0.22, 0.23, = 1.23, 0.24,=20 0.25, with</FONT> </P> <P><FONT size=3D2> 0.23 < 1.23, and 1.23 < = 0.24</FONT>=20 </P> <P><FONT size=3D2>Losing a leap-second (should that ever happen) is = another=20 matter.</FONT> <BR><FONT size=3D2>One could just drop the = "missing"=20 second as the clock advances.</FONT> <BR><FONT size=3D2>E.G.</FONT> = </P> <P><FONT size=3D2> 0.21, 0.22, 0.24, 0.25</FONT> = </P> <P><FONT size=3D2>Monotonicity is preserved. Differencing is a = headache.</FONT> </P> <P><FONT size=3D2>I wonder how they will actually deal with = this.</FONT> </P> <P><FONT size=3D2>___tony___</FONT> </P> <P><FONT size=3D2>Tony=20 = Bartoletti &nb= sp; &nbs= p;  = ; =20 LL</FONT> <BR><FONT size=3D2>Center for Information Operations and=20 Assurance LL = LL</FONT>=20 <BR><FONT size=3D2>Lawrence Livermore National=20 = Laboratory &nb= sp; =20 LL LL LL</FONT> <BR><FONT size=3D2>PO Box 808, L -=20 = 303 &nbs= p;  = ; =20 LL LL LL</FONT> <BR><FONT size=3D2>Livermore, CA=20 = 94551-9900 &nb= sp; &nbs= p; =20 LL LL LLLLLLLL</FONT> <BR><FONT size=3D2>phone: = 925-422-3881 fax:=20 = 925-423-8002 &= nbsp; =20 LL LLLLLLLL</FONT> <BR><FONT size=3D2>email:=20 = azb@llnl.gov &= nbsp; &n= bsp; =20 LLLLLLLL</FONT> </P></BLOCKQUOTE></BODY></HTML> ------=_NextPart_000_015A_01BE7C1E.BAD11400-- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id IAA00882 for ietf-pkix-bks; Thu, 1 Apr 1999 08:50:02 -0800 (PST) Received: from relay1.mail.uk.psi.net (relay1.mail.uk.psi.net [154.32.105.6]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id IAA00878 for <ietf-pkix@imc.org>; Thu, 1 Apr 1999 08:50:01 -0800 (PST) Received: from [195.152.140.4] (helo=stonewall.baltimore.com) by relay1.mail.uk.psi.net with smtp (Exim 2.02 #3) id 10SkfT-0003zb-00; Thu, 1 Apr 1999 17:50:11 +0100 To: "'Paul Koning'" <pkoning@xedia.com> Cc: ietf-pkix@imc.org Subject: RE: Time-stamp server. TimePrecision info Date: Thu, 1 Apr 1999 17:51:49 +0100 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2232.9) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01BE7C5F.F15A3BB4" From: Paul Halliden <PHalliden@baltimore.com> Message-ID: <A92CFE655D22D211B2FB00A0C9CE01E0562A61@baltimore.com> Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01BE7C5F.F15A3BB4 Content-Type: text/plain; charset="iso-8859-1" I quite agree that hours may not be close enough in some cases. The point is that the spec specifically talks about a range of communication techniques between requester and TSS including e-mail which has a notoriously variable transit time. The timestamp gives no indication about how long the requester's message took to get to the timestamp authority. Even if it did, I don't believe that the authority would be in any position to know reliably at what time the request was made. Thus anyone who relies on a sequence of timestamps to indicate order is deluding themselves if they want precision anywhere near the transit time of the network(s) used. I would expect the timestamp authority's policy to say its service was unsuited for such precise sequencing and that some other technique for establishing the sequence of transactions should be used. Paul -----Original Message----- From: Paul Koning [mailto:pkoning@xedia.com] Sent: 01 April 1999 17:05 To: PHalliden@zergo.com Cc: ietf-pkix@imc.org Subject: RE: Time-stamp server. TimePrecision info I suspect that "close enough" may change over time, and hours may not be good enough. For example, the required accuracy for timestamps on stock trading messages is more likely to be minutes rather than hours even today. In any case, it helps to be consistent. If hours or even minutes is the outer limit of resolution needed, them milliseconds have no place in the timestamp format. As for establishing order by having a second document include the older timestamp of the first document, that's fine if I generate both documents. If the dispute is on which of the two of us generated our document first, then we'll be dealing with two independent timestamps presumably from different servers. If they aren't synchronized to UTC any better than hours, the service will not be useful in a number of interesting cases. Finally: it's a bad idea to make the specs tighter than what is achievable, but it also doesn't make a whole lot of sense to make them 4 orders of magnitude looser. Synchronizing to UTC to within a fraction of a second is easy, and network round trip times are in the range of seconds (actually, often way smaller than that). Yes, that opens the question of how you handle leap seconds. One solution is to loosen things up some more, but going from seconds to hours is really not necessary. paul ------_=_NextPart_001_01BE7C5F.F15A3BB4 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2410.0"> <TITLE>RE: Time-stamp server. TimePrecision info</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>I quite agree that hours may not be close enough in = some cases. The point is that the spec specifically talks about a range = of communication techniques between requester and TSS including e-mail = which has a notoriously variable transit time. The timestamp = gives no indication about how long the requester's message took to get = to the timestamp authority. Even if it did, I don't believe that = the authority would be in any position to know reliably at what time = the request was made. Thus anyone who relies on a sequence of = timestamps to indicate order is deluding themselves if they want = precision anywhere near the transit time of the network(s) used. I = would expect the timestamp authority's policy to say its service was = unsuited for such precise sequencing and that some other technique for = establishing the sequence of transactions should be used.</FONT></P> <P><FONT SIZE=3D2>Paul</FONT> </P> <BR> <BR> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Paul Koning [<A = HREF=3D"mailto:pkoning@xedia.com">mailto:pkoning@xedia.com</A>]</FONT> <BR><FONT SIZE=3D2>Sent: 01 April 1999 17:05</FONT> <BR><FONT SIZE=3D2>To: PHalliden@zergo.com</FONT> <BR><FONT SIZE=3D2>Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: RE: Time-stamp server. TimePrecision = info</FONT> </P> <BR> <P><FONT SIZE=3D2>I suspect that "close enough" may change = over time, and hours may not</FONT> <BR><FONT SIZE=3D2>be good enough. For example, the required = accuracy for timestamps on</FONT> <BR><FONT SIZE=3D2>stock trading messages is more likely to be minutes = rather than hours</FONT> <BR><FONT SIZE=3D2>even today.</FONT> </P> <P><FONT SIZE=3D2>In any case, it helps to be consistent. If = hours or even minutes is</FONT> <BR><FONT SIZE=3D2>the outer limit of resolution needed, them = milliseconds have no place</FONT> <BR><FONT SIZE=3D2>in the timestamp format.</FONT> </P> <P><FONT SIZE=3D2>As for establishing order by having a second document = include the</FONT> <BR><FONT SIZE=3D2>older timestamp of the first document, that's fine = if I generate both</FONT> <BR><FONT SIZE=3D2>documents. If the dispute is on which of the = two of us generated our</FONT> <BR><FONT SIZE=3D2>document first, then we'll be dealing with two = independent timestamps</FONT> <BR><FONT SIZE=3D2>presumably from different servers. If they = aren't synchronized to UTC </FONT> <BR><FONT SIZE=3D2>any better than hours, the service will not be = useful in a number of</FONT> <BR><FONT SIZE=3D2>interesting cases. </FONT> </P> <P><FONT SIZE=3D2>Finally: it's a bad idea to make the specs tighter = than what is</FONT> <BR><FONT SIZE=3D2>achievable, but it also doesn't make a whole lot of = sense to make them</FONT> <BR><FONT SIZE=3D2>4 orders of magnitude looser. Synchronizing to = UTC to within a</FONT> <BR><FONT SIZE=3D2>fraction of a second is easy, and network round trip = times are in the</FONT> <BR><FONT SIZE=3D2>range of seconds (actually, often way smaller than = that). Yes, that</FONT> <BR><FONT SIZE=3D2>opens the question of how you handle leap = seconds. One solution is to</FONT> <BR><FONT SIZE=3D2>loosen things up some more, but going from seconds = to hours is really</FONT> <BR><FONT SIZE=3D2>not necessary.</FONT> </P> <P> <FONT = SIZE=3D2>paul</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01BE7C5F.F15A3BB4-- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id IAA00854 for ietf-pkix-bks; Thu, 1 Apr 1999 08:45:12 -0800 (PST) Received: from relay1.UU.NET (relay1.UU.NET [192.48.96.5]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id IAA00850 for <ietf-pkix@imc.org>; Thu, 1 Apr 1999 08:45:11 -0800 (PST) Received: from xedia.com by relay1.UU.NET with SMTP (peer crosschecked as: madway.xedia.com [198.202.232.199]) id QQgjbu06397; Thu, 1 Apr 1999 11:44:24 -0500 (EST) Received: from tonga.xedia.com by xedia.com (4.1/SMI-4.1) id AA18076; Thu, 1 Apr 99 11:40:19 EST Received: by tonga.xedia.com (SMI-8.6/SMI-SVR4) id LAA04231; Thu, 1 Apr 1999 11:44:17 -0500 Date: Thu, 1 Apr 1999 11:44:17 -0500 Message-Id: <199904011644.LAA04231@tonga.xedia.com> From: Paul Koning <pkoning@xedia.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: memcneil@got.net Cc: ietf-pkix@imc.org Subject: Re: Time-stamp server. TimePrecision info References: <01BE7C69.6AB798E0.mzolotarev@baltimore.com.au> <37039EFD.2F356055@got.net> X-Mailer: VM 6.34 under 20.3 "Vatican City" XEmacs Lucid Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> >>>>> "Michael" == Michael McNeil <memcneil@got.net> writes: Michael> Paul Koning wrote: >> The NTP RFC (RFC 1305) has an excellent discussion on this and the >> approaches it describes would be good to use. In particular, it >> suggests using a two part date/time coding (day separate from >> time-in-day). That way the existence of leap seconds merely >> increases the range of the second field by one. (Analogy: if you >> sent the timestamp as yyyymmddhhmmss.ssss the impact is merely >> that ss can be from 0 to 60, not 0 to 59.) Michael> This approach works, but has the disadvantage of requiring Michael> numerous conversions from one unit to another (i.e., Michael> year-month-day hours- minutes-seconds-milliseconds, say), Michael> involving leap years and other calendric oddities, in order Michael> to compare the times in two timestamps. As in Tony's Michael> proposal, it also requires looking up the history of leap Michael> seconds to find out whether one has occurred between any two Michael> dates. Michael> A desirable solution ought to both maintain strict Michael> monotonicity over leap seconds (without complicated Michael> manipulations if possible) as well as not hinder comparisons Michael> down to the fractional seconds, should that be desired. Agreed. But if by comparison you mean the operators <, =, and >, then what I described (which is what's in the current draft, once you make it clear that the ss field has 60 as a legal value) works. A strcmp operation on time strings in GeneralizedTime format yields the correct answer for all cases including leap seconds. It's pretty clear why that is so: the characters in that string are in descending order of significance reading left to right... As I mentioned elsewhere, whether conversion to this format requires you to know about leap seconds depends on what you start from. If you start from NTP format then I believe it does not. In any case, that's an internal matter. paul Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id IAA00780 for ietf-pkix-bks; Thu, 1 Apr 1999 08:33:35 -0800 (PST) Received: from gatekeeper.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by mail.proper.com (8.8.8/8.8.5) with SMTP id IAA00776 for <ietf-pkix@imc.org>; Thu, 1 Apr 1999 08:33:33 -0800 (PST) Received: id LAA09862; Thu, 1 Apr 1999 11:30:36 -0500 Received: by gateway id <G4CAY0RB>; Thu, 1 Apr 1999 11:32:55 -0500 Message-ID: <01E1D01C12D7D211AFC70090273D20B112BD67@sothmxs06> From: Robert Zuccherato <robert.zuccherato@entrust.com> To: PHalliden@zergo.com, "'Paul Koning'" <pkoning@xedia.com> Cc: ietf-pkix@imc.org Subject: RE: Time-stamp server. TimePrecision info Date: Thu, 1 Apr 1999 11:27:17 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-Type: text/plain Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> One point that I would like to clear up. The present timestamping draft does not consider resolution of hours to be sufficient. The reference to resolution of "less than a few hours" comes from an informative annex giving an example of how the protocol could be used. The resolution required by any particular application is not considered in the main document. Remember this document describes just the protocol to be used by the TSA. That said, I agree with Denis. I do not see the use of microseconds to be especially useful within this protocol. Robert. > ---------- > From: Paul Koning[SMTP:pkoning@xedia.com] > Sent: Thursday, April 01, 1999 11:04 AM > To: PHalliden@zergo.com > Cc: ietf-pkix@imc.org > Subject: RE: Time-stamp server. TimePrecision info > > I suspect that "close enough" may change over time, and hours may not > be good enough. For example, the required accuracy for timestamps on > stock trading messages is more likely to be minutes rather than hours > even today. > > In any case, it helps to be consistent. If hours or even minutes is > the outer limit of resolution needed, them milliseconds have no place > in the timestamp format. > > As for establishing order by having a second document include the > older timestamp of the first document, that's fine if I generate both > documents. If the dispute is on which of the two of us generated our > document first, then we'll be dealing with two independent timestamps > presumably from different servers. If they aren't synchronized to UTC > any better than hours, the service will not be useful in a number of > interesting cases. > > Finally: it's a bad idea to make the specs tighter than what is > achievable, but it also doesn't make a whole lot of sense to make them > 4 orders of magnitude looser. Synchronizing to UTC to within a > fraction of a second is easy, and network round trip times are in the > range of seconds (actually, often way smaller than that). Yes, that > opens the question of how you handle leap seconds. One solution is to > loosen things up some more, but going from seconds to hours is really > not necessary. > > paul > Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id IAA00760 for ietf-pkix-bks; Thu, 1 Apr 1999 08:31:31 -0800 (PST) Received: from always.got.net (root@always.got.net [207.111.232.11]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id IAA00756 for <ietf-pkix@imc.org>; Thu, 1 Apr 1999 08:31:30 -0800 (PST) Received: from got.net (SantaCruz67.got.net [209.66.100.67]) by always.got.net (8.8.8/8.8.7/Debian/GNU) with ESMTP id IAA19336; Thu, 1 Apr 1999 08:30:13 -0800 Message-ID: <37039EFD.2F356055@got.net> Date: Thu, 01 Apr 1999 08:29:50 -0800 From: Michael McNeil <memcneil@got.net> Organization: GMT X-Mailer: Mozilla 4.51 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: "mzolotarev@baltimore.com.au" <mzolotarev@baltimore.com.au> CC: "'Tony Bartoletti'" <azb@llnl.gov>, "Todd S. Glassey" <Todd.Glassey@www.GMTsw.com>, Paul Koning <pkoning@xedia.com>, "robert.zuccherato@entrust.com" <robert.zuccherato@entrust.com>, "ietf-pkix@imc.org" <ietf-pkix@imc.org>, "'slaing@baltimore.com.au'" <slaing@baltimore.com.au>, "'ashellshear@baltimore.com.au'" <ashellshear@baltimore.com.au>, ietf-stime@stime.org Subject: Re: Time-stamp server. TimePrecision info References: <01BE7C69.6AB798E0.mzolotarev@baltimore.com.au> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Michael Zolotarev wrote: >I guess there is a neater solution to the 'gain a leap second' problem, >using the serialNumber field of the response. If the serialNumebr is >properly maintained by the TSS, and returned to the client, a second >can last as long as we want it: > >time: 0.21 0.22 0.23 0.23 0.23 > 0.24 >S/N: 1,2,3,4... x,x+1,x+2... n,n+1,n+2,n+3, n+4, n+.. m,m+1... > >The issue is, the problem only exists when we COMPARE two stamps >produced by THE SAME TSS. And this is exactly where the serialNumber >will help us out. While tacking a serial number onto the seconds field of a UTC time count would work in maintaining monotonicity for that server's timestamps (and I am a supporter of including a serial number field in timestamps), I hardly think it's "neater". It works only if fractional seconds are not included in the time, and while monotonically increasing (if fractional seconds are left out), doesn't allow any comparison beyond seconds for timestamps from a single server other than one is earlier than another. One can't even determine that for timestamps from different servers. Looking at Tony Bartoletti's proposed solution, on the other hand: Tony Bartoletti wrote: >The only solution I can think of would be UGLY, but would preserve >the all-important monotonicity. At least it would work when a >leap-second is added. (Subtracting is another matter. You would >already have monotonicity, but differencing might be difficult.) > >Add another field to the "seconds", as little as one "bit", that >is always zero except for a leap-second, when it is "one." Tony proposed that a leap-second-in-progress flag bit be the logical lowest-order bit of the seconds count. This would allow monotonicity without any special coding being required, but would fuzz taking a difference between second counts (two timestamps) to simply indicating which is earlier, seconds-wise. Placing the leap second flag in another location allows timestamps (which can now include fractional seconds) to be compared, but would necessitate extra code to check the leap second flag and alter the difference if a leap second is indicated as being in progress. It requires looking up the history of leap seconds in order to determine whether one has occurred between any two dates and times. This approach is also not a "neat" solution, as Tony says, but works. Paul Koning mentioned the method of simply adding a 61st second to a year-month-day hours:minutes:seconds.fractional time representation: Paul Koning wrote: >The NTP RFC (RFC 1305) has an excellent discussion on this and the >approaches it describes would be good to use. In particular, it >suggests using a two part date/time coding (day separate from >time-in-day). That way the existence of leap seconds merely increases >the range of the second field by one. (Analogy: if you sent the >timestamp as yyyymmddhhmmss.ssss the impact is merely that ss can be >from 0 to 60, not 0 to 59.) This approach works, but has the disadvantage of requiring numerous conversions from one unit to another (i.e., year-month-day hours- minutes-seconds-milliseconds, say), involving leap years and other calendric oddities, in order to compare the times in two timestamps. As in Tony's proposal, it also requires looking up the history of leap seconds to find out whether one has occurred between any two dates. A desirable solution ought to both maintain strict monotonicity over leap seconds (without complicated manipulations if possible) as well as not hinder comparisons down to the fractional seconds, should that be desired. In my view, the easiest response to these requirements is to maintain two counters, both of whose values get emplaced in generated timestamps -- one the usual NTP UTC seconds count, including 32-bits of fractional seconds information; the other a leap seconds count field. During ordinary seconds, the UTC seconds (and fractional) count would increment as usual, but not the leap second counter. During a leap second, on the other hand, the UTC seconds count would not increment (though fractional seconds would indicate its proper value), while the leap-second count would increment. To perform comparisons between two dates and times, each UTC seconds count would first be added to the leap second count -- thus producing essentially TAI (International Atomic) time -- following which the two dates/times can be directly subtracted in a single 64-bit subtract operation. This method will work across leap seconds, including all the 32-bit fractional second information. Michael Zolotarev goes on to say: >In a situation when you compare the stamps produced by different >servers, or compare a stamp to a 'Golden Rolex' time, a one second >difference should be tolerated, as the sources are not expected to be >highly synchronised anyway. I disagree that fractional second resolution will not be important in the future. The present primitive time synchronization situation is not likely to last, in my opinion, when better and more secure time becomes widely available and a required component of secure systems. In particular, timestamping servers will be expected to issue good time. >Michael Zolotarev >Technical Architect, Baltimore Technologies Limited (Australia) > >Happy Easter! Thanks! And thanks for posting. Michael McNeil memcneil@got.net 1-831-335-2069 IETF Secure Time Working Group: http://www.stime.org Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id IAA00494 for ietf-pkix-bks; Thu, 1 Apr 1999 08:05:35 -0800 (PST) Received: from relay5.UU.NET (relay5.UU.NET [192.48.96.15]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id IAA00490 for <ietf-pkix@imc.org>; Thu, 1 Apr 1999 08:05:34 -0800 (PST) Received: from xedia.com by relay5.UU.NET with SMTP (peer crosschecked as: madway.xedia.com [198.202.232.199]) id QQgjbs04761; Thu, 1 Apr 1999 11:04:49 -0500 (EST) Received: from tonga.xedia.com by xedia.com (4.1/SMI-4.1) id AA17199; Thu, 1 Apr 99 11:00:44 EST Received: by tonga.xedia.com (SMI-8.6/SMI-SVR4) id LAA04187; Thu, 1 Apr 1999 11:04:42 -0500 Date: Thu, 1 Apr 1999 11:04:42 -0500 Message-Id: <199904011604.LAA04187@tonga.xedia.com> From: Paul Koning <pkoning@xedia.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: PHalliden@zergo.com Cc: ietf-pkix@imc.org Subject: RE: Time-stamp server. TimePrecision info References: <A92CFE655D22D211B2FB00A0C9CE01E0562A5C@baltimore.com> X-Mailer: VM 6.34 under 20.3 "Vatican City" XEmacs Lucid Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> I suspect that "close enough" may change over time, and hours may not be good enough. For example, the required accuracy for timestamps on stock trading messages is more likely to be minutes rather than hours even today. In any case, it helps to be consistent. If hours or even minutes is the outer limit of resolution needed, them milliseconds have no place in the timestamp format. As for establishing order by having a second document include the older timestamp of the first document, that's fine if I generate both documents. If the dispute is on which of the two of us generated our document first, then we'll be dealing with two independent timestamps presumably from different servers. If they aren't synchronized to UTC any better than hours, the service will not be useful in a number of interesting cases. Finally: it's a bad idea to make the specs tighter than what is achievable, but it also doesn't make a whole lot of sense to make them 4 orders of magnitude looser. Synchronizing to UTC to within a fraction of a second is easy, and network round trip times are in the range of seconds (actually, often way smaller than that). Yes, that opens the question of how you handle leap seconds. One solution is to loosen things up some more, but going from seconds to hours is really not necessary. paul Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id HAA00418 for ietf-pkix-bks; Thu, 1 Apr 1999 07:59:01 -0800 (PST) Received: from clbull.frcl.bull.fr (clbull.frcl.bull.fr [129.182.1.20]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id HAA00414 for <ietf-pkix@imc.org>; Thu, 1 Apr 1999 07:58:59 -0800 (PST) Received: from k2.frcl.bull.fr (k2.frcl.bull.fr [129.182.100.2]) by clbull.frcl.bull.fr (8.9.1a/8.9.1) with ESMTP id RAA17140 for <ietf-pkix@imc.org>; Thu, 1 Apr 1999 17:58:45 +0100 Received: from bull.net (frcls6118.frcl.bull.fr [129.182.109.213]) by k2.frcl.bull.fr (AIX4.2/UCB 8.7/8.7) with ESMTP id RAA24884 for <ietf-pkix@imc.org>; Thu, 1 Apr 1999 17:59:46 +0100 (NFT) Message-ID: <370397DF.34C4BAEF@bull.net> Date: Thu, 01 Apr 1999 17:59:28 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.06 [fr] (Win95; I) MIME-Version: 1.0 To: IETF-PXIX <ietf-pkix@imc.org> Subject: 3 Time Stamping issues Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Since I am a co-editor of the Time Stamping document, I would like to give my opinion on the various issues raised on the mailing list. 1. There has been a suggestion to possibly improve the resolution to microseconds from milliseconds. Since the delay in the transmission is at least in the millisecond order, having something more precise would give a false degree of precision. I would not go under the millisesond. 2. There has been a suggestion to possibly add a precision field. I do not think this is absolutely necessary. So I am not supportive of it since the policy can handle this. 3. There has been a suggestion to possibly add a message information field. I have arguments *against* this idea. I would realy like to keep the TSA as much ignorant as possible of the purpose of the Time Stamping. If we add that information, the TSA could know "Invoice from Alpha company to Delta company". Is this way the TSA could learn that the Delta company is doing commerce with the Delta company. This may that be a nice point to spy. So I am against the inclusion of that aditional information. However, ... I understand the concern of the linkeage and I would propose an alternative: Defining a Time Stamping Token (TST) that would be able to include that information. Basically the TST would be the concatenation of the "message information field" and of the signed portion of the information received. The TST would be constructed locally instead of being fully constructed by the TSA. We could define its structure in a normative annex. Regards, Denis Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id HAA00345 for ietf-pkix-bks; Thu, 1 Apr 1999 07:53:06 -0800 (PST) Received: from relay4.UU.NET (relay4.UU.NET [192.48.96.14]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id HAA00341 for <ietf-pkix@imc.org>; Thu, 1 Apr 1999 07:53:05 -0800 (PST) Received: from xedia.com by relay4.UU.NET with SMTP (peer crosschecked as: madway.xedia.com [198.202.232.199]) id QQgjbr19686; Thu, 1 Apr 1999 10:50:02 -0500 (EST) Received: from tonga.xedia.com by xedia.com (4.1/SMI-4.1) id AA16898; Thu, 1 Apr 99 10:44:40 EST Received: by tonga.xedia.com (SMI-8.6/SMI-SVR4) id KAA04168; Thu, 1 Apr 1999 10:48:38 -0500 Date: Thu, 1 Apr 1999 10:48:38 -0500 Message-Id: <199904011548.KAA04168@tonga.xedia.com> From: Paul Koning <pkoning@xedia.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: mzolotarev@baltimore.com.au Cc: ietf-pkix@imc.org Subject: RE: Time-stamp server. TimePrecision info References: <01BE7C69.6AB798E0.mzolotarev@baltimore.com.au> X-Mailer: VM 6.34 under 20.3 "Vatican City" XEmacs Lucid Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> >>>>> "Michael" == Michael Zolotarev <mzolotarev@baltimore.com.au> writes: Michael> In a situation when you compare the stamps produced by Michael> different servers, or compare a stamp to a 'Golden Rolex' Michael> time, a one second difference should be tolerated, as the Michael> sources are not expected to be highly synchronised anyway. I guess that works perfectly well if the inaccuracy (i.e., difference between timestamp and actual UTC) is large enough. In particular, if you ignore leap seconds then you have to report that value as one larger than the nominal amount. By the way, if that's your expectation it probably should be mentioned explicitly, because it's not obvious otherwise that it would be expected. Also, if you don't expect to be accurate to better than a second, it would be logical to remove the fractional seconds information since it is meaningless. As far as I can see you have time represented as ...hhmmss and fractional seconds. So you can clearly represent leap seconds directly. The only issue is a local implementation one: can you reliably convert internal time format to that representation? If you use NTP, then that's no problem. If you use an external time source that either uses a similar date/time format (e.g., WWV) again no problem. If you have an internal time format encoded as seconds since X, then you have several possible cases: a. If "seconds since X" really means "seconds ignoring leap seconds" then you can convert that easily to the other format but you should probably add a second to the inaccuracy to account for the possibility that there was a leap second recently that hasn't been reflected yet in the local time. b. If you really have seconds since X including leap seconds, then to convert to hhmmss... format you either need to know the number of leap seconds that have been inserted between X and now, or you have to assume the worst case (two per year) and increase the inaccuracy by that worst case. Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id HAA28085 for ietf-pkix-bks; Thu, 1 Apr 1999 07:18:26 -0800 (PST) Received: from gmtsw.com (test.glassey.com [207.126.98.130] (may be forged)) by mail.proper.com (8.8.8/8.8.5) with SMTP id HAA28080 for <ietf-pkix@imc.org>; Thu, 1 Apr 1999 07:18:25 -0800 (PST) Received: from brick by gmtsw.com (SMI-8.6/SMI-SVR4) id HAA11879; Thu, 1 Apr 1999 07:18:49 -0800 Message-ID: <010201be7c52$502224d0$c74bffd0@brick> From: "Todd S. Glassey" <Todd.Glassey@www.GMTsw.com> To: "IETF PKIX" <ietf-pkix@imc.org> Subject: Re: Time-stamp server. TimePrecision info Date: Thu, 1 Apr 1999 07:14:17 -0800 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Hey all, Sorry about the "Know Idea" pun - I thought the typo was funny -----Original Message----- From: Todd S. Glassey <Todd.Glassey@www.GMTsw.com> To: Paul Koning <pkoning@xedia.com> Cc: ietf-pkix@imc.org <ietf-pkix@imc.org> Date: Wednesday, March 31, 1999 1:29 PM Subject: Re: Time-stamp server. TimePrecision info >Hey Paul - >Does this mean that we are going to use NTP for timestamping? (This is not >such a bad idea and Michael McNeil and i suggested just this with the two >drafts on PKI extended NTP we did with Dave Mills), > >The real issue is how timestamps are derived from a local timebase and that >the local timebase has to deal with Leap Seconds somehow... The current >Entrust protocol toolkit assumes that the time data it is handed by the >underlying OS is "legally sufficient" to use as core for timestamping- but >the problem here is that NO COMMERCIAL OS's know about Leap Seconds and so >using the TOD clock is a gamble... that the BCP addresses these and that the >timebase services are managed out of band. > >BTW, as a simple example of how most people just believe this has already >been handled, there is a paragraph in the TimeServe addition to the NT >resource kit (timeserve.txt file) that states the accuracy of the NT clock >is at best .45S/day. That in and of itself is an issue since the PC and >Server manufacturers are all worried about the bottom line so they use the >most "cost effective" (from their $$$ viewpoint) clock chips and the like. > >My personal feeling is that without some BCP that has one dialing into the >ACTS servers at NIST on a once daily or twice daily model, we have know idea >what time it really is. > >There are no secure NTP servers out there yet but we are woking on this and, >well - Stay tuned for the first one's announcement in the next 45 days. > >Todd > > >-----Original Message----- >From: Paul Koning <pkoning@xedia.com> >To: Todd.Glassey@GMTsw.com <Todd.Glassey@GMTsw.com> >Cc: ietf-pkix@imc.org <ietf-pkix@imc.org> >Date: Wednesday, March 31, 1999 10:03 AM >Subject: Re: Time-stamp server. TimePrecision info > > >>>>>>> "Todd" == Todd S Glassey <Todd.Glassey@www.GMTsw.com> writes: >> >> Todd> How will you deal with leap seconds? T. >> >>The NTP RFC (RFC 1305) has an excellent discussion on this and the >>approaches it describes would be good to use. In particular, it >>suggests using a two part date/time coding (day separate from >>time-in-day). That way the existence of leap seconds merely increases >>the range of the second field by one. (Analogy: if you sent the >>timestamp as yyyymmddhhmmss.ssss the impact is merely that ss can be >>from 0 to 60, not 0 to 59.) >> >> paul >> > > Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id GAA24765 for ietf-pkix-bks; Thu, 1 Apr 1999 06:29:55 -0800 (PST) Received: from relay1.mail.uk.psi.net (relay1.mail.uk.psi.net [154.32.105.6]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id GAA24760 for <ietf-pkix@imc.org>; Thu, 1 Apr 1999 06:29:53 -0800 (PST) From: PHalliden@zergo.com Received: from [195.152.140.4] (helo=stonewall.baltimore.com) by relay1.mail.uk.psi.net with smtp (Exim 2.02 #3) id 10SiTb-000323-00; Thu, 1 Apr 1999 15:29:47 +0100 To: "'mzolotarev@baltimore.com.au'" <mzolotarev@baltimore.com.au> Cc: ietf-pkix@imc.org Subject: RE: Time-stamp server. TimePrecision info Date: Thu, 1 Apr 1999 13:03:50 +0100 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2232.9) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01BE7C37.B4D0235C" Message-ID: <A92CFE655D22D211B2FB00A0C9CE01E0562A5C@baltimore.com> Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01BE7C37.B4D0235C Content-Type: text/plain; charset="iso-8859-1" Are we missing a point here? The use of a timestamp server is to resolve questions such as "At what time was a document signed?", "In what order were documents signed?" or "At what time was a document received?". A timestamp server says "I issued a timestamp for the document at xxxx date and time". In other words, there is not a precise time relationship between the event potentially in dispute and the generation of the timestamp. Appendix B of the current draft recognises this by saying that, when subsequently verifying a document is consistent with its timestamp, the evidence should only be accepted if the times are "close enough (e.g. less than a few hours)". Whilst hours may be a bit pessimistic for some systems, one only has to consider the likely method of communication between the requestor and the timestamp server to realise that a [leap] second either way is irrelevant. Certainly, two requests issued at almost the same time will not necessarily arrive at the timestamp server in the same order as they were dispatched. If we really are concerned about establishing completely unambiguously the order in which two documents are signed, a higher level protocol is required e.g. one in which the second document contains the timestamp of the first one. Paul Halliden Director for Strategic Technology ______________________________________________________________________ Baltimore, The Square, Basing View, Basingstoke, Hants, RG21 4EG, UK Tel: +44 (0) 1442 342 784 Fax: +44 (0) 1256 812901 http://www.baltimore.com Baltimore is the operating name of Zergo Holdings plc -----Original Message----- From: Michael Zolotarev [mailto:mzolotarev@baltimore.com.au] Sent: 01 April 1999 09:00 To: 'Tony Bartoletti'; Todd S. Glassey; Paul Koning; robert.zuccherato@entrust.com Cc: ietf-pkix@imc.org; 'slaing@baltimore.com.au'; 'ashellshear@baltimore.com.au' Subject: RE: Time-stamp server. TimePrecision info Tony, I guess there is a neater solution to the 'gain a leap second' problem, using the serialNumber field of the response. If the serialNumebr is properly maintained by the TSS, and returned to the client, a second can last as long as we want it: time: 0.21 0.22 0.23 0.23 0.23 0.24 S/N: 1,2,3,4... x,x+1,x+2... n,n+1,n+2,n+3, n+4, n+.. m,m+1... The issue is, the problem only exists when we COMPARE two stamps produced by THE SAME TSS. And this is exactly where the serialNumber will help us out. In a situation when you compare the stamps produced by different servers, or compare a stamp to a 'Golden Rolex' time, a one second difference should be tolerated, as the sources are not expected to be highly synchronised anyway. Michael Zolotarev Technical Architect, Baltimore Technologies Limited (Australia) Happy Easter! -----Original Message----- From: Tony Bartoletti [SMTP:azb@llnl.gov] Sent: Thursday, April 01, 1999 4:31 AM To: Todd S. Glassey; Paul Koning; robert.zuccherato@entrust.com Cc: ietf-pkix@imc.org Subject: Re: Time-stamp server. TimePrecision info At 07:44 PM 3/30/99 -0800, Todd S. Glassey wrote: >How will you deal with leap seconds? > The only solution I can think of would be UGLY, but would preserve the all-important monotonicity. At least it would work when a leap-second is added. (Subtracting is another matter. You would already have monotonicity, but differencing might be difficult.) Add another field to the "seconds", as little as one "bit", that is always zero except for a leap-second, when it is "one." E.G. leap.seconds.milliseconds Now, if (say) the 23rd second of this minute had to be "repeated" (the clock is being set back 1 second, "gaining" a leap second,) then it would first occur as 0.23.ms, and then a second later as 1.23.ms. Thus, the sequence of timestamps of seconds from 21 to 25 might be recorded as 0.21, 0.22, 0.23, 1.23, 0.24, 0.25, with 0.23 < 1.23, and 1.23 < 0.24 Losing a leap-second (should that ever happen) is another matter. One could just drop the "missing" second as the clock advances. E.G. 0.21, 0.22, 0.24, 0.25 Monotonicity is preserved. Differencing is a headache. I wonder how they will actually deal with this. ___tony___ Tony Bartoletti LL Center for Information Operations and Assurance LL LL Lawrence Livermore National Laboratory LL LL LL PO Box 808, L - 303 LL LL LL Livermore, CA 94551-9900 LL LL LLLLLLLL phone: 925-422-3881 fax: 925-423-8002 LL LLLLLLLL email: azb@llnl.gov LLLLLLLL ------_=_NextPart_001_01BE7C37.B4D0235C Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2410.0"> <TITLE>RE: Time-stamp server. TimePrecision info</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Are we missing a point here? The use of a = timestamp server is to resolve questions such as "At what time was = a document signed?", "In what order were documents = signed?" or "At what time was a document = received?". A timestamp server says "I issued a = timestamp for the document at xxxx date and time". In other = words, there is not a precise time relationship between the event = potentially in dispute and the generation of the timestamp. = Appendix B of the current draft recognises this by saying that, when = subsequently verifying a document is consistent with its timestamp, the = evidence should only be accepted if the times are "close enough = (e.g. less than a few hours)". Whilst hours may be a bit = pessimistic for some systems, one only has to consider the likely = method of communication between the requestor and the timestamp server = to realise that a [leap] second either way is irrelevant. = Certainly, two requests issued at almost the same time will not = necessarily arrive at the timestamp server in the same order as they = were dispatched. If we really are concerned about establishing = completely unambiguously the order in which two documents are signed, a = higher level protocol is required e.g. one in which the second document = contains the timestamp of the first one.</FONT></P> <BR> <P><FONT SIZE=3D2>Paul Halliden</FONT> <BR><FONT SIZE=3D2>Director for Strategic Technology</FONT> <BR><FONT = SIZE=3D2>_______________________________________________________________= _______</FONT> <BR><FONT SIZE=3D2>Baltimore, The Square, Basing View, Basingstoke, = Hants, RG21 4EG, UK</FONT> <BR><FONT SIZE=3D2>Tel: +44 (0) 1442 342 784 Fax: +44 (0) 1256 = 812901</FONT> <BR><FONT SIZE=3D2><A HREF=3D"http://www.baltimore.com" = TARGET=3D"_blank">http://www.baltimore.com</A></FONT> <BR><FONT SIZE=3D2>Baltimore is the operating name of Zergo Holdings = plc </FONT> </P> <BR> <BR> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Michael Zolotarev [<A = HREF=3D"mailto:mzolotarev@baltimore.com.au">mailto:mzolotarev@baltimore.= com.au</A>]</FONT> <BR><FONT SIZE=3D2>Sent: 01 April 1999 09:00</FONT> <BR><FONT SIZE=3D2>To: 'Tony Bartoletti'; Todd S. Glassey; Paul = Koning;</FONT> <BR><FONT SIZE=3D2>robert.zuccherato@entrust.com</FONT> <BR><FONT SIZE=3D2>Cc: ietf-pkix@imc.org; = 'slaing@baltimore.com.au';</FONT> <BR><FONT SIZE=3D2>'ashellshear@baltimore.com.au'</FONT> <BR><FONT SIZE=3D2>Subject: RE: Time-stamp server. TimePrecision = info</FONT> </P> <BR> <P><FONT SIZE=3D2>Tony,</FONT> </P> <P><FONT SIZE=3D2>I guess there is a neater solution to the 'gain a = leap second' problem, </FONT> <BR><FONT SIZE=3D2>using the serialNumber field of the response. If the = serialNumebr is </FONT> <BR><FONT SIZE=3D2>properly maintained by the TSS, and returned to the = client, a second can </FONT> <BR><FONT SIZE=3D2>last as long as we want it:</FONT> </P> <P><FONT SIZE=3D2>time: = 0.21 = 0.22 &n= bsp; 0.23 = 0.23 0.23 </FONT> <BR><FONT SIZE=3D2> 0.24</FONT> <BR><FONT SIZE=3D2>S/N: 1,2,3,4... = x,x+1,x+2... n,n+1,n+2,n+3, n+4, = n+.. m,m+1...</FONT> </P> <P><FONT SIZE=3D2>The issue is, the problem only exists when we COMPARE = two stamps produced </FONT> <BR><FONT SIZE=3D2>by THE SAME TSS. And this is exactly where the = serialNumber will help us </FONT> <BR><FONT SIZE=3D2>out.</FONT> </P> <P><FONT SIZE=3D2>In a situation when you compare the stamps produced = by different servers, </FONT> <BR><FONT SIZE=3D2>or compare a stamp to a 'Golden Rolex' time, a one = second difference should </FONT> <BR><FONT SIZE=3D2>be tolerated, as the sources are not expected to be = highly synchronised </FONT> <BR><FONT SIZE=3D2>anyway.</FONT> </P> <P><FONT SIZE=3D2>Michael Zolotarev</FONT> <BR><FONT SIZE=3D2>Technical Architect, Baltimore Technologies Limited = (Australia)</FONT> </P> <P><FONT SIZE=3D2>Happy Easter!</FONT> </P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Tony Bartoletti = [SMTP:azb@llnl.gov]</FONT> <BR><FONT SIZE=3D2>Sent: Thursday, April 01, 1999 4:31 = AM</FONT> <BR><FONT SIZE=3D2>To: Todd S. Glassey; Paul = Koning; robert.zuccherato@entrust.com</FONT> <BR><FONT SIZE=3D2>Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: = Re: Time-stamp server. TimePrecision info</FONT> </P> <P><FONT SIZE=3D2>At 07:44 PM 3/30/99 -0800, Todd S. Glassey = wrote:</FONT> <BR><FONT SIZE=3D2>>How will you deal with leap seconds?</FONT> <BR><FONT SIZE=3D2>></FONT> </P> <P><FONT SIZE=3D2>The only solution I can think of would be UGLY, but = would preserve</FONT> <BR><FONT SIZE=3D2>the all-important monotonicity. At least it = would work when a</FONT> <BR><FONT SIZE=3D2>leap-second is added. (Subtracting is another = matter. You would</FONT> <BR><FONT SIZE=3D2>already have monotonicity, but differencing might be = difficult.)</FONT> </P> <P><FONT SIZE=3D2>Add another field to the "seconds", as = little as one "bit", that</FONT> <BR><FONT SIZE=3D2>is always zero except for a leap-second, when it is = "one."</FONT> </P> <P><FONT SIZE=3D2> E.G. = leap.seconds.milliseconds</FONT> </P> <P><FONT SIZE=3D2>Now, if (say) the 23rd second of this minute had to = be "repeated"</FONT> <BR><FONT SIZE=3D2>(the clock is being set back 1 second, = "gaining" a leap second,)</FONT> <BR><FONT SIZE=3D2>then it would first occur as 0.23.ms, and then a = second later</FONT> <BR><FONT SIZE=3D2>as 1.23.ms.</FONT> </P> <P><FONT SIZE=3D2>Thus, the sequence of timestamps of seconds from 21 = to 25 might</FONT> <BR><FONT SIZE=3D2>be recorded as 0.21, 0.22, 0.23, 1.23, 0.24, 0.25, = with</FONT> </P> <P><FONT SIZE=3D2> 0.23 < 1.23, and 1.23 < = 0.24</FONT> </P> <P><FONT SIZE=3D2>Losing a leap-second (should that ever happen) is = another matter.</FONT> <BR><FONT SIZE=3D2>One could just drop the "missing" second = as the clock advances.</FONT> <BR><FONT SIZE=3D2>E.G.</FONT> </P> <P><FONT SIZE=3D2> 0.21, 0.22, 0.24, 0.25</FONT> </P> <P><FONT SIZE=3D2>Monotonicity is preserved. Differencing is a = headache.</FONT> </P> <P><FONT SIZE=3D2>I wonder how they will actually deal with = this.</FONT> </P> <P><FONT SIZE=3D2>___tony___</FONT> </P> <P><FONT SIZE=3D2>Tony = Bartoletti &n= bsp; &n= bsp; &n= bsp; LL</FONT> <BR><FONT SIZE=3D2>Center for Information Operations and = Assurance LL = LL</FONT> <BR><FONT SIZE=3D2>Lawrence Livermore National = Laboratory &n= bsp; LL LL LL</FONT> <BR><FONT SIZE=3D2>PO Box 808, L - = 303 &nb= sp; &nb= sp; LL LL = LL</FONT> <BR><FONT SIZE=3D2>Livermore, CA 94551-9900  = ;  = ;  = ; LL LL LLLLLLLL</FONT> <BR><FONT SIZE=3D2>phone: 925-422-3881 fax: = 925-423-8002 = LL LLLLLLLL</FONT> <BR><FONT SIZE=3D2>email: = azb@llnl.gov = = = LLLLLLLL</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01BE7C37.B4D0235C-- Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id EAA20712 for ietf-pkix-bks; Thu, 1 Apr 1999 04:11:06 -0800 (PST) Received: from svlcapop1.ins.com (svlcapop1.ins.com [199.0.193.49]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id EAA20708 for <ietf-pkix@imc.org>; Thu, 1 Apr 1999 04:11:04 -0800 (PST) Received: (from youngl_r@localhost) by svlcapop1.ins.com (8.8.8+Sun/8.8.8) id EAA18210; Thu, 1 Apr 1999 04:11:16 -0800 (PST) Message-Id: <4.1.19990401070533.00a70360@pop1.ins.com> X-Sender: youngl_r@pop1.ins.com X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1 Date: Thu, 01 Apr 1999 07:11:12 -0500 To: "Peter Williams" <peterw@valicert.com> From: Roger Younglove <ins.com@ins.com> Subject: Re: Changes to RFC2459 Cc: "ietf-pkix@imc.org" <ietf-pkix@imc.org> In-Reply-To: <006301be7baf$2bb70320$1a03a8c0@peternt.valicert.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> I agree, when an unknown certificate is introduced into your PKI the only safe way to accept it would be to check the Certificate Policy identified in cert policy id. At 02:46 PM 3/31/99 , you wrote: > >-----Original Message----- >From: Jim Schaad (Exchange) <jimsch@exchange.microsoft.com> >To: 'Stephen Kent' <kent@bbn.com>; Moshe Litvin <moshe@cale.checkpoint.com> >Cc: ietf-pkix@imc.org <ietf-pkix@imc.org> >Date: Wednesday, March 31, 1999 3:04 PM >Subject: RE: Changes to RFC2459 > > >>Steve, >> >I think it is important to note that >>there is nothing in a certificate that says I am PKIX compliant. This >>certificate could have been issued by somebody following the boondogle X509 >>certificate profile,:) and we are interpreting it under a different >profile. >>If we make sure the profile can make explicit statements then we don't have >>this issue. > > > >The cert policy id field is surely usable as a CA-signal that a profile is >in use, >and its assurances enable one to trust that a cert conforms to a >profile. relying parties require particular extension schemas etc, by >requiring >particular cert policy ids, or local policy id mappings. > -- TTFN Roger W. Younglove Blue Cross Blue Shield Michigan Network Systems Consultant 313-225-0637 on site International Network Services 100 Galleria Officentre Ste. 220 Southfield, MI 48034 E-mail page: page_roger_younglove@ins.com Numeric page: 888.935.6755 Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id AAA10335 for ietf-pkix-bks; Thu, 1 Apr 1999 00:00:38 -0800 (PST) Received: from stargate.zergo.com.au (root@stargate.zergo.com.au [203.2.208.130]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id AAA10331 for <ietf-pkix@imc.org>; Thu, 1 Apr 1999 00:00:34 -0800 (PST) Received: from michaelz (dhcp-64.ws.zergo.com.au [192.168.72.64]) by stargate.zergo.com.au (8.9.1/8.8.7) with SMTP id RAA16093; Thu, 1 Apr 1999 17:59:40 +1000 Received: by localhost with Microsoft MAPI; Thu, 1 Apr 1999 17:59:41 +1000 Message-ID: <01BE7C69.6AB798E0.mzolotarev@baltimore.com.au> From: Michael Zolotarev <mzolotarev@baltimore.com.au> Reply-To: "mzolotarev@baltimore.com.au" <mzolotarev@baltimore.com.au> To: "'Tony Bartoletti'" <azb@llnl.gov>, "Todd S. Glassey" <Todd.Glassey@www.GMTsw.com>, Paul Koning <pkoning@xedia.com>, "robert.zuccherato@entrust.com" <robert.zuccherato@entrust.com> Cc: "ietf-pkix@imc.org" <ietf-pkix@imc.org>, "'slaing@baltimore.com.au'" <slaing@baltimore.com.au>, "'ashellshear@baltimore.com.au'" <ashellshear@baltimore.com.au> Subject: RE: Time-stamp server. TimePrecision info Date: Thu, 1 Apr 1999 17:59:39 +1000 Organization: Baltimore Pty Ltd X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Tony, I guess there is a neater solution to the 'gain a leap second' problem, using the serialNumber field of the response. If the serialNumebr is properly maintained by the TSS, and returned to the client, a second can last as long as we want it: time: 0.21 0.22 0.23 0.23 0.23 0.24 S/N: 1,2,3,4... x,x+1,x+2... n,n+1,n+2,n+3, n+4, n+.. m,m+1... The issue is, the problem only exists when we COMPARE two stamps produced by THE SAME TSS. And this is exactly where the serialNumber will help us out. In a situation when you compare the stamps produced by different servers, or compare a stamp to a 'Golden Rolex' time, a one second difference should be tolerated, as the sources are not expected to be highly synchronised anyway. Michael Zolotarev Technical Architect, Baltimore Technologies Limited (Australia) Happy Easter! -----Original Message----- From: Tony Bartoletti [SMTP:azb@llnl.gov] Sent: Thursday, April 01, 1999 4:31 AM To: Todd S. Glassey; Paul Koning; robert.zuccherato@entrust.com Cc: ietf-pkix@imc.org Subject: Re: Time-stamp server. TimePrecision info At 07:44 PM 3/30/99 -0800, Todd S. Glassey wrote: >How will you deal with leap seconds? > The only solution I can think of would be UGLY, but would preserve the all-important monotonicity. At least it would work when a leap-second is added. (Subtracting is another matter. You would already have monotonicity, but differencing might be difficult.) Add another field to the "seconds", as little as one "bit", that is always zero except for a leap-second, when it is "one." E.G. leap.seconds.milliseconds Now, if (say) the 23rd second of this minute had to be "repeated" (the clock is being set back 1 second, "gaining" a leap second,) then it would first occur as 0.23.ms, and then a second later as 1.23.ms. Thus, the sequence of timestamps of seconds from 21 to 25 might be recorded as 0.21, 0.22, 0.23, 1.23, 0.24, 0.25, with 0.23 < 1.23, and 1.23 < 0.24 Losing a leap-second (should that ever happen) is another matter. One could just drop the "missing" second as the clock advances. E.G. 0.21, 0.22, 0.24, 0.25 Monotonicity is preserved. Differencing is a headache. I wonder how they will actually deal with this. ___tony___ Tony Bartoletti LL Center for Information Operations and Assurance LL LL Lawrence Livermore National Laboratory LL LL LL PO Box 808, L - 303 LL LL LL Livermore, CA 94551-9900 LL LL LLLLLLLL phone: 925-422-3881 fax: 925-423-8002 LL LLLLLLLL email: azb@llnl.gov LLLLLLLL
- Confirmation for subscribe ietf-pkix Majordomo
- RE: Confirmation for subscribe ietf-pkix Kurn, David
- Re: Confirmation for subscribe ietf-pkix Christopher Stacy
- Re: Confirmation for subscribe ietf-pkix Paul Hoffman / IMC
- Re: Confirmation for subscribe ietf-pkix Christopher Stacy
- Confirmation for subscribe ietf-pkix Majordomo
- Confirmation for subscribe ietf-pkix Majordomo
- PLEASE DON'T RESPOND Re: Confirmation for subscri… Paul Hoffman / IMC