Re: I-D ACTION:draft-ietf-pkix-prqp-00.txt
Massimiliano Pala <pala@cs.dartmouth.edu> Tue, 29 July 2008 16:00 UTC
Return-Path: <owner-ietf-pkix@mail.imc.org>
X-Original-To: ietfarch-pkix-archive@core3.amsl.com
Delivered-To: ietfarch-pkix-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 93E333A6BD2 for <ietfarch-pkix-archive@core3.amsl.com>; Tue, 29 Jul 2008 09:00:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.046
X-Spam-Level:
X-Spam-Status: No, score=-2.046 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_MISMATCH_COM=0.553]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AqSoplrZTBnw for <ietfarch-pkix-archive@core3.amsl.com>; Tue, 29 Jul 2008 09:00:06 -0700 (PDT)
Received: from balder-227.proper.com (Balder-227.Proper.COM [192.245.12.227]) by core3.amsl.com (Postfix) with ESMTP id B170B28C365 for <pkix-archive@ietf.org>; Tue, 29 Jul 2008 09:00:06 -0700 (PDT)
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m6TEpH1v084024 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 29 Jul 2008 07:51:17 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id m6TEpHwp084023; Tue, 29 Jul 2008 07:51:17 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mail.cs.dartmouth.edu (mail.cs.dartmouth.edu [129.170.212.100]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m6TEpGvf084016 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-pkix@imc.org>; Tue, 29 Jul 2008 07:51:17 -0700 (MST) (envelope-from pala@cs.dartmouth.edu)
Received: from titan.cs.dartmouth.edu ([130.129.18.33]) (authenticated bits=0) by mail.cs.dartmouth.edu (8.14.2/8.14.2) with ESMTP id m6TEp9Kb016324 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 29 Jul 2008 10:51:14 -0400
DomainKey-Signature: a=rsa-sha1; s=mail; d=cs.dartmouth.edu; c=nofws; q=dns; h=message-id:date:from:organization:user-agent:mime-version:to:cc: subject:references:in-reply-to:content-type; b=QjZCbiNBltqGffl8jb9yqEok8/l5X9kuM9n6MiYS4THyN/dxR//UOUcOqb015vxfg Ag6tqFbUxDpNXYInorEvA==
Message-ID: <488F2DAB.8060607@cs.dartmouth.edu>
Date: Tue, 29 Jul 2008 15:48:11 +0100
From: Massimiliano Pala <pala@cs.dartmouth.edu>
Organization: Dartmouth College - Computer Science Department
User-Agent: Thunderbird 2.0.0.9 (X11/20071031)
MIME-Version: 1.0
To: Tom Gindin <tgindin@us.ibm.com>
CC: ietf-pkix@imc.org
Subject: Re: I-D ACTION:draft-ietf-pkix-prqp-00.txt
References: <OF9546E942.4985643B-ON8525748D.005788F4-8525748D.00816157@us.ibm.com>
In-Reply-To: <OF9546E942.4985643B-ON8525748D.005788F4-8525748D.00816157@us.ibm.com>
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha1"; boundary="------------ms090803030803000804010306"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Hi Tom, I do not understand how this actually applies. The dnsName is just one type of GeneralNames (if I do remember correctly), therefore considerations about AIA and SIA are not actually affected. I do, anyway, understand your point: can we add a reference in the certificate so that we know which DNS domain we shall query for DNS SRV records related to PKI resources ? I considered this, and I do really think it is a viable solution. I do have some personal concerns about using DNS for this purpose. I think DNS SRV records work great for services provided within an organization (eg., within a university .example.edu - I am not aware of anyone who is actually using DNS SRV records on public DNSs) but having PKI managers to modify the DNS servers can be painful in certain environments. Besides this, having a separate service allows us to provide signed messages (both client and server) with NONCE. Moreover, a service that is decoupled from DNS can be easier to maintain, especially in a trusted-responder multi-CAs mode. But if other people share your opinion, please let me know, so we can update the document properly. Later, Max Tom Gindin wrote: > Section 2.1 of this draft gives an overview of existing solutions > and their limitations. It does not appear that any consideration was > given to adding a new AccessDescription (to the SIA and/or AIA extensions) > for SRV record access. The argument against the use of SRV records given > in 2.1.2 is that there is not generally a fixed mapping between the > certificate and a DNS space, which does not apply to a DNSName within an > AIA or SIA extension.
- I-D ACTION:draft-ietf-pkix-prqp-00.txt Internet-Drafts
- Re: I-D ACTION:draft-ietf-pkix-prqp-00.txt Tom Gindin
- Re: I-D ACTION:draft-ietf-pkix-prqp-00.txt Massimiliano Pala
- Re: I-D ACTION:draft-ietf-pkix-prqp-00.txt Tom Gindin
- Re: I-D ACTION:draft-ietf-pkix-prqp-00.txt Massimiliano Pala
- Re: I-D ACTION:draft-ietf-pkix-prqp-00.txt Anders Rundgren