Re: Rationales for CA clearance constraints
Yoav Nir <ynir@checkpoint.com> Tue, 28 October 2008 12:37 UTC
Return-Path: <owner-ietf-pkix@mail.imc.org>
X-Original-To: ietfarch-pkix-archive@core3.amsl.com
Delivered-To: ietfarch-pkix-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1CF1E28C15C for <ietfarch-pkix-archive@core3.amsl.com>; Tue, 28 Oct 2008 05:37:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=-0.001, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eNvoMplkvutx for <ietfarch-pkix-archive@core3.amsl.com>; Tue, 28 Oct 2008 05:37:30 -0700 (PDT)
Received: from balder-227.proper.com (properopus-pt.tunnel.tserv3.fmt2.ipv6.he.net [IPv6:2001:470:1f04:392::2]) by core3.amsl.com (Postfix) with ESMTP id B3B9A28C1E8 for <pkix-archive@ietf.org>; Tue, 28 Oct 2008 05:37:29 -0700 (PDT)
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m9SC3IO6037523 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 28 Oct 2008 05:03:18 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id m9SC3IPa037522; Tue, 28 Oct 2008 05:03:18 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from dlpdemo.checkpoint.com (dlpdemo.checkpoint.com [194.29.32.54]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m9SC35p2037471 for <ietf-pkix@imc.org>; Tue, 28 Oct 2008 05:03:16 -0700 (MST) (envelope-from ynir@checkpoint.com)
Received: by dlpdemo.checkpoint.com (Postfix, from userid 105) id C6AF529C001; Tue, 28 Oct 2008 14:02:59 +0200 (IST)
Received: from michael.checkpoint.com (michael.checkpoint.com [194.29.32.68]) by dlpdemo.checkpoint.com (Postfix) with ESMTP id 446EE294003; Tue, 28 Oct 2008 14:02:58 +0200 (IST)
Received: from RnD-Test.checkpoint.com (localhost [127.0.0.1]) by michael.checkpoint.com (8.12.10+Sun/8.12.10) with ESMTP id m9SC2vQC019002; Tue, 28 Oct 2008 14:02:57 +0200 (IST)
Cc: ietf-pkix@imc.org
Message-Id: <D3AA45CA-1124-44BD-AAA5-4CBF2AF5EA3F@checkpoint.com>
From: Yoav Nir <ynir@checkpoint.com>
To: "BRUMBY, Ian" <ian.brumby@baesystems.com>
In-Reply-To: <0D88367CF035304ABCB1022D82AF0753017C7CD3@brdw3ex1.au.baesystems.com>
Content-Type: multipart/alternative; boundary="Apple-Mail-1--72442016"
Mime-Version: 1.0 (Apple Message framework v929.2)
Subject: Re: Rationales for CA clearance constraints
Date: Tue, 28 Oct 2008 14:02:57 +0200
References: <9F11911AED01D24BAA1C2355723C3D32195A6F405C@EA-EXMSG-C332.europe.corp.microsoft.com> <200810251952.m9PJqCPD001487@bunya.baea.com.au> <0D88367CF035304ABCB1022D82AF0753017C7CD3@brdw3ex1.au.baesystems.com>
X-Mailer: Apple Mail (2.929.2)
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
On Oct 27, 2008, at 2:13 AM, BRUMBY, Ian wrote: > My comments on the topic: > > The Clearance attribute is defined in the current X.501 (2001 and v6 > draft) with an OID of 2.5.4.55. RFC 3281 (as referenced by draft- > turner-caclearanceconstraints-01.txt) defines it as 2.5.1.5.55. It > refers to X.501-1993 as the source of this definition. I’ve dug up > the 1993 standard and can’t find any reference to Clearance. If > Clearance Constraints are implemented, maybe it should be clarified > if it constrains X.501 (2003) Clearance attributes, if they are > present in the certificate, or specifically doesn’t constrain them. > > With regards as to whether Clearance should be held in the > Certificate or the Directory: > I’ve heard concern that it shouldn’t be held in either. In a > Prisoner of War scenario it potentially identifies the people with > the potential to have the most knowledge. > FYI – at least one Directory vendor is using the Clearance attribute > on the Certificate that is used to bind to the Directory to control > access to the Directory. > > Ian Brumby > BAE Systems On recent discussion on the TLS mailing list, someone said that browsers will silently send a certificate if prompted to by HTTPS web servers. So your comment 2a has broader application. It's not just Iraqi insurgents capturing a US or British soldier and checking his or her certificate (terrorists as relying parties), but if a DoD employee uses their work computer to surf to, say, Amazon or gmail, their name, rank and clearance levels leak to that party. I have no idea what's the harm in telling Amazon, gmail or the Russian Mafia that you have top secret clearance, but it sounds bad.
- Rationales for CA clearance constraints Stefan Santesson
- Re: Rationales for CA clearance constraints Yoav Nir
- RE: Rationales for CA clearance constraints Santosh Chokhani
- RE: Rationales for CA clearance constraints BRUMBY, Ian
- RE: Rationales for CA clearance constraints Russ Housley
- Re: Rationales for CA clearance constraints Stephen Kent
- Re: Rationales for CA clearance constraints Stephen Kent
- RE: Rationales for CA clearance constraints Santosh Chokhani
- RE: draft-ietf-pkix-3281update-01.txt BRUMBY, Ian
- RE: Rationales for CA clearance constraints Stefan Santesson
- RE: Rationales for CA clearance constraints Paul Hoffman
- RE: Rationales for CA clearance constraints Stephen Kent
- Re: Rationales for CA clearance constraints Yoav Nir
- RE: Rationales for CA clearance constraints Stefan Santesson
- RE: Rationales for CA clearance constraints Stefan Santesson
- Re: Rationales for CA clearance constraints Stephen Kent
- RE: Rationales for CA clearance constraints Santosh Chokhani
- Re: Rationales for CA clearance constraints Yoav Nir
- Re: Rationales for CA clearance constraints Timothy J. Miller
- Re: Rationales for CA clearance constraints Timothy J. Miller
- Re: Rationales for CA clearance constraints Timothy J. Miller
- RE: Rationales for CA clearance constraints Santosh Chokhani
- RE: Rationales for CA clearance constraints Santosh Chokhani
- RE: Rationales for CA clearance constraints Denis Pinkas
- Re: Rationales for CA clearance constraints Paul Hoffman
- RE: draft-ietf-pkix-3281update-01.txt Russ Housley
- Re: Rationales for CA clearance constraints Timothy J. Miller
- RE: Rationales for CA clearance constraints Paul Hoffman
- RE: Rationales for CA clearance constraints Santosh Chokhani
- Re: Rationales for CA clearance constraints Timothy J. Miller
- RE: Rationales for CA clearance constraints Santosh Chokhani
- Re: Rationales for CA clearance constraints Paul Hoffman
- Re: Rationales for CA clearance constraints Timothy J. Miller
- Re: Rationales for CA clearance constraints Paul Hoffman
- RE: Rationales for CA clearance constraints Santosh Chokhani
- Re: Rationales for CA clearance constraints Anders Rundgren
- Re: Rationales for CA clearance constraints Scott Rea
- Random PKI critiques [was: Rationales for CA clea… Stephen Wilson
- Re: Rationales for CA clearance constraints Stephen Kent
- Re: Rationales for CA clearance constraints Stephen Kent
- Re: Rationales for CA clearance constraints Stephen Kent
- Re: Rationales for CA clearance constraints Stephen Kent
- RE: Rationales for CA clearance constraints Stefan Santesson
- RE: Rationales for CA clearance constraints Stefan Santesson
- RE: Rationales for CA clearance constraints Stephen Kent
- Re: Random PKI critiques [was: Rationales for CA … Timothy J. Miller
- Re: Rationales for CA clearance constraints Timothy J. Miller
- Re: Rationales for CA clearance constraints Yoav Nir
- Re: Rationales for CA clearance constraints Yoav Nir
- Re: Rationales for CA clearance constraints Stephen Kent
- RE: Rationales for CA clearance constraints Jim Schaad
- Re: Random PKI critiques [was: Rationales for CA … Anders Rundgren
- Re: Rationales for CA clearance constraints Timothy J. Miller
- RE: Rationales for CA clearance constraints Santosh Chokhani
- Re: Random PKI critiques [was: Rationales for CA … Moudrick M. Dadashov
- Re: Random PKI critiques [was: Rationales for CA … Stephen Wilson
- RE: Rationales for CA clearance constraints Stephen Kent
- Re: Rationales for CA clearance constraints Stephen Kent
- Re: Random PKI critiques [was: Rationales for CA … Anders Rundgren
- Re: Rationales for CA clearance constraints Denis Pinkas
- (Other) dubious uses of PKI technology [was: Rati… Anders Rundgren
- Re: Random PKI critiques [was: Rationales for CA … Scott Rea
- Re: Random PKI critiques [was: Rationales for CA … Timothy J. Miller
- Re: Random PKI critiques [was: Rationales for CA … Scott Rea
- Re: Random PKI critiques [was: Rationales for CA … Moudrick M. Dadashov
- Re: Random PKI critiques [was: Rationales for CA … Eric Norman
- Re: Random PKI critiques [was: Rationales for CA … Anders Rundgren
- RE: Rationales for CA clearance constraints Kemp, David P.
- RE: Rationales for CA clearance constraints Santosh Chokhani
- Re: Rationales for CA clearance constraints David A. Cooper
- RE: Rationales for CA clearance constraints Kemp, David P.
- RE: Rationales for CA clearance constraints Santosh Chokhani
- RE: Rationales for CA clearance constraints Kemp, David P.
- RE: Rationales for CA clearance constraints Tom Gindin
- Processing rules for non-critical extensions (Re:… David A. Cooper
- RE: Processing rules for non-critical extensions … Kemp, David P.