IETF Logo Mail Archive

Re: request for WG to adopt draft-chadwick-webdav-00.txt as a work item

George Michaelson <ggm@apnic.net> Thu, 06 September 2007 12:41 UTC

Return-path: <owner-ietf-pkix@mail.imc.org>
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1ITGgB-0002AU-OO for pkix-archive@lists.ietf.org; Thu, 06 Sep 2007 08:41:51 -0400
Received: from balder-227.proper.com ([192.245.12.227]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1ITGgA-0005gS-8R for pkix-archive@lists.ietf.org; Thu, 06 Sep 2007 08:41:51 -0400
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l86BJNj8027849 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 6 Sep 2007 04:19:23 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id l86BJNg0027847; Thu, 6 Sep 2007 04:19:23 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mint.apnic.net (mint.apnic.net [202.12.29.58]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l86BJLB9027839 for <ietf-pkix@imc.org>; Thu, 6 Sep 2007 04:19:22 -0700 (MST) (envelope-from ggm@apnic.net)
Received: from asmtp.apnic.net (unknown [169.223.7.175]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mint.apnic.net (Postfix) with ESMTP id EF25DD5F34; Thu, 6 Sep 2007 21:19:16 +1000 (EST)
Date: Thu, 06 Sep 2007 16:49:06 +0530
From: George Michaelson <ggm@apnic.net>
To: Stefan Santesson <stefans@microsoft.com>
Cc: "ietf-pkix@imc.org" <ietf-pkix@imc.org>
Subject: Re: request for WG to adopt draft-chadwick-webdav-00.txt as a work item
Message-ID: <20070906164906.77095d06@garlique.algebras.org>
In-Reply-To: <A15AC0FBACD3464E95961F7C0BCD1FF006A25BDE83@EA-EXMSG-C307.europe.corp.microsoft.com>
References: <20070906121635.134112cf@garlique.algebras.org> <A15AC0FBACD3464E95961F7C0BCD1FF006A25BDE5E@EA-EXMSG-C307.europe.corp.microsoft.com> <20070906160757.4ccdf148@garlique.algebras.org> <A15AC0FBACD3464E95961F7C0BCD1FF006A25BDE83@EA-EXMSG-C307.europe.corp.microsoft.com>
X-Mailer: Claws Mail 2.10.0 (GTK+ 2.10.14; i386--netbsdelf)
X-Fruit-Of-The-Month-Club: persimmon
X-Face: (G*pY('2ZlP:=]{&J8["6Ibt`-M4xkya9HI%Ij0Q|PTT[qLP~"GJ:bxz>brS}WggoHS$gbYM81`^GU@icr}P?d>R\RNgjc)w:c_].{ylf,&Q,6J:esKfk!|/kr{uvQ3wDlnYxBVj; ; t7v=rA"3r>Z'w&ptd}\?5
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 27ec2ff0f5c3b18b49c722f4f1748838

On Thu, 6 Sep 2007 11:56:34 +0100
Stefan Santesson <stefans@microsoft.com> wrote:

> A few answers and comments:
> 
> > I don't see
> > aggressive use of the various existing CRL/OCSP check methods.
> 
> We must have vastly different experience then. I see a very large
> deployment of PKI based on CRL and OCSP. However large amounts of
> certs are deployed where they are not very visible, for example to
> enable VPN or wireless networks. Public PKIs are still not very
> spread with exception of web-server certificates.

right. I see webdave (that was a slip, which I will leave in for its
humour value in context) addressing the public space. 

I do not claim OCSP, CRLs are not used. I will believe you that  in
private contexts they get good deployment. I am also sure that very few
people in browserland consciously engage with CRLs or OCSP services, and
routinely click through warning boxes about server certificate name
mismatches, expiry, or lack of TA material behind the cert being
offered.


> It is my experience that OCSP and CRLs works very well in the vast
> majority of cases I see.

That's good to know. Because the SIDR WG is about testing assertions
about the totality of the information in the repository, OCSP was not
high on my radar. access to CRLs, and efficient access to repositories
is, and web or webdav, in allowing mechanisms like cache time controls,
virtual hosting and streams of data, looked like a good longterm fit. 

> 
> > I do think that webdav, being more generally deployed and useful,
> > may be enabling technology for certificate use.
> 
> More specifically, what blocking factor for PKI deployment do you
> think would go away with this solution?

public acceptance of the management side costs of maintaining
repositories. I regard the methods embedded in my current open source
systems as wildly ad-hoc. Since webdav is a given for the webserver
which is the public face of the certificate processes, making webdav be
used to publish and maintain the repository would be trivial. YMMV

> Webdav does not have the greatest security story and here we are
> depending on that technology to provide reliable trustworthy
> information. I would like to see someone being expert on this
> technology vouching for its security properties.

That is also fair. It will be abundantly clear to the rest of the list
I am a consumer of certificate expertise, not an originator. I felt
that webdav over HTTP/TLS was adequately secure. If I am wrong, that
would of course change my feelings. But only in respect of the CRL/OCSP
side for relying parties. I am still interested in its use as a
provisioning method, where you own the link to the repository from the
certificate engine.

> 
> > um. I'm not sure I understand the difference. In practice, where
> > does an OCSP server get its information about certificate
> > revokation, if not from its own trust in a repository
> > infrastructure?
> 
> I does not have to. It can use a signed CRL as source. When an OCSP
> server do access the CA database, it usually either sits on the local
> protected network together with the CA or use other security means to
> protect the integrity of that information.
> 
> This is vastly different from a user accessing the webdav server over
> the public internet.

As I said, I don't think webdav on HTTP/80 makes much sense for the
OCSP/CRL side of this. I would expect that configuring the specific
Webdav/HTTPS server certificate in was morally equivalent to accepting
the OCSP servers certification over its assertions.

My main interest is repository PROVISIONING. The necessary aspects of
defining a namespace for mapping certificate DNs into the web, for a
web view of SIA/AIA, and the definition of a protocol for using webdav
to get the material ONTO the repository is where I am looking for a win.

You are addressing the revocation side, and I do not disagree there are
issues. I would expect that a rewrite on the draft could separate into
now three parts

1) webdav as a trustable protocol, and REST models for the publishing
   process. Mainly about POST and DEL behaviours to write and remove
   information.

2) webdav as a trustable protocol, and REST models for the relying party
   side including the revokation issues. mainly about GET and the
   expectations in namespace to defined CRLs over sets of certs, beyond
   the one-cert CRL model.

3) namespace mapping from DN into the web URL. mainly about the
   principles, and the specific mapping for full DNs. As I said in
   my original mail, I don't think this is going to be applicable for
   all contexts, wide/flat namespaces may expect other mappings.

I would be able to exploit 1) and 3). I do not see 2) as such a massive
problem it could not be entertained, but I can see as WG chair you are
not drawn there.

If Dave isn't motivated to buy into this and the draft isn't going
anywhere I won't be making a stink. I just wanted to float the idea and
do a +1 on it. 

Its probably not worth more of your time right now Stefan. I won't post
any more for a bit.

 cheers

-george

> Stefan Santesson
> Senior Program Manager
> Windows Security, Standards
> 
> 
> > -----Original Message-----
> > From: George Michaelson [mailto:ggm@apnic.net]
> > Sent: den 6 september 2007 12:38
> > To: Stefan Santesson
> > Cc: ietf-pkix@imc.org
> > Subject: Re: request for WG to adopt draft-chadwick-webdav-00.txt
> > as a work item
> >
> > On Thu, 6 Sep 2007 11:12:05 +0100
> > Stefan Santesson <stefans@microsoft.com> wrote:
> >
> > >
> > > Thanks for bringing this up George.
> > >
> > > As for all solutions to problems where there already exist other
> > > solutions to the same problems, it is important to determine why
> > > we need another solution to the same problem.
> > >
> >
> > Yes. I certainly agree that 'just because we can' is not a good
> > basis for deciding to do things. However, there is something about
> > REST which I observe is being used by a wide community of people as
> > infrastructure technology, to build systems. Equally, webdav has
> > become something which is trivially available. And, it is
> > remarkably easy to deploy on the web server-side.
> >
> > So I see a useful convergence of desire (wide uptake of certificate
> > backed processes, which require access to repositories) and reality
> > (technologies which are easy to deploy, and can be used to bootstrap
> > and maintain certificate repositories). But it reflects my world
> > view. I haven't found widespread uptake of the more traditional
> > mechanisms that have been available to date. Like many others, I
> > don't see aggressive use of the various existing CRL/OCSP check
> > methods. I do think that webdav, being more generally deployed and
> > useful, may be enabling technology for certificate use.
> >
> > > There is a value to have a limited standardized set of ways to do
> > > things as it makes interoperability easier. Sometimes we choose to
> > > offer multiple solutions anyway, mostly to enable re-use of
> > > existing infrastructures.
> > >
> > > I would like to hear more about why it is important to add this to
> > > the menu of repository solutions and revocation mechanisms.
> >
> > I'm going to have to think about that. I fear I am mainly looking at
> > parochial contexts, where I have web, and webdav, and REST coding
> > models, so being able to exploit that technology makes it far easier
> > for me to deploy a repository in the system-as-a-whole compared to
> > using one of the other mechanisms.
> >
> > > My personal concern about the presented approach is that it
> > > changes the trust mechanism for certificate revocation from
> > > signed objects (CRLs and OCSP responses) to trust in a repository
> > > infrastructure.
> >
> > um. I'm not sure I understand the difference. In practice, where
> > does an OCSP server get its information about certificate
> > revokation, if not from its own trust in a repository
> > infrastructure?
> >
> > and, the WEBDAV exchange is using a signed transport. ok. I see Dave
> > did make that optional. that looks like a weakness to me. I would
> > expect that to be addressed, if the work was adopted.
> >
> > > That is, if I get a certificate in return from an expected
> > > location it is supposed to be valid. Yet, when revoked a 1 post
> > > CRL is examined making revocation CRL based. I don't think this
> > > fits with the model of CRL processing described in section 6.3 of
> > > RFC 3280.
> >
> > Yes. a side effect of REST is the applicability of an item of data
> > is very contextually bound to its name-path in the REST url.
> >
> > I would have thought that we could be discussing alternative
> > approaches to make more traditional CRLs over collections of
> > objects explicit namepoints in REST.
> >
> > But, that kinda goes back to your base question: why another method?
> >
> > -George
> >
> > > Stefan Santesson
> > > Senior Program Manager
> > > Windows Security, Standards
> > >
> > >
> > > > -----Original Message-----
> > > > From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-
> > > > pkix@mail.imc.org] On Behalf Of George Michaelson
> > > > Sent: den 6 september 2007 08:47
> > > > To: ietf-pkix@imc.org
> > > > Subject: request for WG to adopt draft-chadwick-webdav-00.txt
> > > > as a work item
> > > >
> > > >
> > > >
> > > > I am very interested in the construction of a systematic
> > > > framework for webdav based publication protocols to be used to
> > > > publish into repositories. Other WG areas of work are
> > > > considering adoption of certificate based models which require
> > > > large, distributed repositories to be maintained, and will
> > > > imply a repository provisioning protocol.
> > > >
> > > > I therefore wish to propose the WG adopt
> > > > draft-chadwick-webdav-00.txt as a work item.
> > > >
> > > > I would also like to ask that the document be slightly
> > > > modified, to present two distinct parts in the proposal
> > > >
> > > > 1) that part which documents use of WEBDAV as a repository
> > > > publication protocol and the use of a REST model.
> > > >
> > > > 2) that part which discusses naming of the repository objects in
> > the
> > > >    repository, eg for use in the SIA and AIA fields, and the
> > related
> > > >    REST model name mapping.
> > > >
> > > > The reason I ask that it be re-worked in this way is that there
> > > > are other models of repository naming architecture which do not
> > > > have 'deep' RDN name structure in the certificate Subject name,
> > > > and are less ameanable to a deterministic mapping as Dave has
> > > > proposed. If the document is re-worked slightly to make it
> > > > plain that this is only one of many repository naming models,
> > > > it will be easier for related work to cite this document in
> > > > reference to part 1) use of WEBDAV and to draw up a distinct
> > > > repository name mapping function reflecting part 2) in spirit.
> > > >
> > > > I have some very minor concerns with stipulating the correct TLS
> > > > version to support virtual webhost naming in a secured
> > > > connection
> > to
> > > > the server during WEBDAV binding. I am sure these can be very
> > easily
> > > > addressed.
> > > >
> > > > Thanks to Dave Chadwick for writing this draft, and presenting
> > > > it
> > at
> > > > IETF69 Chicago.
> > > >
> > > > -George
> > >
> > >
>

v2.23.0 | Report a Bug | By Email