RE: Rationales for CA clearance constraints
Russ Housley <housley@vigilsec.com> Mon, 27 October 2008 14:18 UTC
To: "BRUMBY, Ian" <ian.brumby@baesystems.com>, ietf-pkix@imc.org
Note that clearance was NOT defined in X.501(1993), but X.500(1997). However, X.501(2005) may be the best reference for clearance.
At 08:13 PM 10/26/2008, BRUMBY, Ian wrote:
The Clearance attribute is defined in the current X.501 (2001 and v6 draft) with an OID of 2.5.4.55. RFC 3281 (as referenced by draft-turner-caclearanceconstraints-01.txt) defines it as 2.5.1.5.55. It refers to X.501-1993 as the source of this definition. I've dug up the 1993 standard and can't find any reference to Clearance. If Clearance Constraints are implemented, maybe it should be clarified if it constrains X.501 (2003) Clearance attributes, if they are present in the certificate, or specifically doesn't constrain them.