RE: draft-ietf-pkix-3281update-01.txt
"BRUMBY, Ian" <ian.brumby@baesystems.com> Mon, 27 October 2008 23:31 UTC
Return-Path: <owner-ietf-pkix@mail.imc.org>
X-Original-To: ietfarch-pkix-archive@core3.amsl.com
Delivered-To: ietfarch-pkix-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3033328C16C for <ietfarch-pkix-archive@core3.amsl.com>; Mon, 27 Oct 2008 16:31:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.594
X-Spam-Level:
X-Spam-Status: No, score=-0.594 tagged_above=-999 required=5 tests=[AWL=1.300, BAYES_00=-2.599, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XgntPHqhLO4t for <ietfarch-pkix-archive@core3.amsl.com>; Mon, 27 Oct 2008 16:31:36 -0700 (PDT)
Received: from balder-227.proper.com (properopus-pt.tunnel.tserv3.fmt2.ipv6.he.net [IPv6:2001:470:1f04:392::2]) by core3.amsl.com (Postfix) with ESMTP id 90CCE28C235 for <pkix-archive@ietf.org>; Mon, 27 Oct 2008 16:31:35 -0700 (PDT)
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m9RMxdap003161 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 27 Oct 2008 15:59:39 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id m9RMxdDV003160; Mon, 27 Oct 2008 15:59:39 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from gateway.baea.com.au (gateway.baea.com.au [202.20.20.25]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m9RMxQga003124 for <ietf-pkix@imc.org>; Mon, 27 Oct 2008 15:59:37 -0700 (MST) (envelope-from ian.brumby@baesystems.com)
Received: from unknown (HELO bunya.baea.com.au) ([150.207.1.63]) by fep.baea.com.au with ESMTP; 28 Oct 2008 09:29:25 +1030
Received: from SBW3OWEX1.au.baesystems.com (exchange [150.207.4.37]) by bunya.baea.com.au (8.13.8+Sun/8.13.8) with ESMTP id m9RMxMkx027596; Tue, 28 Oct 2008 09:29:25 +1030 (CST)
Received: from brdw3ex1.au.baesystems.com ([150.207.68.10]) by SBW3OWEX1.au.baesystems.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 28 Oct 2008 09:29:22 +1030
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C93887.A5F1213F"
Subject: RE: draft-ietf-pkix-3281update-01.txt
Date: Tue, 28 Oct 2008 09:59:21 +1100
Message-ID: <0D88367CF035304ABCB1022D82AF0753017C7CDD@brdw3ex1.au.baesystems.com>
In-Reply-To: <200810271331.m9RDVOAv028096@bunya.baea.com.au>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: draft-ietf-pkix-3281update-01.txt
Thread-Index: Ack4OFFpTG68tGzXRhOnR53nnu36AwATHRlA
References: <9F11911AED01D24BAA1C2355723C3D32195A6F405C@EA-EXMSG-C332.europe.corp.microsoft.com> <200810251952.m9PJqCPD001487@bunya.baea.com.au> <0D88367CF035304ABCB1022D82AF0753017C7CD3@brdw3ex1.au.baesystems.com> <200810271331.m9RDVOAv028096@bunya.baea.com.au>
From: "BRUMBY, Ian" <ian.brumby@baesystems.com>
To: Russ Housley <housley@vigilsec.com>, ietf-pkix@imc.org
X-OriginalArrivalTime: 27 Oct 2008 22:59:22.0226 (UTC) FILETIME=[A6853D20:01C93887]
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Since the over-the-wire encoding has been changed to be compatible with X.501, and incompatible with RFC 3281, shouldn't the OID of the attribute be changed to match X.501? ________________________________ From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Russ Housley Sent: Tuesday, 28 October 2008 12:13 AM To: BRUMBY, Ian; ietf-pkix@imc.org Subject: RE: Rationales for CA clearance constraints This fact has been reported in an RFC Errata: Note that clearance was NOT defined in X.501(1993), but X.500(1997). However, X.501(2005) may be the best reference for clearance. At 08:13 PM 10/26/2008, BRUMBY, Ian wrote: The Clearance attribute is defined in the current X.501 (2001 and v6 draft) with an OID of 2.5.4.55. RFC 3281 (as referenced by draft-turner-caclearanceconstraints-01.txt) defines it as 2.5.1.5.55. It refers to X.501-1993 as the source of this definition. I've dug up the 1993 standard and can't find any reference to Clearance. If Clearance Constraints are implemented, maybe it should be clarified if it constrains X.501 (2003) Clearance attributes, if they are present in the certificate, or specifically doesn't constrain them. "Warning: The information contained in this email and any attached files is confidential to BAE Systems Australia. If you are not the intended recipient, any use, disclosure or copying of this email or any attachments is expressly prohibited. If you have received this email in error, please notify us immediately. VIRUS: Every care has been taken to ensure this email and its attachments are virus free, however, any loss or damage incurred in using this email is not the sender's responsibility. It is your responsibility to ensure virus checks are completed before installing any data sent in this email to your computer."
- Rationales for CA clearance constraints Stefan Santesson
- Re: Rationales for CA clearance constraints Yoav Nir
- RE: Rationales for CA clearance constraints Santosh Chokhani
- RE: Rationales for CA clearance constraints BRUMBY, Ian
- RE: Rationales for CA clearance constraints Russ Housley
- Re: Rationales for CA clearance constraints Stephen Kent
- Re: Rationales for CA clearance constraints Stephen Kent
- RE: Rationales for CA clearance constraints Santosh Chokhani
- RE: draft-ietf-pkix-3281update-01.txt BRUMBY, Ian
- RE: Rationales for CA clearance constraints Stefan Santesson
- RE: Rationales for CA clearance constraints Paul Hoffman
- RE: Rationales for CA clearance constraints Stephen Kent
- Re: Rationales for CA clearance constraints Yoav Nir
- RE: Rationales for CA clearance constraints Stefan Santesson
- RE: Rationales for CA clearance constraints Stefan Santesson
- Re: Rationales for CA clearance constraints Stephen Kent
- RE: Rationales for CA clearance constraints Santosh Chokhani
- Re: Rationales for CA clearance constraints Yoav Nir
- Re: Rationales for CA clearance constraints Timothy J. Miller
- Re: Rationales for CA clearance constraints Timothy J. Miller
- Re: Rationales for CA clearance constraints Timothy J. Miller
- RE: Rationales for CA clearance constraints Santosh Chokhani
- RE: Rationales for CA clearance constraints Santosh Chokhani
- RE: Rationales for CA clearance constraints Denis Pinkas
- Re: Rationales for CA clearance constraints Paul Hoffman
- RE: draft-ietf-pkix-3281update-01.txt Russ Housley
- Re: Rationales for CA clearance constraints Timothy J. Miller
- RE: Rationales for CA clearance constraints Paul Hoffman
- RE: Rationales for CA clearance constraints Santosh Chokhani
- Re: Rationales for CA clearance constraints Timothy J. Miller
- RE: Rationales for CA clearance constraints Santosh Chokhani
- Re: Rationales for CA clearance constraints Paul Hoffman
- Re: Rationales for CA clearance constraints Timothy J. Miller
- Re: Rationales for CA clearance constraints Paul Hoffman
- RE: Rationales for CA clearance constraints Santosh Chokhani
- Re: Rationales for CA clearance constraints Anders Rundgren
- Re: Rationales for CA clearance constraints Scott Rea
- Random PKI critiques [was: Rationales for CA clea… Stephen Wilson
- Re: Rationales for CA clearance constraints Stephen Kent
- Re: Rationales for CA clearance constraints Stephen Kent
- Re: Rationales for CA clearance constraints Stephen Kent
- Re: Rationales for CA clearance constraints Stephen Kent
- RE: Rationales for CA clearance constraints Stefan Santesson
- RE: Rationales for CA clearance constraints Stefan Santesson
- RE: Rationales for CA clearance constraints Stephen Kent
- Re: Random PKI critiques [was: Rationales for CA … Timothy J. Miller
- Re: Rationales for CA clearance constraints Timothy J. Miller
- Re: Rationales for CA clearance constraints Yoav Nir
- Re: Rationales for CA clearance constraints Yoav Nir
- Re: Rationales for CA clearance constraints Stephen Kent
- RE: Rationales for CA clearance constraints Jim Schaad
- Re: Random PKI critiques [was: Rationales for CA … Anders Rundgren
- Re: Rationales for CA clearance constraints Timothy J. Miller
- RE: Rationales for CA clearance constraints Santosh Chokhani
- Re: Random PKI critiques [was: Rationales for CA … Moudrick M. Dadashov
- Re: Random PKI critiques [was: Rationales for CA … Stephen Wilson
- RE: Rationales for CA clearance constraints Stephen Kent
- Re: Rationales for CA clearance constraints Stephen Kent
- Re: Random PKI critiques [was: Rationales for CA … Anders Rundgren
- Re: Rationales for CA clearance constraints Denis Pinkas
- (Other) dubious uses of PKI technology [was: Rati… Anders Rundgren
- Re: Random PKI critiques [was: Rationales for CA … Scott Rea
- Re: Random PKI critiques [was: Rationales for CA … Timothy J. Miller
- Re: Random PKI critiques [was: Rationales for CA … Scott Rea
- Re: Random PKI critiques [was: Rationales for CA … Moudrick M. Dadashov
- Re: Random PKI critiques [was: Rationales for CA … Eric Norman
- Re: Random PKI critiques [was: Rationales for CA … Anders Rundgren
- RE: Rationales for CA clearance constraints Kemp, David P.
- RE: Rationales for CA clearance constraints Santosh Chokhani
- Re: Rationales for CA clearance constraints David A. Cooper
- RE: Rationales for CA clearance constraints Kemp, David P.
- RE: Rationales for CA clearance constraints Santosh Chokhani
- RE: Rationales for CA clearance constraints Kemp, David P.
- RE: Rationales for CA clearance constraints Tom Gindin
- Processing rules for non-critical extensions (Re:… David A. Cooper
- RE: Processing rules for non-critical extensions … Kemp, David P.