IETF Logo Mail Archive

Re: [pkix] New Version Notification for draft-seantek-certfrag-00.txt

Sean Turner <turners@ieca.com> Thu, 06 November 2014 18:36 UTC

Return-Path: <turners@ieca.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D80481A89FC for <pkix@ietfa.amsl.com>; Thu, 6 Nov 2014 10:36:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.567
X-Spam-Level:
X-Spam-Status: No, score=-1.567 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mg0tuQis9BeR for <pkix@ietfa.amsl.com>; Thu, 6 Nov 2014 10:36:33 -0800 (PST)
Received: from gateway12.websitewelcome.com (gateway12.websitewelcome.com [69.56.195.22]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E9A541A89FA for <pkix@ietf.org>; Thu, 6 Nov 2014 10:36:32 -0800 (PST)
Received: by gateway12.websitewelcome.com (Postfix, from userid 5007) id 4412E99E23F62; Thu, 6 Nov 2014 12:36:32 -0600 (CST)
Received: from gator3286.hostgator.com (gator3286.hostgator.com [198.57.247.250]) by gateway12.websitewelcome.com (Postfix) with ESMTP id 23A4199E23F16 for <pkix@ietf.org>; Thu, 6 Nov 2014 12:36:32 -0600 (CST)
Received: from [173.73.121.234] (port=52186 helo=[192.168.1.7]) by gator3286.hostgator.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.82) (envelope-from <turners@ieca.com>) id 1XmRv5-0001Jx-8r; Thu, 06 Nov 2014 12:36:31 -0600
Content-Type: multipart/signed; boundary="Apple-Mail=_330984D1-6328-4D56-84C6-62CFEB8691B6"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Sean Turner <turners@ieca.com>
In-Reply-To: <D68BE514-5604-4D29-AF0C-CD56DE9088C9@seantek.com>
Date: Thu, 06 Nov 2014 13:36:32 -0500
Message-Id: <0A4F75A3-59E3-4953-AE0F-E77758B21ED6@ieca.com>
References: <540E0A56.7060301@seantek.com> <544D14C8.4070604@seantek.com> <1557541F-A60F-430B-8C6C-BA5474538C79@ieca.com> <D68BE514-5604-4D29-AF0C-CD56DE9088C9@seantek.com>
To: Sean Leonard <dev+ietf@seantek.com>
X-Mailer: Apple Mail (2.1878.6)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator3286.hostgator.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ieca.com
X-BWhitelist: no
X-Source-IP: 173.73.121.234
X-Exim-ID: 1XmRv5-0001Jx-8r
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: ([192.168.1.7]) [173.73.121.234]:52186
X-Source-Auth: sean.turner@ieca.com
X-Email-Count: 6
X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IzMjg2Lmhvc3RnYXRvci5jb20=
Archived-At: http://mailarchive.ietf.org/arch/msg/pkix/lR_THaGmungJEagLjGTSbAROuPc
Cc: pkix@ietf.org, saag@ietf.org
Subject: Re: [pkix] New Version Notification for draft-seantek-certfrag-00.txt
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Nov 2014 18:36:35 -0000

On Nov 06, 2014, at 03:13, Sean Leonard <dev+ietf@seantek.com> wrote:

> 
> On Nov 5, 2014, at 4:29 PM, Sean Turner <turners@ieca.com> wrote:
> 
>> Seems like a reasonable way to do what you’re trying to do, but I’ve got two questions:
>> 
>> 1) Do you really, really need the MUST?  If an implementation doesn’t follow the rules and instead uses “sN” for the serial number fragment it’s still going to work right because they’re case-insensitive?  If that’s the case then maybe you could just drop that bit.
> 
> Okay, maybe “MUST” is unduly harsh. However, I like to have consistent casing, even though it is case-insensitive. Is “SHOULD” appropriate? If not, I can drop the RFC 2119 key word and simply say “The fragments defined in the table above are case-insensitive; nevertheless for consistency, a generator is supposed to produce the fragment identifiers with the same casing as provided in this memo.”

I’d just drop the 2119 language entirely and not try to use language based on RFC6919.  I really like to lock things down when you can but in this case if there’s clearly no interop issue, I’d go for less characters in the draft ;)

>> 2) The second part of the text in the security considerations gave me pause:
>> 
>>  A certificate displaying
>>  application might zoom in on that aspect of the certificate, while a
>>  public key-processing application might use a fragment identifier
>>  like "#spki" to extract the "SubjectPublicKeyInfo" structure for
>>  further processing. 
>> 
>> Are you saying the spki would be extracted for processing from the identifier or from the certificate?  I’m hoping the later.
> 
> It’s the certificate. Proposed revised text:
> 
>   A certificate displaying
>   application might zoom in on that aspect of the certificate, while a
>   public key-processing application might use a fragment identifier
>   like "#spki" to extract the "SubjectPublicKeyInfo” structure
>   from the certificate for further processing.

How about:

… , while a public key-processing application might use a fragment identifier like "#spki" to chose which certificate from which to extract the "SubjectPublicKeyInfo” structure for further processing.

It might also be worth adding a security consideration that the values in the fragment identifier shouldn’t be used in lieu of the values they’re supposed to be identifying because they’re not part of the actual certificate - or something like that.

Then, I think you’re done.

spt

v2.23.0 | Report a Bug | By Email