Re: I-D ACTION:draft-ietf-pkix-pkixrep-04.txt
Russ Housley <housley@vigilsec.com> Sun, 27 November 2005 21:42 UTC
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EgUIV-0005yA-Av for pkix-archive@megatron.ietf.org; Sun, 27 Nov 2005 16:42:59 -0500
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA00951 for <pkix-archive@lists.ietf.org>; Sun, 27 Nov 2005 16:42:14 -0500 (EST)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jARKYrRG048400; Sun, 27 Nov 2005 12:34:53 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jARKYrlo048399; Sun, 27 Nov 2005 12:34:53 -0800 (PST)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [144.202.243.4]) by above.proper.com (8.12.11/8.12.9) with SMTP id jARKYq02048381 for <ietf-pkix@imc.org>; Sun, 27 Nov 2005 12:34:52 -0800 (PST) (envelope-from housley@vigilsec.com)
Received: (qmail 30149 invoked by uid 0); 27 Nov 2005 20:34:45 -0000
Received: from unknown (HELO Russ-Laptop.vigilsec.com) (138.88.159.19) by woodstock.binhost.com with SMTP; 27 Nov 2005 20:34:45 -0000
Message-Id: <7.0.0.10.2.20051125125749.02cb70e8@vigilsec.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.0.10 (Beta)
Date: Fri, 25 Nov 2005 12:58:45 -0500
To: Ulf M�ller <ulf.moeller@secardeo.com>, ietf-pkix@imc.org
From: Russ Housley <housley@vigilsec.com>
Subject: Re: I-D ACTION:draft-ietf-pkix-pkixrep-04.txt
In-Reply-To: <0ML29c-1EfKNp2HP2-0000vm@mrelayeu.kundenserver.de>
References: <0ML29c-1EfKNp2HP2-0000vm@mrelayeu.kundenserver.de>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"; format="flowed"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by ietf.org id QAA00951
This was just published last week as an Experimental RFC. I would like to know if people find it useful. Russ At 11:55 AM 11/24/2005, Ulf Möller wrote: >Hello, > >We have implemented a client that uses PKIXREP to locate an LDAP service for >an e-mail address. However I have not found anyone who announces their >directory in DNS according to this specification. > >If there is anyone who does, I'd appreciate a message. It would be nice if >we could perform some interoperability tests. > >The draft doesn't specify the LDAP search base. According to the expired >draft-ietf-ldapext-locate-08, you would use a DC style distinguished name. >Am I right in assuming that the same holds for PKIXREP? > >Ulf Möller > >======================================= >Secardeo GmbH >Betastrasse 9a >85774 Unterfoehring >GERMANY > >Office +49 (0)89 -18 93 58 95 >Fax +49 (0)89 -18 93 58 99 >E-mail ulf.moeller@secardeo.com >WWW http://www.secardeo.com >======================================= > Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jARKYrRG048400; Sun, 27 Nov 2005 12:34:53 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jARKYrlo048399; Sun, 27 Nov 2005 12:34:53 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from woodstock.binhost.com (woodstock.binhost.com [144.202.243.4]) by above.proper.com (8.12.11/8.12.9) with SMTP id jARKYq02048381 for <ietf-pkix@imc.org>; Sun, 27 Nov 2005 12:34:52 -0800 (PST) (envelope-from housley@vigilsec.com) Received: (qmail 30149 invoked by uid 0); 27 Nov 2005 20:34:45 -0000 Received: from unknown (HELO Russ-Laptop.vigilsec.com) (138.88.159.19) by woodstock.binhost.com with SMTP; 27 Nov 2005 20:34:45 -0000 Message-Id: <7.0.0.10.2.20051125125749.02cb70e8@vigilsec.com> X-Mailer: QUALCOMM Windows Eudora Version 7.0.0.10 (Beta) Date: Fri, 25 Nov 2005 12:58:45 -0500 To: Ulf Möller <ulf.moeller@secardeo.com>, <ietf-pkix@imc.org> From: Russ Housley <housley@vigilsec.com> Subject: Re: I-D ACTION:draft-ietf-pkix-pkixrep-04.txt In-Reply-To: <0ML29c-1EfKNp2HP2-0000vm@mrelayeu.kundenserver.de> References: <0ML29c-1EfKNp2HP2-0000vm@mrelayeu.kundenserver.de> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1"; format=flowed Content-Transfer-Encoding: 8bit Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This was just published last week as an Experimental RFC. I would like to know if people find it useful. Russ At 11:55 AM 11/24/2005, Ulf Möller wrote: >Hello, > >We have implemented a client that uses PKIXREP to locate an LDAP service for >an e-mail address. However I have not found anyone who announces their >directory in DNS according to this specification. > >If there is anyone who does, I'd appreciate a message. It would be nice if >we could perform some interoperability tests. > >The draft doesn't specify the LDAP search base. According to the expired >draft-ietf-ldapext-locate-08, you would use a DC style distinguished name. >Am I right in assuming that the same holds for PKIXREP? > >Ulf Möller > >===================>Secardeo GmbH >Betastrasse 9a >85774 Unterfoehring >GERMANY > >Office +49 (0)89 -18 93 58 95 >Fax +49 (0)89 -18 93 58 99 >E-mail ulf.moeller@secardeo.com >WWW http://www.secardeo.com >===================> Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jAOGtsst082884; Thu, 24 Nov 2005 08:55:54 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jAOGtstY082883; Thu, 24 Nov 2005 08:55:54 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.177]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jAOGtqbd082877 for <ietf-pkix@imc.org>; Thu, 24 Nov 2005 08:55:52 -0800 (PST) (envelope-from ulf.moeller@secardeo.com) Received: from [85.233.34.84] (helo=secmoe) by mrelayeu.kundenserver.de (node=mrelayeu6) with ESMTP (Nemesis), id 0ML29c-1EfKNp2HP2-0000vm; Thu, 24 Nov 2005 17:55:51 +0100 From: =?iso-8859-1?Q?Ulf_Möller?= <ulf.moeller@secardeo.com> To: <ietf-pkix@imc.org> Subject: Re: I-D ACTION:draft-ietf-pkix-pkixrep-04.txt Date: Thu, 24 Nov 2005 17:55:41 +0100 Organization: Secardeo GmbH MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Mailer: Microsoft Office Outlook, Build 11.0.6353 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 Thread-index: AcXxF+bewJe6tKb9SMmRxP25DqHJeg= Message-ID: <0ML29c-1EfKNp2HP2-0000vm@mrelayeu.kundenserver.de> X-Provags-ID: kundenserver.de abuse@kundenserver.de login:0f127e19937015e7b75cb484ac44fc0e Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id jAOGtrbd082878 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Hello, We have implemented a client that uses PKIXREP to locate an LDAP service for an e-mail address. However I have not found anyone who announces their directory in DNS according to this specification. If there is anyone who does, I'd appreciate a message. It would be nice if we could perform some interoperability tests. The draft doesn't specify the LDAP search base. According to the expired draft-ietf-ldapext-locate-08, you would use a DC style distinguished name. Am I right in assuming that the same holds for PKIXREP? Ulf Möller ===================Secardeo GmbH Betastrasse 9a 85774 Unterfoehring GERMANY Office +49 (0)89 -18 93 58 95 Fax +49 (0)89 -18 93 58 99 E-mail ulf.moeller@secardeo.com WWW http://www.secardeo.com =================== Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jAMIKovb002106; Tue, 22 Nov 2005 10:20:50 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jAMIKoFO002105; Tue, 22 Nov 2005 10:20:50 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from newodin.ietf.org ([132.151.6.50]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jAMIKl8W002094 for <ietf-pkix@imc.org>; Tue, 22 Nov 2005 10:20:47 -0800 (PST) (envelope-from apache@newodin.ietf.org) Received: from apache by newodin.ietf.org with local (Exim 4.43) id 1Eecl2-0002vn-09; Tue, 22 Nov 2005 13:20:44 -0500 X-test-idtracker: no From: The IESG <iesg-secretary@ietf.org> To: IETF-Announce <ietf-announce@ietf.org> Cc: Internet Architecture Board <iab@iab.org>, RFC Editor <rfc-editor@rfc-editor.org>, pkix mailing list <ietf-pkix@imc.org>, pkix chair <kent@bbn.com>, pkix chair <wpolk@nist.gov> Subject: Document Action: 'Internet X.509 Public Key Infrastructure Repository Locator Service' to Experimental RFC Message-Id: <E1Eecl2-0002vn-09@newodin.ietf.org> Date: Tue, 22 Nov 2005 13:20:44 -0500 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> The IESG has approved the following document: - 'Internet X.509 Public Key Infrastructure Repository Locator Service ' <draft-ietf-pkix-pkixrep-04.txt> as an Experimental RFC This document is the product of the Public-Key Infrastructure (X.509) Working Group. The IESG contact persons are Russ Housley and Sam Hartman. A URL of this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-pkix-pkixrep-04.txt Technical Summary This document defines a PKI repository locator service. The service makes use of DNS SRV records defined in accordance with RFC 2782. The service enables certificate using systems to locate PKI repositories based on a domain name, identify the protocols that can be used to access the repository, and obtain addresses for the servers that host the repository service. Working Group Summary The PKIX Working Group came to consensus on this document. Protocol Quality This document was reviewed by Russell Housley for the IESG. Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jAIKwaMX046037; Fri, 18 Nov 2005 12:58:36 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jAIKwalS046036; Fri, 18 Nov 2005 12:58:36 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from aragorn.bbn.com (aragorn.bbn.com [128.33.0.62]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jAIKwZ8H046024 for <ietf-pkix@vpnc.org>; Fri, 18 Nov 2005 12:58:35 -0800 (PST) (envelope-from kent@bbn.com) Received: from [128.89.89.106] (dhcp89-089-106.bbn.com [128.89.89.106]) by aragorn.bbn.com (8.12.7/8.12.7) with ESMTP id jAIKwFIC025074; Fri, 18 Nov 2005 15:58:16 -0500 (EST) Mime-Version: 1.0 Message-Id: <p06230910bfa3f0575619@[128.89.89.106]> In-Reply-To: <E6107B08-5C6B-4B49-8166-E9852298E311@sendmail.com> References: <002d01c5ebc4$1f97da10$0301a8c0@Wylie> <758F81C7-D4EE-4790-A8F1-3EC21CF845AE@sendmail.com> <01c101c5ec3d$f322c6f0$0644a8c0@cp.ru> <p06230909bfa3d6fe650c@[128.89.89.106]> <E6107B08-5C6B-4B49-8166-E9852298E311@sendmail.com> Date: Fri, 18 Nov 2005 15:56:53 -0500 To: Blake Ramsdell <blake@sendmail.com> From: Stephen Kent <kent@bbn.com> Subject: Re: WG LAST CALL: draft-ietf-smime-gost-05.txt Cc: "Gregory S. Chudov" <chudov@cryptopro.ru>, <ietf-pkix@vpnc.org>, <lse@cryptopro.ru>, "Sean Turner" <turners@ieca.com>, <sdb@dol.ru> Content-Type: text/plain; charset="us-ascii" ; format="flowed" X-Virus-Scanned: ClamAV version 0.83, clamav-milter version 0.83 on 128.33.1.41 X-Virus-Status: Clean Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> At 11:14 AM -0800 11/18/05, Blake Ramsdell wrote: >On Nov 18, 2005, at 11:09 AM, Stephen Kent wrote: >>Sorry. What I meant to say in my previous message was that I >>requested that a fresh (vs. expired) copy of the I-D in question be >>posted, so that we could initiate last call in PKIX. Please you >>provide a URL for that copy. > >Just to make sure we're talking about the same document -- I'm >talking about draft-ietf-pkix-gost-cppk-03 Yes, that I-D is OK. I will initiate WG last call on it. Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jAIKwOcY046015; Fri, 18 Nov 2005 12:58:24 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jAIKwOvl046014; Fri, 18 Nov 2005 12:58:24 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from aragorn.bbn.com (aragorn.bbn.com [128.33.0.62]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jAIKwNkF045995 for <ietf-pkix@imc.org>; Fri, 18 Nov 2005 12:58:23 -0800 (PST) (envelope-from kent@bbn.com) Received: from [128.89.89.106] (dhcp89-089-106.bbn.com [128.89.89.106]) by aragorn.bbn.com (8.12.7/8.12.7) with ESMTP id jAIKwFIE025074 for <ietf-pkix@imc.org>; Fri, 18 Nov 2005 15:58:17 -0500 (EST) Mime-Version: 1.0 Message-Id: <p06230911bfa3f0a16767@[128.89.89.106]> Date: Fri, 18 Nov 2005 15:58:41 -0500 To: ietf-pkix@imc.org From: Stephen Kent <kent@bbn.com> Subject: Last Call Content-Type: text/plain; charset="us-ascii" ; format="flowed" X-Virus-Scanned: ClamAV version 0.83, clamav-milter version 0.83 on 128.33.1.41 X-Virus-Status: Clean Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> I am initiating last call on: draft-ietf-pkix-gost-cppk-03.txt, an I-D targeted as INFORMATIONAL. Please provides comments to the list between now and the end of the month. Steve Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jAIJFTqb036771; Fri, 18 Nov 2005 11:15:29 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jAIJFT3q036770; Fri, 18 Nov 2005 11:15:29 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from smtp-out.sendmail.com (smtp-out.sendmail.com [209.246.26.45]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jAIJFSwQ036764 for <ietf-pkix@vpnc.org>; Fri, 18 Nov 2005 11:15:29 -0800 (PST) (envelope-from blake@sendmail.com) Received: from [192.168.0.3] (gtec136-m.isomedia.com [207.115.67.136] (may be forged)) (authenticated bits=0) by foon.sendmail.com (Switch-3.1.7/Switch-3.1.7) with ESMTP id jAIJEsMV007213 (version=TLSv1/SSLv3 cipher=RC4-SHA bits8 verify=NO); Fri, 18 Nov 2005 11:14:55 -0800 X-DKIM: Sendmail DKIM Filter v0.1.1 foon.sendmail.com jAIJEsMV007213 DKIM-Signature: a=rsa-sha1; c=nowsp; d=sendmail.com; s=tls.dkim; t32341296; h=X-DomainKeys:DomainKey-Signature:In-Reply-To: References:Mime-Version:Content-Type:Message-Id:Cc: Content-Transfer-Encoding:From:Subject:Date:To:X-Mailer: X-ok-sendmail.com; b=g3GZf2Dj9RK6sVY8E1XvQmIGKEdAsozz8EdaGCDwozqE6e 3XW3evnuuRtV9hbDBRx+/l2ZBk9kiLp25HV0eriG2/zpiAV5HN1zPOyCoq6epwjD2X3 InUGOJ1JrksbCpW1Dx2SUH+8SHPh0N2ChAJ2sUq9Y/zYeAf7t/cVJ2L9+kX-DomainKeys: Sendmail DomainKeys Filter v0.3.0 foon.sendmail.com jAIJEsMV007213 DomainKey-Signature: a=rsa-sha1; s=tls; d=sendmail.com; c=nofws; q=dns; h=in-reply-to:references:mime-version:content-type:message-id:cc: content-transfer-encoding:from:subject:date:to:x-mailer:x-ok-sendmail.com; b=CibQhxUFeWnt/zQbhp20kPpLwsLVGpnNqQoRMkUmLmt4TY1zaDThfAnE8xHLdCb8n niXYCS0GtxPEsPDfaOMT6JRtb4P3vLI7ukgoUN9j/XEJ9m+hcrogpN0r/x4x1M2jaQA T5rctA41gmLsxtyamfkTmRCKNvLksg4YXqUxnzkIn-Reply-To: <p06230909bfa3d6fe650c@[128.89.89.106]> References: <002d01c5ebc4$1f97da10$0301a8c0@Wylie> <758F81C7-D4EE-4790-A8F1-3EC21CF845AE@sendmail.com> <01c101c5ec3d$f322c6f0$0644a8c0@cp.ru> <p06230909bfa3d6fe650c@[128.89.89.106]> Mime-Version: 1.0 (Apple Message framework v746.2) Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed Message-Id: <E6107B08-5C6B-4B49-8166-E9852298E311@sendmail.com> Cc: "Gregory S. Chudov" <chudov@cryptopro.ru>, <ietf-pkix@vpnc.org>, <lse@cryptopro.ru>, "Sean Turner" <turners@ieca.com>, <sdb@dol.ru> Content-Transfer-Encoding: 7bit From: Blake Ramsdell <blake@sendmail.com> Subject: Re: WG LAST CALL: draft-ietf-smime-gost-05.txt Date: Fri, 18 Nov 2005 11:14:54 -0800 To: Stephen Kent <kent@bbn.com> X-Mailer: Apple Mail (2.746.2) X-ok-sendmail.com: Yes Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> On Nov 18, 2005, at 11:09 AM, Stephen Kent wrote: > Sorry. What I meant to say in my previous message was that I > requested that a fresh (vs. expired) copy of the I-D in question be > posted, so that we could initiate last call in PKIX. Please you > provide a URL for that copy. Just to make sure we're talking about the same document -- I'm talking about draft-ietf-pkix-gost-cppk-03 https://datatracker.ietf.org/public/idindex.cgi? command=id_detail&id620 http://www.ietf.org/internet-drafts/draft-ietf-pkix-gost-cppk-03.txt Which points to a draft submitted on 9/9 and expires March, 2006. The draft announcement to the PKIX list is here: http://www.imc.org/ietf-pkix/mail-archive/msg02783.html Blake -- Blake Ramsdell | Sendmail, Inc. | http://www.sendmail.com Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jAIJA6p7036309; Fri, 18 Nov 2005 11:10:06 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jAIJA6QE036308; Fri, 18 Nov 2005 11:10:06 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from aragorn.bbn.com (aragorn.bbn.com [128.33.0.62]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jAIJA56A036284 for <ietf-pkix@vpnc.org>; Fri, 18 Nov 2005 11:10:06 -0800 (PST) (envelope-from kent@bbn.com) Received: from [128.89.89.106] (dhcp89-089-106.bbn.com [128.89.89.106]) by aragorn.bbn.com (8.12.7/8.12.7) with ESMTP id jAIJ9OIG018491; Fri, 18 Nov 2005 14:09:32 -0500 (EST) Mime-Version: 1.0 Message-Id: <p06230909bfa3d6fe650c@[128.89.89.106]> In-Reply-To: <01c101c5ec3d$f322c6f0$0644a8c0@cp.ru> References: <002d01c5ebc4$1f97da10$0301a8c0@Wylie> <758F81C7-D4EE-4790-A8F1-3EC21CF845AE@sendmail.com> <01c101c5ec3d$f322c6f0$0644a8c0@cp.ru> Date: Fri, 18 Nov 2005 14:09:50 -0500 To: "Gregory S. Chudov" <chudov@cryptopro.ru> From: Stephen Kent <kent@bbn.com> Subject: Re: WG LAST CALL: draft-ietf-smime-gost-05.txt Cc: <ietf-pkix@vpnc.org>, "Blake Ramsdell" <blake@sendmail.com>, <lse@cryptopro.ru>, "Sean Turner" <turners@ieca.com>, <sdb@dol.ru> Content-Type: text/plain; charset="us-ascii" ; format="flowed" X-Virus-Scanned: ClamAV version 0.83, clamav-milter version 0.83 on 128.33.1.41 X-Virus-Status: Clean Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> >Greetings. > >We are ready for last call on gost-cppk too. > Sorry. What I meant to say in my previous message was that I requested that a fresh (vs. expired) copy of the I-D in question be posted, so that we could initiate last call in PKIX. Please you provide a URL for that copy. Thanks, Steve Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jAIGnOf5023523; Fri, 18 Nov 2005 08:49:24 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jAIGnOoS023522; Fri, 18 Nov 2005 08:49:24 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from aragorn.bbn.com (aragorn.bbn.com [128.33.0.62]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jAIGnId3023511 for <ietf-pkix@vpnc.org>; Fri, 18 Nov 2005 08:49:23 -0800 (PST) (envelope-from kent@bbn.com) Received: from [128.89.89.106] (dhcp89-089-106.bbn.com [128.89.89.106]) by aragorn.bbn.com (8.12.7/8.12.7) with ESMTP id jAIGlxIC009709; Fri, 18 Nov 2005 11:47:59 -0500 (EST) Mime-Version: 1.0 Message-Id: <p06230905bfa3b1f3b695@[128.89.89.106]> In-Reply-To: <01c101c5ec3d$f322c6f0$0644a8c0@cp.ru> References: <002d01c5ebc4$1f97da10$0301a8c0@Wylie> <758F81C7-D4EE-4790-A8F1-3EC21CF845AE@sendmail.com> <01c101c5ec3d$f322c6f0$0644a8c0@cp.ru> Date: Fri, 18 Nov 2005 11:48:25 -0500 To: "Gregory S. Chudov" <chudov@cryptopro.ru> From: Stephen Kent <kent@bbn.com> Subject: Re: WG LAST CALL: draft-ietf-smime-gost-05.txt Cc: <ietf-smime@imc.org>, <ietf-pkix@vpnc.org>, "Blake Ramsdell" <blake@sendmail.com>, <lse@cryptopro.ru>, "Sean Turner" <turners@ieca.com>, <sdb@dol.ru> Content-Type: text/plain; charset="us-ascii" ; format="flowed" X-Virus-Scanned: ClamAV version 0.83, clamav-milter version 0.83 on 128.33.1.41 X-Virus-Status: Clean Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> At 3:45 PM +0300 11/18/05, Gregory S. Chudov wrote: >Greetings. > >We are ready for last call on gost-cppk too. > I sent a message Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jAIGOfqf021793; Fri, 18 Nov 2005 08:24:41 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jAIGOfPX021792; Fri, 18 Nov 2005 08:24:41 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from p-mail1.rd.francetelecom.com (p-mail1.rd.francetelecom.com [195.101.245.15]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jAIGOeMg021784 for <ietf-pkix@imc.org>; Fri, 18 Nov 2005 08:24:40 -0800 (PST) (envelope-from david.lefranc@silicomp.com) Received: from ftrdmel10.rd.francetelecom.fr ([10.193.117.156]) by ftrdsmtp1.rd.francetelecom.fr with Microsoft SMTPSVC(6.0.3790.211); Fri, 18 Nov 2005 17:24:38 +0100 Received: from [10.193.203.220] ([10.193.203.220]) by ftrdmel10.rd.francetelecom.fr with Microsoft SMTPSVC(6.0.3790.211); Fri, 18 Nov 2005 17:24:38 +0100 Message-ID: <437E0045.2060908@silicomp.com> Date: Fri, 18 Nov 2005 17:24:37 +0100 From: David Lefranc <david.lefranc@silicomp.com> User-Agent: Mozilla Thunderbird 0.8 (Windows/20040913) X-Accept-Language: en-us, en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Certificates and Blind Signatures Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-OriginalArrivalTime: 18 Nov 2005 16:24:38.0330 (UTC) FILETIME=[922A01A0:01C5EC5C] Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Hi, I would like to use a blind RSA signature algorithm, and I am currently analyzing the best way to use X509 certificates : I need to precise that the public key will be used with such an algorithm. The easiest solution would be to create a new algorithmIdentifier identifying the Blind RSA signature algorithm so that I could use it in the field subjectPublicKeyInfo. However, since blind RSA signature and classical signature algorithms are quite similar, I think a better solution would be the following : 1. Keep the algorithmIdentifier for the classical RSA signature algorithm in the field subjectPublicKeyInfo. 2. Do not use the Key Usage extension. 3. Use the Extended Key Usage extension, set it as "non critical", and create a new KeyPurposeId for "blind signature", (and also eventually precise DigitalSignature and NonRepudiation). With this second solution, the system for blind RSA signatures that I develop SHOULD require such certificates, and the certificates could also be used in a classical way outside my system to perform classical RSA signatures. Does it seem reasonable? David Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jAIChCST096280; Fri, 18 Nov 2005 04:43:12 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jAIChCCB096279; Fri, 18 Nov 2005 04:43:12 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from mx2.cryptopro.ru (mx2.cryptopro.ru [213.59.158.218]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jAIChAxa096268 for <ietf-pkix@vpnc.org>; Fri, 18 Nov 2005 04:43:11 -0800 (PST) (envelope-from chudov@cryptopro.ru) Received: from fandra2k ([192.168.68.6]) by mx2.cryptopro.ru with Microsoft SMTPSVC(6.0.3790.1830); Fri, 18 Nov 2005 15:45:26 +0300 Message-ID: <01c101c5ec3d$f322c6f0$0644a8c0@cp.ru> From: "Gregory S. Chudov" <chudov@cryptopro.ru> To: <ietf-smime@imc.org>, <ietf-pkix@vpnc.org> Cc: "Blake Ramsdell" <blake@sendmail.com>, <lse@cryptopro.ru>, "Sean Turner" <turners@ieca.com>, <sdb@dol.ru> References: <002d01c5ebc4$1f97da10$0301a8c0@Wylie> <758F81C7-D4EE-4790-A8F1-3EC21CF845AE@sendmail.com> Subject: Re: WG LAST CALL: draft-ietf-smime-gost-05.txt Date: Fri, 18 Nov 2005 15:45:26 +0300 MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset="ISO-8859-1"; reply-type=response Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.3790.1830 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830 X-OriginalArrivalTime: 18 Nov 2005 12:45:26.0640 (UTC) FILETIME=[F3255F00:01C5EC3D] Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Greetings. We are ready for last call on gost-cppk too. ----- Original Message ----- From: "Blake Ramsdell" <blake@sendmail.com> To: <lse@CryptoPro.ru>; "Sean Turner" <turners@ieca.com>; <sdb@dol.ru> Cc: <ietf-smime@imc.org> Sent: Friday, November 18, 2005 2:04 AM Subject: Re: WG LAST CALL: draft-ietf-smime-gost-05.txt > > On Nov 17, 2005, at 2:13 PM, Turner, Sean P. wrote: >> PS there is a companion GOST documents in PKIX >> (http://ietf.org/internet-drafts/draft-ietf-pkix-gost-cppk-03.txt) >> and in >> RFC editor's queue >> (ftp://ftp.isi.edu/internet-drafts/draft-popov-cryptopro- >> cpalgs-04.txt). > > Are we going to run into another CMC / symkeydist situation here? > That is, is gost-cppk going to get stuck for any reason in PKIX? I > note that the last draft revision is 9/9/05 and I did not see > anything to indicate that there is active discussion about this draft > on the PKIX list. > > Just firing a warning shot that cppk is a normative reference that > will need to progress through PKIX before gost-05 can complete. > Authors -- can you give a quick status update about this? > > cpalgs looks pretty frictionless -- no missing normative references, > and in the editor's queue. > > Blake > -- > Blake Ramsdell | Sendmail, Inc. | http://www.sendmail.com > > Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jAF05OF7061905; Mon, 14 Nov 2005 16:05:24 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jAF05Ojc061904; Mon, 14 Nov 2005 16:05:24 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from mailhub1.dartmouth.edu (mailhub1.dartmouth.edu [129.170.16.122]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jAF05NGI061894 for <ietf-pkix@imc.org>; Mon, 14 Nov 2005 16:05:24 -0800 (PST) (envelope-from Massimiliano.Pala@Dartmouth.EDU) Received: from [129.170.212.213] (dhcp-212-213.cs.dartmouth.edu [129.170.212.213]) by mailhub1.dartmouth.edu (8.13.5/DND2.0/8.13.5) with ESMTP id jAF05HAT018383 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits%6 verify=OK) for <ietf-pkix@imc.org>; Mon, 14 Nov 2005 19:05:19 -0500 Message-ID: <43792660.7050804@Dartmouth.EDU> Date: Mon, 14 Nov 2005 19:05:52 -0500 From: Massimiliano Pala <Massimiliano.Pala@dartmouth.edu> Organization: Dartmouth College User-Agent: Mozilla Thunderbird 1.0.7 (X11/20050923) X-Accept-Language: en-us, en MIME-Version: 1.0 To: pkix <ietf-pkix@imc.org> Subject: Re: RFC-3280 [Subject Information Access] References: <OF32691DE4.FDC5A83A-ON852570B6.006F6075-852570B7.0073B4A3@us.ibm.com> <4376728C.8090007@Dartmouth.EDU> <7.0.0.10.2.20051113185657.05faa4e0@vigilsec.com> <4378DCBE.5080302@Dartmouth.EDU> <4378F4C0.8000000@nist.gov> In-Reply-To: <4378F4C0.8000000@nist.gov> Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms090706050508090406040208" X-MailScanner: Found to be clean by mailhub.Dartmouth.EDU X-MailScanner-From: massimiliano.pala@dartmouth.edu Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This is a cryptographically signed message in MIME format. --------------ms090706050508090406040208 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit David A. Cooper wrote: > Massimiliano, > > At the moment, there is no way to accomplish what you are trying to do > in general. :-( > I should begin by pointing out that the text that you quoted from RFC > 3280 has been changed in 3280bis so that it no longer mentions CRLs: > > The id-ad-caRepository OID is used when the subject is a CA, and > publishes certificates it issues in a repository. The accessLocation > field is defined as a GeneralName, which can take several forms. So in 3280bis this will not provide a generalized pointer to certs AND CRLs but only to certs repositories, right ? > If a CA issues full CRLs then what you are trying to accomplish may be > possible. If the CA makes its certificates and CRLs available in a [...] > certificates could not be updated to add these new segments. Is there any chance we can define a `SubjectRevocationAccess' extension that will point to revocation informations provided by the Subject of the certificate it appears in ? Is a bad idea ? Could it be added to the 3280bis ? Thanks to all for any comment/support! -- Best Regards, Massimiliano Pala --o------------------------------------------------------------------------ Massimiliano Pala [OpenCA Project Manager] pala@cs.dartmouth.edu project.manager@openca.org Dartmouth Computer Science Dept Home Phone: +1 (603) 397-3883 PKI/Trust - Office 062 Work Phone: +1 (603) 646-9226 --o------------------------------------------------------------------------ --------------ms090706050508090406040208 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIJIjCC BI0wggN1oAMCAQICAhpTMA0GCSqGSIb3DQEBBQUAMHcxEzARBgoJkiaJk/IsZAEZFgNlZHUx GTAXBgoJkiaJk/IsZAEZFglkYXJ0bW91dGgxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFEYXJ0 bW91dGggQ29sbGVnZTEcMBoGA1UEAxMTRGFydG1vdXRoIENlcnRBdXRoMTAeFw0wNTExMDgy MDMzMDZaFw0wOTExMDkyMDMzMDZaMIHBMRMwEQYKCZImiZPyLGQBGRYDZWR1MRkwFwYKCZIm iZPyLGQBGRYJZGFydG1vdXRoMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRRGFydG1vdXRoIENv bGxlZ2UxGjAYBgoJkiaJk/IsZAEBEwoxMjI1NjAyOTQ3MRowGAYDVQQDExFNYXNzaW1pbGlh bm8gUGFsYTEuMCwGCSqGSIb3DQEJARYfTWFzc2ltaWxpYW5vLlBhbGFARGFydG1vdXRoLmVk dTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsv8obBpbhPixgdyIJj7UN0GYRNhsgWHB muCE5j8v8IvCSJWRF9spKoR0NBYgOfJu8DwQuKTIgrvbp0EC3ikrneotL4KTGD1IqWz/bSXL UR/bZAsc0r9PrvCUsZOi7wbijy784gOuqQUCJ2fJwKwk5SJ3RBaPnUROQXTp+LPSK8MCAwEA AaOCAVowggFWMA4GA1UdDwEB/wQEAwIF4DARBglghkgBhvhCAQEEBAMCBaAwgaIGA1UdIASB mjCBlzCBlAYKKwYBBAFBAgEBATCBhTA9BggrBgEFBQcCAjAxMBgWEURhcnRtb3V0aCBDb2xs ZWdlMAMCAQEaFURhcnRtb3V0aCBDb2xsZWdlIENQUzBEBggrBgEFBQcCARY4aHR0cDovL3d3 dy5kYXJ0bW91dGguZWR1L35wa2lsYWIvRGFydG1vdXRoQ1BTXzRTZXAwMy5wZGYwKgYDVR0R BCMwIYEfTWFzc2ltaWxpYW5vLlBhbGFARGFydG1vdXRoLmVkdTAfBgNVHSMEGDAWgBQ/wNbH p08Afu8GmWdsvJYeTaN3EjA/BggrBgEFBQcBAQQzMDEwLwYIKwYBBQUHMAGGI2h0dHA6Ly9j b2xsZWdlY2EuZGFydG1vdXRoLmVkdS9vY3NwMA0GCSqGSIb3DQEBBQUAA4IBAQDEYIWmG3Ht wcgFiBbrYKp7YpI62hgAw9I3Dj9Ai+etQcMDZL8cWg3Kd7DwYHDkLxO7jl518HIJCk8Elk+Z 3Y2c0rR+c9WLuxE+EHEUmQg2AbgxzRGZAeMXj7jrv5w75IWiXBrW3SdDkjVH6MQFZVP1CBk7 PF3/+dzmiO6E5g4cVtphPSdK2qtnX7Sh0zdePzeE+e0BTnsWdN0yHgKabKx3dCiEnQXt96sA Jf5ckg7fFLcplohwWlWJCpk8WwnJM0QGw3xbrZvLk+kIQgyh0sn2va4FgA1ae29cJ1d2NurA Z+LMdei9/ZbzBeMoD9XPSYyj7zLuVXGLF/JQQoPywk5oMIIEjTCCA3WgAwIBAgICGlMwDQYJ KoZIhvcNAQEFBQAwdzETMBEGCgmSJomT8ixkARkWA2VkdTEZMBcGCgmSJomT8ixkARkWCWRh cnRtb3V0aDELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEURhcnRtb3V0aCBDb2xsZWdlMRwwGgYD VQQDExNEYXJ0bW91dGggQ2VydEF1dGgxMB4XDTA1MTEwODIwMzMwNloXDTA5MTEwOTIwMzMw NlowgcExEzARBgoJkiaJk/IsZAEZFgNlZHUxGTAXBgoJkiaJk/IsZAEZFglkYXJ0bW91dGgx CzAJBgNVBAYTAlVTMRowGAYDVQQKExFEYXJ0bW91dGggQ29sbGVnZTEaMBgGCgmSJomT8ixk AQETCjEyMjU2MDI5NDcxGjAYBgNVBAMTEU1hc3NpbWlsaWFubyBQYWxhMS4wLAYJKoZIhvcN AQkBFh9NYXNzaW1pbGlhbm8uUGFsYUBEYXJ0bW91dGguZWR1MIGfMA0GCSqGSIb3DQEBAQUA A4GNADCBiQKBgQCy/yhsGluE+LGB3IgmPtQ3QZhE2GyBYcGa4ITmPy/wi8JIlZEX2ykqhHQ0 FiA58m7wPBC4pMiCu9unQQLeKSud6i0vgpMYPUipbP9tJctRH9tkCxzSv0+u8JSxk6LvBuKP LvziA66pBQInZ8nArCTlIndEFo+dRE5BdOn4s9IrwwIDAQABo4IBWjCCAVYwDgYDVR0PAQH/ BAQDAgXgMBEGCWCGSAGG+EIBAQQEAwIFoDCBogYDVR0gBIGaMIGXMIGUBgorBgEEAUECAQEB MIGFMD0GCCsGAQUFBwICMDEwGBYRRGFydG1vdXRoIENvbGxlZ2UwAwIBARoVRGFydG1vdXRo IENvbGxlZ2UgQ1BTMEQGCCsGAQUFBwIBFjhodHRwOi8vd3d3LmRhcnRtb3V0aC5lZHUvfnBr aWxhYi9EYXJ0bW91dGhDUFNfNFNlcDAzLnBkZjAqBgNVHREEIzAhgR9NYXNzaW1pbGlhbm8u UGFsYUBEYXJ0bW91dGguZWR1MB8GA1UdIwQYMBaAFD/A1senTwB+7waZZ2y8lh5No3cSMD8G CCsGAQUFBwEBBDMwMTAvBggrBgEFBQcwAYYjaHR0cDovL2NvbGxlZ2VjYS5kYXJ0bW91dGgu ZWR1L29jc3AwDQYJKoZIhvcNAQEFBQADggEBAMRghaYbce3ByAWIFutgqntikjraGADD0jcO P0CL561BwwNkvxxaDcp3sPBgcOQvE7uOXnXwcgkKTwSWT5ndjZzStH5z1Yu7ET4QcRSZCDYB uDHNEZkB4xePuOu/nDvkhaJcGtbdJ0OSNUfoxAVlU/UIGTs8Xf/53OaI7oTmDhxW2mE9J0ra q2dftKHTN14/N4T57QFOexZ03TIeAppsrHd0KISdBe33qwAl/lySDt8UtymWiHBaVYkKmTxb CckzRAbDfFutm8uT6QhCDKHSyfa9rgWADVp7b1wnV3Y26sBn4sx16L39lvMF4ygP1c9JjKPv Mu5VcYsX8lBCg/LCTmgxggL4MIIC9AIBATB9MHcxEzARBgoJkiaJk/IsZAEZFgNlZHUxGTAX BgoJkiaJk/IsZAEZFglkYXJ0bW91dGgxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFEYXJ0bW91 dGggQ29sbGVnZTEcMBoGA1UEAxMTRGFydG1vdXRoIENlcnRBdXRoMQICGlMwCQYFKw4DAhoF AKCCAdEwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDUxMTE1 MDAwNTUyWjAjBgkqhkiG9w0BCQQxFgQUqz2IMZzTIcBxAeaOiGGy0mdzZIYwUgYJKoZIhvcN AQkPMUUwQzAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYF Kw4DAgcwDQYIKoZIhvcNAwICASgwgYwGCSsGAQQBgjcQBDF/MH0wdzETMBEGCgmSJomT8ixk ARkWA2VkdTEZMBcGCgmSJomT8ixkARkWCWRhcnRtb3V0aDELMAkGA1UEBhMCVVMxGjAYBgNV BAoTEURhcnRtb3V0aCBDb2xsZWdlMRwwGgYDVQQDExNEYXJ0bW91dGggQ2VydEF1dGgxAgIa UzCBjgYLKoZIhvcNAQkQAgsxf6B9MHcxEzARBgoJkiaJk/IsZAEZFgNlZHUxGTAXBgoJkiaJ k/IsZAEZFglkYXJ0bW91dGgxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFEYXJ0bW91dGggQ29s bGVnZTEcMBoGA1UEAxMTRGFydG1vdXRoIENlcnRBdXRoMQICGlMwDQYJKoZIhvcNAQEBBQAE gYCbgc5gINjXwvThvuUyllLPvZ44cthg+crGW2TIXp1ze5QyXcsMpMcdFIzhEC1K+FQYJi40 zkmUytjpmrJi6JuK7m+MlALiYTZa+y8S1auWRc1ichd6W8YRiPfFJ/bRH7+yJyxJdVwH5YcG ETXO4AFKSfSaG+olH+OdLCSnsmTymAAAAAAAAA= --------------ms090706050508090406040208-- Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jAENvWjN060888; Mon, 14 Nov 2005 15:57:32 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jAENvWwa060887; Mon, 14 Nov 2005 15:57:32 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from mailhub1.dartmouth.edu (mailhub1.dartmouth.edu [129.170.16.122]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jAENvUc8060880 for <ietf-pkix@imc.org>; Mon, 14 Nov 2005 15:57:31 -0800 (PST) (envelope-from Massimiliano.Pala@Dartmouth.EDU) Received: from [129.170.212.213] (dhcp-212-213.cs.dartmouth.edu [129.170.212.213]) by mailhub1.dartmouth.edu (8.13.5/DND2.0/8.13.5) with ESMTP id jAENvPl5017403 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits%6 verify=OK) for <ietf-pkix@imc.org>; Mon, 14 Nov 2005 18:57:27 -0500 Message-ID: <43792483.6040704@Dartmouth.EDU> Date: Mon, 14 Nov 2005 18:57:55 -0500 From: Massimiliano Pala <Massimiliano.Pala@Dartmouth.EDU> Organization: Dartmouth College User-Agent: Mozilla Thunderbird 1.0.7 (X11/20050923) X-Accept-Language: en-us, en MIME-Version: 1.0 To: pkix <ietf-pkix@imc.org> Subject: Re: RFC-3280 [Subject Information Access] References: <OF32691DE4.FDC5A83A-ON852570B6.006F6075-852570B7.0073B4A3@us.ibm.com> <4376728C.8090007@Dartmouth.EDU> <7.0.0.10.2.20051113185657.05faa4e0@vigilsec.com> <4378DCBE.5080302@Dartmouth.EDU> <7.0.0.10.2.20051114141325.064921b0@vigilsec.com> In-Reply-To: <7.0.0.10.2.20051114141325.064921b0@vigilsec.com> Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms000800070606020107080508" X-MailScanner: Found to be clean by mailhub.Dartmouth.EDU X-MailScanner-From: massimiliano.pala@dartmouth.edu Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This is a cryptographically signed message in MIME format. --------------ms000800070606020107080508 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Russ Housley wrote: > SIA could be used to provide the pointer that you seek, but I do not > think that anyone uses it that way. In fact, I suspect that a document That was my original point, but I do agree no one is actually using it in this way... > would need to be written to tell people how to do it in an interoperable > way. If you want to pursue that, you would need to write an > internet-draft and convince the PKIX WG that it wants to adopt it as a > work item. Now the next step is to understand if this could be useful in real environments or not... well, obviously I think so, but I would like to have other opinions about this. Thanks for the answer! -- Best Regards, Massimiliano Pala --o------------------------------------------------------------------------ Massimiliano Pala [OpenCA Project Manager] pala@cs.dartmouth.edu project.manager@openca.org Dartmouth Computer Science Dept Home Phone: +1 (603) 397-3883 PKI/Trust - Office 062 Work Phone: +1 (603) 646-9226 --o------------------------------------------------------------------------ --------------ms000800070606020107080508 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIJIjCC BI0wggN1oAMCAQICAhpTMA0GCSqGSIb3DQEBBQUAMHcxEzARBgoJkiaJk/IsZAEZFgNlZHUx GTAXBgoJkiaJk/IsZAEZFglkYXJ0bW91dGgxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFEYXJ0 bW91dGggQ29sbGVnZTEcMBoGA1UEAxMTRGFydG1vdXRoIENlcnRBdXRoMTAeFw0wNTExMDgy MDMzMDZaFw0wOTExMDkyMDMzMDZaMIHBMRMwEQYKCZImiZPyLGQBGRYDZWR1MRkwFwYKCZIm iZPyLGQBGRYJZGFydG1vdXRoMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRRGFydG1vdXRoIENv bGxlZ2UxGjAYBgoJkiaJk/IsZAEBEwoxMjI1NjAyOTQ3MRowGAYDVQQDExFNYXNzaW1pbGlh bm8gUGFsYTEuMCwGCSqGSIb3DQEJARYfTWFzc2ltaWxpYW5vLlBhbGFARGFydG1vdXRoLmVk dTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsv8obBpbhPixgdyIJj7UN0GYRNhsgWHB muCE5j8v8IvCSJWRF9spKoR0NBYgOfJu8DwQuKTIgrvbp0EC3ikrneotL4KTGD1IqWz/bSXL UR/bZAsc0r9PrvCUsZOi7wbijy784gOuqQUCJ2fJwKwk5SJ3RBaPnUROQXTp+LPSK8MCAwEA AaOCAVowggFWMA4GA1UdDwEB/wQEAwIF4DARBglghkgBhvhCAQEEBAMCBaAwgaIGA1UdIASB mjCBlzCBlAYKKwYBBAFBAgEBATCBhTA9BggrBgEFBQcCAjAxMBgWEURhcnRtb3V0aCBDb2xs ZWdlMAMCAQEaFURhcnRtb3V0aCBDb2xsZWdlIENQUzBEBggrBgEFBQcCARY4aHR0cDovL3d3 dy5kYXJ0bW91dGguZWR1L35wa2lsYWIvRGFydG1vdXRoQ1BTXzRTZXAwMy5wZGYwKgYDVR0R BCMwIYEfTWFzc2ltaWxpYW5vLlBhbGFARGFydG1vdXRoLmVkdTAfBgNVHSMEGDAWgBQ/wNbH p08Afu8GmWdsvJYeTaN3EjA/BggrBgEFBQcBAQQzMDEwLwYIKwYBBQUHMAGGI2h0dHA6Ly9j b2xsZWdlY2EuZGFydG1vdXRoLmVkdS9vY3NwMA0GCSqGSIb3DQEBBQUAA4IBAQDEYIWmG3Ht wcgFiBbrYKp7YpI62hgAw9I3Dj9Ai+etQcMDZL8cWg3Kd7DwYHDkLxO7jl518HIJCk8Elk+Z 3Y2c0rR+c9WLuxE+EHEUmQg2AbgxzRGZAeMXj7jrv5w75IWiXBrW3SdDkjVH6MQFZVP1CBk7 PF3/+dzmiO6E5g4cVtphPSdK2qtnX7Sh0zdePzeE+e0BTnsWdN0yHgKabKx3dCiEnQXt96sA Jf5ckg7fFLcplohwWlWJCpk8WwnJM0QGw3xbrZvLk+kIQgyh0sn2va4FgA1ae29cJ1d2NurA Z+LMdei9/ZbzBeMoD9XPSYyj7zLuVXGLF/JQQoPywk5oMIIEjTCCA3WgAwIBAgICGlMwDQYJ KoZIhvcNAQEFBQAwdzETMBEGCgmSJomT8ixkARkWA2VkdTEZMBcGCgmSJomT8ixkARkWCWRh cnRtb3V0aDELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEURhcnRtb3V0aCBDb2xsZWdlMRwwGgYD VQQDExNEYXJ0bW91dGggQ2VydEF1dGgxMB4XDTA1MTEwODIwMzMwNloXDTA5MTEwOTIwMzMw NlowgcExEzARBgoJkiaJk/IsZAEZFgNlZHUxGTAXBgoJkiaJk/IsZAEZFglkYXJ0bW91dGgx CzAJBgNVBAYTAlVTMRowGAYDVQQKExFEYXJ0bW91dGggQ29sbGVnZTEaMBgGCgmSJomT8ixk AQETCjEyMjU2MDI5NDcxGjAYBgNVBAMTEU1hc3NpbWlsaWFubyBQYWxhMS4wLAYJKoZIhvcN AQkBFh9NYXNzaW1pbGlhbm8uUGFsYUBEYXJ0bW91dGguZWR1MIGfMA0GCSqGSIb3DQEBAQUA A4GNADCBiQKBgQCy/yhsGluE+LGB3IgmPtQ3QZhE2GyBYcGa4ITmPy/wi8JIlZEX2ykqhHQ0 FiA58m7wPBC4pMiCu9unQQLeKSud6i0vgpMYPUipbP9tJctRH9tkCxzSv0+u8JSxk6LvBuKP LvziA66pBQInZ8nArCTlIndEFo+dRE5BdOn4s9IrwwIDAQABo4IBWjCCAVYwDgYDVR0PAQH/ BAQDAgXgMBEGCWCGSAGG+EIBAQQEAwIFoDCBogYDVR0gBIGaMIGXMIGUBgorBgEEAUECAQEB MIGFMD0GCCsGAQUFBwICMDEwGBYRRGFydG1vdXRoIENvbGxlZ2UwAwIBARoVRGFydG1vdXRo IENvbGxlZ2UgQ1BTMEQGCCsGAQUFBwIBFjhodHRwOi8vd3d3LmRhcnRtb3V0aC5lZHUvfnBr aWxhYi9EYXJ0bW91dGhDUFNfNFNlcDAzLnBkZjAqBgNVHREEIzAhgR9NYXNzaW1pbGlhbm8u UGFsYUBEYXJ0bW91dGguZWR1MB8GA1UdIwQYMBaAFD/A1senTwB+7waZZ2y8lh5No3cSMD8G CCsGAQUFBwEBBDMwMTAvBggrBgEFBQcwAYYjaHR0cDovL2NvbGxlZ2VjYS5kYXJ0bW91dGgu ZWR1L29jc3AwDQYJKoZIhvcNAQEFBQADggEBAMRghaYbce3ByAWIFutgqntikjraGADD0jcO P0CL561BwwNkvxxaDcp3sPBgcOQvE7uOXnXwcgkKTwSWT5ndjZzStH5z1Yu7ET4QcRSZCDYB uDHNEZkB4xePuOu/nDvkhaJcGtbdJ0OSNUfoxAVlU/UIGTs8Xf/53OaI7oTmDhxW2mE9J0ra q2dftKHTN14/N4T57QFOexZ03TIeAppsrHd0KISdBe33qwAl/lySDt8UtymWiHBaVYkKmTxb CckzRAbDfFutm8uT6QhCDKHSyfa9rgWADVp7b1wnV3Y26sBn4sx16L39lvMF4ygP1c9JjKPv Mu5VcYsX8lBCg/LCTmgxggL4MIIC9AIBATB9MHcxEzARBgoJkiaJk/IsZAEZFgNlZHUxGTAX BgoJkiaJk/IsZAEZFglkYXJ0bW91dGgxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFEYXJ0bW91 dGggQ29sbGVnZTEcMBoGA1UEAxMTRGFydG1vdXRoIENlcnRBdXRoMQICGlMwCQYFKw4DAhoF AKCCAdEwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDUxMTE0 MjM1NzU1WjAjBgkqhkiG9w0BCQQxFgQUlO3CIcC7V6k0gys/B81+fUJOoiQwUgYJKoZIhvcN AQkPMUUwQzAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYF Kw4DAgcwDQYIKoZIhvcNAwICASgwgYwGCSsGAQQBgjcQBDF/MH0wdzETMBEGCgmSJomT8ixk ARkWA2VkdTEZMBcGCgmSJomT8ixkARkWCWRhcnRtb3V0aDELMAkGA1UEBhMCVVMxGjAYBgNV BAoTEURhcnRtb3V0aCBDb2xsZWdlMRwwGgYDVQQDExNEYXJ0bW91dGggQ2VydEF1dGgxAgIa UzCBjgYLKoZIhvcNAQkQAgsxf6B9MHcxEzARBgoJkiaJk/IsZAEZFgNlZHUxGTAXBgoJkiaJ k/IsZAEZFglkYXJ0bW91dGgxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFEYXJ0bW91dGggQ29s bGVnZTEcMBoGA1UEAxMTRGFydG1vdXRoIENlcnRBdXRoMQICGlMwDQYJKoZIhvcNAQEBBQAE gYAQS61tO0loQw2xnaeTsUZm8GS4+3m67bZSiVw23jlTTKkhFs3YgIJbAWzdO34wDw4Wxnqc 5s9nBVsOnakHiPWIMpKJiLz+R+8JTVO+Y1RRPVh7bJncsJnqS7a5ZSjN8Q773jAlPCffimJn +c0gv5ZKPOHlThZDfhpD34pXELjsRwAAAAAAAA= --------------ms000800070606020107080508-- Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jAEML8PV047679; Mon, 14 Nov 2005 14:21:08 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jAEML8rD047678; Mon, 14 Nov 2005 14:21:08 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from host15.websitesource.com (host15.websitesource.com [209.239.32.38]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jAEML7qn047672 for <ietf-pkix@imc.org>; Mon, 14 Nov 2005 14:21:08 -0800 (PST) (envelope-from chokhani@orionsec.com) Received: from wchokhani3 (static-70-21-114-242.res.east.verizon.net [70.21.114.242]) by host15.websitesource.com (8.12.10/8.12.10) with ESMTP id jAEML5wp015456 for <ietf-pkix@imc.org>; Mon, 14 Nov 2005 17:21:07 -0500 From: "Santosh Chokhani" <chokhani@orionsec.com> To: "'pkix'" <ietf-pkix@imc.org> Subject: RE: RFC-3280 [Subject Information Access] Date: Mon, 14 Nov 2005 17:20:59 -0500 Message-ID: <018701c5e969$b459d070$9a00a8c0@hq.orionsec.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.6626 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 In-Reply-To: <7.0.0.10.2.20051114141325.064921b0@vigilsec.com> Importance: Normal Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id jAEML8qn047673 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> There are several issues like this for CA -- OCSP Responder communication that are not covered by 2560 and could stand some guidance or standardization in a new I-D or revision of 2560. -----Original Message----- From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Russ Housley Sent: Monday, November 14, 2005 2:16 PM To: Massimiliano Pala Cc: pkix Subject: Re: RFC-3280 [Subject Information Access] SIA could be used to provide the pointer that you seek, but I do not think that anyone uses it that way. In fact, I suspect that a document would need to be written to tell people how to do it in an interoperable way. If you want to pursue that, you would need to write an internet-draft and convince the PKIX WG that it wants to adopt it as a work item. Russ At 01:51 PM 11/14/2005, Massimiliano Pala wrote: >Hi Russ, > >thank for the answer, but probably due to my bad english I was not >really clear... my situation is this: > >- I have an OCSP server and I want it to be able to "auto" configure the > downloading of CRLs, provided some pointer is given in the CA cert for > its own certs, this is: > > * I have only CA2 cert > > * I want to access CRLs issued by CA2 > > * No other info is given to the server besides the CA2 cert > >The question is if there are extensions/methods to do that without >having to access at least one certificate issued by CA2 (where the CDP >will provide the pointer I need). > >My guess is that SubjectInformationAccess could be used, but its >definition is quite broad and I was looking for something more >specific... easy for the developers... > >Russ Housley wrote: >>Massimiliano: >> >>>Now I am confused... sorry I did not get your question. Let me >>>explain by using an example: >>> >>> rootCA -> CA1 -> CA2 -> UserCert >[...] >>If each of these certificates contains a CRL DP, then you do not >>need any further information. >>CA2 -> UserCert: The CRL DP in this certificate will provide a >>pointer to the CRL issued by CA2 that will include an entry for >>UserCert if it is revoked. >>CA1 -> CA2: The CRL DP in this certificate will provide a pointer >>to the CRL issued by CA1 that will include an entry for CA2 if it is revoked. >>rootCA -> CA1: The CRL DP in this certificate will provide a >>pointer to the CRL issued by rootCA that will include an entry for >>CA1 if it is revoked. > >-- > >Best Regards, > > Massimiliano Pala > >--o------------------------------------------------------------------------ >Massimiliano Pala [OpenCA Project Manager] pala@cs.dartmouth.edu > >project.manager@openca.org > >Dartmouth Computer Science Dept Tel.: +1 (603) 397-3883 >PKI/Trust >--o-------------------------------------------------------------------- >---- Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jAEKYHsm020394; Mon, 14 Nov 2005 12:34:17 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jAEKYHPd020393; Mon, 14 Nov 2005 12:34:17 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from smtp.nist.gov (rimp2.nist.gov [129.6.16.227]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jAEKYGfq020382 for <ietf-pkix@imc.org>; Mon, 14 Nov 2005 12:34:17 -0800 (PST) (envelope-from david.cooper@nist.gov) Received: from postmark.nist.gov (pushme.nist.gov [129.6.16.92]) by smtp.nist.gov (8.13.1/8.13.1) with ESMTP id jAEKY5ai019101; Mon, 14 Nov 2005 15:34:06 -0500 Received: from [129.6.54.72] (st26.ncsl.nist.gov [129.6.54.72]) by postmark.nist.gov (8.12.5/8.12.5) with ESMTP id jAEKXcG3019811; Mon, 14 Nov 2005 15:33:38 -0500 (EST) Message-ID: <4378F4C0.8000000@nist.gov> Date: Mon, 14 Nov 2005 15:34:08 -0500 From: "David A. Cooper" <david.cooper@nist.gov> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050416 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Massimiliano Pala <Massimiliano.Pala@Dartmouth.EDU> CC: pkix <ietf-pkix@imc.org> Subject: Re: RFC-3280 [Subject Information Access] References: <OF32691DE4.FDC5A83A-ON852570B6.006F6075-852570B7.0073B4A3@us.ibm.com> <4376728C.8090007@Dartmouth.EDU> <7.0.0.10.2.20051113185657.05faa4e0@vigilsec.com> <4378DCBE.5080302@Dartmouth.EDU> In-Reply-To: <4378DCBE.5080302@Dartmouth.EDU> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-NIST-MailScanner: Found to be clean X-NIST-MailScanner-From: david.cooper@nist.gov Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Massimiliano, At the moment, there is no way to accomplish what you are trying to do in general. I should begin by pointing out that the text that you quoted from RFC 3280 has been changed in 3280bis so that it no longer mentions CRLs: The id-ad-caRepository OID is used when the subject is a CA, and publishes certificates it issues in a repository. The accessLocation field is defined as a GeneralName, which can take several forms. If a CA issues full CRLs then what you are trying to accomplish may be possible. If the CA makes its certificates and CRLs available in a directory and you know the directory and the name of the CA, then you should be able to obtain the CA's CRL if it issues a full CRL (see RFC 2587). If a CA issues full CRLs, but you cannot use this method to find the CRL, then you will need to look at the cRLDistributionPoints extension in one of the certificates issued by the CA to determine where to obtain the CRL. The biggest problem will be if the CA only issues segmented CRLs. In this case looking at a single certificate issued by the CA will not be sufficient, since different certificates will point to different CRL segments. For such a CA it would also not be possible to use some new accessMethod in the subjectInfoAccess extension since the CA may create new CRL segments as it issues certificates and the SIA extensions of certificates could not be updated to add these new segments. Dave Massimiliano Pala wrote: > Hi Russ, > > thank for the answer, but probably due to my bad english I was not really > clear... my situation is this: > > - I have an OCSP server and I want it to be able to "auto" configure the > downloading of CRLs, provided some pointer is given in the CA cert for > its own certs, this is: > > * I have only CA2 cert > > * I want to access CRLs issued by CA2 > > * No other info is given to the server besides the CA2 cert > > The question is if there are extensions/methods to do that without having > to access at least one certificate issued by CA2 (where the CDP will > provide > the pointer I need). > > My guess is that SubjectInformationAccess could be used, but its > definition > is quite broad and I was looking for something more specific... easy > for the > developers... Massimiliano Pala wrote: > Hi all, > > Is there a way for a CA to specify its own (not its issuer's) CRL > distribution point in its certificate ? > > I am asking this because the only way I found so far is by using > the Subject Information Access with id-ad-caRepository as accessMethod. > The problem is that its definition is too broad, therefore the URI I > can put in there could address a CRL or Certs repository or other > services. > > From the RFC-3280 (pp 47): > > << The id-ad-caRepository OID is used when the subject is a CA, and > publishes its certificates and CRLs (if issued) in a repository. The > accessLocation field is defined as a GeneralName, which can take > several forms. >> > > While the accessLocation is quite simple to deal with, we should have > different accessMethod ids at least for CRLs and Certificates > repositories. > > In other words, is there a method to access the CRLs of a CA from the > CA's > certificate only ? > > Am I missing something here ? > Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jAEJuBPB012650; Mon, 14 Nov 2005 11:56:11 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jAEJuBw0012649; Mon, 14 Nov 2005 11:56:11 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from woodstock.binhost.com (woodstock.binhost.com [144.202.243.4]) by above.proper.com (8.12.11/8.12.9) with SMTP id jAEJuBRV012641 for <ietf-pkix@imc.org>; Mon, 14 Nov 2005 11:56:11 -0800 (PST) (envelope-from housley@vigilsec.com) Received: (qmail 24418 invoked by uid 0); 14 Nov 2005 19:55:56 -0000 Received: from unknown (HELO Russ-Laptop.vigilsec.com) (209.82.80.118) by woodstock.binhost.com with SMTP; 14 Nov 2005 19:55:56 -0000 Message-Id: <7.0.0.10.2.20051114141325.064921b0@vigilsec.com> X-Mailer: QUALCOMM Windows Eudora Version 7.0.0.10 (Beta) Date: Mon, 14 Nov 2005 14:16:24 -0500 To: Massimiliano Pala <Massimiliano.Pala@Dartmouth.EDU> From: Russ Housley <housley@vigilsec.com> Subject: Re: RFC-3280 [Subject Information Access] Cc: pkix <ietf-pkix@imc.org> In-Reply-To: <4378DCBE.5080302@Dartmouth.EDU> References: <OF32691DE4.FDC5A83A-ON852570B6.006F6075-852570B7.0073B4A3@us.ibm.com> <4376728C.8090007@Dartmouth.EDU> <7.0.0.10.2.20051113185657.05faa4e0@vigilsec.com> <4378DCBE.5080302@Dartmouth.EDU> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> SIA could be used to provide the pointer that you seek, but I do not think that anyone uses it that way. In fact, I suspect that a document would need to be written to tell people how to do it in an interoperable way. If you want to pursue that, you would need to write an internet-draft and convince the PKIX WG that it wants to adopt it as a work item. Russ At 01:51 PM 11/14/2005, Massimiliano Pala wrote: >Hi Russ, > >thank for the answer, but probably due to my bad english I was not really >clear... my situation is this: > >- I have an OCSP server and I want it to be able to "auto" configure the > downloading of CRLs, provided some pointer is given in the CA cert for > its own certs, this is: > > * I have only CA2 cert > > * I want to access CRLs issued by CA2 > > * No other info is given to the server besides the CA2 cert > >The question is if there are extensions/methods to do that without having >to access at least one certificate issued by CA2 (where the CDP will provide >the pointer I need). > >My guess is that SubjectInformationAccess could be used, but its definition >is quite broad and I was looking for something more specific... easy for the >developers... > >Russ Housley wrote: >>Massimiliano: >> >>>Now I am confused... sorry I did not get your question. Let me explain by >>>using an example: >>> >>> rootCA -> CA1 -> CA2 -> UserCert >[...] >>If each of these certificates contains a CRL DP, then you do not >>need any further information. >>CA2 -> UserCert: The CRL DP in this certificate will provide a >>pointer to the CRL issued by CA2 that will include an entry for >>UserCert if it is revoked. >>CA1 -> CA2: The CRL DP in this certificate will provide a pointer >>to the CRL issued by CA1 that will include an entry for CA2 if it is revoked. >>rootCA -> CA1: The CRL DP in this certificate will provide a >>pointer to the CRL issued by rootCA that will include an entry for >>CA1 if it is revoked. > >-- > >Best Regards, > > Massimiliano Pala > >--o------------------------------------------------------------------------ >Massimiliano Pala [OpenCA Project Manager] pala@cs.dartmouth.edu > project.manager@openca.org > >Dartmouth Computer Science Dept Tel.: +1 (603) 397-3883 >PKI/Trust >--o------------------------------------------------------------------------ Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jAEIpFO3098448; Mon, 14 Nov 2005 10:51:15 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jAEIpF9E098447; Mon, 14 Nov 2005 10:51:15 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from mailhub1.dartmouth.edu (mailhub1.dartmouth.edu [129.170.16.122]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jAEIpEew098441 for <ietf-pkix@imc.org>; Mon, 14 Nov 2005 10:51:15 -0800 (PST) (envelope-from Massimiliano.Pala@Dartmouth.EDU) Received: from [129.170.212.213] (dhcp-212-213.cs.dartmouth.edu [129.170.212.213]) by mailhub1.dartmouth.edu (8.13.5/DND2.0/8.13.5) with ESMTP id jAEIp9n8029997 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits%6 verify=OK); Mon, 14 Nov 2005 13:51:10 -0500 Message-ID: <4378DCBE.5080302@Dartmouth.EDU> Date: Mon, 14 Nov 2005 13:51:42 -0500 From: Massimiliano Pala <Massimiliano.Pala@Dartmouth.EDU> Organization: Dartmouth College User-Agent: Mozilla Thunderbird 1.0.7 (X11/20050923) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Russ Housley <housley@vigilsec.com> CC: pkix <ietf-pkix@imc.org> Subject: Re: RFC-3280 [Subject Information Access] References: <OF32691DE4.FDC5A83A-ON852570B6.006F6075-852570B7.0073B4A3@us.ibm.com> <4376728C.8090007@Dartmouth.EDU> <7.0.0.10.2.20051113185657.05faa4e0@vigilsec.com> In-Reply-To: <7.0.0.10.2.20051113185657.05faa4e0@vigilsec.com> Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms000607020907050505030602" X-MailScanner: Found to be clean by mailhub.Dartmouth.EDU X-MailScanner-From: massimiliano.pala@dartmouth.edu Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This is a cryptographically signed message in MIME format. --------------ms000607020907050505030602 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Hi Russ, thank for the answer, but probably due to my bad english I was not really clear... my situation is this: - I have an OCSP server and I want it to be able to "auto" configure the downloading of CRLs, provided some pointer is given in the CA cert for its own certs, this is: * I have only CA2 cert * I want to access CRLs issued by CA2 * No other info is given to the server besides the CA2 cert The question is if there are extensions/methods to do that without having to access at least one certificate issued by CA2 (where the CDP will provide the pointer I need). My guess is that SubjectInformationAccess could be used, but its definition is quite broad and I was looking for something more specific... easy for the developers... Russ Housley wrote: > > Massimiliano: > >> Now I am confused... sorry I did not get your question. Let me explain by >> using an example: >> >> rootCA -> CA1 -> CA2 -> UserCert [...] > If each of these certificates contains a CRL DP, then you do not need > any further information. > > CA2 -> UserCert: The CRL DP in this certificate will provide a pointer > to the CRL issued by CA2 that will include an entry for UserCert if it > is revoked. > > CA1 -> CA2: The CRL DP in this certificate will provide a pointer to > the CRL issued by CA1 that will include an entry for CA2 if it is revoked. > > rootCA -> CA1: The CRL DP in this certificate will provide a pointer to > the CRL issued by rootCA that will include an entry for CA1 if it is > revoked. -- Best Regards, Massimiliano Pala --o------------------------------------------------------------------------ Massimiliano Pala [OpenCA Project Manager] pala@cs.dartmouth.edu project.manager@openca.org Dartmouth Computer Science Dept Tel.: +1 (603) 397-3883 PKI/Trust --o------------------------------------------------------------------------ --------------ms000607020907050505030602 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIJIjCC BI0wggN1oAMCAQICAhpTMA0GCSqGSIb3DQEBBQUAMHcxEzARBgoJkiaJk/IsZAEZFgNlZHUx GTAXBgoJkiaJk/IsZAEZFglkYXJ0bW91dGgxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFEYXJ0 bW91dGggQ29sbGVnZTEcMBoGA1UEAxMTRGFydG1vdXRoIENlcnRBdXRoMTAeFw0wNTExMDgy MDMzMDZaFw0wOTExMDkyMDMzMDZaMIHBMRMwEQYKCZImiZPyLGQBGRYDZWR1MRkwFwYKCZIm iZPyLGQBGRYJZGFydG1vdXRoMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRRGFydG1vdXRoIENv bGxlZ2UxGjAYBgoJkiaJk/IsZAEBEwoxMjI1NjAyOTQ3MRowGAYDVQQDExFNYXNzaW1pbGlh bm8gUGFsYTEuMCwGCSqGSIb3DQEJARYfTWFzc2ltaWxpYW5vLlBhbGFARGFydG1vdXRoLmVk dTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsv8obBpbhPixgdyIJj7UN0GYRNhsgWHB muCE5j8v8IvCSJWRF9spKoR0NBYgOfJu8DwQuKTIgrvbp0EC3ikrneotL4KTGD1IqWz/bSXL UR/bZAsc0r9PrvCUsZOi7wbijy784gOuqQUCJ2fJwKwk5SJ3RBaPnUROQXTp+LPSK8MCAwEA AaOCAVowggFWMA4GA1UdDwEB/wQEAwIF4DARBglghkgBhvhCAQEEBAMCBaAwgaIGA1UdIASB mjCBlzCBlAYKKwYBBAFBAgEBATCBhTA9BggrBgEFBQcCAjAxMBgWEURhcnRtb3V0aCBDb2xs ZWdlMAMCAQEaFURhcnRtb3V0aCBDb2xsZWdlIENQUzBEBggrBgEFBQcCARY4aHR0cDovL3d3 dy5kYXJ0bW91dGguZWR1L35wa2lsYWIvRGFydG1vdXRoQ1BTXzRTZXAwMy5wZGYwKgYDVR0R BCMwIYEfTWFzc2ltaWxpYW5vLlBhbGFARGFydG1vdXRoLmVkdTAfBgNVHSMEGDAWgBQ/wNbH p08Afu8GmWdsvJYeTaN3EjA/BggrBgEFBQcBAQQzMDEwLwYIKwYBBQUHMAGGI2h0dHA6Ly9j b2xsZWdlY2EuZGFydG1vdXRoLmVkdS9vY3NwMA0GCSqGSIb3DQEBBQUAA4IBAQDEYIWmG3Ht wcgFiBbrYKp7YpI62hgAw9I3Dj9Ai+etQcMDZL8cWg3Kd7DwYHDkLxO7jl518HIJCk8Elk+Z 3Y2c0rR+c9WLuxE+EHEUmQg2AbgxzRGZAeMXj7jrv5w75IWiXBrW3SdDkjVH6MQFZVP1CBk7 PF3/+dzmiO6E5g4cVtphPSdK2qtnX7Sh0zdePzeE+e0BTnsWdN0yHgKabKx3dCiEnQXt96sA Jf5ckg7fFLcplohwWlWJCpk8WwnJM0QGw3xbrZvLk+kIQgyh0sn2va4FgA1ae29cJ1d2NurA Z+LMdei9/ZbzBeMoD9XPSYyj7zLuVXGLF/JQQoPywk5oMIIEjTCCA3WgAwIBAgICGlMwDQYJ KoZIhvcNAQEFBQAwdzETMBEGCgmSJomT8ixkARkWA2VkdTEZMBcGCgmSJomT8ixkARkWCWRh cnRtb3V0aDELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEURhcnRtb3V0aCBDb2xsZWdlMRwwGgYD VQQDExNEYXJ0bW91dGggQ2VydEF1dGgxMB4XDTA1MTEwODIwMzMwNloXDTA5MTEwOTIwMzMw NlowgcExEzARBgoJkiaJk/IsZAEZFgNlZHUxGTAXBgoJkiaJk/IsZAEZFglkYXJ0bW91dGgx CzAJBgNVBAYTAlVTMRowGAYDVQQKExFEYXJ0bW91dGggQ29sbGVnZTEaMBgGCgmSJomT8ixk AQETCjEyMjU2MDI5NDcxGjAYBgNVBAMTEU1hc3NpbWlsaWFubyBQYWxhMS4wLAYJKoZIhvcN AQkBFh9NYXNzaW1pbGlhbm8uUGFsYUBEYXJ0bW91dGguZWR1MIGfMA0GCSqGSIb3DQEBAQUA A4GNADCBiQKBgQCy/yhsGluE+LGB3IgmPtQ3QZhE2GyBYcGa4ITmPy/wi8JIlZEX2ykqhHQ0 FiA58m7wPBC4pMiCu9unQQLeKSud6i0vgpMYPUipbP9tJctRH9tkCxzSv0+u8JSxk6LvBuKP LvziA66pBQInZ8nArCTlIndEFo+dRE5BdOn4s9IrwwIDAQABo4IBWjCCAVYwDgYDVR0PAQH/ BAQDAgXgMBEGCWCGSAGG+EIBAQQEAwIFoDCBogYDVR0gBIGaMIGXMIGUBgorBgEEAUECAQEB MIGFMD0GCCsGAQUFBwICMDEwGBYRRGFydG1vdXRoIENvbGxlZ2UwAwIBARoVRGFydG1vdXRo IENvbGxlZ2UgQ1BTMEQGCCsGAQUFBwIBFjhodHRwOi8vd3d3LmRhcnRtb3V0aC5lZHUvfnBr aWxhYi9EYXJ0bW91dGhDUFNfNFNlcDAzLnBkZjAqBgNVHREEIzAhgR9NYXNzaW1pbGlhbm8u UGFsYUBEYXJ0bW91dGguZWR1MB8GA1UdIwQYMBaAFD/A1senTwB+7waZZ2y8lh5No3cSMD8G CCsGAQUFBwEBBDMwMTAvBggrBgEFBQcwAYYjaHR0cDovL2NvbGxlZ2VjYS5kYXJ0bW91dGgu ZWR1L29jc3AwDQYJKoZIhvcNAQEFBQADggEBAMRghaYbce3ByAWIFutgqntikjraGADD0jcO P0CL561BwwNkvxxaDcp3sPBgcOQvE7uOXnXwcgkKTwSWT5ndjZzStH5z1Yu7ET4QcRSZCDYB uDHNEZkB4xePuOu/nDvkhaJcGtbdJ0OSNUfoxAVlU/UIGTs8Xf/53OaI7oTmDhxW2mE9J0ra q2dftKHTN14/N4T57QFOexZ03TIeAppsrHd0KISdBe33qwAl/lySDt8UtymWiHBaVYkKmTxb CckzRAbDfFutm8uT6QhCDKHSyfa9rgWADVp7b1wnV3Y26sBn4sx16L39lvMF4ygP1c9JjKPv Mu5VcYsX8lBCg/LCTmgxggL4MIIC9AIBATB9MHcxEzARBgoJkiaJk/IsZAEZFgNlZHUxGTAX BgoJkiaJk/IsZAEZFglkYXJ0bW91dGgxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFEYXJ0bW91 dGggQ29sbGVnZTEcMBoGA1UEAxMTRGFydG1vdXRoIENlcnRBdXRoMQICGlMwCQYFKw4DAhoF AKCCAdEwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDUxMTE0 MTg1MTQyWjAjBgkqhkiG9w0BCQQxFgQUwixaRWizQi0oVQnb11xxMBBAeIcwUgYJKoZIhvcN AQkPMUUwQzAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYF Kw4DAgcwDQYIKoZIhvcNAwICASgwgYwGCSsGAQQBgjcQBDF/MH0wdzETMBEGCgmSJomT8ixk ARkWA2VkdTEZMBcGCgmSJomT8ixkARkWCWRhcnRtb3V0aDELMAkGA1UEBhMCVVMxGjAYBgNV BAoTEURhcnRtb3V0aCBDb2xsZWdlMRwwGgYDVQQDExNEYXJ0bW91dGggQ2VydEF1dGgxAgIa UzCBjgYLKoZIhvcNAQkQAgsxf6B9MHcxEzARBgoJkiaJk/IsZAEZFgNlZHUxGTAXBgoJkiaJ k/IsZAEZFglkYXJ0bW91dGgxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFEYXJ0bW91dGggQ29s bGVnZTEcMBoGA1UEAxMTRGFydG1vdXRoIENlcnRBdXRoMQICGlMwDQYJKoZIhvcNAQEBBQAE gYA8Wr1+++oRR+CyIU3ZxM1i9Pa0XDydOzhC+0B3uyt6I1+sWxpglTGaCvlkwhJrQBBiiZP2 UCSLBR+8MkVwIo424zgPRyzuLXeGbNryQFuqdHgtHpOJT4emwyy/XBjp2qyok2VaMOU9+o2w Nm9X6BFTY/SmJNGysSgw9y2rh47glwAAAAAAAA= --------------ms000607020907050505030602-- Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jAE05Xt9023541; Sun, 13 Nov 2005 16:05:33 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jAE05XCm023540; Sun, 13 Nov 2005 16:05:33 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from woodstock.binhost.com (woodstock.binhost.com [144.202.243.4]) by above.proper.com (8.12.11/8.12.9) with SMTP id jAE05WlU023522 for <ietf-pkix@imc.org>; Sun, 13 Nov 2005 16:05:32 -0800 (PST) (envelope-from housley@vigilsec.com) Received: (qmail 1184 invoked by uid 0); 14 Nov 2005 00:05:19 -0000 Received: from unknown (HELO Russ-Laptop.vigilsec.com) (216.123.155.194) by woodstock.binhost.com with SMTP; 14 Nov 2005 00:05:19 -0000 Message-Id: <7.0.0.10.2.20051113185657.05faa4e0@vigilsec.com> X-Mailer: QUALCOMM Windows Eudora Version 7.0.0.10 (Beta) Date: Sun, 13 Nov 2005 19:05:25 -0500 To: Massimiliano Pala <Massimiliano.Pala@Dartmouth.EDU>, pkix <ietf-pkix@imc.org> From: Russ Housley <housley@vigilsec.com> Subject: Re: RFC-3280 [Subject Information Access] In-Reply-To: <4376728C.8090007@Dartmouth.EDU> References: <OF32691DE4.FDC5A83A-ON852570B6.006F6075-852570B7.0073B4A3@us.ibm.com> <4376728C.8090007@Dartmouth.EDU> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Massimiliano: >Now I am confused... sorry I did not get your question. Let me explain by >using an example: > > rootCA -> CA1 -> CA2 -> UserCert Since you do not say anything about indirect CRLs, I'll assume that it has nothing to do with your question. My response ignores indirect CRLs. If each of these certificates contains a CRL DP, then you do not need any further information. CA2 -> UserCert: The CRL DP in this certificate will provide a pointer to the CRL issued by CA2 that will include an entry for UserCert if it is revoked. CA1 -> CA2: The CRL DP in this certificate will provide a pointer to the CRL issued by CA1 that will include an entry for CA2 if it is revoked. rootCA -> CA1: The CRL DP in this certificate will provide a pointer to the CRL issued by rootCA that will include an entry for CA1 if it is revoked. Russ Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jAD1ed8h068664; Sat, 12 Nov 2005 17:40:39 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jAD1edgC068663; Sat, 12 Nov 2005 17:40:39 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from host15.websitesource.com (host15.websitesource.com [209.239.32.38]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jAD1ecCQ068656 for <ietf-pkix@imc.org>; Sat, 12 Nov 2005 17:40:39 -0800 (PST) (envelope-from chokhani@orionsec.com) Received: from wchokhani3 (pcp09271453pcs.arlngt01.va.comcast.net [69.143.129.49]) by host15.websitesource.com (8.12.10/8.12.10) with ESMTP id jAD1ebwp030677 for <ietf-pkix@imc.org>; Sat, 12 Nov 2005 20:40:38 -0500 From: "Santosh Chokhani" <chokhani@orionsec.com> To: <ietf-pkix@imc.org> Subject: RE: RFC-3280 [Subject Information Access] Date: Sat, 12 Nov 2005 20:40:29 -0500 Message-ID: <008d01c5e7f3$3dd42670$aa02a8c0@hq.orionsec.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.6626 Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 In-Reply-To: <OF32691DE4.FDC5A83A-ON852570B6.006F6075-852570B7.0073B4A3@us.ibm.com> Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Tom, See responses in-line under [Santosh:] -----Original Message----- From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Tom Gindin Sent: Saturday, November 12, 2005 4:05 PM To: Santosh Chokhani Cc: ietf-pkix@imc.org Subject: RE: RFC-3280 [Subject Information Access] Santosh, Massimiliano: I'm confused by the way in which one would enable "a CA to specify its own (not its issuer's) CRL distribution point in its certificate". [Santosh: A CRL DP in a certificate will point to location(s) from which revocation information for that certificate can be obtained.] Does this mean the distribution point covering the CA (which should already be in the certificate issued to this CA) or a distribution point containing a CRL created by the CA (which gets put into the CRL DP of a certificate it creates)? [Santosh: Again, a CRL DP in certificate points to CRL that covers the status of the certificate.] And does it go into a certificate issued to the CA by another CA (in which case it can't be specified in this way), a certificate issued by the CA to somebody else (the purpose for which CRL DP's were designed, unless it's a CRL covering the CA), or a rollover self-issued certificate? [Santosh: I am not sure what you are saying above. But, a CRL DP in a certificate will point to location(s) from which revocation information for that certificate can be obtained.] A relying party certainly needs to have revocation information for an intermediate CA, and that's normally found in the intermediate CA's certificate. [Santosh; Amen] I suppose that if an intermediate CA has a certificate from which it's hard to find the CRL (e.g. a certificate with no distribution point address or with only a DN as specification) a pointer from each certificate it issues could be useful. However, this would naturally go into the AIA extension (since it references information about the issuer of the certificate) rather than into SIA, and it would have to be of lower precedence than an AIA or DP in the issuer certificate itself since the CA MUST not be able to override a revocation of its certificate. Is permitting a CA to do this really a good idea, and if so is it worthwhile? [Santosh: You can always define new extensions or add fields and options to existing extensions. But, that is not there. You should talk with the 3280bis editors if you want to have a capability in SIA or AIA to point to CRL.] Tom Gindin "Santosh Chokhani" <chokhani@orionsec.com> Sent by: owner-ietf-pkix@mail.imc.org 11/11/2005 07:29 AM To: <ietf-pkix@imc.org> cc: Subject: RE: RFC-3280 [Subject Information Access] And why would you want to do that? Generally, you need revocation information for a certificate and hence CRL DP in the certificate can and should be used to get the revocation data. Why would you want a pointer in Issuing CA certificate? -----Original Message----- From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Massimiliano Pala Sent: Friday, November 11, 2005 12:16 AM To: ietf-pkix@imc.org Subject: RFC-3280 [Subject Information Access] Hi all, Is there a way for a CA to specify its own (not its issuer's) CRL distribution point in its certificate ? I am asking this because the only way I found so far is by using the Subject Information Access with id-ad-caRepository as accessMethod. The problem is that its definition is too broad, therefore the URI I can put in there could address a CRL or Certs repository or other services. From the RFC-3280 (pp 47): << The id-ad-caRepository OID is used when the subject is a CA, and publishes its certificates and CRLs (if issued) in a repository. The accessLocation field is defined as a GeneralName, which can take several forms. >> While the accessLocation is quite simple to deal with, we should have different accessMethod ids at least for CRLs and Certificates repositories. In other words, is there a method to access the CRLs of a CA from the CA's certificate only ? Am I missing something here ? -- Best Regards, Massimiliano Pala --o------------------------------------------------------------------------ Massimiliano Pala [OpenCA Project Manager] massimiliano.pala@polito.it Tel.: +39 (0)11 564 7081 http://security.polito.it Fax: +39 178 270 2077 Mobile: +39 (0)347 7222 365 Politecnico di Torino (EuroPKI) Certification Authority Informations: Authority Access Point http://ca.polito.it Authority's Certificate: http://ca.polito.it/ca_cert/en_index.html Certificate Revocation List: http://ca.polito.it/crl02/crl.crl --o------------------------------------------------------------------------ Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jACMrcWv032229; Sat, 12 Nov 2005 14:53:38 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jACMrcGm032227; Sat, 12 Nov 2005 14:53:38 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from mailhub1.dartmouth.edu (mailhub1.dartmouth.edu [129.170.16.122]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jACMrbRR032215 for <ietf-pkix@imc.org>; Sat, 12 Nov 2005 14:53:37 -0800 (PST) (envelope-from Massimiliano.Pala@Dartmouth.EDU) Received: from [129.170.212.213] (dhcp-212-213.cs.dartmouth.edu [129.170.212.213]) by mailhub1.dartmouth.edu (8.13.5/DND2.0/8.13.5) with ESMTP id jACMrV9P000605 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits%6 verify=OK); Sat, 12 Nov 2005 17:53:32 -0500 Message-ID: <4376728C.8090007@Dartmouth.EDU> Date: Sat, 12 Nov 2005 17:54:04 -0500 From: Massimiliano Pala <Massimiliano.Pala@Dartmouth.EDU> Organization: Dartmouth College User-Agent: Mozilla Thunderbird 1.0.7 (X11/20050923) X-Accept-Language: en-us, en MIME-Version: 1.0 To: pkix <ietf-pkix@imc.org> CC: Tom Gindin <tgindin@us.ibm.com> Subject: Re: RFC-3280 [Subject Information Access] References: <OF32691DE4.FDC5A83A-ON852570B6.006F6075-852570B7.0073B4A3@us.ibm.com> In-Reply-To: <OF32691DE4.FDC5A83A-ON852570B6.006F6075-852570B7.0073B4A3@us.ibm.com> Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms080608000000000609030908" X-MailScanner: Found to be clean by mailhub.Dartmouth.EDU X-MailScanner-From: massimiliano.pala@dartmouth.edu Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This is a cryptographically signed message in MIME format. --------------ms080608000000000609030908 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Tom Gindin wrote: > Santosh, Massimiliano: > > I'm confused by the way in which one would enable "a CA to specify > its own (not its issuer's) CRL distribution point in its certificate". > Does this mean the distribution point covering the CA (which should > already be in the certificate issued to this CA) or a distribution point > containing a CRL created by the CA (which gets put into the CRL DP of a > certificate it creates)? And does it go into a certificate issued to the > CA by another CA (in which case it can't be specified in this way), a > certificate issued by the CA to somebody else (the purpose for which CRL > DP's were designed, unless it's a CRL covering the CA), or a rollover > self-issued certificate? Now I am confused... sorry I did not get your question. Let me explain by using an example: rootCA -> CA1 -> CA2 -> UserCert In this case the CRL Distribution Point extension will carry pointers to: * If in the user cert -> to the CRL issued by CA2 * If in the CA2 cert -> to the CRL issued by CA1 * If in the rootCA cert -> to the CRL issued by the issuer of rootCA, which is equivalent to the subject, therefor (this is my guess) you can put there the pointer to the CRL issued by rootCA My problem is: how do I find the CRL issued by CA2 without having to retrieve a UserCert (or a cert issued by CA2) ? I guess there is no way to do such a thing at the moment... am I wrong ? > A relying party certainly needs to have revocation information for > an intermediate CA, and that's normally found in the intermediate CA's > certificate. I suppose that if an intermediate CA has a certificate from > which it's hard to find the CRL (e.g. a certificate with no distribution > point address or with only a DN as specification) a pointer from each > certificate it issues could be useful. However, this would naturally go > into the AIA extension (since it references information about the issuer > of the certificate) rather than into SIA, and it would have to be of lower Indeed, my point was : how to search for a CRL issued by CA1 provided you only have CA1 cert ? This should go into SIA, not AIA... > precedence than an AIA or DP in the issuer certificate itself since the CA > MUST not be able to override a revocation of its certificate. Is > permitting a CA to do this really a good idea, and if so is it worthwhile? No, probably there is a misunderstanding here. What I was proposing was not to change AIA or CDP contents, instead to provide a specific extension to point to CRLs issued by the "current" CA cert (not by its issuer). This has a different purpose than searching for revocation information for the "current" certificate; I want a pointer to revocation information provided by the "current" certificate... I hope I clarified a bit what I was really asking... :-D Let me know, -- Best Regards, Massimiliano Pala --o------------------------------------------------------------------------ Massimiliano Pala [OpenCA Project Manager] pala@cs.dartmouth.edu project.manager@openca.org Dartmouth Computer Science Dept Home Phone: +1 (603) 397-3883 PKI/Trust - Office 062 (Sudikoff) Office Phone: +1 (603) 646-9226 --o------------------------------------------------------------------------ --------------ms080608000000000609030908 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIJIjCC BI0wggN1oAMCAQICAhpTMA0GCSqGSIb3DQEBBQUAMHcxEzARBgoJkiaJk/IsZAEZFgNlZHUx GTAXBgoJkiaJk/IsZAEZFglkYXJ0bW91dGgxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFEYXJ0 bW91dGggQ29sbGVnZTEcMBoGA1UEAxMTRGFydG1vdXRoIENlcnRBdXRoMTAeFw0wNTExMDgy MDMzMDZaFw0wOTExMDkyMDMzMDZaMIHBMRMwEQYKCZImiZPyLGQBGRYDZWR1MRkwFwYKCZIm iZPyLGQBGRYJZGFydG1vdXRoMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRRGFydG1vdXRoIENv bGxlZ2UxGjAYBgoJkiaJk/IsZAEBEwoxMjI1NjAyOTQ3MRowGAYDVQQDExFNYXNzaW1pbGlh bm8gUGFsYTEuMCwGCSqGSIb3DQEJARYfTWFzc2ltaWxpYW5vLlBhbGFARGFydG1vdXRoLmVk dTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsv8obBpbhPixgdyIJj7UN0GYRNhsgWHB muCE5j8v8IvCSJWRF9spKoR0NBYgOfJu8DwQuKTIgrvbp0EC3ikrneotL4KTGD1IqWz/bSXL UR/bZAsc0r9PrvCUsZOi7wbijy784gOuqQUCJ2fJwKwk5SJ3RBaPnUROQXTp+LPSK8MCAwEA AaOCAVowggFWMA4GA1UdDwEB/wQEAwIF4DARBglghkgBhvhCAQEEBAMCBaAwgaIGA1UdIASB mjCBlzCBlAYKKwYBBAFBAgEBATCBhTA9BggrBgEFBQcCAjAxMBgWEURhcnRtb3V0aCBDb2xs ZWdlMAMCAQEaFURhcnRtb3V0aCBDb2xsZWdlIENQUzBEBggrBgEFBQcCARY4aHR0cDovL3d3 dy5kYXJ0bW91dGguZWR1L35wa2lsYWIvRGFydG1vdXRoQ1BTXzRTZXAwMy5wZGYwKgYDVR0R BCMwIYEfTWFzc2ltaWxpYW5vLlBhbGFARGFydG1vdXRoLmVkdTAfBgNVHSMEGDAWgBQ/wNbH p08Afu8GmWdsvJYeTaN3EjA/BggrBgEFBQcBAQQzMDEwLwYIKwYBBQUHMAGGI2h0dHA6Ly9j b2xsZWdlY2EuZGFydG1vdXRoLmVkdS9vY3NwMA0GCSqGSIb3DQEBBQUAA4IBAQDEYIWmG3Ht wcgFiBbrYKp7YpI62hgAw9I3Dj9Ai+etQcMDZL8cWg3Kd7DwYHDkLxO7jl518HIJCk8Elk+Z 3Y2c0rR+c9WLuxE+EHEUmQg2AbgxzRGZAeMXj7jrv5w75IWiXBrW3SdDkjVH6MQFZVP1CBk7 PF3/+dzmiO6E5g4cVtphPSdK2qtnX7Sh0zdePzeE+e0BTnsWdN0yHgKabKx3dCiEnQXt96sA Jf5ckg7fFLcplohwWlWJCpk8WwnJM0QGw3xbrZvLk+kIQgyh0sn2va4FgA1ae29cJ1d2NurA Z+LMdei9/ZbzBeMoD9XPSYyj7zLuVXGLF/JQQoPywk5oMIIEjTCCA3WgAwIBAgICGlMwDQYJ KoZIhvcNAQEFBQAwdzETMBEGCgmSJomT8ixkARkWA2VkdTEZMBcGCgmSJomT8ixkARkWCWRh cnRtb3V0aDELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEURhcnRtb3V0aCBDb2xsZWdlMRwwGgYD VQQDExNEYXJ0bW91dGggQ2VydEF1dGgxMB4XDTA1MTEwODIwMzMwNloXDTA5MTEwOTIwMzMw NlowgcExEzARBgoJkiaJk/IsZAEZFgNlZHUxGTAXBgoJkiaJk/IsZAEZFglkYXJ0bW91dGgx CzAJBgNVBAYTAlVTMRowGAYDVQQKExFEYXJ0bW91dGggQ29sbGVnZTEaMBgGCgmSJomT8ixk AQETCjEyMjU2MDI5NDcxGjAYBgNVBAMTEU1hc3NpbWlsaWFubyBQYWxhMS4wLAYJKoZIhvcN AQkBFh9NYXNzaW1pbGlhbm8uUGFsYUBEYXJ0bW91dGguZWR1MIGfMA0GCSqGSIb3DQEBAQUA A4GNADCBiQKBgQCy/yhsGluE+LGB3IgmPtQ3QZhE2GyBYcGa4ITmPy/wi8JIlZEX2ykqhHQ0 FiA58m7wPBC4pMiCu9unQQLeKSud6i0vgpMYPUipbP9tJctRH9tkCxzSv0+u8JSxk6LvBuKP LvziA66pBQInZ8nArCTlIndEFo+dRE5BdOn4s9IrwwIDAQABo4IBWjCCAVYwDgYDVR0PAQH/ BAQDAgXgMBEGCWCGSAGG+EIBAQQEAwIFoDCBogYDVR0gBIGaMIGXMIGUBgorBgEEAUECAQEB MIGFMD0GCCsGAQUFBwICMDEwGBYRRGFydG1vdXRoIENvbGxlZ2UwAwIBARoVRGFydG1vdXRo IENvbGxlZ2UgQ1BTMEQGCCsGAQUFBwIBFjhodHRwOi8vd3d3LmRhcnRtb3V0aC5lZHUvfnBr aWxhYi9EYXJ0bW91dGhDUFNfNFNlcDAzLnBkZjAqBgNVHREEIzAhgR9NYXNzaW1pbGlhbm8u UGFsYUBEYXJ0bW91dGguZWR1MB8GA1UdIwQYMBaAFD/A1senTwB+7waZZ2y8lh5No3cSMD8G CCsGAQUFBwEBBDMwMTAvBggrBgEFBQcwAYYjaHR0cDovL2NvbGxlZ2VjYS5kYXJ0bW91dGgu ZWR1L29jc3AwDQYJKoZIhvcNAQEFBQADggEBAMRghaYbce3ByAWIFutgqntikjraGADD0jcO P0CL561BwwNkvxxaDcp3sPBgcOQvE7uOXnXwcgkKTwSWT5ndjZzStH5z1Yu7ET4QcRSZCDYB uDHNEZkB4xePuOu/nDvkhaJcGtbdJ0OSNUfoxAVlU/UIGTs8Xf/53OaI7oTmDhxW2mE9J0ra q2dftKHTN14/N4T57QFOexZ03TIeAppsrHd0KISdBe33qwAl/lySDt8UtymWiHBaVYkKmTxb CckzRAbDfFutm8uT6QhCDKHSyfa9rgWADVp7b1wnV3Y26sBn4sx16L39lvMF4ygP1c9JjKPv Mu5VcYsX8lBCg/LCTmgxggL4MIIC9AIBATB9MHcxEzARBgoJkiaJk/IsZAEZFgNlZHUxGTAX BgoJkiaJk/IsZAEZFglkYXJ0bW91dGgxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFEYXJ0bW91 dGggQ29sbGVnZTEcMBoGA1UEAxMTRGFydG1vdXRoIENlcnRBdXRoMQICGlMwCQYFKw4DAhoF AKCCAdEwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDUxMTEy MjI1NDA0WjAjBgkqhkiG9w0BCQQxFgQUvwqfakDeVCxtlXv+caiCDpsCLnEwUgYJKoZIhvcN AQkPMUUwQzAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYF Kw4DAgcwDQYIKoZIhvcNAwICASgwgYwGCSsGAQQBgjcQBDF/MH0wdzETMBEGCgmSJomT8ixk ARkWA2VkdTEZMBcGCgmSJomT8ixkARkWCWRhcnRtb3V0aDELMAkGA1UEBhMCVVMxGjAYBgNV BAoTEURhcnRtb3V0aCBDb2xsZWdlMRwwGgYDVQQDExNEYXJ0bW91dGggQ2VydEF1dGgxAgIa UzCBjgYLKoZIhvcNAQkQAgsxf6B9MHcxEzARBgoJkiaJk/IsZAEZFgNlZHUxGTAXBgoJkiaJ k/IsZAEZFglkYXJ0bW91dGgxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFEYXJ0bW91dGggQ29s bGVnZTEcMBoGA1UEAxMTRGFydG1vdXRoIENlcnRBdXRoMQICGlMwDQYJKoZIhvcNAQEBBQAE gYBGVBwYPn+cld+FmqotUgqP0fw4jwzg7TlxT/pgBLqTA0VhJr24uofu5WI5UqB9wdbfAdh/ zNogXB4RNDLloSEd3xtGtYlcokS9tMpTdzdTgnbYFt57Snh0Kgs+dMANu0za7qMZrYbbj002 P/g5YS2/IyBQyLPd8OQ9jR70cxixxwAAAAAAAA= --------------ms080608000000000609030908-- Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jACL4sHx016855; Sat, 12 Nov 2005 13:04:55 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jACL4sAa016851; Sat, 12 Nov 2005 13:04:54 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from e5.ny.us.ibm.com (e5.ny.us.ibm.com [32.97.182.145]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jACL4reJ016729 for <ietf-pkix@imc.org>; Sat, 12 Nov 2005 13:04:53 -0800 (PST) (envelope-from tgindin@us.ibm.com) Received: from d01relay02.pok.ibm.com (d01relay02.pok.ibm.com [9.56.227.234]) by e5.ny.us.ibm.com (8.12.11/8.12.11) with ESMTP id jACL4imd023293 for <ietf-pkix@imc.org>; Sat, 12 Nov 2005 16:04:44 -0500 Received: from d01av02.pok.ibm.com (d01av02.pok.ibm.com [9.56.224.216]) by d01relay02.pok.ibm.com (8.12.10/NCO/VERS6.7) with ESMTP id jACL4ixb123930 for <ietf-pkix@imc.org>; Sat, 12 Nov 2005 16:04:45 -0500 Received: from d01av02.pok.ibm.com (loopback [127.0.0.1]) by d01av02.pok.ibm.com (8.12.11/8.13.3) with ESMTP id jACL4iLL015475 for <ietf-pkix@imc.org>; Sat, 12 Nov 2005 16:04:44 -0500 Received: from d01ml062.pok.ibm.com (d01ml062.pok.ibm.com [9.56.228.115]) by d01av02.pok.ibm.com (8.12.11/8.12.11) with ESMTP id jACL4iOI015472; Sat, 12 Nov 2005 16:04:44 -0500 In-Reply-To: <003b01c5e6bb$a55374b0$aa02a8c0@hq.orionsec.com> To: "Santosh Chokhani" <chokhani@orionsec.com> Cc: ietf-pkix@imc.org MIME-Version: 1.0 Subject: RE: RFC-3280 [Subject Information Access] X-Mailer: Lotus Notes Release 6.0.2CF1 June 9, 2003 From: Tom Gindin <tgindin@us.ibm.com> Message-ID: <OF32691DE4.FDC5A83A-ON852570B6.006F6075-852570B7.0073B4A3@us.ibm.com> Date: Sat, 12 Nov 2005 16:04:43 -0500 X-MIMETrack: Serialize by Router on D01ML062/01/M/IBM(Release 6.5.4FP2 HF2|November 9, 2005) at 11/12/2005 16:04:43, Serialize complete at 11/12/2005 16:04:43 Content-Type: text/plain; charset="US-ASCII" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Santosh, Massimiliano: I'm confused by the way in which one would enable "a CA to specify its own (not its issuer's) CRL distribution point in its certificate". Does this mean the distribution point covering the CA (which should already be in the certificate issued to this CA) or a distribution point containing a CRL created by the CA (which gets put into the CRL DP of a certificate it creates)? And does it go into a certificate issued to the CA by another CA (in which case it can't be specified in this way), a certificate issued by the CA to somebody else (the purpose for which CRL DP's were designed, unless it's a CRL covering the CA), or a rollover self-issued certificate? A relying party certainly needs to have revocation information for an intermediate CA, and that's normally found in the intermediate CA's certificate. I suppose that if an intermediate CA has a certificate from which it's hard to find the CRL (e.g. a certificate with no distribution point address or with only a DN as specification) a pointer from each certificate it issues could be useful. However, this would naturally go into the AIA extension (since it references information about the issuer of the certificate) rather than into SIA, and it would have to be of lower precedence than an AIA or DP in the issuer certificate itself since the CA MUST not be able to override a revocation of its certificate. Is permitting a CA to do this really a good idea, and if so is it worthwhile? Tom Gindin "Santosh Chokhani" <chokhani@orionsec.com> Sent by: owner-ietf-pkix@mail.imc.org 11/11/2005 07:29 AM To: <ietf-pkix@imc.org> cc: Subject: RE: RFC-3280 [Subject Information Access] And why would you want to do that? Generally, you need revocation information for a certificate and hence CRL DP in the certificate can and should be used to get the revocation data. Why would you want a pointer in Issuing CA certificate? -----Original Message----- From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Massimiliano Pala Sent: Friday, November 11, 2005 12:16 AM To: ietf-pkix@imc.org Subject: RFC-3280 [Subject Information Access] Hi all, Is there a way for a CA to specify its own (not its issuer's) CRL distribution point in its certificate ? I am asking this because the only way I found so far is by using the Subject Information Access with id-ad-caRepository as accessMethod. The problem is that its definition is too broad, therefore the URI I can put in there could address a CRL or Certs repository or other services. From the RFC-3280 (pp 47): << The id-ad-caRepository OID is used when the subject is a CA, and publishes its certificates and CRLs (if issued) in a repository. The accessLocation field is defined as a GeneralName, which can take several forms. >> While the accessLocation is quite simple to deal with, we should have different accessMethod ids at least for CRLs and Certificates repositories. In other words, is there a method to access the CRLs of a CA from the CA's certificate only ? Am I missing something here ? -- Best Regards, Massimiliano Pala --o------------------------------------------------------------------------ Massimiliano Pala [OpenCA Project Manager] massimiliano.pala@polito.it Tel.: +39 (0)11 564 7081 http://security.polito.it Fax: +39 178 270 2077 Mobile: +39 (0)347 7222 365 Politecnico di Torino (EuroPKI) Certification Authority Informations: Authority Access Point http://ca.polito.it Authority's Certificate: http://ca.polito.it/ca_cert/en_index.html Certificate Revocation List: http://ca.polito.it/crl02/crl.crl --o------------------------------------------------------------------------ Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jABCU8oG089214; Fri, 11 Nov 2005 04:30:08 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jABCU8AF089213; Fri, 11 Nov 2005 04:30:08 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from host15.websitesource.com (host15.websitesource.com [209.239.32.38]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jABCU8t1089207 for <ietf-pkix@imc.org>; Fri, 11 Nov 2005 04:30:08 -0800 (PST) (envelope-from chokhani@orionsec.com) Received: from wchokhani3 (pcp09271453pcs.arlngt01.va.comcast.net [69.143.129.49]) by host15.websitesource.com (8.12.10/8.12.10) with ESMTP id jABCU5U0032392 for <ietf-pkix@imc.org>; Fri, 11 Nov 2005 07:30:07 -0500 From: "Santosh Chokhani" <chokhani@orionsec.com> To: <ietf-pkix@imc.org> Subject: RE: RFC-3280 [Subject Information Access] Date: Fri, 11 Nov 2005 07:29:59 -0500 Message-ID: <003b01c5e6bb$a55374b0$aa02a8c0@hq.orionsec.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.6626 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 Importance: Normal In-Reply-To: <43742909.8030707@polito.it> Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id jABCU8t1089208 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> And why would you want to do that? Generally, you need revocation information for a certificate and hence CRL DP in the certificate can and should be used to get the revocation data. Why would you want a pointer in Issuing CA certificate? -----Original Message----- From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Massimiliano Pala Sent: Friday, November 11, 2005 12:16 AM To: ietf-pkix@imc.org Subject: RFC-3280 [Subject Information Access] Hi all, Is there a way for a CA to specify its own (not its issuer's) CRL distribution point in its certificate ? I am asking this because the only way I found so far is by using the Subject Information Access with id-ad-caRepository as accessMethod. The problem is that its definition is too broad, therefore the URI I can put in there could address a CRL or Certs repository or other services. From the RFC-3280 (pp 47): << The id-ad-caRepository OID is used when the subject is a CA, and publishes its certificates and CRLs (if issued) in a repository. The accessLocation field is defined as a GeneralName, which can take several forms. >> While the accessLocation is quite simple to deal with, we should have different accessMethod ids at least for CRLs and Certificates repositories. In other words, is there a method to access the CRLs of a CA from the CA's certificate only ? Am I missing something here ? -- Best Regards, Massimiliano Pala --o------------------------------------------------------------------------ Massimiliano Pala [OpenCA Project Manager] massimiliano.pala@polito.it Tel.: +39 (0)11 564 7081 http://security.polito.it Fax: +39 178 270 2077 Mobile: +39 (0)347 7222 365 Politecnico di Torino (EuroPKI) Certification Authority Informations: Authority Access Point http://ca.polito.it Authority's Certificate: http://ca.polito.it/ca_cert/en_index.html Certificate Revocation List: http://ca.polito.it/crl02/crl.crl --o------------------------------------------------------------------------ Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jAB5FSYm012307; Thu, 10 Nov 2005 21:15:28 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jAB5FSb8012306; Thu, 10 Nov 2005 21:15:28 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from polito.it (anacreon.polito.it [130.192.3.82]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jAB5FPQD012285 for <ietf-pkix@imc.org>; Thu, 10 Nov 2005 21:15:27 -0800 (PST) (envelope-from massimiliano.pala@polito.it) X-AttachExt: p7s X-ExtScanner: Niversoft's FindAttachments (free) Received: from [129.170.210.181] ([129.170.210.181] verified) by polito.it (CommuniGate Pro SMTP 5.0.1) with ESMTPS id 137608 for ietf-pkix@imc.org; Fri, 11 Nov 2005 06:15:23 +0100 Message-ID: <43742909.8030707@polito.it> Date: Fri, 11 Nov 2005 00:15:53 -0500 From: Massimiliano Pala <massimiliano.pala@polito.it> Organization: Politecnico di Torino User-Agent: Mozilla Thunderbird 1.0.7 (X11/20050923) X-Accept-Language: en-us, en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: RFC-3280 [Subject Information Access] References: <200511081852.jA8IqJh8006705@host15.websitesource.com> <4370FE49.2030108@drh-consultancy.demon.co.uk> In-Reply-To: <4370FE49.2030108@drh-consultancy.demon.co.uk> Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms030303090006000509010605" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This is a cryptographically signed message in MIME format. --------------ms030303090006000509010605 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Hi all, Is there a way for a CA to specify its own (not its issuer's) CRL distribution point in its certificate ? I am asking this because the only way I found so far is by using the Subject Information Access with id-ad-caRepository as accessMethod. The problem is that its definition is too broad, therefore the URI I can put in there could address a CRL or Certs repository or other services. From the RFC-3280 (pp 47): << The id-ad-caRepository OID is used when the subject is a CA, and publishes its certificates and CRLs (if issued) in a repository. The accessLocation field is defined as a GeneralName, which can take several forms. >> While the accessLocation is quite simple to deal with, we should have different accessMethod ids at least for CRLs and Certificates repositories. In other words, is there a method to access the CRLs of a CA from the CA's certificate only ? Am I missing something here ? -- Best Regards, Massimiliano Pala --o------------------------------------------------------------------------ Massimiliano Pala [OpenCA Project Manager] massimiliano.pala@polito.it Tel.: +39 (0)11 564 7081 http://security.polito.it Fax: +39 178 270 2077 Mobile: +39 (0)347 7222 365 Politecnico di Torino (EuroPKI) Certification Authority Informations: Authority Access Point http://ca.polito.it Authority's Certificate: http://ca.polito.it/ca_cert/en_index.html Certificate Revocation List: http://ca.polito.it/crl02/crl.crl --o------------------------------------------------------------------------ --------------ms030303090006000509010605 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIU7zCC BIMwggNroAMCAQICAQswDQYJKoZIhvcNAQEFBQAwQTEQMA4GA1UEChMHRXVyb1BLSTEtMCsG A1UEAxMkRXVyb1BLSSBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTAxMTIxMjEw MDAwMFoXDTA2MTIzMTEwMDAwMFowUTELMAkGA1UEBhMCSVQxEDAOBgNVBAoTB0V1cm9QS0kx MDAuBgNVBAMTJ0V1cm9QS0kgSXRhbGlhbiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASIw DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAP7ay1Eyxgv7fW1lpkRT4bljS3Cf7Z5m/KaX pQEsMQfihBXvocVGVqYCTbXl1u+9rbyVV8MtoaZFE2Eb+8tKTA6D2UJpVln2GinHi1Cs+wIV 6Sz55wKaN3tKzGMw3L/H3ADNiYottP//ge3S1P6j0bcGhQ/p/xOGzmALt8CB7KCtn9+VHV8D vcmOqmmQVcymUz9MCN68ZzfLvefAnUzWoIN72fxJDRG8szLj1IYxHOPsoLVID20yGDdyppHt Vr1xUY4rGo5jPCuI79/QxNhQeDyWQo2x2jqM3nVmVXDFRJIms1j7BWpuiEhs0ZJWkaQXd29g mBeZopvMKyAXO3XDDv8CAwEAAaOCAXQwggFwMEwGCWCGSAGG+EIBDQQ/Fj1Jc3N1ZWQgdW5k ZXIgcG9saWN5OgogaHR0cDovL3d3dy5ldXJvcGtpLm9yZy9jYS9yb290L2Nwcy8xLjEvMDgG CCsGAQUFBwEBBCwwKjAoBggrBgEFBQcwAYYcaHR0cDovL29jc3AuZXVyb3BraS5vcmc6ODAy NjA7BgNVHR8ENDAyMDCgLqAshipodHRwOi8vd3d3LmV1cm9wa2kub3JnL2NhL3Jvb3QvY3Js L2NybC5kZXIwTgYDVR0gBEcwRTBDBgorBgEEAakHAQEBMDUwMwYIKwYBBQUHAgEWJ2h0dHA6 Ly93d3cuZXVyb3BraS5vcmcvY2Evcm9vdC9jcHMvMS4xLzAfBgNVHSMEGDAWgBSM3IuxpUqQ 506Icxg8ndVefuSyzTAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIB9jAdBgNVHQ4EFgQUqjwT yUkLXM240yDgxZWXMzNdJBMwDQYJKoZIhvcNAQEFBQADggEBAGuphjJQE0RQ28euKSOZ7Q4b vGgPeO8WgGiUHrpZ6vI2+/knSqqK0AQ7j5+4viGMJgm2x8JnYq9ZYy1i0wFrYIxE/G2fw8cW 1P/8sCNzqTj+SO0/2KpJ0BkvuTSG2r1NTeg6a5r61a4jUqp4upKxuzgu6unsw/+RkU2KzlNm 053JOcsM82dIN3NBr+hZs/0IFiMW1GJB2P7225WWDF01OtQcmLYspoiffUPy2g+g4FD5IxHF HKvCG1b9zHmfJoaDn5y+kQQpHs/ZIZeUyNe9ULifu3GgGQKp9sj6bpbGfjW3LAhhG6Ldhf8+ Azi6vNmzQwCbegU26NFazErhLS5qDXQwggU+MIIEJqADAgECAgIBaDANBgkqhkiG9w0BAQUF ADBRMQswCQYDVQQGEwJJVDEQMA4GA1UEChMHRXVyb1BLSTEwMC4GA1UEAxMnRXVyb1BLSSBJ dGFsaWFuIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTAxMTIxNDEwMDAwMFoXDTA2MTIz MTA5MDAwMFowZTELMAkGA1UEBhMCSVQxHjAcBgNVBAoTFVBvbGl0ZWNuaWNvIGRpIFRvcmlu bzE2MDQGA1UEAxMtUG9saXRlY25pY28gZGkgVG9yaW5vIENlcnRpZmljYXRpb24gQXV0aG9y aXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9sfcfWMG/mS8O69abPfnUWci 6TfUncSlfs8SzpwAsoW1/OJpGVtxq1yKQrP8WqiixEcZWSvnlOcyRj/C0tz3JLQKSAyrHKGS Dkn5Md4HCue+L1JHQ3Ba14eQOj7rAugFgE+6LenTAvguOQl74/t9C93Ldm1NY+t1Fs36oPhP JQ5inrZ6D8P9ol4s/ecyPhhQaU1tioqQy1d01gXTrmI2eH6Ui0AkyexVcxFpXR7qnvPV7huE +ZTDU77t9jx24smmJuSxlA8HQS8I+qCytDhOYsKm676n1a4wpE9VunoVAm/+7tajm31ZYaxT njX891kfFGoFi/J3tIRc67vh8Joy+wIDAQABo4ICCjCCAgYwdQYJYIZIAYb4QgENBGgWZklz c3VlZCB1bmRlciBwb2xpY2llczoKIGh0dHA6Ly93d3cuZXVyb3BraS5vcmcvY2Evcm9vdC9j cHMvMS4xLwogaHR0cDovL3d3dy5ldXJvcGtpLm9yZy9jYS9pdC9jcHMvMS4xLzBcBggrBgEF BQcBAQRQME4wKAYIKwYBBQUHMAGGHGh0dHA6Ly9vY3NwLmV1cm9wa2kub3JnOjgwMjYwIgYI KwYBBQUHMAKGFmh0dHA6Ly93d3cuZXVyb3BraS5vcmcwOwYDVR0fBDQwMjAwoC6gLIYqaHR0 cDovL3d3dy5ldXJvcGtpLm9yZy9jYS9pdC9jcmwwMi9jcmwuZGVyMIGTBgNVHSAEgYswgYgw QwYKKwYBBAGpBwEBATA1MDMGCCsGAQUFBwIBFidodHRwOi8vd3d3LmV1cm9wa2kub3JnL2Nh L3Jvb3QvY3BzLzEuMS8wQQYKKwYBBAGpBwIBATAzMDEGCCsGAQUFBwIBFiVodHRwOi8vd3d3 LmV1cm9wa2kub3JnL2NhL2l0L2Nwcy8xLjEvMB8GA1UdIwQYMBaAFKo8E8lJC1zNuNMg4MWV lzMzXSQTMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgH2MB0GA1UdDgQWBBT0DG1tnl9M YlY5geDe+Y8vN6CExTANBgkqhkiG9w0BAQUFAAOCAQEAXx26gpm/oiG7ti2+e1Lwmnqn6jk0 ihxIxccazoTAjWzq60x+MhIJsIgRfGtv5U2XzEWc15UZru6srk8TqctT6EbqRMTCtx6mxPd6 RpKp3jepigGOkwnJsnjjUPC/tHmfJHNcll3Rk6a4OIvazlwOoCuQ8D0N9sAGtx35+T+tAyph NU9yHtC3dpvQotLmJFo2Pr6sTy2ijCqQnHxJ2sZUEAlNEunKFP8y3uPfwvE0FEC7lONkUx+U 79yAlwPvBvASUopIQPy7BQ9IMupkj/1DmUvml/05f+DYv2x7UbiUlp1ksQXzs+WLxB2NADfn CaPNvqphRz5KhJGOTJpc8CZ+UDCCBY8wggR3oAMCAQICAgFnMA0GCSqGSIb3DQEBBQUAMGUx CzAJBgNVBAYTAklUMR4wHAYDVQQKExVQb2xpdGVjbmljbyBkaSBUb3Jpbm8xNjA0BgNVBAMT LVBvbGl0ZWNuaWNvIGRpIFRvcmlubyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNDAy MDMxNTAwMDBaFw0wNTEyMzExMjAwMDBaMH0xCzAJBgNVBAYTAklUMR4wHAYDVQQKExVQb2xp dGVjbmljbyBkaSBUb3Jpbm8xMTAvBgNVBAsTKERpcGFydGltZW50byBkaSBBdXRvbWF0aWNh IGUgSW5mb3JtYXRpY2ExGzAZBgNVBAMTEk1hc3NpbWlsaWFubyAgUGFsYTCBnzANBgkqhkiG 9w0BAQEFAAOBjQAwgYkCgYEAq9EaJRA7cRia5n0014UeruZBPwDwNyEpWxIvWqVG6taEt1P1 wApd7oKi7yhUL8yUpX2eEQdLj/yjCQOr1NqmkL5MwiZhVtwcli3/3G0OayKu/i6yRIW24SM5 sbNLO4hhZYSiHAMlZ/U5Y6r6zFvxRbIK9/mB/wrJ6HIzOzC+xncCAwEAAaOCArMwggKvMIGV BglghkgBhvhCAQ0EgYcWgYRJc3N1ZWQgdW5kZXIgcG9saWNpZXM6CiBodHRwOi8vd3d3LmV1 cm9wa2kub3JnL2NhL3Jvb3QvY3BzLzEuMS8KIGh0dHA6Ly93d3cuZXVyb3BraS5vcmcvY2Ev aXQvY3BzLzEuMS8KIGh0dHA6Ly9jYS5wb2xpdG8uaXQvY3BzLzIuMS8wEQYJYIZIAYb4QgEB BAQDAgCwMGMGCCsGAQUFBwEBBFcwVTAoBggrBgEFBQcwAYYcaHR0cDovL29jc3AuZXVyb3Br aS5vcmc6ODAyNjApBggrBgEFBQcwAoYdaHR0cDovL3d3dy5ldXJvcGtpLm9yZy9jYS9pdC8w MgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NhLnBvbGl0by5pdC9jcmwwMi9jcmwuZGVyMAwG A1UdEwEB/wQCMAAwPgYDVR0RBDcwNYEbbWFzc2ltaWxpYW5vLnBhbGFAcG9saXRvLml0oBYG CisGAQQBlWICAQGgCBYGMTIxNTc1MIHNBgNVHSAEgcUwgcIwQwYKKwYBBAGpBwEBATA1MDMG CCsGAQUFBwIBFidodHRwOi8vd3d3LmV1cm9wa2kub3JnL2NhL3Jvb3QvY3BzLzEuMS8wQQYK KwYBBAGpBwIBATAzMDEGCCsGAQUFBwIBFiVodHRwOi8vd3d3LmV1cm9wa2kub3JnL2NhL2l0 L2Nwcy8xLjEvMDgGCisGAQQBlWIBAgEwKjAoBggrBgEFBQcCARYcaHR0cDovL2NhLnBvbGl0 by5pdC9jcHMvMi4xLzALBgNVHQ8EBAMCBPAwHQYDVR0OBBYEFKBsBAutUrWisrKMhGDw86gH WDoSMB8GA1UdIwQYMBaAFPQMbW2eX0xiVjmB4N75jy83oITFMA0GCSqGSIb3DQEBBQUAA4IB AQDrwXGLgvcDvhk2w6AFLp3DIhWl4zX9G6W4v9gis9vBHkIHQUg2iBmbVEeCn9XrSIXtuleH uyYI+uu+KUdoCqt9XEFlL6eYnvrZNc7wWkH+msZwc11C+8UibhzaUezlEqTm9l+08xucAJER 4q489+2ZY7Kf8tFB1n4edgtg8rxrlNX++ZqqrJCnYWQvv0e4Hmav+CKnuMT+Y1qVv3BW6HDD OBljhSEx6+cmooIPoWy8/5W/aGl5WEr1aCUZ/o8DODPxUIwEcUHV+m4EuQz7j0XLLcyC62Lc FCx7+itzdJ61epbCmOgTNSWJFryVPClhlM3YFzFxL9Ae7mFmTdUbkdyKMIIFjzCCBHegAwIB AgICAWcwDQYJKoZIhvcNAQEFBQAwZTELMAkGA1UEBhMCSVQxHjAcBgNVBAoTFVBvbGl0ZWNu aWNvIGRpIFRvcmlubzE2MDQGA1UEAxMtUG9saXRlY25pY28gZGkgVG9yaW5vIENlcnRpZmlj YXRpb24gQXV0aG9yaXR5MB4XDTA0MDIwMzE1MDAwMFoXDTA1MTIzMTEyMDAwMFowfTELMAkG A1UEBhMCSVQxHjAcBgNVBAoTFVBvbGl0ZWNuaWNvIGRpIFRvcmlubzExMC8GA1UECxMoRGlw YXJ0aW1lbnRvIGRpIEF1dG9tYXRpY2EgZSBJbmZvcm1hdGljYTEbMBkGA1UEAxMSTWFzc2lt aWxpYW5vICBQYWxhMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCr0RolEDtxGJrmfTTX hR6u5kE/APA3ISlbEi9apUbq1oS3U/XACl3ugqLvKFQvzJSlfZ4RB0uP/KMJA6vU2qaQvkzC JmFW3ByWLf/cbQ5rIq7+LrJEhbbhIzmxs0s7iGFlhKIcAyVn9TljqvrMW/FFsgr3+YH/Csno cjM7ML7GdwIDAQABo4ICszCCAq8wgZUGCWCGSAGG+EIBDQSBhxaBhElzc3VlZCB1bmRlciBw b2xpY2llczoKIGh0dHA6Ly93d3cuZXVyb3BraS5vcmcvY2Evcm9vdC9jcHMvMS4xLwogaHR0 cDovL3d3dy5ldXJvcGtpLm9yZy9jYS9pdC9jcHMvMS4xLwogaHR0cDovL2NhLnBvbGl0by5p dC9jcHMvMi4xLzARBglghkgBhvhCAQEEBAMCALAwYwYIKwYBBQUHAQEEVzBVMCgGCCsGAQUF BzABhhxodHRwOi8vb2NzcC5ldXJvcGtpLm9yZzo4MDI2MCkGCCsGAQUFBzAChh1odHRwOi8v d3d3LmV1cm9wa2kub3JnL2NhL2l0LzAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY2EucG9s aXRvLml0L2NybDAyL2NybC5kZXIwDAYDVR0TAQH/BAIwADA+BgNVHREENzA1gRttYXNzaW1p bGlhbm8ucGFsYUBwb2xpdG8uaXSgFgYKKwYBBAGVYgIBAaAIFgYxMjE1NzUwgc0GA1UdIASB xTCBwjBDBgorBgEEAakHAQEBMDUwMwYIKwYBBQUHAgEWJ2h0dHA6Ly93d3cuZXVyb3BraS5v cmcvY2Evcm9vdC9jcHMvMS4xLzBBBgorBgEEAakHAgEBMDMwMQYIKwYBBQUHAgEWJWh0dHA6 Ly93d3cuZXVyb3BraS5vcmcvY2EvaXQvY3BzLzEuMS8wOAYKKwYBBAGVYgECATAqMCgGCCsG AQUFBwIBFhxodHRwOi8vY2EucG9saXRvLml0L2Nwcy8yLjEvMAsGA1UdDwQEAwIE8DAdBgNV HQ4EFgQUoGwEC61StaKysoyEYPDzqAdYOhIwHwYDVR0jBBgwFoAU9AxtbZ5fTGJWOYHg3vmP LzeghMUwDQYJKoZIhvcNAQEFBQADggEBAOvBcYuC9wO+GTbDoAUuncMiFaXjNf0bpbi/2CKz 28EeQgdBSDaIGZtUR4Kf1etIhe26V4e7Jgj6674pR2gKq31cQWUvp5ie+tk1zvBaQf6axnBz XUL7xSJuHNpR7OUSpOb2X7TzG5wAkRHirjz37Zljsp/y0UHWfh52C2DyvGuU1f75mqqskKdh ZC+/R7geZq/4Iqe4xP5jWpW/cFbocMM4GWOFITHr5yaigg+hbLz/lb9oaXlYSvVoJRn+jwM4 M/FQjARxQdX6bgS5DPuPRcstzILrYtwULHv6K3N0nrV6lsKY6BM1JYkWvJU8KWGUzdgXMXEv 0B7uYWZN1RuR3IoxggLAMIICvAIBATBrMGUxCzAJBgNVBAYTAklUMR4wHAYDVQQKExVQb2xp dGVjbmljbyBkaSBUb3Jpbm8xNjA0BgNVBAMTLVBvbGl0ZWNuaWNvIGRpIFRvcmlubyBDZXJ0 aWZpY2F0aW9uIEF1dGhvcml0eQICAWcwCQYFKw4DAhoFAKCCAaswGAYJKoZIhvcNAQkDMQsG CSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDUxMTExMDUxNTUzWjAjBgkqhkiG9w0BCQQx FgQUax4iG7iINjVrt7YhP1NlvAA74pcwUgYJKoZIhvcNAQkPMUUwQzAKBggqhkiG9w0DBzAO BggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgw egYJKwYBBAGCNxAEMW0wazBlMQswCQYDVQQGEwJJVDEeMBwGA1UEChMVUG9saXRlY25pY28g ZGkgVG9yaW5vMTYwNAYDVQQDEy1Qb2xpdGVjbmljbyBkaSBUb3Jpbm8gQ2VydGlmaWNhdGlv biBBdXRob3JpdHkCAgFnMHwGCyqGSIb3DQEJEAILMW2gazBlMQswCQYDVQQGEwJJVDEeMBwG A1UEChMVUG9saXRlY25pY28gZGkgVG9yaW5vMTYwNAYDVQQDEy1Qb2xpdGVjbmljbyBkaSBU b3Jpbm8gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCAgFnMA0GCSqGSIb3DQEBAQUABIGAptCn lXH7TUVItxOHVeyy7SsjZ2fWCGLCt2qYtIIyhtA4MZsZjnc3XCrYlMTJvG74z9uZw0FST10R 2bnQSUhbmBBnJzwlcypIxhbhlCITXlA7PU+dNgfCZ3y7pDaoMwIs29safdLVl4xopvmKYXH9 Mg2LU2waYg5t/59gLr86QbsAAAAAAAA--------------ms030303090006000509010605-- Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jAADk2P9061368; Thu, 10 Nov 2005 05:46:02 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jAADk2T9061367; Thu, 10 Nov 2005 05:46:02 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from edelweb.fr (edelweb.fr [212.234.46.16]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jAADk0Gm061348 for <ietf-pkix@imc.org>; Thu, 10 Nov 2005 05:46:01 -0800 (PST) (envelope-from Peter.Sylvester@edelweb.fr) Received: from champagne.edelweb.fr (localhost [127.0.0.1]) by edelweb.fr (8.11.7p1+Sun/8.11.7) with ESMTP id jAADjpi08188; Thu, 10 Nov 2005 14:45:51 +0100 (MET) Received: from champagne.edelweb.fr (champagne.edelweb.fr [193.51.14.161]) by edelweb.fr (nospam/2.4); Thu, 10 Nov 2005 14:45:51 +0100 (MET) Received: from [193.51.14.5] (emeriau.edelweb.fr [193.51.14.5]) by champagne.edelweb.fr (8.7.6/8.6.6) with ESMTP id OAA16308; Thu, 10 Nov 2005 14:45:50 +0100 (MET) Message-ID: <43734F0E.3040700@edelweb.fr> Date: Thu, 10 Nov 2005 14:45:50 +0100 From: Peter Sylvester <Peter.Sylvester@edelweb.fr> User-Agent: Mozilla Thunderbird 1.0.2 (X11/20050317) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Stephen Kent <kent@bbn.com> CC: ietf-pkix@imc.org, hartmans-ietf@mit.edu Subject: Re: draft minutes (SCVP part) References: <p06230900bf95711e723c@[128.89.89.106]> <4370FEC4.6040101@edelweb.fr> <p06230904bf96b8df23f8@[209.52.105.172]> <4371D6BC.408@edelweb.fr> <p06230908bf97e5a7fa62@[209.52.105.172]> In-Reply-To: <p06230908bf97e5a7fa62@[209.52.105.172]> Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms070605070908040502050701" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This is a cryptographically signed message in MIME format. --------------ms070605070908040502050701 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit SCVP-21 was made as a result of a discussion of one hour between Tim, Denis and me, where Tim took notes. During three months there was no exchange to clarify anything. one week before the deadline of the submission we were informed about an editors draft and had three days to comment, the obvious thing was that several points were misunderstood or that the authors were afraid to change something, or they referred to existing implementations, etc. Nothing, really nothing to explain what is wrong, in particular when some requests have been partially treated and retreated in the past. I don't think that it is unfair to ask why the authors (who are as I understand not implementors) continue to find arguments other than technical to refuse request which they technically already admit as useful, ending with a remark Given the tone and content of your message, I have finally recognized that you will never be happy with SCVP (or any document I am involved with.) You are clearly determined to disagree with whatever is in the specification, so I have given up on addressing your comments. There are far too many demands on my time for such wasted effort. I have got to concentrate my efforts where they have *some* chance of success. SCVP 21 finally after years of pointing to the requirement a server can return another SCVP response. Good. There is the n-th iterator of changed handling identities in the request and response, resulting this time in a respondername in a request, the encodings and semantics of the fields were changed from octet strings to generalname, good, but, I did only see recently that two drafts ago an already existing responder identity in the request was removed. It is not very pleasing to see, first, total rejection, then partial support, then a bit more, then partial removal, etc. It may be that my request is totally uninterpretable or what? Peter -- To verify the signature, see http://edelpki.edelweb.fr/ Cela vous permet de charger le certificat de l'autorité; die Liste mit zurückgerufenen Zertifikaten finden Sie da auch. --------------ms070605070908040502050701 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIOpDCC BHIwggLfoAMCAQICBgoMz+gAPzANBgkqhkiG9w0BAQUFADBbMQswCQYDVQQGEwJGUjEQMA4G A1UEChMHRWRlbFdlYjEYMBYGA1UECxMPU2VydmljZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVs UEtJIEVkZWxXZWIgUGVyc0dFTjAeFw0wNTAxMDYxMjI3MTlaFw0wNzAzMTcxMjI3MTlaMHAx CzAJBgNVBAYTAkZSMRAwDgYDVQQKDAdFZGVsV2ViMRgwFgYDVQQLDA9TZXJ2aWNlIEVkZWxQ S0kxNTAzBgNVBAMMLFBldGVyIFNZTFZFU1RFUiA8UGV0ZXIuU3lsdmVzdGVyQGVkZWx3ZWIu ZnI+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDn/izyem7Z1pUP/gpQDSzeGA/ZP4vo VaCxcPWyssTYTAl6csAql2IIcYNVb6funaMNOY1q5oSNtlguFpOK3atQElBIMsfSh0CTuvUq q2QDz1nHWOB96aU8G81+ZmC+iQOCAdG3qKWvMOzC0SzxKGbhTqDsjBvfYYk1Jk/Rb5TK0wID AQABo4IBLjCCASowYgYDVR0RBFswWYEaUGV0ZXIuU3lsdmVzdGVyQGVkZWx3ZWIuZnKkOzA5 MQswCQYDVQQGEwJGUjEQMA4GA1UECgwHRWRlbFdlYjEYMBYGA1UEAwwPUGV0ZXIgU1lMVkVT VEVSMA4GA1UdDwEB/wQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcDBAYIKwYBBQUHAwIwSgYD VR0fBEMwQTA/oD2gO4Y5aHR0cDovL2VkZWxwa2kuZWRlbHdlYi5mci9jcmwvRWRlbFBLSS1F ZGVsV2ViLVBlcnNHRU4uY3JsMB0GA1UdDgQWBBSSHP6djxj58tIi5VvjJbMZMXC/fDAfBgNV HSMEGDAWgBSe5Q/BFJVJHN1aXV6crs0Bby+UeTAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBBQUA A4IBfAANZYiEkyDqsT43U83wHLSYMGcEfmisT+WQrAAoHdlcIsnlHnufGnfmdpg5yvCQpl2U TI7/w3LdaItoWq5oMZitqdoPW8Z+jy2pkd/DqYG1MkpEyZ0PA37Zn5yigQXAk4Nox7Lgiom8 1WDNgPesNRX7PRNa+RkQcD8MasfbHcZ2ycs1SxUxiCy6BUzhgSB8cNb2t9LVWWynvWuK1Wa5 V2ZCd3PlbKsrbWH8pafpFWUQm0S2BfKUWLDG9cje5bL7p5EpV4a8gFpbD5dq+PPJglT0Dvs9 F0EcrfL2l3JxGIkZmW7sfiUoefB9hTS9m3/TGvXcne4RYpVpEHFV5TathMuHfKAti6PhSely LCqdPq/T9DHLJekBY0EA2yiVcKQnRZk7/pz0HImCPADOHSOWffJtc9b+Ak6HSDD1PlOSDfT+ udnrqwSAiuNN3hx1olPNxzVDu3jgiTSJFf2XJ1TnmGMT4pJmx7vkJkdE9sZvpiZwdVws37Nr LqhH5fMZMIIEcjCCAt+gAwIBAgIGCgzP6AA/MA0GCSqGSIb3DQEBBQUAMFsxCzAJBgNVBAYT AkZSMRAwDgYDVQQKEwdFZGVsV2ViMRgwFgYDVQQLEw9TZXJ2aWNlIEVkZWxQS0kxIDAeBgNV BAMTF0VkZWxQS0kgRWRlbFdlYiBQZXJzR0VOMB4XDTA1MDEwNjEyMjcxOVoXDTA3MDMxNzEy MjcxOVowcDELMAkGA1UEBhMCRlIxEDAOBgNVBAoMB0VkZWxXZWIxGDAWBgNVBAsMD1NlcnZp Y2UgRWRlbFBLSTE1MDMGA1UEAwwsUGV0ZXIgU1lMVkVTVEVSIDxQZXRlci5TeWx2ZXN0ZXJA ZWRlbHdlYi5mcj4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOf+LPJ6btnWlQ/+ClAN LN4YD9k/i+hVoLFw9bKyxNhMCXpywCqXYghxg1Vvp+6dow05jWrmhI22WC4Wk4rdq1ASUEgy x9KHQJO69SqrZAPPWcdY4H3ppTwbzX5mYL6JA4IB0beopa8w7MLRLPEoZuFOoOyMG99hiTUm T9FvlMrTAgMBAAGjggEuMIIBKjBiBgNVHREEWzBZgRpQZXRlci5TeWx2ZXN0ZXJAZWRlbHdl Yi5mcqQ7MDkxCzAJBgNVBAYTAkZSMRAwDgYDVQQKDAdFZGVsV2ViMRgwFgYDVQQDDA9QZXRl ciBTWUxWRVNURVIwDgYDVR0PAQH/BAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEF BQcDAjBKBgNVHR8EQzBBMD+gPaA7hjlodHRwOi8vZWRlbHBraS5lZGVsd2ViLmZyL2NybC9F ZGVsUEtJLUVkZWxXZWItUGVyc0dFTi5jcmwwHQYDVR0OBBYEFJIc/p2PGPny0iLlW+Mlsxkx cL98MB8GA1UdIwQYMBaAFJ7lD8EUlUkc3VpdXpyuzQFvL5R5MAkGA1UdEwQCMAAwDQYJKoZI hvcNAQEFBQADggF8AA1liISTIOqxPjdTzfActJgwZwR+aKxP5ZCsACgd2VwiyeUee58ad+Z2 mDnK8JCmXZRMjv/Dct1oi2harmgxmK2p2g9bxn6PLamR38OpgbUySkTJnQ8DftmfnKKBBcCT g2jHsuCKibzVYM2A96w1Ffs9E1r5GRBwPwxqx9sdxnbJyzVLFTGILLoFTOGBIHxw1va30tVZ bKe9a4rVZrlXZkJ3c+VsqyttYfylp+kVZRCbRLYF8pRYsMb1yN7lsvunkSlXhryAWlsPl2r4 88mCVPQO+z0XQRyt8vaXcnEYiRmZbux+JSh58H2FNL2bf9Ma9dyd7hFilWkQcVXlNq2Ey4d8 oC2Lo+FJ6XIsKp0+r9P0Mcsl6QFjQQDbKJVwpCdFmTv+nPQciYI8AM4dI5Z98m1z1v4CTodI MPU+U5IN9P652eurBICK403eHHWiU83HNUO7eOCJNIkV/ZcnVOeYYxPikmbHu+QmR0T2xm+m JnB1XCzfs2suqEfl8xkwggW0MIIDT6ADAgECAgYJ+oiVOzEwDQYJKoZIhvcNAQEFBQAwUjEL MAkGA1UEBhMCRlIxEDAOBgNVBAoTB0VkZWxXZWIxGDAWBgNVBAsTD1NlcnZpY2UgRWRlbFBL STEXMBUGA1UEAxMOUmFjaW5lIEVkZWxQS0kwHhcNMDQxMDA3MTU0MzMwWhcNMTEwODEyMTU0 MzMwWjBbMQswCQYDVQQGEwJGUjEQMA4GA1UEChMHRWRlbFdlYjEYMBYGA1UECxMPU2Vydmlj ZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVsUEtJIEVkZWxXZWIgUGVyc0dFTjCCAZwwDQYJKoZI hvcNAQEBBQADggGJADCCAYQCggF7FyeP4kRrFG9y51CeWmJIxBSMD2bcrJKIlnAPn6eH8V1M ORWTPivMNQYq32XcEi9xrxjyREvvnhABrVcW+1VLyLH8WgRY6n5A5JfuDjU6Aq0RzmjqTWDe 1+ecbgAtN8FYjVk35vdQbgfYzpGHPT0NuxiHi8NB8lNFi8rG0t2hP7WLwHLA+sIKFzA/CCRt qeGPvQkB1pRamU2IAActykfzJb6Qc50uRobWUBJtVjEBy/lgIXU0rMnQNHeCgbUvebvAT9Hd UGIPbEiX7dKHxL5/AxzHK/rA5siMzNPk8nSckDeLvpf8c/gqQRpPqufy4DazzXfZosKeJATH pyONnairmwfzMTi63PvNovrbTgzUiyH+g5zvcNoci9cke0RiLQc1pI38psgnVLtPPITgOZrS cV9zs4+sD7x7vjRco7a9H2ErfAU+8/Ui2OkR1X0z8DpyBHD/fcaDXTD+EiISL7aJHQcJRoNB CdCFgZeomsXULIYoFTa1hH//TN0z9wIDAQABo4G/MIG8MDoGA1UdHwQzMDEwL6AtoCuGKWh0 dHA6Ly9lZGVscGtpLmVkZWx3ZWIuZnIvY3JsL0VkZWxQS0kuY3JsMA8GA1UdEwQIMAYBAf8C AQAwDgYDVR0PAQH/BAQDAgEGMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEFBQcDAjAdBgNV HQ4EFgQUnuUPwRSVSRzdWl1enK7NAW8vlHkwHwYDVR0jBBgwFoAUqNkrj9SwZ7q9SVy8M/x3 UhG5Z50wDQYJKoZIhvcNAQEFBQADggJOAFZV+1m/H+Qud9iUQJnvZR8R/adID02c2B3aOUUy 4/4dxBb4UU1kW8DTUpD57Pjuocfvdg4AfQi7zgSQ8/NUGxNU4CPxtADZVrZtmrpKCjBh1tNz QbNbdP91KtP+Di0BpidqNwG00CC9j2EnBY88AsqKE28Rmw4eQ9/M/q/GbXsAfEsHV0IQjM7u US+usowZwm3Mwa5oF+6gmShSc/Wz8iIURxg4lTQto3AoBsiLJelq83I4XRQ0goXYGcM8xXYj PDioidvY5pSfT4qBR1Bx/vh+xD2evWyFbpuB99iuuewoELX8db7P74QEHhw6Bv1yxLYXGamq Uxo60WT/UCFjVSy3C/dLrraUZA4gh7Q5G+3/Fal62Qx+1rUEC2YbogEKggonklzUXA+sUbCf Ad5nZQ0eSszwKt8jmYoHfQ6rUMde0ZJD08n5HAot9hpl9R65j9fdPz9uTeANcRocftHfgM7Y rQyruWuFxgMUV80fD4RC9ej5KbLyO8jtgESjOCGXeJ95kXXP8vmW73xCYkJ9Pg7Op30o43l6 PV7vej3gdmSQISY+s+J3arz+bccljJCrKHBad3918/LjJ55sRtSb7mfQGti2UcxtJAa2NmUL d+BIv0MUuC6+k2yIIQKcLbDuuk8lLJmwWuYt1OLHEskZxOm7D7nRwe7ZNlTIZvR/VFWxlY18 k488tH9qcusIw8+7uXeHOZHyFUOHMINJZO9mq9HwGMC4v1xiPwoAJkzFtHf3D9VAholjhEFg d28aJSs6qN15PXDgDjptAl34eoUxggKuMIICqgIBATBlMFsxCzAJBgNVBAYTAkZSMRAwDgYD VQQKEwdFZGVsV2ViMRgwFgYDVQQLEw9TZXJ2aWNlIEVkZWxQS0kxIDAeBgNVBAMTF0VkZWxQ S0kgRWRlbFdlYiBQZXJzR0VOAgYKDM/oAD8wCQYFKw4DAhoFAKCCAZ8wGAYJKoZIhvcNAQkD MQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDUxMTEwMTM0NTUwWjAjBgkqhkiG9w0B CQQxFgQUXyEukMzISAjjbhjZr1Ce12FiMmQwUgYJKoZIhvcNAQkPMUUwQzAKBggqhkiG9w0D BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwIC ASgwdAYJKwYBBAGCNxAEMWcwZTBbMQswCQYDVQQGEwJGUjEQMA4GA1UEChMHRWRlbFdlYjEY MBYGA1UECxMPU2VydmljZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVsUEtJIEVkZWxXZWIgUGVy c0dFTgIGCgzP6AA/MHYGCyqGSIb3DQEJEAILMWegZTBbMQswCQYDVQQGEwJGUjEQMA4GA1UE ChMHRWRlbFdlYjEYMBYGA1UECxMPU2VydmljZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVsUEtJ IEVkZWxXZWIgUGVyc0dFTgIGCgzP6AA/MA0GCSqGSIb3DQEBAQUABIGAJHXKNMY8ugRCcRWw Gk/pFJC0VCqzZSLAf53uzuzho2u/X8mPrX5gnc+X9nOxqWMdIyWyyQBxtkMPKCfoWsSxsK3o IzX14Z23B6Z6BXWhp/o080aw4I7mYe9T1aN3AO+VYop97y7CSmJFwU/xui70iK52erFMGgC+ URUK9fHhkx8AAAAAAAA--------------ms070605070908040502050701-- Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA9LT8DU094657; Wed, 9 Nov 2005 13:29:08 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jA9LT8sQ094656; Wed, 9 Nov 2005 13:29:08 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from aragorn.bbn.com (aragorn.bbn.com [128.33.0.62]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA9LT6jN094646 for <ietf-pkix@imc.org>; Wed, 9 Nov 2005 13:29:07 -0800 (PST) (envelope-from kent@bbn.com) Received: from [209.52.105.172] (dommiel.bbn.com [192.1.122.15]) by aragorn.bbn.com (8.12.7/8.12.7) with ESMTP id jA9LStIC023063; Wed, 9 Nov 2005 16:28:56 -0500 (EST) Mime-Version: 1.0 Message-Id: <p06230908bf97e5a7fa62@[209.52.105.172]> In-Reply-To: <4371D6BC.408@edelweb.fr> References: <p06230900bf95711e723c@[128.89.89.106]> <4370FEC4.6040101@edelweb.fr> <p06230904bf96b8df23f8@[209.52.105.172]> <4371D6BC.408@edelweb.fr> Date: Wed, 9 Nov 2005 16:28:18 -0500 To: Peter Sylvester <Peter.Sylvester@edelweb.fr> From: Stephen Kent <kent@bbn.com> Subject: Re: draft minutes (SCVP part) Cc: ietf-pkix@imc.org, hartmans-ietf@mit.edu Content-Type: text/plain; charset="us-ascii" ; format="flowed" X-Virus-Scanned: ClamAV version 0.83, clamav-milter version 0.83 on 128.33.1.41 X-Virus-Status: Clean Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Peter, I reread your message and realize that when you used the phrase "... the notes taken by Tim Polk ..." you were not referring to the meeting minutes. My error. I had assumed you were, because the message was sent with a subject line of "draft minutes (SCVP part)." >... >Do you want me to resend? > I would like the material I requested in the private message re SCVP, sent a a private response. The 6 points in your message don't follow the format of what I requested, i.e., reference to section of SCVP-21, explanation of why is is not compliant with 3379 OR with a request that you or Denis made in subsequent messages. None of the points references a section number in SCVP-21, nor provides cross references to 3379, for example. steve Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA9B0N2I099109; Wed, 9 Nov 2005 03:00:23 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jA9B0Nuf099108; Wed, 9 Nov 2005 03:00:23 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from edelweb.fr (edelweb.fr [212.234.46.16]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA9B0MB0099101 for <ietf-pkix@imc.org>; Wed, 9 Nov 2005 03:00:23 -0800 (PST) (envelope-from Peter.Sylvester@edelweb.fr) Received: from champagne.edelweb.fr (localhost [127.0.0.1]) by edelweb.fr (8.11.7p1+Sun/8.11.7) with ESMTP id jA9B0Di10947; Wed, 9 Nov 2005 12:00:13 +0100 (MET) Received: from champagne.edelweb.fr (champagne.edelweb.fr [193.51.14.161]) by edelweb.fr (nospam/2.4); Wed, 9 Nov 2005 12:00:13 +0100 (MET) Received: from [193.51.14.5] (emeriau.edelweb.fr [193.51.14.5]) by champagne.edelweb.fr (8.7.6/8.6.6) with ESMTP id MAA15297; Wed, 9 Nov 2005 12:00:12 +0100 (MET) Message-ID: <4371D6BC.408@edelweb.fr> Date: Wed, 09 Nov 2005 12:00:12 +0100 From: Peter Sylvester <Peter.Sylvester@edelweb.fr> User-Agent: Mozilla Thunderbird 1.0.2 (X11/20050317) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Stephen Kent <kent@bbn.com> CC: ietf-pkix@imc.org, hartmans-ietf@mit.edu Subject: Re: draft minutes (SCVP part) References: <p06230900bf95711e723c@[128.89.89.106]> <4370FEC4.6040101@edelweb.fr> <p06230904bf96b8df23f8@[209.52.105.172]> In-Reply-To: <p06230904bf96b8df23f8@[209.52.105.172]> Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms080704030206020704070507" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This is a cryptographically signed message in MIME format. --------------ms080704030206020704070507 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit Stephen Kent wrote: > Peter, > > First, I am the editor of the minutes, not Tim. Did I say that? > > I'm afraid that your comments are not germane to the meeting minutes, > the primary goal of which is to accurately represent what was said by > the presenters and WG attendees in the course of the meeting. > Objective, factual errors related to what was said are valid a basis > for comments on meeting minutes. However, a detailed debate about a > contentious issue like this is not appropriate for meeting minute > comments & corrections. Indeed, this is not a comment for minutes. Throw into a black hole, wait until they evaporate as a part of the detailed discussion. You have asked in a private message to send a comment, you may thus just consider that I have forgotten to change the comment into something more appropriate and that I used the minutes as a starting point. Do you want me to resend? -- To verify the signature, see http://edelpki.edelweb.fr/ Cela vous permet de charger le certificat de l'autorité; die Liste mit zurückgerufenen Zertifikaten finden Sie da auch. --------------ms080704030206020704070507 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIOpDCC BHIwggLfoAMCAQICBgoMz+gAPzANBgkqhkiG9w0BAQUFADBbMQswCQYDVQQGEwJGUjEQMA4G A1UEChMHRWRlbFdlYjEYMBYGA1UECxMPU2VydmljZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVs UEtJIEVkZWxXZWIgUGVyc0dFTjAeFw0wNTAxMDYxMjI3MTlaFw0wNzAzMTcxMjI3MTlaMHAx CzAJBgNVBAYTAkZSMRAwDgYDVQQKDAdFZGVsV2ViMRgwFgYDVQQLDA9TZXJ2aWNlIEVkZWxQ S0kxNTAzBgNVBAMMLFBldGVyIFNZTFZFU1RFUiA8UGV0ZXIuU3lsdmVzdGVyQGVkZWx3ZWIu ZnI+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDn/izyem7Z1pUP/gpQDSzeGA/ZP4vo VaCxcPWyssTYTAl6csAql2IIcYNVb6funaMNOY1q5oSNtlguFpOK3atQElBIMsfSh0CTuvUq q2QDz1nHWOB96aU8G81+ZmC+iQOCAdG3qKWvMOzC0SzxKGbhTqDsjBvfYYk1Jk/Rb5TK0wID AQABo4IBLjCCASowYgYDVR0RBFswWYEaUGV0ZXIuU3lsdmVzdGVyQGVkZWx3ZWIuZnKkOzA5 MQswCQYDVQQGEwJGUjEQMA4GA1UECgwHRWRlbFdlYjEYMBYGA1UEAwwPUGV0ZXIgU1lMVkVT VEVSMA4GA1UdDwEB/wQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcDBAYIKwYBBQUHAwIwSgYD VR0fBEMwQTA/oD2gO4Y5aHR0cDovL2VkZWxwa2kuZWRlbHdlYi5mci9jcmwvRWRlbFBLSS1F ZGVsV2ViLVBlcnNHRU4uY3JsMB0GA1UdDgQWBBSSHP6djxj58tIi5VvjJbMZMXC/fDAfBgNV HSMEGDAWgBSe5Q/BFJVJHN1aXV6crs0Bby+UeTAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBBQUA A4IBfAANZYiEkyDqsT43U83wHLSYMGcEfmisT+WQrAAoHdlcIsnlHnufGnfmdpg5yvCQpl2U TI7/w3LdaItoWq5oMZitqdoPW8Z+jy2pkd/DqYG1MkpEyZ0PA37Zn5yigQXAk4Nox7Lgiom8 1WDNgPesNRX7PRNa+RkQcD8MasfbHcZ2ycs1SxUxiCy6BUzhgSB8cNb2t9LVWWynvWuK1Wa5 V2ZCd3PlbKsrbWH8pafpFWUQm0S2BfKUWLDG9cje5bL7p5EpV4a8gFpbD5dq+PPJglT0Dvs9 F0EcrfL2l3JxGIkZmW7sfiUoefB9hTS9m3/TGvXcne4RYpVpEHFV5TathMuHfKAti6PhSely LCqdPq/T9DHLJekBY0EA2yiVcKQnRZk7/pz0HImCPADOHSOWffJtc9b+Ak6HSDD1PlOSDfT+ udnrqwSAiuNN3hx1olPNxzVDu3jgiTSJFf2XJ1TnmGMT4pJmx7vkJkdE9sZvpiZwdVws37Nr LqhH5fMZMIIEcjCCAt+gAwIBAgIGCgzP6AA/MA0GCSqGSIb3DQEBBQUAMFsxCzAJBgNVBAYT AkZSMRAwDgYDVQQKEwdFZGVsV2ViMRgwFgYDVQQLEw9TZXJ2aWNlIEVkZWxQS0kxIDAeBgNV BAMTF0VkZWxQS0kgRWRlbFdlYiBQZXJzR0VOMB4XDTA1MDEwNjEyMjcxOVoXDTA3MDMxNzEy MjcxOVowcDELMAkGA1UEBhMCRlIxEDAOBgNVBAoMB0VkZWxXZWIxGDAWBgNVBAsMD1NlcnZp Y2UgRWRlbFBLSTE1MDMGA1UEAwwsUGV0ZXIgU1lMVkVTVEVSIDxQZXRlci5TeWx2ZXN0ZXJA ZWRlbHdlYi5mcj4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOf+LPJ6btnWlQ/+ClAN LN4YD9k/i+hVoLFw9bKyxNhMCXpywCqXYghxg1Vvp+6dow05jWrmhI22WC4Wk4rdq1ASUEgy x9KHQJO69SqrZAPPWcdY4H3ppTwbzX5mYL6JA4IB0beopa8w7MLRLPEoZuFOoOyMG99hiTUm T9FvlMrTAgMBAAGjggEuMIIBKjBiBgNVHREEWzBZgRpQZXRlci5TeWx2ZXN0ZXJAZWRlbHdl Yi5mcqQ7MDkxCzAJBgNVBAYTAkZSMRAwDgYDVQQKDAdFZGVsV2ViMRgwFgYDVQQDDA9QZXRl ciBTWUxWRVNURVIwDgYDVR0PAQH/BAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEF BQcDAjBKBgNVHR8EQzBBMD+gPaA7hjlodHRwOi8vZWRlbHBraS5lZGVsd2ViLmZyL2NybC9F ZGVsUEtJLUVkZWxXZWItUGVyc0dFTi5jcmwwHQYDVR0OBBYEFJIc/p2PGPny0iLlW+Mlsxkx cL98MB8GA1UdIwQYMBaAFJ7lD8EUlUkc3VpdXpyuzQFvL5R5MAkGA1UdEwQCMAAwDQYJKoZI hvcNAQEFBQADggF8AA1liISTIOqxPjdTzfActJgwZwR+aKxP5ZCsACgd2VwiyeUee58ad+Z2 mDnK8JCmXZRMjv/Dct1oi2harmgxmK2p2g9bxn6PLamR38OpgbUySkTJnQ8DftmfnKKBBcCT g2jHsuCKibzVYM2A96w1Ffs9E1r5GRBwPwxqx9sdxnbJyzVLFTGILLoFTOGBIHxw1va30tVZ bKe9a4rVZrlXZkJ3c+VsqyttYfylp+kVZRCbRLYF8pRYsMb1yN7lsvunkSlXhryAWlsPl2r4 88mCVPQO+z0XQRyt8vaXcnEYiRmZbux+JSh58H2FNL2bf9Ma9dyd7hFilWkQcVXlNq2Ey4d8 oC2Lo+FJ6XIsKp0+r9P0Mcsl6QFjQQDbKJVwpCdFmTv+nPQciYI8AM4dI5Z98m1z1v4CTodI MPU+U5IN9P652eurBICK403eHHWiU83HNUO7eOCJNIkV/ZcnVOeYYxPikmbHu+QmR0T2xm+m JnB1XCzfs2suqEfl8xkwggW0MIIDT6ADAgECAgYJ+oiVOzEwDQYJKoZIhvcNAQEFBQAwUjEL MAkGA1UEBhMCRlIxEDAOBgNVBAoTB0VkZWxXZWIxGDAWBgNVBAsTD1NlcnZpY2UgRWRlbFBL STEXMBUGA1UEAxMOUmFjaW5lIEVkZWxQS0kwHhcNMDQxMDA3MTU0MzMwWhcNMTEwODEyMTU0 MzMwWjBbMQswCQYDVQQGEwJGUjEQMA4GA1UEChMHRWRlbFdlYjEYMBYGA1UECxMPU2Vydmlj ZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVsUEtJIEVkZWxXZWIgUGVyc0dFTjCCAZwwDQYJKoZI hvcNAQEBBQADggGJADCCAYQCggF7FyeP4kRrFG9y51CeWmJIxBSMD2bcrJKIlnAPn6eH8V1M ORWTPivMNQYq32XcEi9xrxjyREvvnhABrVcW+1VLyLH8WgRY6n5A5JfuDjU6Aq0RzmjqTWDe 1+ecbgAtN8FYjVk35vdQbgfYzpGHPT0NuxiHi8NB8lNFi8rG0t2hP7WLwHLA+sIKFzA/CCRt qeGPvQkB1pRamU2IAActykfzJb6Qc50uRobWUBJtVjEBy/lgIXU0rMnQNHeCgbUvebvAT9Hd UGIPbEiX7dKHxL5/AxzHK/rA5siMzNPk8nSckDeLvpf8c/gqQRpPqufy4DazzXfZosKeJATH pyONnairmwfzMTi63PvNovrbTgzUiyH+g5zvcNoci9cke0RiLQc1pI38psgnVLtPPITgOZrS cV9zs4+sD7x7vjRco7a9H2ErfAU+8/Ui2OkR1X0z8DpyBHD/fcaDXTD+EiISL7aJHQcJRoNB CdCFgZeomsXULIYoFTa1hH//TN0z9wIDAQABo4G/MIG8MDoGA1UdHwQzMDEwL6AtoCuGKWh0 dHA6Ly9lZGVscGtpLmVkZWx3ZWIuZnIvY3JsL0VkZWxQS0kuY3JsMA8GA1UdEwQIMAYBAf8C AQAwDgYDVR0PAQH/BAQDAgEGMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEFBQcDAjAdBgNV HQ4EFgQUnuUPwRSVSRzdWl1enK7NAW8vlHkwHwYDVR0jBBgwFoAUqNkrj9SwZ7q9SVy8M/x3 UhG5Z50wDQYJKoZIhvcNAQEFBQADggJOAFZV+1m/H+Qud9iUQJnvZR8R/adID02c2B3aOUUy 4/4dxBb4UU1kW8DTUpD57Pjuocfvdg4AfQi7zgSQ8/NUGxNU4CPxtADZVrZtmrpKCjBh1tNz QbNbdP91KtP+Di0BpidqNwG00CC9j2EnBY88AsqKE28Rmw4eQ9/M/q/GbXsAfEsHV0IQjM7u US+usowZwm3Mwa5oF+6gmShSc/Wz8iIURxg4lTQto3AoBsiLJelq83I4XRQ0goXYGcM8xXYj PDioidvY5pSfT4qBR1Bx/vh+xD2evWyFbpuB99iuuewoELX8db7P74QEHhw6Bv1yxLYXGamq Uxo60WT/UCFjVSy3C/dLrraUZA4gh7Q5G+3/Fal62Qx+1rUEC2YbogEKggonklzUXA+sUbCf Ad5nZQ0eSszwKt8jmYoHfQ6rUMde0ZJD08n5HAot9hpl9R65j9fdPz9uTeANcRocftHfgM7Y rQyruWuFxgMUV80fD4RC9ej5KbLyO8jtgESjOCGXeJ95kXXP8vmW73xCYkJ9Pg7Op30o43l6 PV7vej3gdmSQISY+s+J3arz+bccljJCrKHBad3918/LjJ55sRtSb7mfQGti2UcxtJAa2NmUL d+BIv0MUuC6+k2yIIQKcLbDuuk8lLJmwWuYt1OLHEskZxOm7D7nRwe7ZNlTIZvR/VFWxlY18 k488tH9qcusIw8+7uXeHOZHyFUOHMINJZO9mq9HwGMC4v1xiPwoAJkzFtHf3D9VAholjhEFg d28aJSs6qN15PXDgDjptAl34eoUxggKuMIICqgIBATBlMFsxCzAJBgNVBAYTAkZSMRAwDgYD VQQKEwdFZGVsV2ViMRgwFgYDVQQLEw9TZXJ2aWNlIEVkZWxQS0kxIDAeBgNVBAMTF0VkZWxQ S0kgRWRlbFdlYiBQZXJzR0VOAgYKDM/oAD8wCQYFKw4DAhoFAKCCAZ8wGAYJKoZIhvcNAQkD MQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDUxMTA5MTEwMDEyWjAjBgkqhkiG9w0B CQQxFgQUI8cZmH5H6uttxGAqipkHQAdHGsUwUgYJKoZIhvcNAQkPMUUwQzAKBggqhkiG9w0D BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwIC ASgwdAYJKwYBBAGCNxAEMWcwZTBbMQswCQYDVQQGEwJGUjEQMA4GA1UEChMHRWRlbFdlYjEY MBYGA1UECxMPU2VydmljZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVsUEtJIEVkZWxXZWIgUGVy c0dFTgIGCgzP6AA/MHYGCyqGSIb3DQEJEAILMWegZTBbMQswCQYDVQQGEwJGUjEQMA4GA1UE ChMHRWRlbFdlYjEYMBYGA1UECxMPU2VydmljZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVsUEtJ IEVkZWxXZWIgUGVyc0dFTgIGCgzP6AA/MA0GCSqGSIb3DQEBAQUABIGAMEpccY5SlodwoJ1Y zrNUcgi+Tb8sWANQx83/d6CPXzItoe2ToYB3VE/AA5/rN32f0vDJgZkH5H7VWd2AJNZempMg qUpwC2MzIm0BwFz+6pLzDxHXsXq3+OWXDE7DnKrY+w8069tyiKgZ3ZxS9Lz7+vA+UIZdk8MX VaAuWEzeNgwAAAAAAAA--------------ms080704030206020704070507-- Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA92Ouxs012259; Tue, 8 Nov 2005 18:24:56 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jA92OuJe012258; Tue, 8 Nov 2005 18:24:56 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from aragorn.bbn.com (aragorn.bbn.com [128.33.0.62]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA92Otk9012168 for <ietf-pkix@imc.org>; Tue, 8 Nov 2005 18:24:55 -0800 (PST) (envelope-from kent@bbn.com) Received: from [209.52.105.172] (dommiel.bbn.com [192.1.122.15]) by aragorn.bbn.com (8.12.7/8.12.7) with ESMTP id jA92OcIC006854 for <ietf-pkix@imc.org>; Tue, 8 Nov 2005 21:24:45 -0500 (EST) Mime-Version: 1.0 Message-Id: <p06230905bf970e520849@[209.52.105.172]> Date: Tue, 8 Nov 2005 21:24:51 -0500 To: ietf-pkix@imc.org From: Stephen Kent <kent@bbn.com> Subject: WG meeting presentations now posted Content-Type: text/plain; charset="us-ascii" ; format="flowed" X-Virus-Scanned: ClamAV version 0.83, clamav-milter version 0.83 on 128.33.1.41 X-Virus-Status: Clean Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> https://onsite.ietf.org/public/meeting_materials.cgi?meeting_numd Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA8KX0bj058875; Tue, 8 Nov 2005 12:33:00 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jA8KX0rm058874; Tue, 8 Nov 2005 12:33:00 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from aragorn.bbn.com (aragorn.bbn.com [128.33.0.62]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA8KWxfn058804 for <ietf-pkix@imc.org>; Tue, 8 Nov 2005 12:33:00 -0800 (PST) (envelope-from kent@bbn.com) Received: from [209.52.105.172] (dommiel.bbn.com [192.1.122.15]) by aragorn.bbn.com (8.12.7/8.12.7) with ESMTP id jA8KWpIC022617; Tue, 8 Nov 2005 15:32:51 -0500 (EST) Mime-Version: 1.0 Message-Id: <p06230904bf96b8df23f8@[209.52.105.172]> In-Reply-To: <4370FEC4.6040101@edelweb.fr> References: <p06230900bf95711e723c@[128.89.89.106]> <4370FEC4.6040101@edelweb.fr> Date: Tue, 8 Nov 2005 15:32:28 -0500 To: Peter Sylvester <Peter.Sylvester@edelweb.fr> From: Stephen Kent <kent@bbn.com> Subject: Re: draft minutes (SCVP part) Cc: ietf-pkix@imc.org, hartmans-ietf@mit.edu Content-Type: text/plain; charset="us-ascii" ; format="flowed" X-Virus-Scanned: ClamAV version 0.83, clamav-milter version 0.83 on 128.33.1.41 X-Virus-Status: Clean Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Peter, First, I am the editor of the minutes, not Tim. I'm afraid that your comments are not germane to the meeting minutes, the primary goal of which is to accurately represent what was said by the presenters and WG attendees in the course of the meeting. Objective, factual errors related to what was said are valid a basis for comments on meeting minutes. However, a detailed debate about a contentious issue like this is not appropriate for meeting minute comments & corrections. Steve Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA8Jd29k052659; Tue, 8 Nov 2005 11:39:02 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jA8Jd2mk052658; Tue, 8 Nov 2005 11:39:02 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from edelweb.fr (edelweb.fr [212.234.46.16]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA8Jd1ei052651 for <ietf-pkix@imc.org>; Tue, 8 Nov 2005 11:39:02 -0800 (PST) (envelope-from Peter.Sylvester@edelweb.fr) Received: from champagne.edelweb.fr (localhost [127.0.0.1]) by edelweb.fr (8.11.7p1+Sun/8.11.7) with ESMTP id jA8Jcji27280; Tue, 8 Nov 2005 20:38:45 +0100 (MET) Received: from champagne.edelweb.fr (champagne.edelweb.fr [193.51.14.161]) by edelweb.fr (nospam/2.4); Tue, 8 Nov 2005 20:38:45 +0100 (MET) Received: from [193.51.14.5] (emeriau.edelweb.fr [193.51.14.5]) by champagne.edelweb.fr (8.7.6/8.6.6) with ESMTP id UAA14710; Tue, 8 Nov 2005 20:38:44 +0100 (MET) Message-ID: <4370FEC4.6040101@edelweb.fr> Date: Tue, 08 Nov 2005 20:38:44 +0100 From: Peter Sylvester <Peter.Sylvester@edelweb.fr> User-Agent: Mozilla Thunderbird 1.0.2 (X11/20050317) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Stephen Kent <kent@bbn.com> CC: ietf-pkix@imc.org, hartmans-ietf@mit.edu Subject: Re: draft minutes (SCVP part) References: <p06230900bf95711e723c@[128.89.89.106]> In-Reply-To: <p06230900bf95711e723c@[128.89.89.106]> Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms090104030100020405010305" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This is a cryptographically signed message in MIME format. --------------ms090104030100020405010305 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit Stephen Kent wrote: > Please send me a message with any requested corrections before 11/28: > > Steve > ----- > > > PKIX WG Meeting 11/7/05 > > Edited by Steve Kent > > > > SCVP rev 21- David Cooper (NIST) > Text was added to clarify conformance requirements. WantBack > items were made optional. New, optional items were added to allow an > SCVP server to relay responses from other SCVP servers, and to label > responses with an identity specified by a requestor, if the server has > multiple identities. The reference to validation policies was > tightened, so that only OIDs, not URIs, are accepted. Policy > parameters, in addition to validation algorithm parameters, are now > supported, but the optional validation policy attributes were removed, > since no examples have been provided and the need for this facility > was not well established. The authors have spend three months to get out an editors after the Paris meeting and after Denis and me spend an hour to explain Tim Polk our issues. During the following months that was no interaction, and just a week before the submission deadline, there was a editors draft shown to us to comment it within three days. This draft showed that the notes taken by Tim Polk do not reflect the issues, and, not surprisong, they were either ignored or only partially interpreted. The mentioned 'server has multiple identities' has never been stated as such, and the requested implementation (something which I have been asking for since years) is continuously misunderstood, either refused, then partially implement, and then withdrawn. Point 1: What I have been requesting is that the CVrequest, and the CVResponse carry two sequences of identifiers for the requestors and the responders. For the CVRequest, the requestorName sequence indicates who is acting as client or for whom the client is acting. A server may use the list to determine whether one of the authentication methods matches with one of the entities. For the CVRequest, the responderName sequence indicates who the client believs should participate in the response. (this seems to be close to the current text). But the indication should be a list, in order to allow for proxies chaining or other. it is up to the server to determine what to do with the field, and how to respond with an appropriate authentication method. For the CVResponse, the the requestorName sequence is essentially a copy of the last CVrequest (e.g. if chaining was used). The server may add an identification, if the initial client has not provide one, and if it can be derived from a networking identification or an authentication method, all this controlled by a policy where a client can be allowed to stay anonymous through a proxy. For the CVResponse, the the responderName sequence (a responder field had been introduced in the past and then removed again), indicates the identities of parties that have participated in the creation of the response. This allows a client to show them immediately without the need of interpreting the details of the result which is difficult if not impossible in case of muiltiple identities of servers. The various drafts cover all this partially, but each time only a part, a different one. Or, in CVRequest ::= SEQUENCE { cvRequestVersion INTEGER DEFAULT 1, query Query, requestorRef [0] GeneralNames OPTIONAL, requestNonce [1] OCTET STRING OPTIONAL, requestorName [2] GeneralName OPTIONAL, responderName [3] GeneralName OPTIONAL, requestExtensions [4] Extensions OPTIONAL } CVResponse ::= SEQUENCE { cvResponseVersion INTEGER, serverConfigurationID INTEGER, producedAt GeneralizedTime, responseStatus ResponseStatus, respValidationPolicy [0] RespValidationPolicy OPTIONAL, requestRef [1] RequestReference OPTIONAL, requestorRef [2] GeneralNames OPTIONAL, requestorName [3] GeneralNames OPTIONAL, replyObjects [4] ReplyObjects OPTIONAL, respNonce [5] OCTET STRING OPTIONAL, serverContextInfo [6] OCTET STRING OPTIONAL, cvResponseExtensions [7] Extensions OPTIONAL } there should be requestorName [x] GeneralNames OPTIONAL, responderName [y] GeneralNames OPTIONAL, (There was once a responder in the response structure.) Point 2: I have asked to explain the need for the MUST concerning If the default values for all of the flags are used, then the response flags item MUST NOT be included in the request. responseFlags ResponseFlags OPTIONAL, you can have the same effect using responseFlags ResponseFlags DEFAULT {} , (modulo syntax errors introduced by my limited knowledge). i.e. a MUST important for interop test is replaced by a standard feature of ASN.1 My suggestion of 'elegance', i.e. the one that I made a strawman in Paris was to change the definition of ResponseFlags ::= SEQUENCE { fullRequestInResponse [0] BOOLEAN DEFAULT FALSE, responseValidationPolByRef [1] BOOLEAN DEFAULT TRUE, protectResponse [2] BOOLEAN DEFAULT TRUE, cachedResponse [3] BOOLEAN DEFAULT TRUE } to a bitstring with named values, and thus avoiding nested DEFAULT specs. I can live with that, just write the DEFAULT as indicated above, and you have one test les for interop. On the other hand, there are compilers that may have problems with nested defaults. so ResponseFlags ::= BIT STRING { fullRequestInResponse(0), responseValidationPolByRef(1) protectResponse(2) cachedResponse (3) } and an appropriate DEFAULT (responseValidationPolByRef,protectResponse,cachedResponse) or DEFAULT '0111'B I repeat, the original point is the MUST about the empty sequence implying an unncessary addition explicit test for conformance which you can handle by a spec of DEFAULT { }. point 3; After 2 years or so, none of the authors ever answered why there is: ReplyWantBacks ::= SEQUENCE OF ReplyWantBack ReplyWantBack::= SEQUENCE { wb OBJECT IDENTIFIER, value OCTET STRING } where some of the octet strings contain certificat lists and crls for example. What is the security risk or advantage to force client to invoke a parser individually each time. I simply propose: ReplyWantBack::= SEQUENCE { wbType OBJECT IDENTIFIER, wbValue ANY DEFINED BY wbType } (or in fact the correct corresponding current ASN.1 which may be a bit difficult to understand for some people.) There are minimal changes in the text that follows this definition, i.e. instead of saying the octet string contains you says the type used is ... Compare this with a similar construct in the request. RevocationInfo ::= CHOICE { crl [0] CertificateList, delta-crl [1] CertificateList, ocsp [2] OCSPResponse, other [3] OtherRevInfo } OtherRevInfo ::= SEQUENCE { riType OBJECT IDENTIFIER, riValue ANY DEFINED BY riType } Point 4: Use current ASN1. Free tools to validate the syntax exist. Point 5: Policy issues: I leave this mainly to Denis, but IMO the policy definitions are intended to be usable for a client to determine *ALL* the required or possible parameters. By no way it is acceptable that a client try be required to make a trial to detrmline whether a something is necessary or required. Otherwise the whole point of having a protocol for policy discovery is useless. Point 6: Since this is ther from the very beginning, some error codes are represented as integer, although one would rather use an enumeration. Integers are for values that be be used for counting. But well, I won't die because of that. > > The one remaining problem here is how to make this protocol agile with > regard to the hash algorithm employed for certificate references. > Today SHA-1 is hardwired. Updating the spec to specify another hash > function does not satisfy the new algorithm agility requirement. Steve > Kent suggested that the hash function can be an aspect of the server's > validation policy, to satisfy the agility requirement. Russ Housley > suggested that the OID of the hash employed be explicitly returned, in > case the server's policy changes over time (but the policy OID does > not). A straw poll was conducted to get a sense of the room for the > two alternatives described in the last slide in this presentation. The > first alternative received 12 votes, vs. 0 for the second. (Slides) Why are these alternatives? A client should be able to detect CURRENT hash algorithm in a policy lookup. A server response and request are self containing entities. No additional information should be required to interprete the content, in particular, it an octet string containing a hash always needs to be accompanied by an algorithm identifier (unless the the protocol or version specific default is used. Peter -- To verify the signature, see http://edelpki.edelweb.fr/ Cela vous permet de charger le certificat de l'autorité; die Liste mit zurückgerufenen Zertifikaten finden Sie da auch. --------------ms090104030100020405010305 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIOpDCC BHIwggLfoAMCAQICBgoMz+gAPzANBgkqhkiG9w0BAQUFADBbMQswCQYDVQQGEwJGUjEQMA4G A1UEChMHRWRlbFdlYjEYMBYGA1UECxMPU2VydmljZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVs UEtJIEVkZWxXZWIgUGVyc0dFTjAeFw0wNTAxMDYxMjI3MTlaFw0wNzAzMTcxMjI3MTlaMHAx CzAJBgNVBAYTAkZSMRAwDgYDVQQKDAdFZGVsV2ViMRgwFgYDVQQLDA9TZXJ2aWNlIEVkZWxQ S0kxNTAzBgNVBAMMLFBldGVyIFNZTFZFU1RFUiA8UGV0ZXIuU3lsdmVzdGVyQGVkZWx3ZWIu ZnI+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDn/izyem7Z1pUP/gpQDSzeGA/ZP4vo VaCxcPWyssTYTAl6csAql2IIcYNVb6funaMNOY1q5oSNtlguFpOK3atQElBIMsfSh0CTuvUq q2QDz1nHWOB96aU8G81+ZmC+iQOCAdG3qKWvMOzC0SzxKGbhTqDsjBvfYYk1Jk/Rb5TK0wID AQABo4IBLjCCASowYgYDVR0RBFswWYEaUGV0ZXIuU3lsdmVzdGVyQGVkZWx3ZWIuZnKkOzA5 MQswCQYDVQQGEwJGUjEQMA4GA1UECgwHRWRlbFdlYjEYMBYGA1UEAwwPUGV0ZXIgU1lMVkVT VEVSMA4GA1UdDwEB/wQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcDBAYIKwYBBQUHAwIwSgYD VR0fBEMwQTA/oD2gO4Y5aHR0cDovL2VkZWxwa2kuZWRlbHdlYi5mci9jcmwvRWRlbFBLSS1F ZGVsV2ViLVBlcnNHRU4uY3JsMB0GA1UdDgQWBBSSHP6djxj58tIi5VvjJbMZMXC/fDAfBgNV HSMEGDAWgBSe5Q/BFJVJHN1aXV6crs0Bby+UeTAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBBQUA A4IBfAANZYiEkyDqsT43U83wHLSYMGcEfmisT+WQrAAoHdlcIsnlHnufGnfmdpg5yvCQpl2U TI7/w3LdaItoWq5oMZitqdoPW8Z+jy2pkd/DqYG1MkpEyZ0PA37Zn5yigQXAk4Nox7Lgiom8 1WDNgPesNRX7PRNa+RkQcD8MasfbHcZ2ycs1SxUxiCy6BUzhgSB8cNb2t9LVWWynvWuK1Wa5 V2ZCd3PlbKsrbWH8pafpFWUQm0S2BfKUWLDG9cje5bL7p5EpV4a8gFpbD5dq+PPJglT0Dvs9 F0EcrfL2l3JxGIkZmW7sfiUoefB9hTS9m3/TGvXcne4RYpVpEHFV5TathMuHfKAti6PhSely LCqdPq/T9DHLJekBY0EA2yiVcKQnRZk7/pz0HImCPADOHSOWffJtc9b+Ak6HSDD1PlOSDfT+ udnrqwSAiuNN3hx1olPNxzVDu3jgiTSJFf2XJ1TnmGMT4pJmx7vkJkdE9sZvpiZwdVws37Nr LqhH5fMZMIIEcjCCAt+gAwIBAgIGCgzP6AA/MA0GCSqGSIb3DQEBBQUAMFsxCzAJBgNVBAYT AkZSMRAwDgYDVQQKEwdFZGVsV2ViMRgwFgYDVQQLEw9TZXJ2aWNlIEVkZWxQS0kxIDAeBgNV BAMTF0VkZWxQS0kgRWRlbFdlYiBQZXJzR0VOMB4XDTA1MDEwNjEyMjcxOVoXDTA3MDMxNzEy MjcxOVowcDELMAkGA1UEBhMCRlIxEDAOBgNVBAoMB0VkZWxXZWIxGDAWBgNVBAsMD1NlcnZp Y2UgRWRlbFBLSTE1MDMGA1UEAwwsUGV0ZXIgU1lMVkVTVEVSIDxQZXRlci5TeWx2ZXN0ZXJA ZWRlbHdlYi5mcj4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOf+LPJ6btnWlQ/+ClAN LN4YD9k/i+hVoLFw9bKyxNhMCXpywCqXYghxg1Vvp+6dow05jWrmhI22WC4Wk4rdq1ASUEgy x9KHQJO69SqrZAPPWcdY4H3ppTwbzX5mYL6JA4IB0beopa8w7MLRLPEoZuFOoOyMG99hiTUm T9FvlMrTAgMBAAGjggEuMIIBKjBiBgNVHREEWzBZgRpQZXRlci5TeWx2ZXN0ZXJAZWRlbHdl Yi5mcqQ7MDkxCzAJBgNVBAYTAkZSMRAwDgYDVQQKDAdFZGVsV2ViMRgwFgYDVQQDDA9QZXRl ciBTWUxWRVNURVIwDgYDVR0PAQH/BAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEF BQcDAjBKBgNVHR8EQzBBMD+gPaA7hjlodHRwOi8vZWRlbHBraS5lZGVsd2ViLmZyL2NybC9F ZGVsUEtJLUVkZWxXZWItUGVyc0dFTi5jcmwwHQYDVR0OBBYEFJIc/p2PGPny0iLlW+Mlsxkx cL98MB8GA1UdIwQYMBaAFJ7lD8EUlUkc3VpdXpyuzQFvL5R5MAkGA1UdEwQCMAAwDQYJKoZI hvcNAQEFBQADggF8AA1liISTIOqxPjdTzfActJgwZwR+aKxP5ZCsACgd2VwiyeUee58ad+Z2 mDnK8JCmXZRMjv/Dct1oi2harmgxmK2p2g9bxn6PLamR38OpgbUySkTJnQ8DftmfnKKBBcCT g2jHsuCKibzVYM2A96w1Ffs9E1r5GRBwPwxqx9sdxnbJyzVLFTGILLoFTOGBIHxw1va30tVZ bKe9a4rVZrlXZkJ3c+VsqyttYfylp+kVZRCbRLYF8pRYsMb1yN7lsvunkSlXhryAWlsPl2r4 88mCVPQO+z0XQRyt8vaXcnEYiRmZbux+JSh58H2FNL2bf9Ma9dyd7hFilWkQcVXlNq2Ey4d8 oC2Lo+FJ6XIsKp0+r9P0Mcsl6QFjQQDbKJVwpCdFmTv+nPQciYI8AM4dI5Z98m1z1v4CTodI MPU+U5IN9P652eurBICK403eHHWiU83HNUO7eOCJNIkV/ZcnVOeYYxPikmbHu+QmR0T2xm+m JnB1XCzfs2suqEfl8xkwggW0MIIDT6ADAgECAgYJ+oiVOzEwDQYJKoZIhvcNAQEFBQAwUjEL MAkGA1UEBhMCRlIxEDAOBgNVBAoTB0VkZWxXZWIxGDAWBgNVBAsTD1NlcnZpY2UgRWRlbFBL STEXMBUGA1UEAxMOUmFjaW5lIEVkZWxQS0kwHhcNMDQxMDA3MTU0MzMwWhcNMTEwODEyMTU0 MzMwWjBbMQswCQYDVQQGEwJGUjEQMA4GA1UEChMHRWRlbFdlYjEYMBYGA1UECxMPU2Vydmlj ZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVsUEtJIEVkZWxXZWIgUGVyc0dFTjCCAZwwDQYJKoZI hvcNAQEBBQADggGJADCCAYQCggF7FyeP4kRrFG9y51CeWmJIxBSMD2bcrJKIlnAPn6eH8V1M ORWTPivMNQYq32XcEi9xrxjyREvvnhABrVcW+1VLyLH8WgRY6n5A5JfuDjU6Aq0RzmjqTWDe 1+ecbgAtN8FYjVk35vdQbgfYzpGHPT0NuxiHi8NB8lNFi8rG0t2hP7WLwHLA+sIKFzA/CCRt qeGPvQkB1pRamU2IAActykfzJb6Qc50uRobWUBJtVjEBy/lgIXU0rMnQNHeCgbUvebvAT9Hd UGIPbEiX7dKHxL5/AxzHK/rA5siMzNPk8nSckDeLvpf8c/gqQRpPqufy4DazzXfZosKeJATH pyONnairmwfzMTi63PvNovrbTgzUiyH+g5zvcNoci9cke0RiLQc1pI38psgnVLtPPITgOZrS cV9zs4+sD7x7vjRco7a9H2ErfAU+8/Ui2OkR1X0z8DpyBHD/fcaDXTD+EiISL7aJHQcJRoNB CdCFgZeomsXULIYoFTa1hH//TN0z9wIDAQABo4G/MIG8MDoGA1UdHwQzMDEwL6AtoCuGKWh0 dHA6Ly9lZGVscGtpLmVkZWx3ZWIuZnIvY3JsL0VkZWxQS0kuY3JsMA8GA1UdEwQIMAYBAf8C AQAwDgYDVR0PAQH/BAQDAgEGMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEFBQcDAjAdBgNV HQ4EFgQUnuUPwRSVSRzdWl1enK7NAW8vlHkwHwYDVR0jBBgwFoAUqNkrj9SwZ7q9SVy8M/x3 UhG5Z50wDQYJKoZIhvcNAQEFBQADggJOAFZV+1m/H+Qud9iUQJnvZR8R/adID02c2B3aOUUy 4/4dxBb4UU1kW8DTUpD57Pjuocfvdg4AfQi7zgSQ8/NUGxNU4CPxtADZVrZtmrpKCjBh1tNz QbNbdP91KtP+Di0BpidqNwG00CC9j2EnBY88AsqKE28Rmw4eQ9/M/q/GbXsAfEsHV0IQjM7u US+usowZwm3Mwa5oF+6gmShSc/Wz8iIURxg4lTQto3AoBsiLJelq83I4XRQ0goXYGcM8xXYj PDioidvY5pSfT4qBR1Bx/vh+xD2evWyFbpuB99iuuewoELX8db7P74QEHhw6Bv1yxLYXGamq Uxo60WT/UCFjVSy3C/dLrraUZA4gh7Q5G+3/Fal62Qx+1rUEC2YbogEKggonklzUXA+sUbCf Ad5nZQ0eSszwKt8jmYoHfQ6rUMde0ZJD08n5HAot9hpl9R65j9fdPz9uTeANcRocftHfgM7Y rQyruWuFxgMUV80fD4RC9ej5KbLyO8jtgESjOCGXeJ95kXXP8vmW73xCYkJ9Pg7Op30o43l6 PV7vej3gdmSQISY+s+J3arz+bccljJCrKHBad3918/LjJ55sRtSb7mfQGti2UcxtJAa2NmUL d+BIv0MUuC6+k2yIIQKcLbDuuk8lLJmwWuYt1OLHEskZxOm7D7nRwe7ZNlTIZvR/VFWxlY18 k488tH9qcusIw8+7uXeHOZHyFUOHMINJZO9mq9HwGMC4v1xiPwoAJkzFtHf3D9VAholjhEFg d28aJSs6qN15PXDgDjptAl34eoUxggKuMIICqgIBATBlMFsxCzAJBgNVBAYTAkZSMRAwDgYD VQQKEwdFZGVsV2ViMRgwFgYDVQQLEw9TZXJ2aWNlIEVkZWxQS0kxIDAeBgNVBAMTF0VkZWxQ S0kgRWRlbFdlYiBQZXJzR0VOAgYKDM/oAD8wCQYFKw4DAhoFAKCCAZ8wGAYJKoZIhvcNAQkD MQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDUxMTA4MTkzODQ0WjAjBgkqhkiG9w0B CQQxFgQU7WgM/2+iIGWUS7f6MGIyFYos2LcwUgYJKoZIhvcNAQkPMUUwQzAKBggqhkiG9w0D BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwIC ASgwdAYJKwYBBAGCNxAEMWcwZTBbMQswCQYDVQQGEwJGUjEQMA4GA1UEChMHRWRlbFdlYjEY MBYGA1UECxMPU2VydmljZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVsUEtJIEVkZWxXZWIgUGVy c0dFTgIGCgzP6AA/MHYGCyqGSIb3DQEJEAILMWegZTBbMQswCQYDVQQGEwJGUjEQMA4GA1UE ChMHRWRlbFdlYjEYMBYGA1UECxMPU2VydmljZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVsUEtJ IEVkZWxXZWIgUGVyc0dFTgIGCgzP6AA/MA0GCSqGSIb3DQEBAQUABIGAoH/r4Ckyp06PXQIY s3K+niDo+kHlbzF8mm7iwogYKOqPzcQwt/8g5E5dMszuU1WITomrhcFpkbe1A0V1JQeXDaR0 qxiDDIwwsbp2iKJFLJMxsxgI7+uqlMRquKNVnsMSMTu5O2OZ+8RRZmpyg+uPG5eeeUZkIXye SvOvawCwBXwAAAAAAAA--------------ms090104030100020405010305-- Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA8JaM8G052468; Tue, 8 Nov 2005 11:36:22 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jA8JaMKe052467; Tue, 8 Nov 2005 11:36:22 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from anchor-post-30.mail.demon.net (anchor-post-30.mail.demon.net [194.217.242.88]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA8JaLan052460 for <ietf-pkix@imc.org>; Tue, 8 Nov 2005 11:36:21 -0800 (PST) (envelope-from shenson@drh-consultancy.demon.co.uk) Received: from drh-consultancy.demon.co.uk ([80.177.30.10] helo=[192.168.7.2]) by anchor-post-30.mail.demon.net with esmtp (Exim 4.42) id 1EZZGV-000IHu-31 for ietf-pkix@imc.org; Tue, 08 Nov 2005 19:36:20 +0000 Message-ID: <4370FE49.2030108@drh-consultancy.demon.co.uk> Date: Tue, 08 Nov 2005 19:36:41 +0000 From: Dr Stephen Henson <shenson@drh-consultancy.demon.co.uk> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040616 X-Accept-Language: en-us, en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: OCSP revision References: <200511081852.jA8IqJh8006705@host15.websitesource.com> In-Reply-To: <200511081852.jA8IqJh8006705@host15.websitesource.com> X-Enigmail-Version: 0.92.0.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Carl Wallace wrote: > At the meeting yesterday, OCSP revisions to address algorithm agility were > discussed. Since the doc is being revised, I suggest an extension or field > be added to enable clients to ask the responder to include the responder's > certificate in the response (similar to the certReq field in RFC3161). > Could other OCSP revisions be incorporated at the same time or just "algorithm agility"? Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.co.uk/ Email: shenson@drh-consultancy.co.uk, PGP key: via homepage. Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA8IqMNQ047852; Tue, 8 Nov 2005 10:52:22 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jA8IqMGR047851; Tue, 8 Nov 2005 10:52:22 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from host15.websitesource.com (host15.websitesource.com [209.239.32.38]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA8IqLIk047845 for <ietf-pkix@imc.org>; Tue, 8 Nov 2005 10:52:22 -0800 (PST) (envelope-from cwallace@orionsec.com) Received: from wcwallace (pp110-146.bctel.ca [209.52.110.146]) by host15.websitesource.com (8.12.10/8.12.10) with ESMTP id jA8IqJh8006705 for <ietf-pkix@imc.org>; Tue, 8 Nov 2005 13:52:20 -0500 Message-Id: <200511081852.jA8IqJh8006705@host15.websitesource.com> From: "Carl Wallace" <cwallace@orionsec.com> To: <ietf-pkix@imc.org> Subject: OCSP revision Date: Tue, 8 Nov 2005 13:52:20 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook, Build 11.0.6353 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 Thread-Index: AcXklYwiQ8sOu2HPT52Ro6Z8EtHhsA= Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> At the meeting yesterday, OCSP revisions to address algorithm agility were discussed. Since the doc is being revised, I suggest an extension or field be added to enable clients to ask the responder to include the responder's certificate in the response (similar to the certReq field in RFC3161). Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA7MF4Y2030009; Mon, 7 Nov 2005 14:15:05 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jA7MF4fQ030007; Mon, 7 Nov 2005 14:15:04 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from aragorn.bbn.com (aragorn.bbn.com [128.33.0.62]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA7MF4Td029864 for <ietf-pkix@imc.org>; Mon, 7 Nov 2005 14:15:04 -0800 (PST) (envelope-from kent@bbn.com) Received: from [209.52.105.172] (dommiel.bbn.com [192.1.122.15]) by aragorn.bbn.com (8.12.7/8.12.7) with ESMTP id jA7MCxIC000314 for <ietf-pkix@imc.org>; Mon, 7 Nov 2005 17:13:45 -0500 (EST) Mime-Version: 1.0 Message-Id: <p06230900bf95711e723c@[128.89.89.106]> Date: Mon, 7 Nov 2005 16:03:57 -0500 To: ietf-pkix@imc.org From: Stephen Kent <kent@bbn.com> Subject: draft minutes Content-Type: multipart/alternative; boundary="======_-1080720781=_ma======" X-Virus-Scanned: ClamAV version 0.83, clamav-milter version 0.83 on 128.33.1.41 X-Virus-Status: Clean Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> --======_-1080720781=_ma====== Content-Type: text/plain; charset="us-ascii" ; format="flowed" Please send me a message with any requested corrections before 11/28: Steve ----- PKIX WG Meeting 11/7/05 Edited by Steve Kent Chairs: Stephen Kent <kent@bbn.com> & Tim Polk <tim.polk@nist.gov> The PKIX WG met once during the 64th IETF. A total of approximately 45 individuals participated in the meeting. Document status - Tim Polk (NIST) Three RFCs just issued: 4158, 4210, and 4211. Three documents in the RFC editor's queue: CertStore HTTP, 3770bis, and CRL AIA. Two documents with the ADs: AC Policies & PKIX Repository Locator. Other documents: - SIM is undergoing revisions to address WG co-chair comments before being forwarded to the IESG. - The authors are being asked to create a matrix - A new version of 3280bis will be submitted after this meeting. - The WG chairs have requested a new version of the GOST algorithms to be posted, before initiating a last call (Slides) PKIX WG Document Presentations RFC 2797bis, CMC transport, and CMC Compliance - Jim Schaad (Soaring Hawk) Last call will be initiated for all three after this meeting. Updates include features to support SIM certificate requests. (Slides) SCVP rev 21- David Cooper (NIST) Text was added to clarify conformance requirements. WantBack items were made optional. New, optional items were added to allow an SCVP server to relay responses from other SCVP servers, and to label responses with an identity specified by a requestor, if the server has multiple identities. The reference to validation policies was tightened, so that only OIDs, not URIs, are accepted. Policy parameters, in addition to validation algorithm parameters, are now supported, but the optional validation policy attributes were removed, since no examples have been provided and the need for this facility was not well established. The one remaining problem here is how to make this protocol agile with regard to the hash algorithm employed for certificate references. Today SHA-1 is hardwired. Updating the spec to specify another hash function does not satisfy the new algorithm agility requirement. Steve Kent suggested that the hash function can be an aspect of the server's validation policy, to satisfy the agility requirement. Russ Housley suggested that the OID of the hash employed be explicitly returned, in case the server's policy changes over time (but the policy OID does not). A straw poll was conducted to get a sense of the room for the two alternatives described in the last slide in this presentation. The first alternative received 12 votes, vs. 0 for the second. (Slides) SHA-1 Collisions & OCSP - Russ Housley (Vigil Security) Based on the recent NIST hash workshop, Russ suggests that we begin making plans to move away from SHA-1, with a 2010 target for transition. NIST will begin work on a successor to SHA-256, but a new algorithm may be 5 years away. The only good alternative now is SHA-256. From an algorithm agility perspective, OCSP request/response exchange needs to provide a way for the requestor to know which algorithms the responder (server) supports. This could be supported by adding a new protocol to negotiate the hash algorithm prior to entering into the OCSP exchange. Alternatively, the responder's certificate could have an extension that specified supported hash algorithms. This also might be addressed via configuration at the requestor, although this is problematic given the intent of changing the algorithm twice over the next 10 years. Russ suggests a request extension that allows the requestor to specify which hash functions (and signature algorithms) it supports. There is still a need to select one of the three approaches cited above, to allow a requestor to determine which algorithms are supported by the responder. Russ suggests that the WG find volunteers to update OCSP, and to examine other PKIX protocols to determine whether they exhibit similar problems and, if so, how to fix them. Stephen Farrell asks whether there may be a way to solve this problem more generically, rather than engineering a solution for each protocol in PKIX, and in other WGs. (Slides) SHA-2 Support in PKIX - Tim Polk (NIST) We currently specify how to use SHA-2 (SHA-256 & SHA-512) for RSA (RFC 4055), but not for DSA or EC-DSA. Tim suggests that two new drafts be generated, one for DSA and one for ECDSA, because the two algorithms are at different stages of NIST publication. NIST has volunteered to write these two drafts, but additional co-editors are welcome. (Slides) Service Names as Subject Alt Names - Stefan Santesson (Microsoft) The draft has been revised since its initial version. It no longer is bound as tightly to the DNS SRV record example. The assumption here is that the user (host) knows the service name and domain name and determines whether the server to which it connects is appropriate, based on the server's certificate. Steve Kent suggests that we need to revisit the security implications of use of this facility, given the revised definition of the use model. Stefan suggests that use of name constraints for this extension may be appropriate. Since the string comparison is against the locally configured service name, not the DNS SRV string, UTF8 seems to be the right encoding choice. (Slides) Related Specifications & Liaison Presentations Carl Wallace (Orion Security) - LTANS WG status LTANS is meeting the same day (in the same room) at this IETF. Carl requests review by PKIX WG members of the evidence record I-D and an archive protocol I-D from LTANS. Note potential relationships between SCVP and LTNANS work. (no slides) --======_-1080720781=_ma====== Content-Type: text/html; charset="us-ascii" <!doctype html public "-//W3C//DTD W3 HTML//EN"> <html><head><style type="text/css"><!-- blockquote, dl, ul, ol, li { padding-top: 0 ; padding-bottom: 0 } --></style><title>draft minutes</title></head><body> <div>Please send me a message with any requested corrections before 11/28:</div> <div><br></div> <div>Steve</div> <div>-----</div> <div><br></div> <div><font face="Times New Roman" size="+1" color="#000000"><br> </font><font color="#000000">PKIX WG Meeting 11/7/05<br> <br> Edited by Steve Kent<br> <br> Chairs: Stephen Kent <kent@bbn.com> & Tim Polk <tim.polk@nist.gov><br> <br> The PKIX WG met once during the 64th IETF. A total of approximately 45 individuals participated in the meeting.<br> <br> <br> Document status - Tim Polk (NIST)<br> Three RFCs just issued: 4158, 4210, and 4211.<br> Three documents in the RFC editor's queue: CertStore HTTP, 3770bis, and CRL AIA.<br> Two documents with the ADs: AC Policies & PKIX Repository Locator.<br> Other documents:<br> -<font face="Arial"><x-tab> </x-tab></font>SIM is undergoing revisions to address WG co-chair comments before being forwarded to the IESG.<br> -<font face="Arial"><x-tab> </x-tab></font>The authors are being asked to create a matrix<br> -<font face="Arial"><x-tab> </x-tab></font>A new version of 3280bis will be submitted after this meeting.<br> -<font face="Arial"><x-tab> </x-tab></font>The WG chairs have requested a new version of the GOST algorithms to be posted, before initiating a last call<br> (Slides)<br> <br> <br> PKIX WG Document Presentations<br> <br> <br> RFC 2797bis, CMC transport, and CMC Compliance - Jim Schaad (Soaring Hawk)<br> Last call will be initiated for all three after this meeting. Updates include features to support SIM certificate requests. (Slides)<br> <br> <br> SCVP rev 21- David Cooper (NIST)<br> <x-tab> </x-tab>Text was added to clarify conformance requirements. WantBack items were made optional. New, optional items were added to allow an SCVP server to relay responses from other SCVP servers, and to label responses with an identity specified by a requestor, if the server has multiple identities. The reference to validation policies was tightened, so that only OIDs, not URIs, are accepted. Policy parameters, in addition to validation algorithm parameters, are now supported, but the optional validation policy attributes were removed, since no examples have been provided and the need for this facility was not well established.<br> <br> The one remaining problem here is how to make this protocol agile with regard to the hash algorithm employed for certificate references. Today SHA-1 is hardwired. Updating the spec to specify another hash function does not satisfy the new algorithm agility requirement. Steve Kent suggested that the hash function can be an aspect of the server's validation policy, to satisfy the agility requirement. Russ Housley suggested that the OID of the hash employed be explicitly returned, in case the server's policy changes over time (but the policy OID does not). A straw poll was conducted to get a sense of the room for the two alternatives described in the last slide in this presentation. The first alternative received 12 votes, vs. 0 for the second. (Slides)<br> <br> <br> SHA-1 Collisions & OCSP - Russ Housley (Vigil Security)<br> <x-tab> </x-tab> Based on the recent NIST hash workshop, Russ suggests that we begin making plans to move away from SHA-1, with a 2010 target for transition. NIST will begin work on a successor to SHA-256, but a new algorithm may be 5 years away. The only good alternative now is SHA-256.<br> <br> <x-tab> </x-tab>From an algorithm agility perspective, OCSP request/response exchange needs to provide a way for the requestor to know which algorithms the responder (server) supports. This could be supported by adding a new protocol to negotiate the hash algorithm prior to entering into the OCSP exchange. Alternatively, the responder's certificate could have an extension that specified supported hash algorithms. This also might be addressed via configuration at the requestor, although this is problematic given the intent of changing the algorithm twice over the next 10 years. Russ suggests a request extension that allows the requestor to specify which hash functions (and signature algorithms) it supports. There is still a need to select one of the three approaches cited above, to allow a requestor to determine which algorithms are supported by the responder.<br> <br> <x-tab> </x-tab>Russ suggests that the WG find volunteers to update OCSP, and to examine other PKIX protocols to determine whether they exhibit similar problems and, if so, how to fix them. Stephen Farrell asks whether there may be a way to solve this problem more generically, rather than engineering a solution for each protocol in PKIX, and in other WGs. (Slides)</font></div> <div><font color="#000000"><br> <br> SHA-2 Support in PKIX - Tim Polk (NIST)<br> We currently specify how to use SHA-2 (SHA-256 & SHA-512) for RSA (RFC 4055), but not for DSA or EC-DSA. Tim suggests that two new drafts be generated, one for DSA and one for ECDSA, because the two algorithms are at different stages of NIST publication. NIST has volunteered to write these two drafts, but additional co-editors are welcome. (Slides)<br> <br> <br> Service Names as Subject Alt Names - Stefan Santesson (Microsoft)<br> The draft has been revised since its initial version. It no longer is bound as tightly to the DNS SRV record example. The assumption here is that the user (host) knows the service name and domain name and determines whether the server to which it connects is appropriate, based on the server's certificate. Steve Kent suggests that we need to revisit the security implications of use of this facility, given the revised definition of the use model. Stefan suggests that use of name constraints for this extension may be appropriate. Since the string comparison is against the locally configured service name, not the DNS SRV string, UTF8 seems to be the right encoding choice. (Slides)<br> <br> <br> Related Specifications & Liaison Presentations<br> <br> Carl Wallace (Orion Security) - LTANS WG status<br> <x-tab> </x-tab>LTANS is meeting the same day (in the same room) at this IETF. Carl requests review by PKIX WG members of the evidence record I-D and an archive protocol I-D from LTANS. Note potential relationships between SCVP and LTNANS work. (no slides)</font></div> </body> </html> --======_-1080720781=_ma======-- Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA7LRErX020755; Mon, 7 Nov 2005 13:27:14 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jA7LRE4j020754; Mon, 7 Nov 2005 13:27:14 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from aragorn.bbn.com (aragorn.bbn.com [128.33.0.62]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA7LRDwf020731 for <ietf-pkix@imc.org>; Mon, 7 Nov 2005 13:27:13 -0800 (PST) (envelope-from kent@bbn.com) Received: from [209.52.105.172] (dommiel.bbn.com [192.1.122.15]) by aragorn.bbn.com (8.12.7/8.12.7) with ESMTP id jA7LPVIC027759 for <ietf-pkix@imc.org>; Mon, 7 Nov 2005 16:26:03 -0500 (EST) Mime-Version: 1.0 Message-Id: <p06230900bf95711e723c@[128.89.89.106]> Date: Mon, 7 Nov 2005 16:03:57 -0500 To: ietf-pkix@imc.org From: Stephen Kent <kent@bbn.com> Subject: draft minutes Content-Type: multipart/alternative; boundary="======_-1080723712=_ma======" X-Virus-Scanned: ClamAV version 0.83, clamav-milter version 0.83 on 128.33.1.41 X-Virus-Status: Clean Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> --======_-1080723712=_ma====== Content-Type: text/plain; charset="us-ascii" ; format="flowed" Please send me a message with any requested corrections before 11/28: Steve ----- PKIX WG Meeting 11/7/05 Edited by Steve Kent Chairs: Stephen Kent <kent@bbn.com> & Tim Polk <tim.polk@nist.gov> The PKIX WG met once during the 64th IETF. A total of approximately 45 individuals participated in the meeting. Document status - Tim Polk (NIST) Three RFCs just issued: 4158, 4210, and 4211. Three documents in the RFC editor's queue: CertStore HTTP, 3770bis, and CRL AIA. Two documents with the ADs: AC Policies & PKIX Repository Locator. Other documents: - SIM is undergoing revisions to address WG co-chair comments before being forwarded to the IESG. - The authors are being asked to create a matrix - A new version of 3280bis will be submitted after this meeting. - The WG chairs have requested a new version of the GOST algorithms to be posted, before initiating a last call (Slides) PKIX WG Document Presentations RFC 2797bis, CMC transport, and CMC Compliance - Jim Schaad (Soaring Hawk) Last call will be initiated for all three after this meeting. Updates include features to support SIM certificate requests. (Slides) SCVP rev 21- David Cooper (NIST) Text was added to clarify conformance requirements. WantBack items were made optional. New, optional items were added to allow an SCVP server to relay responses from other SCVP servers, and to label responses with an identity specified by a requestor, if the server has multiple identities. The reference to validation policies was tightened, so that only OIDs, not URIs, are accepted. Policy parameters, in addition to validation algorithm parameters, are now supported, but the optional validation policy attributes were removed, since no examples have been provided and the need for this facility was not well established. The one remaining problem here is how to make this protocol agile with regard to the hash algorithm employed for certificate references. Today SHA-1 is hardwired. Updating the spec to specify another hash function does not satisfy the new algorithm agility requirement. Steve Kent suggested that the hash function can be an aspect of the server's validation policy, to satisfy the agility requirement. Russ Housley suggested that the OID of the hash employed be explicitly returned, in case the server's policy changes over time (but the policy OID does not). A straw poll was conducted to get a sense of the room for the two alternatives described in the last slide in this presentation. The first alternative received 12 votes, vs. 0 for the second. (Slides) SHA-1 Collisions & OCSP - Russ Housley (Vigil Security) Based on the recent NIST hash workshop, Russ suggests that we begin making plans to move away from SHA-1, with a 2010 target for transition. NIST will begin work on a successor to SHA-256, but a new algorithm may be 5 years away. The only good alternative now is SHA-256. From an algorithm agility perspective, OCSP request/response exchange needs to provide a way for the requestor to know which algorithms the responder (server) supports. This could be supported by adding a new protocol to negotiate the hash algorithm prior to entering into the OCSP exchange. Alternatively, the responder's certificate could have an extension that specified supported hash algorithms. This also might be addressed via configuration at the requestor, although this is problematic given the intent of changing the algorithm twice over the next 10 years. Russ suggests a request extension that allows the requestor to specify which hash functions (and signature algorithms) it supports. There is still a need to select one of the three approaches cited above, to allow a requestor to determine which algorithms are supported by the responder. Russ suggests that the WG find volunteers to update OCSP, and to examine other PKIX protocols to determine whether they exhibit similar problems and, if so, how to fix them. Stephen Farrell asks whether there may be a way to solve this problem more generically, rather than engineering a solution for each protocol in PKIX, and in other WGs. (Slides) SHA-2 Support in PKIX - Tim Polk (NIST) We currently specify how to use SHA-2 (SHA-256 & SHA-512) for RSA (RFC 4055), but not for DSA or EC-DSA. Tim suggests that two new drafts be generated, one for DSA and one for ECDSA, because the two algorithms are at different stages of NIST publication. NIST has volunteered to write these two drafts, but additional co-editors are welcome. (Slides) Service Names as Subject Alt Names - Stefan Santesson (Microsoft) The draft has been revised since its initial version. It no longer is bound as tightly to the DNS SRV record example. The assumption here is that the user (host) knows the service name and domain name and determines whether the server to which it connects is appropriate, based on the server's certificate. Steve Kent suggests that we need to revisit the security implications of use of this facility, given the revised definition of the use model. Stefan suggests that use of name constraints for this extension may be appropriate. Since the string comparison is against the locally configured service name, not the DNS SRV string, UTF8 seems to be the right encoding choice. (Slides) Related Specifications & Liaison Presentations Carl Wallace (Orion Security) - LTANS WG status LTANS is meeting the same day (in the same room) at this IETF. Carl requests review by PKIX WG members of the evidence record I-D and an archive protocol I-D from LTANS. Note potential relationships between SCVP and LTNANS work. (no slides) --======_-1080723712=_ma====== Content-Type: text/html; charset="us-ascii" <!doctype html public "-//W3C//DTD W3 HTML//EN"> <html><head><style type="text/css"><!-- blockquote, dl, ul, ol, li { padding-top: 0 ; padding-bottom: 0 } --></style><title>draft minutes</title></head><body> <div>Please send me a message with any requested corrections before 11/28:</div> <div><br></div> <div>Steve</div> <div>-----</div> <div><br></div> <div><font face="Times New Roman" size="+1" color="#000000"><br> </font><font color="#000000">PKIX WG Meeting 11/7/05<br> <br> Edited by Steve Kent<br> <br> Chairs: Stephen Kent <kent@bbn.com> & Tim Polk <tim.polk@nist.gov><br> <br> The PKIX WG met once during the 64th IETF. A total of approximately 45 individuals participated in the meeting.<br> <br> <br> Document status - Tim Polk (NIST)<br> Three RFCs just issued: 4158, 4210, and 4211.<br> Three documents in the RFC editor's queue: CertStore HTTP, 3770bis, and CRL AIA.<br> Two documents with the ADs: AC Policies & PKIX Repository Locator.<br> Other documents:<br> -<font face="Arial"><x-tab> </x-tab></font>SIM is undergoing revisions to address WG co-chair comments before being forwarded to the IESG.<br> -<font face="Arial"><x-tab> </x-tab></font>The authors are being asked to create a matrix<br> -<font face="Arial"><x-tab> </x-tab></font>A new version of 3280bis will be submitted after this meeting.<br> -<font face="Arial"><x-tab> </x-tab></font>The WG chairs have requested a new version of the GOST algorithms to be posted, before initiating a last call<br> (Slides)<br> <br> <br> PKIX WG Document Presentations<br> <br> <br> RFC 2797bis, CMC transport, and CMC Compliance - Jim Schaad (Soaring Hawk)<br> Last call will be initiated for all three after this meeting. Updates include features to support SIM certificate requests. (Slides)<br> <br> <br> SCVP rev 21- David Cooper (NIST)<br> <x-tab> </x-tab>Text was added to clarify conformance requirements. WantBack items were made optional. New, optional items were added to allow an SCVP server to relay responses from other SCVP servers, and to label responses with an identity specified by a requestor, if the server has multiple identities. The reference to validation policies was tightened, so that only OIDs, not URIs, are accepted. Policy parameters, in addition to validation algorithm parameters, are now supported, but the optional validation policy attributes were removed, since no examples have been provided and the need for this facility was not well established.<br> <br> The one remaining problem here is how to make this protocol agile with regard to the hash algorithm employed for certificate references. Today SHA-1 is hardwired. Updating the spec to specify another hash function does not satisfy the new algorithm agility requirement. Steve Kent suggested that the hash function can be an aspect of the server's validation policy, to satisfy the agility requirement. Russ Housley suggested that the OID of the hash employed be explicitly returned, in case the server's policy changes over time (but the policy OID does not). A straw poll was conducted to get a sense of the room for the two alternatives described in the last slide in this presentation. The first alternative received 12 votes, vs. 0 for the second. (Slides)<br> <br> <br> SHA-1 Collisions & OCSP - Russ Housley (Vigil Security)<br> <x-tab> </x-tab> Based on the recent NIST hash workshop, Russ suggests that we begin making plans to move away from SHA-1, with a 2010 target for transition. NIST will begin work on a successor to SHA-256, but a new algorithm may be 5 years away. The only good alternative now is SHA-256.<br> <br> <x-tab> </x-tab>From an algorithm agility perspective, OCSP request/response exchange needs to provide a way for the requestor to know which algorithms the responder (server) supports. This could be supported by adding a new protocol to negotiate the hash algorithm prior to entering into the OCSP exchange. Alternatively, the responder's certificate could have an extension that specified supported hash algorithms. This also might be addressed via configuration at the requestor, although this is problematic given the intent of changing the algorithm twice over the next 10 years. Russ suggests a request extension that allows the requestor to specify which hash functions (and signature algorithms) it supports. There is still a need to select one of the three approaches cited above, to allow a requestor to determine which algorithms are supported by the responder.<br> <br> <x-tab> </x-tab>Russ suggests that the WG find volunteers to update OCSP, and to examine other PKIX protocols to determine whether they exhibit similar problems and, if so, how to fix them. Stephen Farrell asks whether there may be a way to solve this problem more generically, rather than engineering a solution for each protocol in PKIX, and in other WGs. (Slides)</font></div> <div><font color="#000000"><br> <br> SHA-2 Support in PKIX - Tim Polk (NIST)<br> We currently specify how to use SHA-2 (SHA-256 & SHA-512) for RSA (RFC 4055), but not for DSA or EC-DSA. Tim suggests that two new drafts be generated, one for DSA and one for ECDSA, because the two algorithms are at different stages of NIST publication. NIST has volunteered to write these two drafts, but additional co-editors are welcome. (Slides)<br> <br> <br> Service Names as Subject Alt Names - Stefan Santesson (Microsoft)<br> The draft has been revised since its initial version. It no longer is bound as tightly to the DNS SRV record example. The assumption here is that the user (host) knows the service name and domain name and determines whether the server to which it connects is appropriate, based on the server's certificate. Steve Kent suggests that we need to revisit the security implications of use of this facility, given the revised definition of the use model. Stefan suggests that use of name constraints for this extension may be appropriate. Since the string comparison is against the locally configured service name, not the DNS SRV string, UTF8 seems to be the right encoding choice. (Slides)<br> <br> <br> Related Specifications & Liaison Presentations<br> <br> Carl Wallace (Orion Security) - LTANS WG status<br> <x-tab> </x-tab>LTANS is meeting the same day (in the same room) at this IETF. Carl requests review by PKIX WG members of the evidence record I-D and an archive protocol I-D from LTANS. Note potential relationships between SCVP and LTNANS work. (no slides)</font></div> </body> </html> --======_-1080723712=_ma======-- Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA6NUiPk098220; Sun, 6 Nov 2005 15:30:44 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jA6NUia6098219; Sun, 6 Nov 2005 15:30:44 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from woodstock.binhost.com (woodstock.binhost.com [144.202.243.4]) by above.proper.com (8.12.11/8.12.9) with SMTP id jA6NUhc2098212 for <ietf-pkix@imc.org>; Sun, 6 Nov 2005 15:30:43 -0800 (PST) (envelope-from housley@vigilsec.com) Received: (qmail 24131 invoked by uid 0); 6 Nov 2005 23:30:35 -0000 Received: from unknown (HELO Russ-Laptop.vigilsec.com) (209.52.108.226) by woodstock.binhost.com with SMTP; 6 Nov 2005 23:30:35 -0000 Message-Id: <7.0.0.10.2.20051106182904.0368ae60@vigilsec.com> X-Mailer: QUALCOMM Windows Eudora Version 7.0.0.10 (Beta) Date: Sun, 06 Nov 2005 18:30:32 -0500 To: Terry Hayes <tdchayes@gmail.com>, ietf-pkix@imc.org From: Russ Housley <housley@vigilsec.com> Subject: RE: Public key validation and Proof of possession In-Reply-To: <4701d76c0510271418p28eb9362l8cfcdeba1182a6fc@mail.gmail.co m> References: <BF9309599A71984CAC5BAC5ECA62994403653217@EUR-MSG-11.europe.corp.microsoft.com> <4701d76c0510271416i3e73cf63i74696df0009477cb@mail.gmail.com> <4701d76c0510271418p28eb9362l8cfcdeba1182a6fc@mail.gmail.com> Mime-Version: 1.0 Content-Type: text/html; charset="us-ascii" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> <html> <body> RFC 3280 says:<br><br> To promote interoperability, this profile RECOMMENDS that policy<br> information terms consist of only an OID. Where an OID alone is<br> insufficient, this profile strongly recommends that use of qualifiers<br> be limited to those identified in this section. When qualifiers are<br> used with the special policy anyPolicy, they MUST be limited to the<br> qualifiers identified in this section.<br><br> Russ<br><br> At 04:18 PM 10/27/2005, Terry Hayes wrote:<br> <blockquote type=cite class=cite cite="">What's wrong with defining a new policy qualifier?<br> <br> id-qt-ietf-pkix-key-validation-performed<br> id-qt-ietf-pkix-proof-of-posession-performed (owner-posession-of-key-assured?)<br> <br> These would generally be asserted only in the end-entity certificates.<br> <br> Terry Hayes<br><br> <br> On 10/27/05, <b>Stefan Santesson</b> <<a href="mailto:stefans@microsoft.com">stefans@microsoft.com </a>> wrote: <br> <dl><br> <dd>It is not a proposal.<br> <dd>I just wanted to add it to the picture.<br><br> <dd>I'm just generally worried about adding new extensions for every <br> <dd>specific certificate policy aspect that can be argued to be useful to<br> <dd>have explicitly encoded.<br><br> <dd>If we go that path, we may need to consider a common framework for it.<br> <dd>qcStatement is one, suitable or not.<br><br> <br> <dd>Stefan Santesson<br> <dd>Program Manager, Standards Liaison<br> <dd>Windows Security<br><br> </dl></blockquote></body> </html> Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA6NLHD5097332; Sun, 6 Nov 2005 15:21:17 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jA6NLGln097331; Sun, 6 Nov 2005 15:21:16 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from eagle.unknowndns.net (IDENT:U2FsdGVkX19kxnavTMOEWCPLDqz/DlkDDleMwJKwXSA@eagle.unknowndns.net [221.133.206.175]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA6NLEur097318 for <ietf-pkix@imc.org>; Sun, 6 Nov 2005 15:21:15 -0800 (PST) (envelope-from steven.legg@eb2bcom.com) Received: from cust3103.vic01.dataco.com.au ([202.63.62.31] helo=[192.168.1.156]) by eagle.unknowndns.net with esmtpa (Exim 4.52) id 1EYtod-0002J8-NO; Mon, 07 Nov 2005 09:20:48 +1000 Message-ID: <436E8FCE.7060101@eb2bcom.com> Date: Mon, 07 Nov 2005 10:20:46 +1100 From: Steven Legg <steven.legg@eb2bcom.com> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.6) Gecko/20050319 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Tom Yu <tlyu@MIT.EDU> CC: Peter Sylvester <Peter.Sylvester@edelweb.fr>, =?ISO-8859-1?Q?Love_H?= =?ISO-8859-1?Q?örnquist_Åstrand?= <lha@kth.se>, Tom Gindin <tgindin@us.ibm.com>, Sam Hartman <hartmans-ietf@MIT.EDU>, ietf-pkix@imc.org, jhutz@cmu.edu, ietf-krb-wg@anl.gov Subject: Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for Initial Authentication in Kerberos References: <OF4418E07D.316DA9AC-ON852570A8.0071203C-852570AC.004AB30B@us.ibm.com> <4367B0BC.6090601@edelweb.fr> <m2ek5yrflj.fsf@c80-217-232-48.cm-upc.chello.se> <43694DC7.2090308@eb2bcom.com> <4369DA6D.7030300@edelweb.fr> <ldvhdaqiacd.fsf@cathode-dark-space.mit.edu> In-Reply-To: <ldvhdaqiacd.fsf@cathode-dark-space.mit.edu> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - eagle.unknowndns.net X-AntiAbuse: Original Domain - imc.org X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - eb2bcom.com X-Source: X-Source-Args: X-Source-Dir: Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Tom, Tom Yu wrote: >>>>>>"Peter" = Peter Sylvester <Peter.Sylvester@edelweb.fr> writes: > > > Peter> Steven Legg wrote: > > >>>Love, et al, >>> >>>Love Hörnquist Åstrand wrote: >>> >>> >>>>Lets take another example: >>>> >>>>PA-PK-AS-REQ ::= SEQUENCE { >>>>signedAuthPack [0] IMPLICIT OCTET STRING, >>>>-- Contains a CMS type ContentInfo encoded >>>>-- according to [RFC3852]. >>>>-- The contentType field of the type ContentInfo >>>>-- is id-signedData (1.2.840.113549.1.7.2), >>>>-- and the content field is a SignedData. >>>> >>>>With you syntax this should be >>>> >>>>signedAuthPack IMPLICIT OCTET STRING OPTIONAL CONTAINING ContentInfo >>>> >>>>Now, ContentInfo in a CMS type, and is allowed to be encoded in BER. >>>>Kerberos datatypes uses DER. >>>> >>>>How is that expressed in a formal way ? >>> >>> >>>signedAuthPack IMPLICIT OCTET STRING > > > "IMPLICIT" only goes after a tag, so the above should contain something > like "[0] IMPLICIT" Quite right. I was focussed on the constraint and didn't notice the tag had been dropped. or drop the IMPLICIT completely. Dropping the > context-specific tag would cause a change in wire encoding from > pkinit-29. > > >>>(CONTAINING ContentInfo >>>ENCODED BY {joint-iso-itu-t asn(1) ber-derived(2) >>>distinguished-encoding(1)}) >>>OPTIONAL >>> >>>The OID after the "ENCODED BY" is the OID that identifies DER. > > > Except here, we are using a CMS message, which is permitted to be > encoded in BER, and pkinit requires DER, so you really want something > like > > PA-PK-AS-REQ ::= SEQUENCE { > signedAuthPack [0] IMPLICIT OCTET STRING > (CONTAINING ContentInfo ENCODED BY { > joint-iso-itu-t asn1 (1) basic-encoding (1) > }) > } I'm not an expert on this but it would seem that as far as pkinit is concerned, the encoding of a ContentInfo value contained in the signedAuthPack component of a PA-PK-AS-REQ value is always a DER encoding. It doesn't matter what encoding rules CMS uses to encode values of ContentInfo, and the constraint has no effect whatsoever on encodings of ContentInfo values outside the signedAuthPack component. > > You'll need to normatively reference X.682, because the "CONTAINING" > constraint isn't in X.680. Yes. > > >>>>Just saying IMPORT and CONTANING and expect the right thing to >>>>happen when >>>>given to a compiler seems very naive. >>> >>> >>>There's a better chance that the compiler can do something useful than if >>>the requirements are expressed informally as a comment. >>> >>>Regards, >>>Steven >>> >>> >>>>Love >>>> > > > What one can expect from the compiler depends on what sort of compiler > one is using. The open-source ASN.1 toolkits with acceptable license > conditions often omit much of the functionality of the full ASN.1 > standard. And they always will if ASN.1 specifications always pander to the lowest common denominator. Contents constraints are a nudge in the right direction. Regards, Steven > > ---Tom > > > > Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA6K92Pt068073; Sun, 6 Nov 2005 12:09:02 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jA6K92lA068072; Sun, 6 Nov 2005 12:09:02 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from p-mail1.rd.francetelecom.com (p-mail1.rd.francetelecom.com [195.101.245.15]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA6K8v0X068048 for <ietf-pkix@imc.org>; Sun, 6 Nov 2005 12:09:00 -0800 (PST) (envelope-from olivier.dubuisson@francetelecom.com) Received: from ftrdmel10.rd.francetelecom.fr ([10.193.117.156]) by ftrdsmtp1.rd.francetelecom.fr with Microsoft SMTPSVC(6.0.3790.211); Sun, 6 Nov 2005 21:08:50 +0100 Received: from [10.193.106.41] ([10.193.106.41]) by ftrdmel10.rd.francetelecom.fr with Microsoft SMTPSVC(6.0.3790.211); Sun, 6 Nov 2005 21:08:50 +0100 Message-ID: <436E62D1.5010103@francetelecom.com> Date: Sun, 06 Nov 2005 21:08:49 +0100 From: Olivier Dubuisson <Olivier.Dubuisson@francetelecom.com> Organization: France Telecom - Research & Development User-Agent: Mozilla Thunderbird 1.0.7 (Windows/20050923) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Peter Sylvester <Peter.Sylvester@edelweb.fr> CC: ietf-pkix@imc.org, ietf-krb-wg@anl.gov Subject: Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for InitialAuthentication in Kerberos References: <OF4418E07D.316DA9AC-ON852570A8.0071203C-852570AC.004AB30B@us.ib m.com> <436A1A6A.3020802@francetelecom.com> <7.0.0.10.2.20051103105023.05ad1e58@vigilsec.com> <436E1DC1.5080403@edelweb.fr> In-Reply-To: <436E1DC1.5080403@edelweb.fr> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-OriginalArrivalTime: 06 Nov 2005 20:08:50.0510 (UTC) FILETIME=[E754C6E0:01C5E30D] Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Peter Sylvester wrote: > > The message was not necessarily to promote AUTOMATIC, but a question > why there is a different tagging regime involved which is not totally > respected > because OCTET STRINGS are IMPLICIT tagged when the contain other > syntaxes. What do you mean here? Which clause of the ASN.1 standard states that "OCTET STRINGS are IMPLICIT tagged when the contain other syntaxes". Also, what does "contain other syntaxes" mean? Do you mean "contain the encoding of an ASN.1 value"? -- Olivier DUBUISSON France Telecom Recherche & Developpement R&D/MAPS/AMS - 22307 Lannion Cedex - France t: +33 2 96 05 38 50 - f: +33 2 96 05 39 45 - http://asn1.elibel.tm.fr/ Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA6FJSbn017544; Sun, 6 Nov 2005 07:19:28 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jA6FJShU017543; Sun, 6 Nov 2005 07:19:28 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from edelweb.fr (edelweb.fr [212.234.46.16]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA6FJRPC017536 for <ietf-pkix@imc.org>; Sun, 6 Nov 2005 07:19:28 -0800 (PST) (envelope-from Peter.Sylvester@edelweb.fr) Received: from champagne.edelweb.fr (localhost [127.0.0.1]) by edelweb.fr (8.11.7p1+Sun/8.11.7) with ESMTP id jA6FEIi09203; Sun, 6 Nov 2005 16:14:18 +0100 (MET) Received: from champagne.edelweb.fr (champagne.edelweb.fr [193.51.14.161]) by edelweb.fr (nospam/2.4); Sun, 6 Nov 2005 16:14:18 +0100 (MET) Received: from [193.51.14.5] (emeriau.edelweb.fr [193.51.14.5]) by champagne.edelweb.fr (8.7.6/8.6.6) with ESMTP id QAA12824; Sun, 6 Nov 2005 16:14:17 +0100 (MET) Message-ID: <436E1DC9.9090602@edelweb.fr> Date: Sun, 06 Nov 2005 16:14:17 +0100 From: Peter Sylvester <Peter.Sylvester@edelweb.fr> User-Agent: Mozilla Thunderbird 1.0.2 (X11/20050317) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Steven Legg <steven.legg@eb2bcom.com> CC: ietf-pkix@imc.org, Olivier Dubuisson <Olivier.Dubuisson@francetelecom.com>, Tom Gindin <tgindin@us.ibm.com>, Sam Hartman <hartmans-ietf@mit.edu>, jhutz@cmu.edu, ietf-krb-wg@anl.gov Subject: Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for InitialAuthentication in Kerberos References: <OF4418E07D.316DA9AC-ON852570A8.0071203C-852570AC.004AB30B@us.ib m.com> <4367B0BC.6090601@edelweb.fr> <436A23DD.8010306@francetelecom.com> <436A9574.9000207@eb2bcom.com> In-Reply-To: <436A9574.9000207@eb2bcom.com> Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms010906020804060804020307" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This is a cryptographically signed message in MIME format. --------------ms010906020804060804020307 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit BTW: Since SNACC is mentioned. There is one application thta uses SNACC, and in order to decode soem data encapsulated in an OCTET STRING the author has changed the syntax to something like [UNIVERSAL 4] IMPLICIT SEQUENCE {data TheType} and then changed in the generated code the generation/parsing of the constructed bit by hand. If the syntax would not have the addition OCTET STRING encapsulation such a hack wouldn't be necessary. Steven Legg wrote: > > Olivier Dubuisson wrote: > >> The right syntax is: >> subjectName [0] IMPLICIT OCTET STRING(CONTAINING Name) OPTIONAL >> >> It would be even better to add an "ENCODED BY oid" after "CONTAINING >> Name" with 'oid' being the OID of the binary encoding rules used to >> encode 'Name'. >> >> But I can already hear some people saying: This is not supported by >> Snacc :( > > > Since the constraint does not change the bits on the wire for BER the > simple retort is: "If your ASN.1 compiler does not support > CONTAINING constraints then comment them out". The hardship caused to > users of dumber ASN.1 toolkits is negligible in a case like this. > > Regards, > Steven > > -- To verify the signature, see http://edelpki.edelweb.fr/ Cela vous permet de charger le certificat de l'autorité; die Liste mit zurückgerufenen Zertifikaten finden Sie da auch. --------------ms010906020804060804020307 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIOpDCC BHIwggLfoAMCAQICBgoMz+gAPzANBgkqhkiG9w0BAQUFADBbMQswCQYDVQQGEwJGUjEQMA4G A1UEChMHRWRlbFdlYjEYMBYGA1UECxMPU2VydmljZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVs UEtJIEVkZWxXZWIgUGVyc0dFTjAeFw0wNTAxMDYxMjI3MTlaFw0wNzAzMTcxMjI3MTlaMHAx CzAJBgNVBAYTAkZSMRAwDgYDVQQKDAdFZGVsV2ViMRgwFgYDVQQLDA9TZXJ2aWNlIEVkZWxQ S0kxNTAzBgNVBAMMLFBldGVyIFNZTFZFU1RFUiA8UGV0ZXIuU3lsdmVzdGVyQGVkZWx3ZWIu ZnI+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDn/izyem7Z1pUP/gpQDSzeGA/ZP4vo VaCxcPWyssTYTAl6csAql2IIcYNVb6funaMNOY1q5oSNtlguFpOK3atQElBIMsfSh0CTuvUq q2QDz1nHWOB96aU8G81+ZmC+iQOCAdG3qKWvMOzC0SzxKGbhTqDsjBvfYYk1Jk/Rb5TK0wID AQABo4IBLjCCASowYgYDVR0RBFswWYEaUGV0ZXIuU3lsdmVzdGVyQGVkZWx3ZWIuZnKkOzA5 MQswCQYDVQQGEwJGUjEQMA4GA1UECgwHRWRlbFdlYjEYMBYGA1UEAwwPUGV0ZXIgU1lMVkVT VEVSMA4GA1UdDwEB/wQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcDBAYIKwYBBQUHAwIwSgYD VR0fBEMwQTA/oD2gO4Y5aHR0cDovL2VkZWxwa2kuZWRlbHdlYi5mci9jcmwvRWRlbFBLSS1F ZGVsV2ViLVBlcnNHRU4uY3JsMB0GA1UdDgQWBBSSHP6djxj58tIi5VvjJbMZMXC/fDAfBgNV HSMEGDAWgBSe5Q/BFJVJHN1aXV6crs0Bby+UeTAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBBQUA A4IBfAANZYiEkyDqsT43U83wHLSYMGcEfmisT+WQrAAoHdlcIsnlHnufGnfmdpg5yvCQpl2U TI7/w3LdaItoWq5oMZitqdoPW8Z+jy2pkd/DqYG1MkpEyZ0PA37Zn5yigQXAk4Nox7Lgiom8 1WDNgPesNRX7PRNa+RkQcD8MasfbHcZ2ycs1SxUxiCy6BUzhgSB8cNb2t9LVWWynvWuK1Wa5 V2ZCd3PlbKsrbWH8pafpFWUQm0S2BfKUWLDG9cje5bL7p5EpV4a8gFpbD5dq+PPJglT0Dvs9 F0EcrfL2l3JxGIkZmW7sfiUoefB9hTS9m3/TGvXcne4RYpVpEHFV5TathMuHfKAti6PhSely LCqdPq/T9DHLJekBY0EA2yiVcKQnRZk7/pz0HImCPADOHSOWffJtc9b+Ak6HSDD1PlOSDfT+ udnrqwSAiuNN3hx1olPNxzVDu3jgiTSJFf2XJ1TnmGMT4pJmx7vkJkdE9sZvpiZwdVws37Nr LqhH5fMZMIIEcjCCAt+gAwIBAgIGCgzP6AA/MA0GCSqGSIb3DQEBBQUAMFsxCzAJBgNVBAYT AkZSMRAwDgYDVQQKEwdFZGVsV2ViMRgwFgYDVQQLEw9TZXJ2aWNlIEVkZWxQS0kxIDAeBgNV BAMTF0VkZWxQS0kgRWRlbFdlYiBQZXJzR0VOMB4XDTA1MDEwNjEyMjcxOVoXDTA3MDMxNzEy MjcxOVowcDELMAkGA1UEBhMCRlIxEDAOBgNVBAoMB0VkZWxXZWIxGDAWBgNVBAsMD1NlcnZp Y2UgRWRlbFBLSTE1MDMGA1UEAwwsUGV0ZXIgU1lMVkVTVEVSIDxQZXRlci5TeWx2ZXN0ZXJA ZWRlbHdlYi5mcj4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOf+LPJ6btnWlQ/+ClAN LN4YD9k/i+hVoLFw9bKyxNhMCXpywCqXYghxg1Vvp+6dow05jWrmhI22WC4Wk4rdq1ASUEgy x9KHQJO69SqrZAPPWcdY4H3ppTwbzX5mYL6JA4IB0beopa8w7MLRLPEoZuFOoOyMG99hiTUm T9FvlMrTAgMBAAGjggEuMIIBKjBiBgNVHREEWzBZgRpQZXRlci5TeWx2ZXN0ZXJAZWRlbHdl Yi5mcqQ7MDkxCzAJBgNVBAYTAkZSMRAwDgYDVQQKDAdFZGVsV2ViMRgwFgYDVQQDDA9QZXRl ciBTWUxWRVNURVIwDgYDVR0PAQH/BAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEF BQcDAjBKBgNVHR8EQzBBMD+gPaA7hjlodHRwOi8vZWRlbHBraS5lZGVsd2ViLmZyL2NybC9F ZGVsUEtJLUVkZWxXZWItUGVyc0dFTi5jcmwwHQYDVR0OBBYEFJIc/p2PGPny0iLlW+Mlsxkx cL98MB8GA1UdIwQYMBaAFJ7lD8EUlUkc3VpdXpyuzQFvL5R5MAkGA1UdEwQCMAAwDQYJKoZI hvcNAQEFBQADggF8AA1liISTIOqxPjdTzfActJgwZwR+aKxP5ZCsACgd2VwiyeUee58ad+Z2 mDnK8JCmXZRMjv/Dct1oi2harmgxmK2p2g9bxn6PLamR38OpgbUySkTJnQ8DftmfnKKBBcCT g2jHsuCKibzVYM2A96w1Ffs9E1r5GRBwPwxqx9sdxnbJyzVLFTGILLoFTOGBIHxw1va30tVZ bKe9a4rVZrlXZkJ3c+VsqyttYfylp+kVZRCbRLYF8pRYsMb1yN7lsvunkSlXhryAWlsPl2r4 88mCVPQO+z0XQRyt8vaXcnEYiRmZbux+JSh58H2FNL2bf9Ma9dyd7hFilWkQcVXlNq2Ey4d8 oC2Lo+FJ6XIsKp0+r9P0Mcsl6QFjQQDbKJVwpCdFmTv+nPQciYI8AM4dI5Z98m1z1v4CTodI MPU+U5IN9P652eurBICK403eHHWiU83HNUO7eOCJNIkV/ZcnVOeYYxPikmbHu+QmR0T2xm+m JnB1XCzfs2suqEfl8xkwggW0MIIDT6ADAgECAgYJ+oiVOzEwDQYJKoZIhvcNAQEFBQAwUjEL MAkGA1UEBhMCRlIxEDAOBgNVBAoTB0VkZWxXZWIxGDAWBgNVBAsTD1NlcnZpY2UgRWRlbFBL STEXMBUGA1UEAxMOUmFjaW5lIEVkZWxQS0kwHhcNMDQxMDA3MTU0MzMwWhcNMTEwODEyMTU0 MzMwWjBbMQswCQYDVQQGEwJGUjEQMA4GA1UEChMHRWRlbFdlYjEYMBYGA1UECxMPU2Vydmlj ZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVsUEtJIEVkZWxXZWIgUGVyc0dFTjCCAZwwDQYJKoZI hvcNAQEBBQADggGJADCCAYQCggF7FyeP4kRrFG9y51CeWmJIxBSMD2bcrJKIlnAPn6eH8V1M ORWTPivMNQYq32XcEi9xrxjyREvvnhABrVcW+1VLyLH8WgRY6n5A5JfuDjU6Aq0RzmjqTWDe 1+ecbgAtN8FYjVk35vdQbgfYzpGHPT0NuxiHi8NB8lNFi8rG0t2hP7WLwHLA+sIKFzA/CCRt qeGPvQkB1pRamU2IAActykfzJb6Qc50uRobWUBJtVjEBy/lgIXU0rMnQNHeCgbUvebvAT9Hd UGIPbEiX7dKHxL5/AxzHK/rA5siMzNPk8nSckDeLvpf8c/gqQRpPqufy4DazzXfZosKeJATH pyONnairmwfzMTi63PvNovrbTgzUiyH+g5zvcNoci9cke0RiLQc1pI38psgnVLtPPITgOZrS cV9zs4+sD7x7vjRco7a9H2ErfAU+8/Ui2OkR1X0z8DpyBHD/fcaDXTD+EiISL7aJHQcJRoNB CdCFgZeomsXULIYoFTa1hH//TN0z9wIDAQABo4G/MIG8MDoGA1UdHwQzMDEwL6AtoCuGKWh0 dHA6Ly9lZGVscGtpLmVkZWx3ZWIuZnIvY3JsL0VkZWxQS0kuY3JsMA8GA1UdEwQIMAYBAf8C AQAwDgYDVR0PAQH/BAQDAgEGMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEFBQcDAjAdBgNV HQ4EFgQUnuUPwRSVSRzdWl1enK7NAW8vlHkwHwYDVR0jBBgwFoAUqNkrj9SwZ7q9SVy8M/x3 UhG5Z50wDQYJKoZIhvcNAQEFBQADggJOAFZV+1m/H+Qud9iUQJnvZR8R/adID02c2B3aOUUy 4/4dxBb4UU1kW8DTUpD57Pjuocfvdg4AfQi7zgSQ8/NUGxNU4CPxtADZVrZtmrpKCjBh1tNz QbNbdP91KtP+Di0BpidqNwG00CC9j2EnBY88AsqKE28Rmw4eQ9/M/q/GbXsAfEsHV0IQjM7u US+usowZwm3Mwa5oF+6gmShSc/Wz8iIURxg4lTQto3AoBsiLJelq83I4XRQ0goXYGcM8xXYj PDioidvY5pSfT4qBR1Bx/vh+xD2evWyFbpuB99iuuewoELX8db7P74QEHhw6Bv1yxLYXGamq Uxo60WT/UCFjVSy3C/dLrraUZA4gh7Q5G+3/Fal62Qx+1rUEC2YbogEKggonklzUXA+sUbCf Ad5nZQ0eSszwKt8jmYoHfQ6rUMde0ZJD08n5HAot9hpl9R65j9fdPz9uTeANcRocftHfgM7Y rQyruWuFxgMUV80fD4RC9ej5KbLyO8jtgESjOCGXeJ95kXXP8vmW73xCYkJ9Pg7Op30o43l6 PV7vej3gdmSQISY+s+J3arz+bccljJCrKHBad3918/LjJ55sRtSb7mfQGti2UcxtJAa2NmUL d+BIv0MUuC6+k2yIIQKcLbDuuk8lLJmwWuYt1OLHEskZxOm7D7nRwe7ZNlTIZvR/VFWxlY18 k488tH9qcusIw8+7uXeHOZHyFUOHMINJZO9mq9HwGMC4v1xiPwoAJkzFtHf3D9VAholjhEFg d28aJSs6qN15PXDgDjptAl34eoUxggKuMIICqgIBATBlMFsxCzAJBgNVBAYTAkZSMRAwDgYD VQQKEwdFZGVsV2ViMRgwFgYDVQQLEw9TZXJ2aWNlIEVkZWxQS0kxIDAeBgNVBAMTF0VkZWxQ S0kgRWRlbFdlYiBQZXJzR0VOAgYKDM/oAD8wCQYFKw4DAhoFAKCCAZ8wGAYJKoZIhvcNAQkD MQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDUxMTA2MTUxNDE3WjAjBgkqhkiG9w0B CQQxFgQUXkmFoCfMQU9t0jvLQzhMmmi+Sj4wUgYJKoZIhvcNAQkPMUUwQzAKBggqhkiG9w0D BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwIC ASgwdAYJKwYBBAGCNxAEMWcwZTBbMQswCQYDVQQGEwJGUjEQMA4GA1UEChMHRWRlbFdlYjEY MBYGA1UECxMPU2VydmljZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVsUEtJIEVkZWxXZWIgUGVy c0dFTgIGCgzP6AA/MHYGCyqGSIb3DQEJEAILMWegZTBbMQswCQYDVQQGEwJGUjEQMA4GA1UE ChMHRWRlbFdlYjEYMBYGA1UECxMPU2VydmljZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVsUEtJ IEVkZWxXZWIgUGVyc0dFTgIGCgzP6AA/MA0GCSqGSIb3DQEBAQUABIGA3oRSLPeYDnOUklXW WEaa1X89m/rtXqILHB+TOKNIwDKIUrS85jAO2f9ceoxAK6ZbfEOu22Ct5F4IosL0djpWcOdd WTJ3rh5cc5GRrqPsr5FQD2dknfEQe8yn5JewxT3W+GBil+ssMeOnmxX0HZ9WapWMTpeG7enB eDMC8+IoYv8AAAAAAAA--------------ms010906020804060804020307-- Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA6FEN8d016747; Sun, 6 Nov 2005 07:14:23 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jA6FENq0016746; Sun, 6 Nov 2005 07:14:23 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from edelweb.fr (edelweb.fr [212.234.46.16]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA6FEKGL016726 for <ietf-pkix@imc.org>; Sun, 6 Nov 2005 07:14:21 -0800 (PST) (envelope-from Peter.Sylvester@edelweb.fr) Received: from champagne.edelweb.fr (localhost [127.0.0.1]) by edelweb.fr (8.11.7p1+Sun/8.11.7) with ESMTP id jA6FEAi09188; Sun, 6 Nov 2005 16:14:10 +0100 (MET) Received: from champagne.edelweb.fr (champagne.edelweb.fr [193.51.14.161]) by edelweb.fr (nospam/2.4); Sun, 6 Nov 2005 16:14:10 +0100 (MET) Received: from [193.51.14.5] (emeriau.edelweb.fr [193.51.14.5]) by champagne.edelweb.fr (8.7.6/8.6.6) with ESMTP id QAA12820; Sun, 6 Nov 2005 16:14:09 +0100 (MET) Message-ID: <436E1DC1.5080403@edelweb.fr> Date: Sun, 06 Nov 2005 16:14:09 +0100 From: Peter Sylvester <Peter.Sylvester@edelweb.fr> User-Agent: Mozilla Thunderbird 1.0.2 (X11/20050317) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Russ Housley <housley@vigilsec.com> CC: Olivier Dubuisson <Olivier.Dubuisson@francetelecom.com>, Tom Gindin <tgindin@us.ibm.com>, Sam Hartman <hartmans-ietf@mit.edu>, ietf-pkix@imc.org, jhutz@cmu.edu, ietf-krb-wg@anl.gov Subject: Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for InitialAuthentication in Kerberos References: <OF4418E07D.316DA9AC-ON852570A8.0071203C-852570AC.004AB30B@us.ibm.com> <436A1A6A.3020802@francetelecom.com> <7.0.0.10.2.20051103105023.05ad1e58@vigilsec.com> In-Reply-To: <7.0.0.10.2.20051103105023.05ad1e58@vigilsec.com> Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms040409080102030803000206" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This is a cryptographically signed message in MIME format. --------------ms040409080102030803000206 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit I think we may have a different opinion of what could be maintenance. Feel free to explain. Anyway, You can do exactly what AUTOMATIC does with concrete tags. The message was not necessarily to promote AUTOMATIC, but a question why there is a different tagging regime involved which is not totally respected because OCTET STRINGS are IMPLICIT tagged when the contain other syntaxes. Russ Housley wrote: > > I find AUTOMATIC TAGS to be more difficult later down the line when > one is doing maintenance. In my opinion, it hides too much. > > Russ > > At 09:10 AM 11/3/2005, Olivier Dubuisson wrote: > >> Tom Gindin wrote: >> >>> If it isn't too late to fix this without breaking lots of >>> implementations, the ASN.1 in this specification is over-tagged. In >>> section 3.2.1, all three of the tags in PA-PK-AS-REQ are >>> unnecessary, and the one on signedAuthPack is actually slightly >>> harmful. None of the tags in PKAuthenticator do any good either. The >>> OCTET STRING wrappings for subjectName and issuerAndSerialNumber are >>> not really appropriate, and subjectName doesn't need a tag. Even in >>> AuthPack, pkAuthenticator and clientDHNonce don't need tags. >>> Similarly, in 3.2.3, there is no reason for any of the tags in >>> PA-PK-AS-REP, DHRepInfo, or KDCDHKeyInfo. The tags in ReplyKeyPack >>> in 3.2.3.2 also seem unnecessary. >> >> >> The easiest thing would be to put "AUTOMATIC TAGS" in the module >> header (instead of "EXPLICIT TAGS") and not bother with tags, for >> "AUTOMATIC TAGS" would tag where necessary. But I understand from >> another response that the Kerberos team doesn't want to deviate from >> their historical choice... >> -- >> Olivier DUBUISSON >> France Telecom >> Recherche & Developpement >> R&D/MAPS/AMS - 22307 Lannion Cedex - France >> t: +33 2 96 05 38 50 - f: +33 2 96 05 39 45 - http://asn1.elibel.tm.fr/ >> >> > > > -- To verify the signature, see http://edelpki.edelweb.fr/ Cela vous permet de charger le certificat de l'autorité; die Liste mit zurückgerufenen Zertifikaten finden Sie da auch. --------------ms040409080102030803000206 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIOpDCC BHIwggLfoAMCAQICBgoMz+gAPzANBgkqhkiG9w0BAQUFADBbMQswCQYDVQQGEwJGUjEQMA4G A1UEChMHRWRlbFdlYjEYMBYGA1UECxMPU2VydmljZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVs UEtJIEVkZWxXZWIgUGVyc0dFTjAeFw0wNTAxMDYxMjI3MTlaFw0wNzAzMTcxMjI3MTlaMHAx CzAJBgNVBAYTAkZSMRAwDgYDVQQKDAdFZGVsV2ViMRgwFgYDVQQLDA9TZXJ2aWNlIEVkZWxQ S0kxNTAzBgNVBAMMLFBldGVyIFNZTFZFU1RFUiA8UGV0ZXIuU3lsdmVzdGVyQGVkZWx3ZWIu ZnI+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDn/izyem7Z1pUP/gpQDSzeGA/ZP4vo VaCxcPWyssTYTAl6csAql2IIcYNVb6funaMNOY1q5oSNtlguFpOK3atQElBIMsfSh0CTuvUq q2QDz1nHWOB96aU8G81+ZmC+iQOCAdG3qKWvMOzC0SzxKGbhTqDsjBvfYYk1Jk/Rb5TK0wID AQABo4IBLjCCASowYgYDVR0RBFswWYEaUGV0ZXIuU3lsdmVzdGVyQGVkZWx3ZWIuZnKkOzA5 MQswCQYDVQQGEwJGUjEQMA4GA1UECgwHRWRlbFdlYjEYMBYGA1UEAwwPUGV0ZXIgU1lMVkVT VEVSMA4GA1UdDwEB/wQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcDBAYIKwYBBQUHAwIwSgYD VR0fBEMwQTA/oD2gO4Y5aHR0cDovL2VkZWxwa2kuZWRlbHdlYi5mci9jcmwvRWRlbFBLSS1F ZGVsV2ViLVBlcnNHRU4uY3JsMB0GA1UdDgQWBBSSHP6djxj58tIi5VvjJbMZMXC/fDAfBgNV HSMEGDAWgBSe5Q/BFJVJHN1aXV6crs0Bby+UeTAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBBQUA A4IBfAANZYiEkyDqsT43U83wHLSYMGcEfmisT+WQrAAoHdlcIsnlHnufGnfmdpg5yvCQpl2U TI7/w3LdaItoWq5oMZitqdoPW8Z+jy2pkd/DqYG1MkpEyZ0PA37Zn5yigQXAk4Nox7Lgiom8 1WDNgPesNRX7PRNa+RkQcD8MasfbHcZ2ycs1SxUxiCy6BUzhgSB8cNb2t9LVWWynvWuK1Wa5 V2ZCd3PlbKsrbWH8pafpFWUQm0S2BfKUWLDG9cje5bL7p5EpV4a8gFpbD5dq+PPJglT0Dvs9 F0EcrfL2l3JxGIkZmW7sfiUoefB9hTS9m3/TGvXcne4RYpVpEHFV5TathMuHfKAti6PhSely LCqdPq/T9DHLJekBY0EA2yiVcKQnRZk7/pz0HImCPADOHSOWffJtc9b+Ak6HSDD1PlOSDfT+ udnrqwSAiuNN3hx1olPNxzVDu3jgiTSJFf2XJ1TnmGMT4pJmx7vkJkdE9sZvpiZwdVws37Nr LqhH5fMZMIIEcjCCAt+gAwIBAgIGCgzP6AA/MA0GCSqGSIb3DQEBBQUAMFsxCzAJBgNVBAYT AkZSMRAwDgYDVQQKEwdFZGVsV2ViMRgwFgYDVQQLEw9TZXJ2aWNlIEVkZWxQS0kxIDAeBgNV BAMTF0VkZWxQS0kgRWRlbFdlYiBQZXJzR0VOMB4XDTA1MDEwNjEyMjcxOVoXDTA3MDMxNzEy MjcxOVowcDELMAkGA1UEBhMCRlIxEDAOBgNVBAoMB0VkZWxXZWIxGDAWBgNVBAsMD1NlcnZp Y2UgRWRlbFBLSTE1MDMGA1UEAwwsUGV0ZXIgU1lMVkVTVEVSIDxQZXRlci5TeWx2ZXN0ZXJA ZWRlbHdlYi5mcj4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOf+LPJ6btnWlQ/+ClAN LN4YD9k/i+hVoLFw9bKyxNhMCXpywCqXYghxg1Vvp+6dow05jWrmhI22WC4Wk4rdq1ASUEgy x9KHQJO69SqrZAPPWcdY4H3ppTwbzX5mYL6JA4IB0beopa8w7MLRLPEoZuFOoOyMG99hiTUm T9FvlMrTAgMBAAGjggEuMIIBKjBiBgNVHREEWzBZgRpQZXRlci5TeWx2ZXN0ZXJAZWRlbHdl Yi5mcqQ7MDkxCzAJBgNVBAYTAkZSMRAwDgYDVQQKDAdFZGVsV2ViMRgwFgYDVQQDDA9QZXRl ciBTWUxWRVNURVIwDgYDVR0PAQH/BAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEF BQcDAjBKBgNVHR8EQzBBMD+gPaA7hjlodHRwOi8vZWRlbHBraS5lZGVsd2ViLmZyL2NybC9F ZGVsUEtJLUVkZWxXZWItUGVyc0dFTi5jcmwwHQYDVR0OBBYEFJIc/p2PGPny0iLlW+Mlsxkx cL98MB8GA1UdIwQYMBaAFJ7lD8EUlUkc3VpdXpyuzQFvL5R5MAkGA1UdEwQCMAAwDQYJKoZI hvcNAQEFBQADggF8AA1liISTIOqxPjdTzfActJgwZwR+aKxP5ZCsACgd2VwiyeUee58ad+Z2 mDnK8JCmXZRMjv/Dct1oi2harmgxmK2p2g9bxn6PLamR38OpgbUySkTJnQ8DftmfnKKBBcCT g2jHsuCKibzVYM2A96w1Ffs9E1r5GRBwPwxqx9sdxnbJyzVLFTGILLoFTOGBIHxw1va30tVZ bKe9a4rVZrlXZkJ3c+VsqyttYfylp+kVZRCbRLYF8pRYsMb1yN7lsvunkSlXhryAWlsPl2r4 88mCVPQO+z0XQRyt8vaXcnEYiRmZbux+JSh58H2FNL2bf9Ma9dyd7hFilWkQcVXlNq2Ey4d8 oC2Lo+FJ6XIsKp0+r9P0Mcsl6QFjQQDbKJVwpCdFmTv+nPQciYI8AM4dI5Z98m1z1v4CTodI MPU+U5IN9P652eurBICK403eHHWiU83HNUO7eOCJNIkV/ZcnVOeYYxPikmbHu+QmR0T2xm+m JnB1XCzfs2suqEfl8xkwggW0MIIDT6ADAgECAgYJ+oiVOzEwDQYJKoZIhvcNAQEFBQAwUjEL MAkGA1UEBhMCRlIxEDAOBgNVBAoTB0VkZWxXZWIxGDAWBgNVBAsTD1NlcnZpY2UgRWRlbFBL STEXMBUGA1UEAxMOUmFjaW5lIEVkZWxQS0kwHhcNMDQxMDA3MTU0MzMwWhcNMTEwODEyMTU0 MzMwWjBbMQswCQYDVQQGEwJGUjEQMA4GA1UEChMHRWRlbFdlYjEYMBYGA1UECxMPU2Vydmlj ZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVsUEtJIEVkZWxXZWIgUGVyc0dFTjCCAZwwDQYJKoZI hvcNAQEBBQADggGJADCCAYQCggF7FyeP4kRrFG9y51CeWmJIxBSMD2bcrJKIlnAPn6eH8V1M ORWTPivMNQYq32XcEi9xrxjyREvvnhABrVcW+1VLyLH8WgRY6n5A5JfuDjU6Aq0RzmjqTWDe 1+ecbgAtN8FYjVk35vdQbgfYzpGHPT0NuxiHi8NB8lNFi8rG0t2hP7WLwHLA+sIKFzA/CCRt qeGPvQkB1pRamU2IAActykfzJb6Qc50uRobWUBJtVjEBy/lgIXU0rMnQNHeCgbUvebvAT9Hd UGIPbEiX7dKHxL5/AxzHK/rA5siMzNPk8nSckDeLvpf8c/gqQRpPqufy4DazzXfZosKeJATH pyONnairmwfzMTi63PvNovrbTgzUiyH+g5zvcNoci9cke0RiLQc1pI38psgnVLtPPITgOZrS cV9zs4+sD7x7vjRco7a9H2ErfAU+8/Ui2OkR1X0z8DpyBHD/fcaDXTD+EiISL7aJHQcJRoNB CdCFgZeomsXULIYoFTa1hH//TN0z9wIDAQABo4G/MIG8MDoGA1UdHwQzMDEwL6AtoCuGKWh0 dHA6Ly9lZGVscGtpLmVkZWx3ZWIuZnIvY3JsL0VkZWxQS0kuY3JsMA8GA1UdEwQIMAYBAf8C AQAwDgYDVR0PAQH/BAQDAgEGMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEFBQcDAjAdBgNV HQ4EFgQUnuUPwRSVSRzdWl1enK7NAW8vlHkwHwYDVR0jBBgwFoAUqNkrj9SwZ7q9SVy8M/x3 UhG5Z50wDQYJKoZIhvcNAQEFBQADggJOAFZV+1m/H+Qud9iUQJnvZR8R/adID02c2B3aOUUy 4/4dxBb4UU1kW8DTUpD57Pjuocfvdg4AfQi7zgSQ8/NUGxNU4CPxtADZVrZtmrpKCjBh1tNz QbNbdP91KtP+Di0BpidqNwG00CC9j2EnBY88AsqKE28Rmw4eQ9/M/q/GbXsAfEsHV0IQjM7u US+usowZwm3Mwa5oF+6gmShSc/Wz8iIURxg4lTQto3AoBsiLJelq83I4XRQ0goXYGcM8xXYj PDioidvY5pSfT4qBR1Bx/vh+xD2evWyFbpuB99iuuewoELX8db7P74QEHhw6Bv1yxLYXGamq Uxo60WT/UCFjVSy3C/dLrraUZA4gh7Q5G+3/Fal62Qx+1rUEC2YbogEKggonklzUXA+sUbCf Ad5nZQ0eSszwKt8jmYoHfQ6rUMde0ZJD08n5HAot9hpl9R65j9fdPz9uTeANcRocftHfgM7Y rQyruWuFxgMUV80fD4RC9ej5KbLyO8jtgESjOCGXeJ95kXXP8vmW73xCYkJ9Pg7Op30o43l6 PV7vej3gdmSQISY+s+J3arz+bccljJCrKHBad3918/LjJ55sRtSb7mfQGti2UcxtJAa2NmUL d+BIv0MUuC6+k2yIIQKcLbDuuk8lLJmwWuYt1OLHEskZxOm7D7nRwe7ZNlTIZvR/VFWxlY18 k488tH9qcusIw8+7uXeHOZHyFUOHMINJZO9mq9HwGMC4v1xiPwoAJkzFtHf3D9VAholjhEFg d28aJSs6qN15PXDgDjptAl34eoUxggKuMIICqgIBATBlMFsxCzAJBgNVBAYTAkZSMRAwDgYD VQQKEwdFZGVsV2ViMRgwFgYDVQQLEw9TZXJ2aWNlIEVkZWxQS0kxIDAeBgNVBAMTF0VkZWxQ S0kgRWRlbFdlYiBQZXJzR0VOAgYKDM/oAD8wCQYFKw4DAhoFAKCCAZ8wGAYJKoZIhvcNAQkD MQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDUxMTA2MTUxNDA5WjAjBgkqhkiG9w0B CQQxFgQUdiJuuUe23fyMeGgIc0uNbTWwtcgwUgYJKoZIhvcNAQkPMUUwQzAKBggqhkiG9w0D BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwIC ASgwdAYJKwYBBAGCNxAEMWcwZTBbMQswCQYDVQQGEwJGUjEQMA4GA1UEChMHRWRlbFdlYjEY MBYGA1UECxMPU2VydmljZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVsUEtJIEVkZWxXZWIgUGVy c0dFTgIGCgzP6AA/MHYGCyqGSIb3DQEJEAILMWegZTBbMQswCQYDVQQGEwJGUjEQMA4GA1UE ChMHRWRlbFdlYjEYMBYGA1UECxMPU2VydmljZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVsUEtJ IEVkZWxXZWIgUGVyc0dFTgIGCgzP6AA/MA0GCSqGSIb3DQEBAQUABIGA0XZGWr0Q+K7Xf6uQ CNH0dTU3yDwCt3RQUf59e6GtjyfNo/Pz0h58ji2NOn82gsbQq8mGDkKWRZN6ISpuzhCHdZ0S D+9FQXByJq1F7fZSqx15+UGSK9+OkdPDLYMsLgZc45gqOQtWIga1gL5YquaRU8H9U3aEIuO0 OoIT16EyrUYAAAAAAAA--------------ms040409080102030803000206-- Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA661vlF019064; Sat, 5 Nov 2005 22:01:57 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jA661vBc019063; Sat, 5 Nov 2005 22:01:57 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from biscayne-one-station.mit.edu (BISCAYNE-ONE-STATION.MIT.EDU [18.7.7.80]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA661rvh019040 for <ietf-pkix@imc.org>; Sat, 5 Nov 2005 22:01:54 -0800 (PST) (envelope-from tlyu@MIT.EDU) Received: from outgoing.mit.edu (OUTGOING-AUTH.MIT.EDU [18.7.22.103]) by biscayne-one-station.mit.edu (8.12.4/8.9.2) with ESMTP id jA661G1p017779; Sun, 6 Nov 2005 01:01:19 -0500 (EST) Received: from cathode-dark-space.mit.edu (CATHODE-DARK-SPACE.MIT.EDU [18.18.1.96]) (authenticated bitsV) (User authenticated as tlyu@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.1/8.12.4) with ESMTP id jA66167c027217 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits%6 verify=NOT); Sun, 6 Nov 2005 01:01:07 -0500 (EST) Received: (from tlyu@localhost) by cathode-dark-space.mit.edu (8.12.9) id jA6616S2020236; Sun, 6 Nov 2005 01:01:06 -0500 (EST) To: Peter Sylvester <Peter.Sylvester@edelweb.fr> Cc: Steven Legg <steven.legg@eb2bcom.com>, =?iso-8859-1?q?Love_Hörnquist_Åstrand?= <lha@kth.se>, Tom Gindin <tgindin@us.ibm.com>, Sam Hartman <hartmans-ietf@MIT.EDU>, ietf-pkix@imc.org, jhutz@cmu.edu, ietf-krb-wg@anl.gov Subject: Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for Initial Authentication in Kerberos References: <OF4418E07D.316DA9AC-ON852570A8.0071203C-852570AC.004AB30B@us.ibm.com> <4367B0BC.6090601@edelweb.fr> <m2ek5yrflj.fsf@c80-217-232-48.cm-upc.chello.se> <43694DC7.2090308@eb2bcom.com> <4369DA6D.7030300@edelweb.fr> From: Tom Yu <tlyu@MIT.EDU> Date: Sun, 06 Nov 2005 01:01:06 -0500 In-Reply-To: <4369DA6D.7030300@edelweb.fr> (Peter Sylvester's message of "Thu, 03 Nov 2005 10:37:49 +0100") Message-ID: <ldvhdaqiacd.fsf@cathode-dark-space.mit.edu> Lines: 77 MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 X-Spam-Score: 1.217 X-Spam-Level: * (1.217) X-Spam-Flag: NO X-Scanned-By: MIMEDefang 2.42 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id jA661svh019042 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> >>>>> "Peter" = Peter Sylvester <Peter.Sylvester@edelweb.fr> writes: Peter> Steven Legg wrote: >> Love, et al, >> >> Love Hörnquist Åstrand wrote: >> >>> Lets take another example: >>> >>> PA-PK-AS-REQ ::= SEQUENCE { >>> signedAuthPack [0] IMPLICIT OCTET STRING, >>> -- Contains a CMS type ContentInfo encoded >>> -- according to [RFC3852]. >>> -- The contentType field of the type ContentInfo >>> -- is id-signedData (1.2.840.113549.1.7.2), >>> -- and the content field is a SignedData. >>> >>> With you syntax this should be >>> >>> signedAuthPack IMPLICIT OCTET STRING OPTIONAL CONTAINING ContentInfo >>> >>> Now, ContentInfo in a CMS type, and is allowed to be encoded in BER. >>> Kerberos datatypes uses DER. >>> >>> How is that expressed in a formal way ? >> >> >> signedAuthPack IMPLICIT OCTET STRING "IMPLICIT" only goes after a tag, so the above should contain something like "[0] IMPLICIT" or drop the IMPLICIT completely. Dropping the context-specific tag would cause a change in wire encoding from pkinit-29. >> (CONTAINING ContentInfo >> ENCODED BY {joint-iso-itu-t asn(1) ber-derived(2) >> distinguished-encoding(1)}) >> OPTIONAL >> >> The OID after the "ENCODED BY" is the OID that identifies DER. Except here, we are using a CMS message, which is permitted to be encoded in BER, and pkinit requires DER, so you really want something like PA-PK-AS-REQ ::= SEQUENCE { signedAuthPack [0] IMPLICIT OCTET STRING (CONTAINING ContentInfo ENCODED BY { joint-iso-itu-t asn1 (1) basic-encoding (1) }) } You'll need to normatively reference X.682, because the "CONTAINING" constraint isn't in X.680. >>> Just saying IMPORT and CONTANING and expect the right thing to >>> happen when >>> given to a compiler seems very naive. >> >> >> There's a better chance that the compiler can do something useful than if >> the requirements are expressed informally as a comment. >> >> Regards, >> Steven >> >>> >>> Love >>> What one can expect from the compiler depends on what sort of compiler one is using. The open-source ASN.1 toolkits with acceptable license conditions often omit much of the functionality of the full ASN.1 standard. ---Tom Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA3Mu1bj047455; Thu, 3 Nov 2005 14:56:01 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jA3Mu1YW047454; Thu, 3 Nov 2005 14:56:01 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from eagle.unknowndns.net (IDENT:U2FsdGVkX18CXweBo8oeSMJqHXp35d089vwPxVhbgSA@eagle.unknowndns.net [221.133.206.175]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA3MtwZ3047438 for <ietf-pkix@imc.org>; Thu, 3 Nov 2005 14:55:59 -0800 (PST) (envelope-from steven.legg@eb2bcom.com) Received: from cust3103.vic01.dataco.com.au ([202.63.62.31] helo=[192.168.1.156]) by eagle.unknowndns.net with esmtpa (Exim 4.52) id 1EXnzq-0000iz-86; Fri, 04 Nov 2005 08:55:50 +1000 Message-ID: <436A9574.9000207@eb2bcom.com> Date: Fri, 04 Nov 2005 09:55:48 +1100 From: Steven Legg <steven.legg@eb2bcom.com> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.6) Gecko/20050319 X-Accept-Language: en-us, en MIME-Version: 1.0 To: ietf-pkix@imc.org CC: Olivier Dubuisson <Olivier.Dubuisson@francetelecom.com>, Peter Sylvester <Peter.Sylvester@edelweb.fr>, Tom Gindin <tgindin@us.ibm.com>, Sam Hartman <hartmans-ietf@mit.edu>, jhutz@cmu.edu, ietf-krb-wg@anl.gov Subject: Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for InitialAuthentication in Kerberos References: <OF4418E07D.316DA9AC-ON852570A8.0071203C-852570AC.004AB30B@us.ib m.com> <4367B0BC.6090601@edelweb.fr> <436A23DD.8010306@francetelecom.com> In-Reply-To: <436A23DD.8010306@francetelecom.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - eagle.unknowndns.net X-AntiAbuse: Original Domain - imc.org X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12] X-AntiAbuse: Sender Address Domain - eb2bcom.com X-Source: X-Source-Args: X-Source-Dir: Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Olivier Dubuisson wrote: > The right syntax is: > subjectName [0] IMPLICIT OCTET STRING(CONTAINING Name) OPTIONAL > > It would be even better to add an "ENCODED BY oid" after "CONTAINING > Name" with 'oid' being the OID of the binary encoding rules used to > encode 'Name'. > > But I can already hear some people saying: This is not supported by > Snacc :( Since the constraint does not change the bits on the wire for BER the simple retort is: "If your ASN.1 compiler does not support CONTAINING constraints then comment them out". The hardship caused to users of dumber ASN.1 toolkits is negligible in a case like this. Regards, Steven Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA3GHGbg094906; Thu, 3 Nov 2005 08:17:17 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jA3GHGjU094905; Thu, 3 Nov 2005 08:17:16 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from woodstock.binhost.com (woodstock.binhost.com [144.202.243.4]) by above.proper.com (8.12.11/8.12.9) with SMTP id jA3GHF0H094899 for <ietf-pkix@imc.org>; Thu, 3 Nov 2005 08:17:15 -0800 (PST) (envelope-from housley@vigilsec.com) Received: (qmail 8930 invoked by uid 0); 3 Nov 2005 16:17:08 -0000 Received: from unknown (HELO Russ-Laptop.vigilsec.com) (141.156.190.163) by woodstock.binhost.com with SMTP; 3 Nov 2005 16:17:08 -0000 Message-Id: <7.0.0.10.2.20051103105023.05ad1e58@vigilsec.com> X-Mailer: QUALCOMM Windows Eudora Version 7.0.0.10 (Beta) Date: Thu, 03 Nov 2005 10:51:51 -0500 To: Olivier Dubuisson <Olivier.Dubuisson@francetelecom.com>, Tom Gindin <tgindin@us.ibm.com> From: Russ Housley <housley@vigilsec.com> Subject: Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for InitialAuthentication in Kerberos Cc: Sam Hartman <hartmans-ietf@mit.edu>, ietf-pkix@imc.org, jhutz@cmu.edu, ietf-krb-wg@anl.gov In-Reply-To: <436A1A6A.3020802@francetelecom.com> References: <OF4418E07D.316DA9AC-ON852570A8.0071203C-852570AC.004AB30B@us.ibm.com> <436A1A6A.3020802@francetelecom.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> I find AUTOMATIC TAGS to be more difficult later down the line when one is doing maintenance. In my opinion, it hides too much. Russ At 09:10 AM 11/3/2005, Olivier Dubuisson wrote: >Tom Gindin wrote: >> If it isn't too late to fix this without breaking lots of >> implementations, the ASN.1 in this specification is >> over-tagged. In section 3.2.1, all three of the tags in >> PA-PK-AS-REQ are unnecessary, and the one on signedAuthPack is >> actually slightly harmful. None of the tags in PKAuthenticator do >> any good either. The OCTET STRING wrappings for subjectName and >> issuerAndSerialNumber are not really appropriate, and subjectName >> doesn't need a tag. Even in AuthPack, pkAuthenticator and >> clientDHNonce don't need tags. >> Similarly, in 3.2.3, there is no reason for any of the >> tags in PA-PK-AS-REP, DHRepInfo, or KDCDHKeyInfo. The tags in >> ReplyKeyPack in 3.2.3.2 also seem unnecessary. > >The easiest thing would be to put "AUTOMATIC TAGS" in the module >header (instead of "EXPLICIT TAGS") and not bother with tags, for >"AUTOMATIC TAGS" would tag where necessary. But I understand from >another response that the Kerberos team doesn't want to deviate from >their historical choice... >-- >Olivier DUBUISSON >France Telecom >Recherche & Developpement >R&D/MAPS/AMS - 22307 Lannion Cedex - France >t: +33 2 96 05 38 50 - f: +33 2 96 05 39 45 - http://asn1.elibel.tm.fr/ > > Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA3EpEjx085710; Thu, 3 Nov 2005 06:51:14 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jA3EpEdu085709; Thu, 3 Nov 2005 06:51:14 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from p-mail2.rd.francetelecom.com (p-mail2.rd.francetelecom.com [195.101.245.16]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA3EpCoU085703 for <ietf-pkix@imc.org>; Thu, 3 Nov 2005 06:51:13 -0800 (PST) (envelope-from olivier.dubuisson@francetelecom.com) Received: from ftrdmel10.rd.francetelecom.fr ([10.193.117.156]) by ftrdsmtp2.rd.francetelecom.fr with Microsoft SMTPSVC(6.0.3790.211); Thu, 3 Nov 2005 15:51:10 +0100 Received: from [10.193.13.149] ([10.193.13.149]) by ftrdmel10.rd.francetelecom.fr with Microsoft SMTPSVC(6.0.3790.211); Thu, 3 Nov 2005 15:51:09 +0100 Message-ID: <436A23DD.8010306@francetelecom.com> Date: Thu, 03 Nov 2005 15:51:09 +0100 From: Olivier Dubuisson <Olivier.Dubuisson@francetelecom.com> Organization: France Telecom - Research & Development User-Agent: Mozilla Thunderbird 1.0.7 (Windows/20050923) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Peter Sylvester <Peter.Sylvester@edelweb.fr> CC: Tom Gindin <tgindin@us.ibm.com>, Sam Hartman <hartmans-ietf@mit.edu>, ietf-pkix@imc.org, jhutz@cmu.edu, ietf-krb-wg@anl.gov Subject: Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for InitialAuthentication in Kerberos References: <OF4418E07D.316DA9AC-ON852570A8.0071203C-852570AC.004AB30B@us.ib m.com> <4367B0BC.6090601@edelweb.fr> In-Reply-To: <4367B0BC.6090601@edelweb.fr> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-OriginalArrivalTime: 03 Nov 2005 14:51:09.0989 (UTC) FILETIME=[0722D550:01C5E086] Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Peter Sylvester wrote: > I think I second Tom Gindin. > > Itseems strange to me to have pieces of the specification > as comments of the asn.1. > > example: > > subjectName [0] IMPLICIT OCTET STRING OPTIONAL, > -- Contains a PKIX type Name encoded according to > -- [RFC3280]. > -- Identifies the certificate subject by the > -- distinguished subject name. > -- REQUIRED when there is a distinguished subject > -- name present in the certificate. > > > The first two lines are syntactic specification, it was common > to have such syntactical restrictions until some years ago. > The others don't belong to the syntax at all. > > The first one can be replaced by > > subjectName [0] IMPLICIT OCTET STRING OPTIONAL > CONTAINING Name The right syntax is: subjectName [0] IMPLICIT OCTET STRING(CONTAINING Name) OPTIONAL It would be even better to add an "ENCODED BY oid" after "CONTAINING Name" with 'oid' being the OID of the binary encoding rules used to encode 'Name'. But I can already hear some people saying: This is not supported by Snacc :( > and an IMPORT that imports Name from an appropiate module. IMPORT*S* > There are lots of exemples of useless tagging iKDCDHKeyInfo or > PKAuthenticator All base tags are different, and there is only one > optional field. > Well, that'a a matter of style as well as the global EXPLICIT default. Not only, an EXPLICIT tagging takes more bytes because you can encode more than one tag per value. -- Olivier DUBUISSON France Telecom Recherche & Developpement R&D/MAPS/AMS - 22307 Lannion Cedex - France t: +33 2 96 05 38 50 - f: +33 2 96 05 39 45 - http://asn1.elibel.tm.fr/ Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA3EB12E081528; Thu, 3 Nov 2005 06:11:01 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jA3EB1ci081526; Thu, 3 Nov 2005 06:11:01 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from p-mail2.rd.francetelecom.com (p-mail2.rd.francetelecom.com [195.101.245.16]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA3EAvGu081503 for <ietf-pkix@imc.org>; Thu, 3 Nov 2005 06:11:00 -0800 (PST) (envelope-from olivier.dubuisson@francetelecom.com) Received: from ftrdmel10.rd.francetelecom.fr ([10.193.117.156]) by ftrdsmtp2.rd.francetelecom.fr with Microsoft SMTPSVC(6.0.3790.211); Thu, 3 Nov 2005 15:10:52 +0100 Received: from [10.193.13.149] ([10.193.13.149]) by ftrdmel10.rd.francetelecom.fr with Microsoft SMTPSVC(6.0.3790.211); Thu, 3 Nov 2005 15:10:52 +0100 Message-ID: <436A1A6A.3020802@francetelecom.com> Date: Thu, 03 Nov 2005 15:10:50 +0100 From: Olivier Dubuisson <Olivier.Dubuisson@francetelecom.com> Organization: France Telecom - Research & Development User-Agent: Mozilla Thunderbird 1.0.7 (Windows/20050923) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Tom Gindin <tgindin@us.ibm.com> CC: Sam Hartman <hartmans-ietf@mit.edu>, ietf-pkix@imc.org, jhutz@cmu.edu, ietf-krb-wg@anl.gov Subject: Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for InitialAuthentication in Kerberos References: <OF4418E07D.316DA9AC-ON852570A8.0071203C-852570AC.004AB30B@us.ibm.com> In-Reply-To: <OF4418E07D.316DA9AC-ON852570A8.0071203C-852570AC.004AB30B@us.ibm.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-OriginalArrivalTime: 03 Nov 2005 14:10:52.0239 (UTC) FILETIME=[660B75F0:01C5E080] Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Tom Gindin wrote: > If it isn't too late to fix this without breaking lots of > implementations, the ASN.1 in this specification is over-tagged. In > section 3.2.1, all three of the tags in PA-PK-AS-REQ are unnecessary, and > the one on signedAuthPack is actually slightly harmful. None of the tags > in PKAuthenticator do any good either. The OCTET STRING wrappings for > subjectName and issuerAndSerialNumber are not really appropriate, and > subjectName doesn't need a tag. Even in AuthPack, pkAuthenticator and > clientDHNonce don't need tags. > Similarly, in 3.2.3, there is no reason for any of the tags in > PA-PK-AS-REP, DHRepInfo, or KDCDHKeyInfo. The tags in ReplyKeyPack in > 3.2.3.2 also seem unnecessary. The easiest thing would be to put "AUTOMATIC TAGS" in the module header (instead of "EXPLICIT TAGS") and not bother with tags, for "AUTOMATIC TAGS" would tag where necessary. But I understand from another response that the Kerberos team doesn't want to deviate from their historical choice... -- Olivier DUBUISSON France Telecom Recherche & Developpement R&D/MAPS/AMS - 22307 Lannion Cedex - France t: +33 2 96 05 38 50 - f: +33 2 96 05 39 45 - http://asn1.elibel.tm.fr/ Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA3DBtt0074587; Thu, 3 Nov 2005 05:11:55 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jA3DBtxa074585; Thu, 3 Nov 2005 05:11:55 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from edelweb.fr (edelweb.fr [212.234.46.16]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA3DBsx6074576 for <ietf-pkix@imc.org>; Thu, 3 Nov 2005 05:11:54 -0800 (PST) (envelope-from Peter.Sylvester@edelweb.fr) Received: from champagne.edelweb.fr (localhost [127.0.0.1]) by edelweb.fr (8.11.7p1+Sun/8.11.7) with ESMTP id jA3DBri03282 for <ietf-pkix@imc.org>; Thu, 3 Nov 2005 14:11:53 +0100 (MET) Received: from champagne.edelweb.fr (champagne.edelweb.fr [193.51.14.161]) by edelweb.fr (nospam/2.4); Thu, 3 Nov 2005 14:11:53 +0100 (MET) Received: from [193.51.14.5] (emeriau.edelweb.fr [193.51.14.5]) by champagne.edelweb.fr (8.7.6/8.6.6) with ESMTP id OAA10112 for <ietf-pkix@imc.org>; Thu, 3 Nov 2005 14:11:52 +0100 (MET) Message-ID: <436A0C98.5060603@edelweb.fr> Date: Thu, 03 Nov 2005 14:11:52 +0100 From: Peter Sylvester <Peter.Sylvester@edelweb.fr> User-Agent: Mozilla Thunderbird 1.0.2 (X11/20050317) X-Accept-Language: en-us, en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: I-D ACTION:draft-ietf-pkix-scvp-21.txt References: <OFD0E067A0.5D3EB74E-ONC12570AE.00407CC4-C12570AE.00407CE0@frcl.bull.fr> In-Reply-To: <OFD0E067A0.5D3EB74E-ONC12570AE.00407CC4-C12570AE.00407CE0@frcl.bull.fr> Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms010506020400030704010003" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This is a cryptographically signed message in MIME format. --------------ms010506020400030704010003 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit The current text has some improvements and simplifications, addressing some points that I have been repeating since years. but does not address adequately all the issues that had been discussed after the Paris meeting with Tim Polk, in particular some are misunderstood. --------------ms010506020400030704010003 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIOpDCC BHIwggLfoAMCAQICBgoMz+gAPzANBgkqhkiG9w0BAQUFADBbMQswCQYDVQQGEwJGUjEQMA4G A1UEChMHRWRlbFdlYjEYMBYGA1UECxMPU2VydmljZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVs UEtJIEVkZWxXZWIgUGVyc0dFTjAeFw0wNTAxMDYxMjI3MTlaFw0wNzAzMTcxMjI3MTlaMHAx CzAJBgNVBAYTAkZSMRAwDgYDVQQKDAdFZGVsV2ViMRgwFgYDVQQLDA9TZXJ2aWNlIEVkZWxQ S0kxNTAzBgNVBAMMLFBldGVyIFNZTFZFU1RFUiA8UGV0ZXIuU3lsdmVzdGVyQGVkZWx3ZWIu ZnI+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDn/izyem7Z1pUP/gpQDSzeGA/ZP4vo VaCxcPWyssTYTAl6csAql2IIcYNVb6funaMNOY1q5oSNtlguFpOK3atQElBIMsfSh0CTuvUq q2QDz1nHWOB96aU8G81+ZmC+iQOCAdG3qKWvMOzC0SzxKGbhTqDsjBvfYYk1Jk/Rb5TK0wID AQABo4IBLjCCASowYgYDVR0RBFswWYEaUGV0ZXIuU3lsdmVzdGVyQGVkZWx3ZWIuZnKkOzA5 MQswCQYDVQQGEwJGUjEQMA4GA1UECgwHRWRlbFdlYjEYMBYGA1UEAwwPUGV0ZXIgU1lMVkVT VEVSMA4GA1UdDwEB/wQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcDBAYIKwYBBQUHAwIwSgYD VR0fBEMwQTA/oD2gO4Y5aHR0cDovL2VkZWxwa2kuZWRlbHdlYi5mci9jcmwvRWRlbFBLSS1F ZGVsV2ViLVBlcnNHRU4uY3JsMB0GA1UdDgQWBBSSHP6djxj58tIi5VvjJbMZMXC/fDAfBgNV HSMEGDAWgBSe5Q/BFJVJHN1aXV6crs0Bby+UeTAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBBQUA A4IBfAANZYiEkyDqsT43U83wHLSYMGcEfmisT+WQrAAoHdlcIsnlHnufGnfmdpg5yvCQpl2U TI7/w3LdaItoWq5oMZitqdoPW8Z+jy2pkd/DqYG1MkpEyZ0PA37Zn5yigQXAk4Nox7Lgiom8 1WDNgPesNRX7PRNa+RkQcD8MasfbHcZ2ycs1SxUxiCy6BUzhgSB8cNb2t9LVWWynvWuK1Wa5 V2ZCd3PlbKsrbWH8pafpFWUQm0S2BfKUWLDG9cje5bL7p5EpV4a8gFpbD5dq+PPJglT0Dvs9 F0EcrfL2l3JxGIkZmW7sfiUoefB9hTS9m3/TGvXcne4RYpVpEHFV5TathMuHfKAti6PhSely LCqdPq/T9DHLJekBY0EA2yiVcKQnRZk7/pz0HImCPADOHSOWffJtc9b+Ak6HSDD1PlOSDfT+ udnrqwSAiuNN3hx1olPNxzVDu3jgiTSJFf2XJ1TnmGMT4pJmx7vkJkdE9sZvpiZwdVws37Nr LqhH5fMZMIIEcjCCAt+gAwIBAgIGCgzP6AA/MA0GCSqGSIb3DQEBBQUAMFsxCzAJBgNVBAYT AkZSMRAwDgYDVQQKEwdFZGVsV2ViMRgwFgYDVQQLEw9TZXJ2aWNlIEVkZWxQS0kxIDAeBgNV BAMTF0VkZWxQS0kgRWRlbFdlYiBQZXJzR0VOMB4XDTA1MDEwNjEyMjcxOVoXDTA3MDMxNzEy MjcxOVowcDELMAkGA1UEBhMCRlIxEDAOBgNVBAoMB0VkZWxXZWIxGDAWBgNVBAsMD1NlcnZp Y2UgRWRlbFBLSTE1MDMGA1UEAwwsUGV0ZXIgU1lMVkVTVEVSIDxQZXRlci5TeWx2ZXN0ZXJA ZWRlbHdlYi5mcj4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOf+LPJ6btnWlQ/+ClAN LN4YD9k/i+hVoLFw9bKyxNhMCXpywCqXYghxg1Vvp+6dow05jWrmhI22WC4Wk4rdq1ASUEgy x9KHQJO69SqrZAPPWcdY4H3ppTwbzX5mYL6JA4IB0beopa8w7MLRLPEoZuFOoOyMG99hiTUm T9FvlMrTAgMBAAGjggEuMIIBKjBiBgNVHREEWzBZgRpQZXRlci5TeWx2ZXN0ZXJAZWRlbHdl Yi5mcqQ7MDkxCzAJBgNVBAYTAkZSMRAwDgYDVQQKDAdFZGVsV2ViMRgwFgYDVQQDDA9QZXRl ciBTWUxWRVNURVIwDgYDVR0PAQH/BAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEF BQcDAjBKBgNVHR8EQzBBMD+gPaA7hjlodHRwOi8vZWRlbHBraS5lZGVsd2ViLmZyL2NybC9F ZGVsUEtJLUVkZWxXZWItUGVyc0dFTi5jcmwwHQYDVR0OBBYEFJIc/p2PGPny0iLlW+Mlsxkx cL98MB8GA1UdIwQYMBaAFJ7lD8EUlUkc3VpdXpyuzQFvL5R5MAkGA1UdEwQCMAAwDQYJKoZI hvcNAQEFBQADggF8AA1liISTIOqxPjdTzfActJgwZwR+aKxP5ZCsACgd2VwiyeUee58ad+Z2 mDnK8JCmXZRMjv/Dct1oi2harmgxmK2p2g9bxn6PLamR38OpgbUySkTJnQ8DftmfnKKBBcCT g2jHsuCKibzVYM2A96w1Ffs9E1r5GRBwPwxqx9sdxnbJyzVLFTGILLoFTOGBIHxw1va30tVZ bKe9a4rVZrlXZkJ3c+VsqyttYfylp+kVZRCbRLYF8pRYsMb1yN7lsvunkSlXhryAWlsPl2r4 88mCVPQO+z0XQRyt8vaXcnEYiRmZbux+JSh58H2FNL2bf9Ma9dyd7hFilWkQcVXlNq2Ey4d8 oC2Lo+FJ6XIsKp0+r9P0Mcsl6QFjQQDbKJVwpCdFmTv+nPQciYI8AM4dI5Z98m1z1v4CTodI MPU+U5IN9P652eurBICK403eHHWiU83HNUO7eOCJNIkV/ZcnVOeYYxPikmbHu+QmR0T2xm+m JnB1XCzfs2suqEfl8xkwggW0MIIDT6ADAgECAgYJ+oiVOzEwDQYJKoZIhvcNAQEFBQAwUjEL MAkGA1UEBhMCRlIxEDAOBgNVBAoTB0VkZWxXZWIxGDAWBgNVBAsTD1NlcnZpY2UgRWRlbFBL STEXMBUGA1UEAxMOUmFjaW5lIEVkZWxQS0kwHhcNMDQxMDA3MTU0MzMwWhcNMTEwODEyMTU0 MzMwWjBbMQswCQYDVQQGEwJGUjEQMA4GA1UEChMHRWRlbFdlYjEYMBYGA1UECxMPU2Vydmlj ZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVsUEtJIEVkZWxXZWIgUGVyc0dFTjCCAZwwDQYJKoZI hvcNAQEBBQADggGJADCCAYQCggF7FyeP4kRrFG9y51CeWmJIxBSMD2bcrJKIlnAPn6eH8V1M ORWTPivMNQYq32XcEi9xrxjyREvvnhABrVcW+1VLyLH8WgRY6n5A5JfuDjU6Aq0RzmjqTWDe 1+ecbgAtN8FYjVk35vdQbgfYzpGHPT0NuxiHi8NB8lNFi8rG0t2hP7WLwHLA+sIKFzA/CCRt qeGPvQkB1pRamU2IAActykfzJb6Qc50uRobWUBJtVjEBy/lgIXU0rMnQNHeCgbUvebvAT9Hd UGIPbEiX7dKHxL5/AxzHK/rA5siMzNPk8nSckDeLvpf8c/gqQRpPqufy4DazzXfZosKeJATH pyONnairmwfzMTi63PvNovrbTgzUiyH+g5zvcNoci9cke0RiLQc1pI38psgnVLtPPITgOZrS cV9zs4+sD7x7vjRco7a9H2ErfAU+8/Ui2OkR1X0z8DpyBHD/fcaDXTD+EiISL7aJHQcJRoNB CdCFgZeomsXULIYoFTa1hH//TN0z9wIDAQABo4G/MIG8MDoGA1UdHwQzMDEwL6AtoCuGKWh0 dHA6Ly9lZGVscGtpLmVkZWx3ZWIuZnIvY3JsL0VkZWxQS0kuY3JsMA8GA1UdEwQIMAYBAf8C AQAwDgYDVR0PAQH/BAQDAgEGMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEFBQcDAjAdBgNV HQ4EFgQUnuUPwRSVSRzdWl1enK7NAW8vlHkwHwYDVR0jBBgwFoAUqNkrj9SwZ7q9SVy8M/x3 UhG5Z50wDQYJKoZIhvcNAQEFBQADggJOAFZV+1m/H+Qud9iUQJnvZR8R/adID02c2B3aOUUy 4/4dxBb4UU1kW8DTUpD57Pjuocfvdg4AfQi7zgSQ8/NUGxNU4CPxtADZVrZtmrpKCjBh1tNz QbNbdP91KtP+Di0BpidqNwG00CC9j2EnBY88AsqKE28Rmw4eQ9/M/q/GbXsAfEsHV0IQjM7u US+usowZwm3Mwa5oF+6gmShSc/Wz8iIURxg4lTQto3AoBsiLJelq83I4XRQ0goXYGcM8xXYj PDioidvY5pSfT4qBR1Bx/vh+xD2evWyFbpuB99iuuewoELX8db7P74QEHhw6Bv1yxLYXGamq Uxo60WT/UCFjVSy3C/dLrraUZA4gh7Q5G+3/Fal62Qx+1rUEC2YbogEKggonklzUXA+sUbCf Ad5nZQ0eSszwKt8jmYoHfQ6rUMde0ZJD08n5HAot9hpl9R65j9fdPz9uTeANcRocftHfgM7Y rQyruWuFxgMUV80fD4RC9ej5KbLyO8jtgESjOCGXeJ95kXXP8vmW73xCYkJ9Pg7Op30o43l6 PV7vej3gdmSQISY+s+J3arz+bccljJCrKHBad3918/LjJ55sRtSb7mfQGti2UcxtJAa2NmUL d+BIv0MUuC6+k2yIIQKcLbDuuk8lLJmwWuYt1OLHEskZxOm7D7nRwe7ZNlTIZvR/VFWxlY18 k488tH9qcusIw8+7uXeHOZHyFUOHMINJZO9mq9HwGMC4v1xiPwoAJkzFtHf3D9VAholjhEFg d28aJSs6qN15PXDgDjptAl34eoUxggKuMIICqgIBATBlMFsxCzAJBgNVBAYTAkZSMRAwDgYD VQQKEwdFZGVsV2ViMRgwFgYDVQQLEw9TZXJ2aWNlIEVkZWxQS0kxIDAeBgNVBAMTF0VkZWxQ S0kgRWRlbFdlYiBQZXJzR0VOAgYKDM/oAD8wCQYFKw4DAhoFAKCCAZ8wGAYJKoZIhvcNAQkD MQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDUxMTAzMTMxMTUyWjAjBgkqhkiG9w0B CQQxFgQUZQTO2huHpq7yFay1ufAaIB6v+FAwUgYJKoZIhvcNAQkPMUUwQzAKBggqhkiG9w0D BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwIC ASgwdAYJKwYBBAGCNxAEMWcwZTBbMQswCQYDVQQGEwJGUjEQMA4GA1UEChMHRWRlbFdlYjEY MBYGA1UECxMPU2VydmljZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVsUEtJIEVkZWxXZWIgUGVy c0dFTgIGCgzP6AA/MHYGCyqGSIb3DQEJEAILMWegZTBbMQswCQYDVQQGEwJGUjEQMA4GA1UE ChMHRWRlbFdlYjEYMBYGA1UECxMPU2VydmljZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVsUEtJ IEVkZWxXZWIgUGVyc0dFTgIGCgzP6AA/MA0GCSqGSIb3DQEBAQUABIGA4pRgW5TxmUbxXKfv dNlV0dVvUsp8xoxd8rLs7LLxop0wRvplnbp5Xc8yvdP6GAMYlaFq0gRExkuLChUp/qte09Pw W/f3tmU8RiqcRU47XIdCQpWY5h+Oyda94snCAsVuv6DhuyXMnigtJK73UwbKlgBW+ZF2F+xg Grp1HBOuBywAAAAAAAA--------------ms010506020400030704010003-- Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA3BhiEr063183; Thu, 3 Nov 2005 03:43:44 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jA3BhiCK063182; Thu, 3 Nov 2005 03:43:44 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA3BhhuN063161 for <ietf-pkix@imc.org>; Thu, 3 Nov 2005 03:43:43 -0800 (PST) (envelope-from denis.pinkas@bull.net) Received: from cln-m001.frcl.bull.fr (cln-m001.frcl.bull.fr [129.182.91.40]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id NAA13068 for <ietf-pkix@imc.org>; Thu, 3 Nov 2005 13:01:08 +0100 Importance: Normal X-Priority: 3 (Normal) Subject: Re: I-D ACTION:draft-ietf-pkix-scvp-21.txt MIME-Version: 1.0 From: denis.pinkas@bull.net To: ietf-pkix@imc.org Date: Thu, 3 Nov 2005 12:44:22 +0100 Message-ID: <OFD0E067A0.5D3EB74E-ONC12570AE.00407CC4-C12570AE.00407CE0@frcl.bull.fr> X-MIMETrack: Serialize by Router on CLN-M001/FR/BULL(Release 5.0.10 |March 22, 2002) at 03/11/2005 12:44:24 MIME-Version: 1.0 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: base64 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> PEZPTlQgZmFjZT0iRGVmYXVsdCBTYW5zIFNlcmlmLCBWZXJkYW5hLCBBcmlhbCwgSGVsdmV0aWNh LCBzYW5zLXNlcmlmIiBzaXplPTI+PGRpdj5UbyB0aGUgbGlzdCw8L2Rpdj48RElWPiZuYnNwOzwv RElWPjxESVY+T25lIG9mIHRoZSBtYWpvciBkaXNwdXRlcyBpcyByZWxhdGVkIHRvIHRoZSBkZWZp bml0aW9uIG9mIFZhbGlkYXRpb25Qb2xpY3kuPC9ESVY+PERJVj4mbmJzcDs8L0RJVj48RElWPk1v c3QgdmFsaWRhdGlvbiBwb2xpY2llcyB3aWxsIG9ubHkgYmUgcmVmZXJlbmNlZCBieSBhIGNsaWVu dCB1c2luZyBhbiBPSUQuIDwvRElWPjxESVY+SW4gYSBmZXcgY2FzZXMsJm5ic3A7b25lIG9yIHR3 byBwYXJhbWV0ZXJzIHdoaWNoIGFyZSBzcGVjaWZpYyB0byB0aGUgdmFsaWRhdGlvbiBwb2xpY2ll cyB3aWxsIGJlIG5lZWRlZCAoYWxsIG90aGVyIHBhcmFtZXRlcnMgYmVpbmcgZml4ZWQpLjwvRElW PjxESVY+Jm5ic3A7PC9ESVY+PERJVj5QYXJhbWV0ZXJzIGRlZmluZWQgYnkgdGhlIG1hZ2ljIHNl bnRlbmNlIEFOWSBERUZJTkVEIEJZIGFyZSBub3QgdGhhdCBlYXN5IHRvIGhhbmRsZSwgdW5sZXNz IGZvciBwcmVkZWZpbmVkIHZhbGlkYXRpb24gcG9saWNpZXMuPC9ESVY+PERJVj4mbmJzcDs8L0RJ Vj48RElWPlRoaXMgbWF5IGJlIHRoZSBjYXNlIGZvciB0aGUgImJhc2ljIHZhbGlkYXRpb24gcG9s aWN5Ii48L0RJVj48RElWPiZuYnNwOzwvRElWPjxESVY+SGVyZWFmdGVyIGlzIGEgcHJvcG9zYWwg OjwvRElWPjxESVY+PFNQQU4gbGFuZz1FTi1VUyBzdHlsZT0iRk9OVC1GQU1JTFk6IENvdXJpZXI7 IG1zby1hbnNpLWxhbmd1YWdlOiBFTi1VUyI+PFNQQU4gc3R5bGU9Im1zby1zcGFjZXJ1bjogeWVz Ij48Rk9OVCBzaXplPTM+Jm5ic3A7Jm5ic3A7Jm5ic3A7PC9ESVY+PERJVj48UCBjbGFzcz1Nc29O b3JtYWwgc3R5bGU9Ik1BUkdJTjogMGNtIDBjbSAwcHQiPjxTUEFOIGxhbmc9RU4tVVMgc3R5bGU9 IkZPTlQtRkFNSUxZOiBDb3VyaWVyOyBtc28tYW5zaS1sYW5ndWFnZTogRU4tVVMiPjxTUEFOIHN0 eWxlPSJtc28tc3BhY2VydW46IHllcyI+Jm5ic3A7Jm5ic3A7IDwvU1BBTj5WYWxpZGF0aW9uUG9s aWN5IDo6PSBDSE9JQ0UgezxCUj48U1BBTiBzdHlsZT0ibXNvLXNwYWNlcnVuOiB5ZXMiPiZuYnNw OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyA8L1NQQU4+dmFsaWRhdGlvblBvbGljeURl ZjxTUEFOIHN0eWxlPSJtc28tc3BhY2VydW46IHllcyI+Jm5ic3A7Jm5ic3A7Jm5ic3A7IDwvU1BB Tj5bMF08U1BBTiBzdHlsZT0ibXNvLXNwYWNlcnVuOiB5ZXMiPiZuYnNwOyZuYnNwOyA8L1NQQU4+ VmFsaWRhdGlvblBvbGljeURlZiw8QlI+PFNQQU4gc3R5bGU9Im1zby1zcGFjZXJ1bjogeWVzIj4m bmJzcDsmbmJzcDsmbmJzcDsgPC9TUEFOPjxTUEFOIHN0eWxlPSJtc28tc3BhY2VydW46IHllcyI+ Jm5ic3A7Jm5ic3A7Jm5ic3A7PC9TUEFOPjwvU1BBTj48U1BBTiBzdHlsZT0iRk9OVC1GQU1JTFk6 IENvdXJpZXIiPnByZURlZmluZWRWPC9TUEFOPjxTUEFOIGxhbmc9RU4tVVMgc3R5bGU9IkZPTlQt RkFNSUxZOiBDb3VyaWVyOyBtc28tYW5zaS1sYW5ndWFnZTogRU4tVVMiPmFsUG9sPFNQQU4gc3R5 bGU9Im1zby1zcGFjZXJ1bjogeWVzIj4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz cDsgPC9TUEFOPlsxXTxTUEFOIHN0eWxlPSJtc28tc3BhY2VydW46IHllcyI+Jm5ic3A7Jm5ic3A7 IDwvU1BBTj5QPC9TUEFOPjxTUEFOIHN0eWxlPSJGT05ULUZBTUlMWTogQ291cmllciI+cmVEZWZp bmVkVjwvU1BBTj48U1BBTiBsYW5nPUVOLVVTIHN0eWxlPSJGT05ULUZBTUlMWTogQ291cmllcjsg bXNvLWFuc2ktbGFuZ3VhZ2U6IEVOLVVTIj5hbFBvbCB9PD94bWw6bmFtZXNwYWNlIHByZWZpeCA9 IG8gbnMgPSAidXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6b2ZmaWNlIiAvPjxvOnA+ PC9vOnA+PC9TUEFOPjwvUD48UCBjbGFzcz1Nc29Ob3JtYWwgc3R5bGU9Ik1BUkdJTjogMGNtIDBj bSAwcHQiPjxTUEFOIGxhbmc9RU4tVVMgc3R5bGU9IkZPTlQtRkFNSUxZOiBDb3VyaWVyOyBtc28t YW5zaS1sYW5ndWFnZTogRU4tVVMiPjxvOnA+Jm5ic3A7PC9vOnA+PC9TUEFOPjwvUD48UCBjbGFz cz1Nc29Ob3JtYWwgc3R5bGU9Ik1BUkdJTjogMGNtIDBjbSAwcHQiPjxTUEFOIGxhbmc9RU4tVVMg c3R5bGU9IkZPTlQtRkFNSUxZOiBDb3VyaWVyOyBtc28tYW5zaS1sYW5ndWFnZTogRU4tVVMiPjxv OnA+PC9vOnA+PC9TUEFOPjwvUD48UFJFPjxTUEFOIGxhbmc9RU4tVVMgc3R5bGU9IkZPTlQtU0la RTogMTJwdDsgRk9OVC1GQU1JTFk6IENvdXJpZXI7IG1zby1hbnNpLWxhbmd1YWdlOiBFTi1VUyI+ PFNQQU4gc3R5bGU9Im1zby1zcGFjZXJ1bjogeWVzIj4mbmJzcDsmbmJzcDsgPC9TUEFOPlZhbGlk YXRpb25Qb2xpY3lEZWYgOjo9IFNFUVVFTkNFIHs8QlI+PFNQQU4gc3R5bGU9Im1zby1zcGFjZXJ1 bjogeWVzIj4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgPC9TUEFOPnZhbFBvbElkPFNQQU4gc3R5 bGU9Im1zby1zcGFjZXJ1bjogeWVzIj4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgPC9TUEFOPk9CSkVD VCBJREVOVElGSUVSLDxCUj48U1BBTiBzdHlsZT0ibXNvLXNwYWNlcnVuOiB5ZXMiPiZuYnNwOyZu YnNwOyZuYnNwOyZuYnNwOyA8L1NQQU4+dmFsUG9sUGFyYW1zPFNQQU4gc3R5bGU9Im1zby1zcGFj ZXJ1bjogeWVzIj4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgPC9T UEFOPjxTUEFOIHN0eWxlPSJtc28tc3BhY2VydW46IHllcyI+Jm5ic3A7Jm5ic3A7PC9TUEFOPlNF UVVFTkNFIE9GIFZhbFBvbFBhcmFtPFNQQU4gc3R5bGU9Im1zby1zcGFjZXJ1bjogeWVzIj4mbmJz cDsgPC9TUEFOPk9QVElPTkFMIH08bzpwPjwvbzpwPjwvU1BBTj48L1BSRT48UCBjbGFzcz1Nc29O b3JtYWwgc3R5bGU9Ik1BUkdJTjogMGNtIDBjbSAwcHQiPjxTUEFOIGxhbmc9RU4tVVMgc3R5bGU9 IkZPTlQtRkFNSUxZOiBDb3VyaWVyOyBtc28tYW5zaS1sYW5ndWFnZTogRU4tVVMiPjxvOnA+Jm5i c3A7PC9vOnA+PC9TUEFOPjwvUD48UCBjbGFzcz1Nc29Ob3JtYWwgc3R5bGU9Ik1BUkdJTjogMGNt IDBjbSAwcHQiPjxTUEFOIGxhbmc9RU4tVVMgc3R5bGU9IkZPTlQtRkFNSUxZOiBDb3VyaWVyOyBt c28tYW5zaS1sYW5ndWFnZTogRU4tVVMiPi0tIFZhbGlkYXRpb25Qb2xpY3lEZWYgYXZvaWRzIHRo ZSB1c2Ugb2YgIjwvU1BBTj48U1BBTiBzdHlsZT0iRk9OVC1GQU1JTFk6IENvdXJpZXIiPkFOWSBE RUZJTkVEIEJZIi48bzpwPjwvbzpwPjwvU1BBTj48L1A+PFAgY2xhc3M9TXNvTm9ybWFsIHN0eWxl PSJNQVJHSU46IDBjbSAwY20gMHB0Ij48U1BBTiBsYW5nPUVOLVVTIHN0eWxlPSJGT05ULUZBTUlM WTogQ291cmllcjsgbXNvLWFuc2ktbGFuZ3VhZ2U6IEVOLVVTIj48bzpwPiZuYnNwOzwvbzpwPjwv U1BBTj48L1A+PFAgY2xhc3M9TXNvTm9ybWFsIHN0eWxlPSJNQVJHSU46IDBjbSAwY20gMHB0Ij48 U1BBTiBsYW5nPUVOLVVTIHN0eWxlPSJGT05ULUZBTUlMWTogQ291cmllcjsgbXNvLWFuc2ktbGFu Z3VhZ2U6IEVOLVVTIj48bzpwPjwvbzpwPjwvU1BBTj48U1BBTiBzdHlsZT0iRk9OVC1TSVpFOiAx MnB0OyBGT05ULUZBTUlMWTogQ291cmllciI+Jm5ic3A7Jm5ic3A7IFByZURlZmluZWRWPC9TUEFO PjxTUEFOIGxhbmc9RU4tVVMgc3R5bGU9IkZPTlQtU0laRTogMTJwdDsgRk9OVC1GQU1JTFk6IENv dXJpZXI7IG1zby1hbnNpLWxhbmd1YWdlOiBFTi1VUyI+YWxQb2w8L1NQQU4+PFNQQU4gc3R5bGU9 IkZPTlQtU0laRTogMTJwdDsgRk9OVC1GQU1JTFk6IENvdXJpZXIiPiA6Oj0gU0VRVUVOQ0UgezxC Uj48U1BBTiBzdHlsZT0ibXNvLXNwYWNlcnVuOiB5ZXMiPiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw OyZuYnNwOyAmbmJzcDsgPC9TUEFOPnZhbEFsZ0lkPFNQQU4gc3R5bGU9Im1zby1zcGFjZXJ1bjog eWVzIj4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgPC9TUEFOPk9CSkVDVCBJREVOVElGSUVSLDxCUj48 U1BBTiBzdHlsZT0ibXNvLXNwYWNlcnVuOiB5ZXMiPiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu YnNwOyZuYnNwOyZuYnNwOyA8L1NQQU4+cGFyYW1ldGVyczxTUEFOIHN0eWxlPSJtc28tc3BhY2Vy dW46IHllcyI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7 Jm5ic3A7Jm5ic3A7Jm5ic3A7IDwvU1BBTj5BTlkgREVGSU5FRCBCWSB2YWxBbGdJZCBPUFRJT05B TCB9PC9TUEFOPjxTUEFOIGxhbmc9RU4tVVMgc3R5bGU9IkZPTlQtU0laRTogMTJwdDsgRk9OVC1G QU1JTFk6IENvdXJpZXI7IG1zby1hbnNpLWxhbmd1YWdlOiBFTi1VUyI+PG86cD48L286cD48L1NQ QU4+PC9QPjxQIGNsYXNzPU1zb05vcm1hbCBzdHlsZT0iTUFSR0lOOiAwY20gMGNtIDBwdCI+PFNQ QU4gbGFuZz1FTi1VUyBzdHlsZT0iRk9OVC1GQU1JTFk6IENvdXJpZXI7IG1zby1hbnNpLWxhbmd1 YWdlOiBFTi1VUyI+PG86cD4mbmJzcDs8L286cD48L1NQQU4+PC9QPjxQIGNsYXNzPU1zb05vcm1h bCBzdHlsZT0iTUFSR0lOOiAwY20gMGNtIDBwdCI+PFNQQU4gbGFuZz1FTi1VUyBzdHlsZT0iRk9O VC1GQU1JTFk6IENvdXJpZXI7IG1zby1hbnNpLWxhbmd1YWdlOiBFTi1VUyI+PFNQQU4gc3R5bGU9 Im1zby1zcGFjZXJ1bjogeWVzIj4mbmJzcDs8L1NQQU4+LS0gQmFzaWNWYWxQb2wgaXMgdGhlIHBv bGljeSBkZXNjcmliZWQgaW4gc2VjdGlvbiAzLjIuNC4yLjE8bzpwPjwvbzpwPjwvU1BBTj48L1A+ PFAgY2xhc3M9TXNvTm9ybWFsIHN0eWxlPSJNQVJHSU46IDBjbSAwY20gMHB0Ij48U1BBTiBsYW5n PUVOLVVTIHN0eWxlPSJGT05ULUZBTUlMWTogQ291cmllcjsgbXNvLWFuc2ktbGFuZ3VhZ2U6IEVO LVVTIj48U1BBTiBzdHlsZT0ibXNvLXNwYWNlcnVuOiB5ZXMiPiZuYnNwOzwvU1BBTj4tLSBpdCBj b21lcyB3aXRoIGl0cyBvd24gT0lEIGFuZCBpdHMgb3duIHBhcmFtZXRlcnMgYW5kIDxvOnA+PC9v OnA+PC9TUEFOPjwvUD48UCBjbGFzcz1Nc29Ob3JtYWwgc3R5bGU9Ik1BUkdJTjogMGNtIDBjbSAw cHQiPjxTUEFOIGxhbmc9RU4tVVMgc3R5bGU9IkZPTlQtRkFNSUxZOiBDb3VyaWVyOyBtc28tYW5z aS1sYW5ndWFnZTogRU4tVVMiPjxTUEFOIHN0eWxlPSJtc28tc3BhY2VydW46IHllcyI+Jm5ic3A7 PC9TUEFOPi0tIG1heSBiZSBzdXBwb3J0ZWQgdXNpbmcgPC9TUEFOPjxTUEFOIHN0eWxlPSJGT05U LUZBTUlMWTogQ291cmllciI+UHJlRGVmaW5lZFY8L1NQQU4+PFNQQU4gbGFuZz1FTi1VUyBzdHls ZT0iRk9OVC1GQU1JTFk6IENvdXJpZXI7IG1zby1hbnNpLWxhbmd1YWdlOiBFTi1VUyI+YWxQb2wu PG86cD48L286cD48L1NQQU4+PC9QPjxQIGNsYXNzPU1zb05vcm1hbCBzdHlsZT0iTUFSR0lOOiAw Y20gMGNtIDBwdCI+PFNQQU4gbGFuZz1FTi1VUyBzdHlsZT0iRk9OVC1GQU1JTFk6IENvdXJpZXI7 IG1zby1hbnNpLWxhbmd1YWdlOiBFTi1VUyI+PG86cD4mbmJzcDs8L286cD48L1NQQU4+PC9QPjxQ IGNsYXNzPU1zb05vcm1hbCBzdHlsZT0iTUFSR0lOOiAwY20gMGNtIDBwdCI+PFNQQU4gbGFuZz1F Ti1VUyBzdHlsZT0iRk9OVC1GQU1JTFk6IENvdXJpZXI7IG1zby1hbnNpLWxhbmd1YWdlOiBFTi1V UyI+PG86cD4mbmJzcDs8L286cD48L1NQQU4+PC9QPjxQIGNsYXNzPU1zb05vcm1hbCBzdHlsZT0i TUFSR0lOOiAwY20gMGNtIDBwdCI+PFNQQU4gbGFuZz1FTi1VUyBzdHlsZT0iRk9OVC1GQU1JTFk6 IENvdXJpZXI7IG1zby1hbnNpLWxhbmd1YWdlOiBFTi1VUyI+Jm5ic3A7Jm5ic3A7IFZhbFBvbFBh cmFtIDo9IFNFUVVFTkNFIHsgPG86cD48L286cD48L1NQQU4+PC9QPjxQIGNsYXNzPU1zb05vcm1h bCBzdHlsZT0iTUFSR0lOOiAwY20gMGNtIDBwdCI+PFNQQU4gbGFuZz1FTi1VUyBzdHlsZT0iRk9O VC1GQU1JTFk6IENvdXJpZXI7IG1zby1hbnNpLWxhbmd1YWdlOiBFTi1VUyI+PFNQQU4gc3R5bGU9 Im1zby1zcGFjZXJ1bjogeWVzIj4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgJm5ic3A7 IDwvU1BBTj5pZDxTUEFOIHN0eWxlPSJtc28tc3BhY2VydW46IHllcyI+Jm5ic3A7Jm5ic3A7Jm5i c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7 Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IDwvU1BBTj5PQkpFQ1Qg SURFTlRJRklFUiw8QlI+PFNQQU4gc3R5bGU9Im1zby1zcGFjZXJ1bjogeWVzIj4mbmJzcDsmbmJz cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgJm5ic3A7PC9TUEFOPnZhbHVlPFNQQU4gc3R5bGU9 Im1zby1zcGFjZXJ1bjogeWVzIj4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz cDsgPC9TUEFOPkJhc2VPYmplY3QgfTxvOnA+PC9vOnA+PC9TUEFOPjwvUD48UCBjbGFzcz1Nc29O b3JtYWwgc3R5bGU9Ik1BUkdJTjogMGNtIDBjbSAwcHQiPjxTUEFOIGxhbmc9RU4tVVMgc3R5bGU9 IkZPTlQtRkFNSUxZOiBDb3VyaWVyOyBtc28tYW5zaS1sYW5ndWFnZTogRU4tVVMiPjxvOnA+Jm5i c3A7PC9vOnA+PC9TUEFOPjwvUD48UCBjbGFzcz1Nc29Ob3JtYWwgc3R5bGU9Ik1BUkdJTjogMGNt IDBjbSAwcHQiPjxTUEFOIGxhbmc9RU4tVVMgc3R5bGU9IkZPTlQtRkFNSUxZOiBDb3VyaWVyOyBt c28tYW5zaS1sYW5ndWFnZTogRU4tVVMiPjxvOnA+Jm5ic3A7PC9vOnA+PC9TUEFOPjwvUD48UCBj bGFzcz1Nc29Ob3JtYWwgc3R5bGU9Ik1BUkdJTjogMGNtIDBjbSAwcHQiPjxTUEFOIHN0eWxlPSJG T05ULUZBTUlMWTogQ291cmllciI+Jm5ic3A7Jm5ic3A7IEJhc2VPYmplY3QgOjo9IENIT0lDRSB7 PEJSPjxTUEFOIHN0eWxlPSJtc28tc3BhY2VydW46IHllcyI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i c3A7Jm5ic3A7ICZuYnNwOyZuYnNwOyA8L1NQQU4+b2JqZWN0bGlzdDxTUEFOIHN0eWxlPSJtc28t c3BhY2VydW46IHllcyI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IDwvU1BB Tj48U1BBTiBzdHlsZT0ibXNvLXNwYWNlcnVuOiB5ZXMiPiZuYnNwOzwvU1BBTj5TRVFVRU5DRSBP RiBTaW1wbGVPYmplY3QsPEJSPjxTUEFOIHN0eWxlPSJtc28tc3BhY2VydW46IHllcyI+Jm5ic3A7 Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IDwvU1BBTj5vYmplY3Qg PFNQQU4gc3R5bGU9Im1zby1zcGFjZXJ1bjogeWVzIj4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDs8L1NQQU4+U2ltcGxlT2Jq ZWN0IH08L1NQQU4+PFNQQU4gbGFuZz1FTi1VUyBzdHlsZT0iRk9OVC1GQU1JTFk6IENvdXJpZXI7 IG1zby1hbnNpLWxhbmd1YWdlOiBFTi1VUyI+PG86cD48L286cD48L1NQQU4+PC9QPjxQIGNsYXNz PU1zb05vcm1hbCBzdHlsZT0iTUFSR0lOOiAwY20gMGNtIDBwdCI+PFNQQU4gbGFuZz1FTi1VUyBz dHlsZT0iRk9OVC1GQU1JTFk6IENvdXJpZXI7IG1zby1hbnNpLWxhbmd1YWdlOiBFTi1VUyI+PG86 cD4mbmJzcDs8L286cD48L1NQQU4+PC9QPjxQIGNsYXNzPU1zb05vcm1hbCBzdHlsZT0iTUFSR0lO OiAwY20gMGNtIDBwdCI+PFNQQU4gbGFuZz1FTi1VUyBzdHlsZT0iRk9OVC1GQU1JTFk6IENvdXJp ZXI7IG1zby1hbnNpLWxhbmd1YWdlOiBFTi1VUyI+PG86cD4mbmJzcDs8L286cD48L1NQQU4+PC9Q PjxQIGNsYXNzPU1zb05vcm1hbCBzdHlsZT0iTUFSR0lOOiAwY20gMGNtIDBwdCI+PFNQQU4gc3R5 bGU9IkZPTlQtRkFNSUxZOiBDb3VyaWVyIj4mbmJzcDsmbmJzcDsgU2ltcGxlT2JqZWN0IDo6PSBD SE9JQ0UgezxCUj48U1BBTiBzdHlsZT0ibXNvLXNwYWNlcnVuOiB5ZXMiPiZuYnNwOyZuYnNwOyZu YnNwOyZuYnNwOyZuYnNwOyAmbmJzcDs8L1NQQU4+PFNQQU4gc3R5bGU9Im1zby1zcGFjZXJ1bjog eWVzIj4mbmJzcDs8L1NQQU4+aW50IDxTUEFOIHN0eWxlPSJtc28tc3BhY2VydW46IHllcyI+Jm5i c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7 Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7PC9TUEFOPklOVEVHRVIsPEJSPjxTUEFOIHN0eWxlPSJtc28t c3BhY2VydW46IHllcyI+Jm5ic3A7Jm5ic3A7Jm5ic3A7ICZuYnNwOyZuYnNwOyA8L1NQQU4+PFNQ QU4gc3R5bGU9Im1zby1zcGFjZXJ1bjogeWVzIj4mbmJzcDs8L1NQQU4+c3RyaW5nIDxTUEFOIHN0 eWxlPSJtc28tc3BhY2VydW46IHllcyI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7 Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7PC9TUEFOPlVURjhTdHJpbmcsPEJSPjxTUEFO IHN0eWxlPSJtc28tc3BhY2VydW46IHllcyI+Jm5ic3A7PC9TUEFOPjxTUEFOIHN0eWxlPSJtc28t c3BhY2VydW46IHllcyI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7ICZuYnNwOzwvU1BB Tj5vaWQgPFNQQU4gc3R5bGU9Im1zby1zcGFjZXJ1bjogeWVzIj4mbmJzcDsmbmJzcDsmbmJzcDsm bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDs8L1NQQU4+PFNQQU4gc3R5bGU9Im1z by1zcGFjZXJ1bjogeWVzIj4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDs8L1NQQU4+T0JKRUNU IElERU5USUZJRVIsPEJSPjxTUEFOIHN0eWxlPSJtc28tc3BhY2VydW46IHllcyI+Jm5ic3A7Jm5i c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7ICZuYnNwOyA8L1NQQU4+ZmxhZyA8U1BBTiBzdHlsZT0ibXNv LXNwYWNlcnVuOiB5ZXMiPiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOzwvU1BBTj5CT09MRUFOLDxCUj48U1BB TiBzdHlsZT0ibXNvLXNwYWNlcnVuOiB5ZXMiPiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw OyZuYnNwOyAmbmJzcDs8L1NQQU4+Yml0c3RyaW5nIDxTUEFOIHN0eWxlPSJtc28tc3BhY2VydW46 IHllcyI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7PC9TUEFO PkJJVCBTVFJJTkcsPEJSPjxTUEFOIHN0eWxlPSJtc28tc3BhY2VydW46IHllcyI+Jm5ic3A7Jm5i c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7ICZuYnNwOzwvU1BBTj5vY3RldHMgPFNQQU4gc3R5 bGU9Im1zby1zcGFjZXJ1bjogeWVzIj4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDs8L1NQQU4+T0NURVQgU1RSSU5HLDxCUj48U1BB TiBzdHlsZT0ibXNvLXNwYWNlcnVuOiB5ZXMiPiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw OyZuYnNwOyAmbmJzcDs8L1NQQU4+ZGF0ZXRpbWUgPFNQQU4gc3R5bGU9Im1zby1zcGFjZXJ1bjog eWVzIj4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDs8 L1NQQU4+R0VORVJBTElaRURUSU1FLDxCUj48U1BBTiBzdHlsZT0ibXNvLXNwYWNlcnVuOiB5ZXMi PiZuYnNwOzwvU1BBTj48U1BBTiBzdHlsZT0ibXNvLXNwYWNlcnVuOiB5ZXMiPiZuYnNwOyZuYnNw OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyA8L1NQQU4+cEtDUmVmZXJlbmNlIDxTUEFOIHN0eWxl PSJtc28tc3BhY2VydW46IHllcyI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7 Jm5ic3A7Jm5ic3A7Jm5ic3A7PC9TUEFOPlswXSA8U1BBTiBzdHlsZT0ibXNvLXNwYWNlcnVuOiB5 ZXMiPiZuYnNwOzwvU1BBTj5QS0NSZWZlcmVuY2UsPEJSPjxTUEFOIHN0eWxlPSJtc28tc3BhY2Vy dW46IHllcyI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IDwvU1BB Tj5hdHRyaWJ1dGVDZXJ0aWZpY2F0ZSA8U1BBTiBzdHlsZT0ibXNvLXNwYWNlcnVuOiB5ZXMiPiZu YnNwOzwvU1BBTj5bMV0gPFNQQU4gc3R5bGU9Im1zby1zcGFjZXJ1bjogeWVzIj4mbmJzcDs8L1NQ QU4+QXR0cmlidXRlQ2VydGlmaWNhdGUgfTwvU1BBTj48U1BBTiBsYW5nPUVOLVVTIHN0eWxlPSJG T05ULUZBTUlMWTogQ291cmllcjsgbXNvLWFuc2ktbGFuZ3VhZ2U6IEVOLVVTIj48bzpwPjwvbzpw PjwvU1BBTj48L1A+PFAgY2xhc3M9TXNvTm9ybWFsIHN0eWxlPSJNQVJHSU46IDBjbSAwY20gMHB0 Ij48U1BBTiBsYW5nPUVOLVVTIHN0eWxlPSJGT05ULUZBTUlMWTogQ291cmllcjsgbXNvLWFuc2kt bGFuZ3VhZ2U6IEVOLVVTIj48bzpwPjwvbzpwPjwvU1BBTj48L1A+PFAgY2xhc3M9TXNvTm9ybWFs IHN0eWxlPSJNQVJHSU46IDBjbSAwY20gMHB0Ij48L0ZPTlQ+PC9TUEFOPjwvU1BBTj48U1BBTiBs YW5nPUVOLVVTIHN0eWxlPSJGT05ULUZBTUlMWTogQ291cmllcjsgbXNvLWFuc2ktbGFuZ3VhZ2U6 IEVOLVVTIj48bzpwPjxGT05UIHNpemU9Mz4mbmJzcDs8L0ZPTlQ+PC9vOnA+PC9TUEFOPjwvUD48 L0RJVj48RElWPkRlbmlzPC9ESVY+PERJVj4mbmJzcDs8L0RJVj48L0ZPTlQ+ Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA39c4cW046595; Thu, 3 Nov 2005 01:38:04 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jA39c43E046594; Thu, 3 Nov 2005 01:38:04 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from edelweb.fr (edelweb.fr [212.234.46.16]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA39c1TJ046584 for <ietf-pkix@imc.org>; Thu, 3 Nov 2005 01:38:02 -0800 (PST) (envelope-from Peter.Sylvester@edelweb.fr) Received: from champagne.edelweb.fr (localhost [127.0.0.1]) by edelweb.fr (8.11.7p1+Sun/8.11.7) with ESMTP id jA39bqi00137; Thu, 3 Nov 2005 10:37:52 +0100 (MET) Received: from champagne.edelweb.fr (champagne.edelweb.fr [193.51.14.161]) by edelweb.fr (nospam/2.4); Thu, 3 Nov 2005 10:37:52 +0100 (MET) Received: from [193.51.14.5] (emeriau.edelweb.fr [193.51.14.5]) by champagne.edelweb.fr (8.7.6/8.6.6) with ESMTP id KAA09977; Thu, 3 Nov 2005 10:37:50 +0100 (MET) Message-ID: <4369DA6D.7030300@edelweb.fr> Date: Thu, 03 Nov 2005 10:37:49 +0100 From: Peter Sylvester <Peter.Sylvester@edelweb.fr> User-Agent: Mozilla Thunderbird 1.0.2 (X11/20050317) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Steven Legg <steven.legg@eb2bcom.com> CC: =?ISO-8859-1?Q?Love_Hörnquist_Åstrand?= <lha@kth.se>, Tom Gindin <tgindin@us.ibm.com>, Sam Hartman <hartmans-ietf@mit.edu>, ietf-pkix@imc.org, jhutz@cmu.edu, ietf-krb-wg@anl.gov Subject: Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for Initial Authentication in Kerberos References: <OF4418E07D.316DA9AC-ON852570A8.0071203C-852570AC.004AB30B@us.ibm.com> <4367B0BC.6090601@edelweb.fr> <m2ek5yrflj.fsf@c80-217-232-48.cm-upc.chello.se> <43694DC7.2090308@eb2bcom.com> In-Reply-To: <43694DC7.2090308@eb2bcom.com> Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms050504060708090503010803" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This is a cryptographically signed message in MIME format. --------------ms050504060708090503010803 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit Hi, I stand corrected (for the syntax). For the rest, I am not sure whether I could have given an explanation as precisely as Steve. :-) Peter Steven Legg wrote: > > > Love, et al, > > Love Hörnquist Åstrand wrote: > >> Peter Sylvester <Peter.Sylvester@edelweb.fr> writes: >> >> >>> The first one can be replaced by >>> >>> subjectName [0] IMPLICIT OCTET STRING OPTIONAL >>> CONTAINING Name >> > > The correct syntax here is: > > subjectName [0] IMPLICIT OCTET STRING (CONTAINING Name) > OPTIONAL > >> >> >> Lets take another example: >> >> PA-PK-AS-REQ ::= SEQUENCE { >> signedAuthPack [0] IMPLICIT OCTET STRING, >> -- Contains a CMS type ContentInfo encoded >> -- according to [RFC3852]. >> -- The contentType field of the type ContentInfo >> -- is id-signedData (1.2.840.113549.1.7.2), >> -- and the content field is a SignedData. >> >> With you syntax this should be >> >> signedAuthPack IMPLICIT OCTET STRING OPTIONAL CONTAINING ContentInfo >> >> Now, ContentInfo in a CMS type, and is allowed to be encoded in BER. >> Kerberos datatypes uses DER. >> >> How is that expressed in a formal way ? > > > signedAuthPack IMPLICIT OCTET STRING > (CONTAINING ContentInfo > ENCODED BY {joint-iso-itu-t asn(1) ber-derived(2) > distinguished-encoding(1)}) > OPTIONAL > > The OID after the "ENCODED BY" is the OID that identifies DER. > >> >> Just saying IMPORT and CONTANING and expect the right thing to happen >> when >> given to a compiler seems very naive. > > > There's a better chance that the compiler can do something useful than if > the requirements are expressed informally as a comment. > > Regards, > Steven > >> >> Love >> > > > -- To verify the signature, see http://edelpki.edelweb.fr/ Cela vous permet de charger le certificat de l'autorité; die Liste mit zurückgerufenen Zertifikaten finden Sie da auch. --------------ms050504060708090503010803 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIOpDCC BHIwggLfoAMCAQICBgoMz+gAPzANBgkqhkiG9w0BAQUFADBbMQswCQYDVQQGEwJGUjEQMA4G A1UEChMHRWRlbFdlYjEYMBYGA1UECxMPU2VydmljZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVs UEtJIEVkZWxXZWIgUGVyc0dFTjAeFw0wNTAxMDYxMjI3MTlaFw0wNzAzMTcxMjI3MTlaMHAx CzAJBgNVBAYTAkZSMRAwDgYDVQQKDAdFZGVsV2ViMRgwFgYDVQQLDA9TZXJ2aWNlIEVkZWxQ S0kxNTAzBgNVBAMMLFBldGVyIFNZTFZFU1RFUiA8UGV0ZXIuU3lsdmVzdGVyQGVkZWx3ZWIu ZnI+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDn/izyem7Z1pUP/gpQDSzeGA/ZP4vo VaCxcPWyssTYTAl6csAql2IIcYNVb6funaMNOY1q5oSNtlguFpOK3atQElBIMsfSh0CTuvUq q2QDz1nHWOB96aU8G81+ZmC+iQOCAdG3qKWvMOzC0SzxKGbhTqDsjBvfYYk1Jk/Rb5TK0wID AQABo4IBLjCCASowYgYDVR0RBFswWYEaUGV0ZXIuU3lsdmVzdGVyQGVkZWx3ZWIuZnKkOzA5 MQswCQYDVQQGEwJGUjEQMA4GA1UECgwHRWRlbFdlYjEYMBYGA1UEAwwPUGV0ZXIgU1lMVkVT VEVSMA4GA1UdDwEB/wQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcDBAYIKwYBBQUHAwIwSgYD VR0fBEMwQTA/oD2gO4Y5aHR0cDovL2VkZWxwa2kuZWRlbHdlYi5mci9jcmwvRWRlbFBLSS1F ZGVsV2ViLVBlcnNHRU4uY3JsMB0GA1UdDgQWBBSSHP6djxj58tIi5VvjJbMZMXC/fDAfBgNV HSMEGDAWgBSe5Q/BFJVJHN1aXV6crs0Bby+UeTAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBBQUA A4IBfAANZYiEkyDqsT43U83wHLSYMGcEfmisT+WQrAAoHdlcIsnlHnufGnfmdpg5yvCQpl2U TI7/w3LdaItoWq5oMZitqdoPW8Z+jy2pkd/DqYG1MkpEyZ0PA37Zn5yigQXAk4Nox7Lgiom8 1WDNgPesNRX7PRNa+RkQcD8MasfbHcZ2ycs1SxUxiCy6BUzhgSB8cNb2t9LVWWynvWuK1Wa5 V2ZCd3PlbKsrbWH8pafpFWUQm0S2BfKUWLDG9cje5bL7p5EpV4a8gFpbD5dq+PPJglT0Dvs9 F0EcrfL2l3JxGIkZmW7sfiUoefB9hTS9m3/TGvXcne4RYpVpEHFV5TathMuHfKAti6PhSely LCqdPq/T9DHLJekBY0EA2yiVcKQnRZk7/pz0HImCPADOHSOWffJtc9b+Ak6HSDD1PlOSDfT+ udnrqwSAiuNN3hx1olPNxzVDu3jgiTSJFf2XJ1TnmGMT4pJmx7vkJkdE9sZvpiZwdVws37Nr LqhH5fMZMIIEcjCCAt+gAwIBAgIGCgzP6AA/MA0GCSqGSIb3DQEBBQUAMFsxCzAJBgNVBAYT AkZSMRAwDgYDVQQKEwdFZGVsV2ViMRgwFgYDVQQLEw9TZXJ2aWNlIEVkZWxQS0kxIDAeBgNV BAMTF0VkZWxQS0kgRWRlbFdlYiBQZXJzR0VOMB4XDTA1MDEwNjEyMjcxOVoXDTA3MDMxNzEy MjcxOVowcDELMAkGA1UEBhMCRlIxEDAOBgNVBAoMB0VkZWxXZWIxGDAWBgNVBAsMD1NlcnZp Y2UgRWRlbFBLSTE1MDMGA1UEAwwsUGV0ZXIgU1lMVkVTVEVSIDxQZXRlci5TeWx2ZXN0ZXJA ZWRlbHdlYi5mcj4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOf+LPJ6btnWlQ/+ClAN LN4YD9k/i+hVoLFw9bKyxNhMCXpywCqXYghxg1Vvp+6dow05jWrmhI22WC4Wk4rdq1ASUEgy x9KHQJO69SqrZAPPWcdY4H3ppTwbzX5mYL6JA4IB0beopa8w7MLRLPEoZuFOoOyMG99hiTUm T9FvlMrTAgMBAAGjggEuMIIBKjBiBgNVHREEWzBZgRpQZXRlci5TeWx2ZXN0ZXJAZWRlbHdl Yi5mcqQ7MDkxCzAJBgNVBAYTAkZSMRAwDgYDVQQKDAdFZGVsV2ViMRgwFgYDVQQDDA9QZXRl ciBTWUxWRVNURVIwDgYDVR0PAQH/BAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEF BQcDAjBKBgNVHR8EQzBBMD+gPaA7hjlodHRwOi8vZWRlbHBraS5lZGVsd2ViLmZyL2NybC9F ZGVsUEtJLUVkZWxXZWItUGVyc0dFTi5jcmwwHQYDVR0OBBYEFJIc/p2PGPny0iLlW+Mlsxkx cL98MB8GA1UdIwQYMBaAFJ7lD8EUlUkc3VpdXpyuzQFvL5R5MAkGA1UdEwQCMAAwDQYJKoZI hvcNAQEFBQADggF8AA1liISTIOqxPjdTzfActJgwZwR+aKxP5ZCsACgd2VwiyeUee58ad+Z2 mDnK8JCmXZRMjv/Dct1oi2harmgxmK2p2g9bxn6PLamR38OpgbUySkTJnQ8DftmfnKKBBcCT g2jHsuCKibzVYM2A96w1Ffs9E1r5GRBwPwxqx9sdxnbJyzVLFTGILLoFTOGBIHxw1va30tVZ bKe9a4rVZrlXZkJ3c+VsqyttYfylp+kVZRCbRLYF8pRYsMb1yN7lsvunkSlXhryAWlsPl2r4 88mCVPQO+z0XQRyt8vaXcnEYiRmZbux+JSh58H2FNL2bf9Ma9dyd7hFilWkQcVXlNq2Ey4d8 oC2Lo+FJ6XIsKp0+r9P0Mcsl6QFjQQDbKJVwpCdFmTv+nPQciYI8AM4dI5Z98m1z1v4CTodI MPU+U5IN9P652eurBICK403eHHWiU83HNUO7eOCJNIkV/ZcnVOeYYxPikmbHu+QmR0T2xm+m JnB1XCzfs2suqEfl8xkwggW0MIIDT6ADAgECAgYJ+oiVOzEwDQYJKoZIhvcNAQEFBQAwUjEL MAkGA1UEBhMCRlIxEDAOBgNVBAoTB0VkZWxXZWIxGDAWBgNVBAsTD1NlcnZpY2UgRWRlbFBL STEXMBUGA1UEAxMOUmFjaW5lIEVkZWxQS0kwHhcNMDQxMDA3MTU0MzMwWhcNMTEwODEyMTU0 MzMwWjBbMQswCQYDVQQGEwJGUjEQMA4GA1UEChMHRWRlbFdlYjEYMBYGA1UECxMPU2Vydmlj ZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVsUEtJIEVkZWxXZWIgUGVyc0dFTjCCAZwwDQYJKoZI hvcNAQEBBQADggGJADCCAYQCggF7FyeP4kRrFG9y51CeWmJIxBSMD2bcrJKIlnAPn6eH8V1M ORWTPivMNQYq32XcEi9xrxjyREvvnhABrVcW+1VLyLH8WgRY6n5A5JfuDjU6Aq0RzmjqTWDe 1+ecbgAtN8FYjVk35vdQbgfYzpGHPT0NuxiHi8NB8lNFi8rG0t2hP7WLwHLA+sIKFzA/CCRt qeGPvQkB1pRamU2IAActykfzJb6Qc50uRobWUBJtVjEBy/lgIXU0rMnQNHeCgbUvebvAT9Hd UGIPbEiX7dKHxL5/AxzHK/rA5siMzNPk8nSckDeLvpf8c/gqQRpPqufy4DazzXfZosKeJATH pyONnairmwfzMTi63PvNovrbTgzUiyH+g5zvcNoci9cke0RiLQc1pI38psgnVLtPPITgOZrS cV9zs4+sD7x7vjRco7a9H2ErfAU+8/Ui2OkR1X0z8DpyBHD/fcaDXTD+EiISL7aJHQcJRoNB CdCFgZeomsXULIYoFTa1hH//TN0z9wIDAQABo4G/MIG8MDoGA1UdHwQzMDEwL6AtoCuGKWh0 dHA6Ly9lZGVscGtpLmVkZWx3ZWIuZnIvY3JsL0VkZWxQS0kuY3JsMA8GA1UdEwQIMAYBAf8C AQAwDgYDVR0PAQH/BAQDAgEGMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEFBQcDAjAdBgNV HQ4EFgQUnuUPwRSVSRzdWl1enK7NAW8vlHkwHwYDVR0jBBgwFoAUqNkrj9SwZ7q9SVy8M/x3 UhG5Z50wDQYJKoZIhvcNAQEFBQADggJOAFZV+1m/H+Qud9iUQJnvZR8R/adID02c2B3aOUUy 4/4dxBb4UU1kW8DTUpD57Pjuocfvdg4AfQi7zgSQ8/NUGxNU4CPxtADZVrZtmrpKCjBh1tNz QbNbdP91KtP+Di0BpidqNwG00CC9j2EnBY88AsqKE28Rmw4eQ9/M/q/GbXsAfEsHV0IQjM7u US+usowZwm3Mwa5oF+6gmShSc/Wz8iIURxg4lTQto3AoBsiLJelq83I4XRQ0goXYGcM8xXYj PDioidvY5pSfT4qBR1Bx/vh+xD2evWyFbpuB99iuuewoELX8db7P74QEHhw6Bv1yxLYXGamq Uxo60WT/UCFjVSy3C/dLrraUZA4gh7Q5G+3/Fal62Qx+1rUEC2YbogEKggonklzUXA+sUbCf Ad5nZQ0eSszwKt8jmYoHfQ6rUMde0ZJD08n5HAot9hpl9R65j9fdPz9uTeANcRocftHfgM7Y rQyruWuFxgMUV80fD4RC9ej5KbLyO8jtgESjOCGXeJ95kXXP8vmW73xCYkJ9Pg7Op30o43l6 PV7vej3gdmSQISY+s+J3arz+bccljJCrKHBad3918/LjJ55sRtSb7mfQGti2UcxtJAa2NmUL d+BIv0MUuC6+k2yIIQKcLbDuuk8lLJmwWuYt1OLHEskZxOm7D7nRwe7ZNlTIZvR/VFWxlY18 k488tH9qcusIw8+7uXeHOZHyFUOHMINJZO9mq9HwGMC4v1xiPwoAJkzFtHf3D9VAholjhEFg d28aJSs6qN15PXDgDjptAl34eoUxggKuMIICqgIBATBlMFsxCzAJBgNVBAYTAkZSMRAwDgYD VQQKEwdFZGVsV2ViMRgwFgYDVQQLEw9TZXJ2aWNlIEVkZWxQS0kxIDAeBgNVBAMTF0VkZWxQ S0kgRWRlbFdlYiBQZXJzR0VOAgYKDM/oAD8wCQYFKw4DAhoFAKCCAZ8wGAYJKoZIhvcNAQkD MQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDUxMTAzMDkzNzQ5WjAjBgkqhkiG9w0B CQQxFgQUSS+ERu3NSioTntmkwwbHXPlLENUwUgYJKoZIhvcNAQkPMUUwQzAKBggqhkiG9w0D BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwIC ASgwdAYJKwYBBAGCNxAEMWcwZTBbMQswCQYDVQQGEwJGUjEQMA4GA1UEChMHRWRlbFdlYjEY MBYGA1UECxMPU2VydmljZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVsUEtJIEVkZWxXZWIgUGVy c0dFTgIGCgzP6AA/MHYGCyqGSIb3DQEJEAILMWegZTBbMQswCQYDVQQGEwJGUjEQMA4GA1UE ChMHRWRlbFdlYjEYMBYGA1UECxMPU2VydmljZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVsUEtJ IEVkZWxXZWIgUGVyc0dFTgIGCgzP6AA/MA0GCSqGSIb3DQEBAQUABIGAYfF9eDoa2MHxnrMv DLtFZdiPVGxMBL4xdA+h2HANF2eLoOK7/aIz37W82TkThTW2ywKEoDn0ciK/y4yLcyWISbRM 6uaniDrA67hgbehP0U55Itq5igYYZ/hDegJnjH92wSHIjPoK9Xc67G8cnrnniltFk+kzB8TM MKSH3j0/gesAAAAAAAA--------------ms050504060708090503010803-- Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA2NcNK1086676; Wed, 2 Nov 2005 15:38:23 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jA2NcNGj086675; Wed, 2 Nov 2005 15:38:23 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from eagle.unknowndns.net (IDENT:U2FsdGVkX18dQ0snfkPiMtMFJV1gneaZZ+7MZewK0bc@eagle.unknowndns.net [221.133.206.175]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA2NcKni086664 for <ietf-pkix@imc.org>; Wed, 2 Nov 2005 15:38:21 -0800 (PST) (envelope-from steven.legg@eb2bcom.com) Received: from cust3103.vic01.dataco.com.au ([202.63.62.31] helo=[192.168.1.156]) by eagle.unknowndns.net with esmtpa (Exim 4.52) id 1EXSAr-0005eM-3Q; Thu, 03 Nov 2005 09:37:45 +1000 Message-ID: <43694DC7.2090308@eb2bcom.com> Date: Thu, 03 Nov 2005 10:37:43 +1100 From: Steven Legg <steven.legg@eb2bcom.com> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.6) Gecko/20050319 X-Accept-Language: en-us, en MIME-Version: 1.0 To: =?ISO-8859-1?Q?Love_Hörnquist_Åstrand?= <lha@kth.se> CC: Peter Sylvester <Peter.Sylvester@edelweb.fr>, Tom Gindin <tgindin@us.ibm.com>, Sam Hartman <hartmans-ietf@mit.edu>, ietf-pkix@imc.org, jhutz@cmu.edu, ietf-krb-wg@anl.gov Subject: Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for Initial Authentication in Kerberos References: <OF4418E07D.316DA9AC-ON852570A8.0071203C-852570AC.004AB30B@us.ibm.com> <4367B0BC.6090601@edelweb.fr> <m2ek5yrflj.fsf@c80-217-232-48.cm-upc.chello.se> In-Reply-To: <m2ek5yrflj.fsf@c80-217-232-48.cm-upc.chello.se> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - eagle.unknowndns.net X-AntiAbuse: Original Domain - imc.org X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12] X-AntiAbuse: Sender Address Domain - eb2bcom.com X-Source: X-Source-Args: X-Source-Dir: Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Love, et al, Love Hörnquist Åstrand wrote: > Peter Sylvester <Peter.Sylvester@edelweb.fr> writes: > > >>The first one can be replaced by >> >> subjectName [0] IMPLICIT OCTET STRING OPTIONAL CONTAINING Name The correct syntax here is: subjectName [0] IMPLICIT OCTET STRING (CONTAINING Name) OPTIONAL > > > Lets take another example: > > PA-PK-AS-REQ ::= SEQUENCE { > signedAuthPack [0] IMPLICIT OCTET STRING, > -- Contains a CMS type ContentInfo encoded > -- according to [RFC3852]. > -- The contentType field of the type ContentInfo > -- is id-signedData (1.2.840.113549.1.7.2), > -- and the content field is a SignedData. > > With you syntax this should be > > signedAuthPack IMPLICIT OCTET STRING OPTIONAL CONTAINING ContentInfo > > Now, ContentInfo in a CMS type, and is allowed to be encoded in BER. > Kerberos datatypes uses DER. > > How is that expressed in a formal way ? signedAuthPack IMPLICIT OCTET STRING (CONTAINING ContentInfo ENCODED BY {joint-iso-itu-t asn(1) ber-derived(2) distinguished-encoding(1)}) OPTIONAL The OID after the "ENCODED BY" is the OID that identifies DER. > > Just saying IMPORT and CONTANING and expect the right thing to happen when > given to a compiler seems very naive. There's a better chance that the compiler can do something useful than if the requirements are expressed informally as a comment. Regards, Steven > > Love > Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA2K184I055883; Wed, 2 Nov 2005 12:01:08 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jA2K18eA055882; Wed, 2 Nov 2005 12:01:08 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from amsfep18-int.chello.nl (amsfep18-int.chello.nl [213.46.243.13]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA2K15Dn055863 for <ietf-pkix@imc.org>; Wed, 2 Nov 2005 12:01:06 -0800 (PST) (envelope-from lha@it.su.se) Received: from c80-217-232-48.cm-upc.chello.se ([80.217.232.48]) by amsfep18-int.chello.nl (InterMail vM.6.01.04.04 201-2131-118-104-20050224) with ESMTP id <20051102200059.JQNT13238.amsfep18-int.chello.nl@c80-217-232-48.cm-upc.chello.se>; Wed, 2 Nov 2005 21:00:59 +0100 Received: by c80-217-232-48.cm-upc.chello.se (Postfix, from userid 501) id 6E08335F222; Wed, 2 Nov 2005 21:00:58 +0100 (CET) To: Peter Sylvester <Peter.Sylvester@edelweb.fr> Cc: Sam Hartman <hartmans-ietf@mit.edu>, Tom Gindin <tgindin@us.ibm.com>, ietf-pkix@imc.org, jhutz@cmu.edu, ietf-krb-wg@anl.gov Subject: Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for Initial Authentication in Kerberos References: <OF4418E07D.316DA9AC-ON852570A8.0071203C-852570AC.004AB30B@us.ibm.com> <tslpspkbfzz.fsf@cz.mit.edu> <4368E229.9000706@edelweb.fr> From: =?iso-8859-1?q?Love_Hörnquist_Åstrand?= <lha@kth.se> Date: Wed, 02 Nov 2005 21:00:56 +0100 In-Reply-To: <4368E229.9000706@edelweb.fr> (Peter Sylvester's message of "Wed, 02 Nov 2005 16:58:33 +0100") Message-ID: <m2acgmrf9j.fsf@c80-217-232-48.cm-upc.chello.se> User-Agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/22.0.50 (darwin) MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha1; protocol="application/pgp-signature" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> --=-=- Peter, > Tagging is a matter of ket's say "taste", in fact, it is a matter of > implementation > experience. ASN.1 after many years has come with AUTOMATIC tags > allowing automatically unambiguous and non-excessive explicit tagging. The excessive amount of tagging seems like minor nit, its bloaty, sure, its like rest of the Kerberos protocol. > Wrapping: Strong boundaries would make sense if you don't have to > cross them > > Interoperability note: Some implementations may not be able to decode > wrapped CMS objects encoded with BER but not DER; specifically, they > may not be able to decode infinite length encodings. > > > > something that seems to be necessary according to the previous citation. > > As soon as you have the data structure that you wrap, > you can also encode them in DER. I doubt that you just have the > octet string contents only available as blobs. The CMS implemtetion might use another asn1-package then then Kerberos implemetation, I think today that this is the common case. You call CMS package, get back blob, and you have no clue about the encoding it used used. Love --=-=-Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (Darwin) iQEVAwUAQ2ka+to1gLFKFEjAAQIgQwf8CfqEn+VTKEos0XqFQhSqDpmnsJkY2r4R Xp1jgCj9dr7eqKbIXdABKHVhT/z5Ox7bhy3N6ssJlvrhOFV8qqG9sQNIkxYlO9wp iCPm26JVacz3v4P/ryMKO4rJoWVzrO6S5HWnC4Mo76zRIkOmfutJOLKxXdNpajPG J89wM3canq3V9ExaVqd42ffGGXaiGGxi4EBHwyRsgNot2fd9nWR7kc7BM5E0zXvt PRHgE07c9qqeJuMWgnNvp3jEV/HTpiXNPiyXESBPQe3bEM03SJshSaAyTrwsqbfG sodIuN7KDYrFtsyP6Ct6NoSd56Qzf9H62JkN24A7JxaxegFJavTACg= =iQPg -----END PGP SIGNATURE----- --=-=-=-- Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA2JsvuH055396; Wed, 2 Nov 2005 11:54:57 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jA2JsvlZ055395; Wed, 2 Nov 2005 11:54:57 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from amsfep19-int.chello.nl (amsfep11-int.chello.nl [213.46.243.19]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA2JstwL055361 for <ietf-pkix@imc.org>; Wed, 2 Nov 2005 11:54:56 -0800 (PST) (envelope-from lha@it.su.se) Received: from c80-217-232-48.cm-upc.chello.se ([80.217.232.48]) by amsfep19-int.chello.nl (InterMail vM.6.01.04.04 201-2131-118-104-20050224) with ESMTP id <20051102195353.LTWJ17379.amsfep19-int.chello.nl@c80-217-232-48.cm-upc.chello.se>; Wed, 2 Nov 2005 20:53:53 +0100 Received: by c80-217-232-48.cm-upc.chello.se (Postfix, from userid 501) id 221DD35F20B; Wed, 2 Nov 2005 20:53:50 +0100 (CET) To: Peter Sylvester <Peter.Sylvester@edelweb.fr> Cc: Tom Gindin <tgindin@us.ibm.com>, Sam Hartman <hartmans-ietf@mit.edu>, ietf-pkix@imc.org, jhutz@cmu.edu, ietf-krb-wg@anl.gov Subject: Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for Initial Authentication in Kerberos References: <OF4418E07D.316DA9AC-ON852570A8.0071203C-852570AC.004AB30B@us.ibm.com> <4367B0BC.6090601@edelweb.fr> From: =?iso-8859-1?q?Love_Hörnquist_Åstrand?= <lha@kth.se> Date: Wed, 02 Nov 2005 20:53:44 +0100 In-Reply-To: <4367B0BC.6090601@edelweb.fr> (Peter Sylvester's message of "Tue, 01 Nov 2005 19:15:24 +0100") Message-ID: <m2ek5yrflj.fsf@c80-217-232-48.cm-upc.chello.se> User-Agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/22.0.50 (darwin) MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha1; protocol="application/pgp-signature" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> --=-=- Peter Sylvester <Peter.Sylvester@edelweb.fr> writes: > The first one can be replaced by > > subjectName [0] IMPLICIT OCTET STRING OPTIONAL CONTAINING Name Lets take another example: PA-PK-AS-REQ ::= SEQUENCE { signedAuthPack [0] IMPLICIT OCTET STRING, -- Contains a CMS type ContentInfo encoded -- according to [RFC3852]. -- The contentType field of the type ContentInfo -- is id-signedData (1.2.840.113549.1.7.2), -- and the content field is a SignedData. With you syntax this should be signedAuthPack IMPLICIT OCTET STRING OPTIONAL CONTAINING ContentInfo Now, ContentInfo in a CMS type, and is allowed to be encoded in BER. Kerberos datatypes uses DER. How is that expressed in a formal way ? Just saying IMPORT and CONTANING and expect the right thing to happen when given to a compiler seems very naive. Love --=-=-Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (Darwin) iQEVAwUAQ2kZTto1gLFKFEjAAQID/Af+OWQT87mcOtSKqYXb0aTmnNWuO2BIBhdd rnTZhrPeeej8nTlKIY6XoV3LcK3sy8Qbsqjl/4l66WlXCLwjwjSh06kRUpui04Xx 9Ssf3MiMkOCij0N0gn2DH9a2W/GPeZpClhg7Stb+VHatcgvF4FFTsRBEIDWybqD2 XZyUw803BCezh6PACpll/wi1EBJVF1+XjR8pG7tUSxnUwnceeshRQeO8AMjwacu6 aWgkwgNjipugE/5nOu6+tnS9s6+FtPmQS0c+J2MyIN76hJcYIslkcO2Ym5w/5kSF xiKlN9SoNgEenpwlW90beQd9iKlPtgCF89+pbNBwqZAFTZhVDM6iXA= =mlWA -----END PGP SIGNATURE----- --=-=-=-- Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA2IKYAD039591; Wed, 2 Nov 2005 10:20:34 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jA2IKYjp039590; Wed, 2 Nov 2005 10:20:34 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from mtiwmhc11.worldnet.att.net (mtiwmhc11.worldnet.att.net [204.127.131.115]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA2IKXxf039574 for <ietf-pkix@imc.org>; Wed, 2 Nov 2005 10:20:33 -0800 (PST) (envelope-from todd.glassey@att.net) Received: from 204.127.135.41 ([204.127.135.41]) by worldnet.att.net (mtiwmhc11) with SMTP id <2005110218202211100n91kce>; Wed, 2 Nov 2005 18:20:27 +0000 Received: from [64.127.102.91] by 204.127.135.41; Wed, 02 Nov 2005 18:20:19 +0000 From: todd.glassey@att.net To: denis.pinkas@bull.net, Sam Hartman <hartmans-ietf@mit.edu> Cc: Tom Gindin <tgindin@us.ibm.com>, ietf-pkix@imc.org, jhutz@cmu.edu, ietf-krb-wg@anl.gov, housley@vigilsec.com Subject: Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for Initial Authentication in Kerberos Date: Wed, 02 Nov 2005 18:20:19 +0000 Message-Id: <110220051820.1090.43690363000717A5000004422158766720970A9C9C0E0409D20B0B019B@att.net> X-Mailer: AT&T Message Center Version 1 (Oct 30 2005) X-Authenticated-Sender: dG9kZC5nbGFzc2V5QGF0dC5uZXQMIME-Version: 1.0 Content-Type: multipart/mixed; boundary="NextPart_Webmail_9m3u9jl4l_1090_1130955619_0" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> --NextPart_Webmail_9m3u9jl4l_1090_1130955619_0 Content-Type: text/plain Content-Transfer-Encoding: 8bit Denis - doesnt the idea that the IETF as a whole needs to sign off on ASN.1 Notation in order for their to be any responsibility of any A-D's anywhere to push it seem reasonable to you? Or does PKIX rule the IETF still? Todd Glassey --NextPart_Webmail_9m3u9jl4l_1090_1130955619_0 Content-Type: message/rfc822 From: denis.pinkas@bull.net To: Sam Hartman <hartmans-ietf@mit.edu> Cc: Tom Gindin <tgindin@us.ibm.com>, ietf-pkix@imc.org, jhutz@cmu.edu, ietf-krb-wg@anl.gov, housley@vigilsec.com Subject: Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for Initial Authentication in Kerberos Date: Wed, 2 Nov 2005 17:03:36 +0000 Content-Type: Multipart/mixed; boundary="NextPart_Webmail_9m3u9jl4l_1090_1130955619_1" --NextPart_Webmail_9m3u9jl4l_1090_1130955619_1 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: base64 PEZPTlQgZmFjZT0iRGVmYXVsdCBTYW5zIFNlcmlmLCBWZXJkYW5hLCBBcmlhbCwgSGVsdmV0aWNh LCBzYW5zLXNlcmlmIiBzaXplPTI+PERJVj5JIHNlY29uZCBUb20gYW5kIFBldGVyIHBvc2l0aW9u cy48L0RJVj48RElWPiZuYnNwOzwvRElWPjxESVY+U2luY2UgeW91IGFza2VkLCB5b3UgZ290IHRo cmVlIGNvbnNpc3RhbnQgYW5zd2Vycy48QlI+SXQgaXMgbm90Jm5ic3A7YXBwcm9wcmlhdGUgdG8g b3ZlciB0YWcgYW5kIG92ZXIgY29tbWVudCBpbiB0aGUgQVNOLjEgc3ludGF4LjwvRElWPjxESVY+ Jm5ic3A7PC9ESVY+PERJVj5JIGJlbGlldmUgdGhhdCB0aGUgQS1EcyBzaG91bGQgbWFrZSBzdXJl IHRoZSBBU04uMSBkZXNjcmlwdGlvbnMgY29taW5nIGZyb20gZGlmZmVyZW50IFdHcyBoYXZlIHRo ZSBzYW1lIGxvb2sgYW5kIGZlZWwuPC9ESVY+PERJVj4mbmJzcDs8L0RJVj48RElWPkluIGFkZGl0 aW9uOjwvRElWPjxESVY+Jm5ic3A7PC9ESVY+PERJVj5Gcm9tIHRoZSBpbnRyb2R1Y3Rpb24sIGl0 IGlzIGhhcmQmbmJzcDt0byBrbm93IHdoaWNoIGtpbmQgb2YgcHJpdmF0ZSBrZXkgaXMgbmVlZGVk OiA8L0RJVj48RElWPmlzIGl0IGEgcHJpdmF0ZSBrZXkgZm9yIGRlY3J5cHRpb24gb3IvYW5kIGZv ciBkaWdpdGFsbHkgc2lnbmluZyA/IDwvRElWPjxESVY+Jm5ic3A7PC9ESVY+PERJVj5JdCBpcyBh bHNvIGhhcmQgdG8ga25vdyB3aGV0aGVyIGEgcHVyZSBzaWduYXR1cmUgYWxnb3JpdGhtIGxpa2Ug RFNBIG1heSZuYnNwO2JlIHVzZWQuIDwvRElWPjxESVY+TGF0ZXIgb24gZnJvbSB0aGUgbmV4dCwg aXQgc2VlbXMgdGhhdCB0aGUgYW5zd2VyIGlzICJvbmx5IHRoZSBSU0EgYWxnb3JpdGhtIGNhbiBi ZSB1c2VkIi48L0RJVj48RElWPiZuYnNwOzwvRElWPjxESVY+U3RlcCAyIGFzIGRlc2NyaWJlZCBp biBzZWN0aW9uIDMsIG1hbmRhdGVzIHRoZSB1c2Ugb2YgYSBwdWJsaWMga2V5IGNlcnRpZmljYXRl LCA8L0RJVj48RElWPmJ1dCBzdGVwIDEgb25seSBtZW50aW9ucyB0aGF0IGEgcHVibGljIGtleSBp cyBwYXNzZWQsIGluc3RlYWQgb2YgYSBwdWJsaWMga2V5IGNlcnRpZmljYXRlLiA8L0RJVj48RElW PlN0ZXBzIDEgYW5kIDIgbmVlZCB0byBiZSBtYWRlIGNvbnNpc3RhbnQuJm5ic3A7Jm5ic3A7PC9E SVY+PERJVj4mbmJzcDs8L0RJVj48RElWPlBsZWFzZSBjbGFyaWZ5IHRoZSBpbnRyb2R1Y3Rpb24g dG8gdGhlc2UgcmVzcGVjdHMuIDwvRElWPjxESVY+Jm5ic3A7PC9ESVY+PERJVj5UaGUgc3ludGF4 IG9mIEV4dGVybmFsUHJpbmNpcGFsSWRlbnRpZmllciAodXNlZCBieSB0cnVzdGVkQ2VydGlmaWVy cykgaXMgcXVpdGUgb2RkLiA8L0RJVj48RElWPldoeSBpcyBzaW1wbHkgYSBzZWxmLXNpZ25lZCBj ZXJ0aWZpY2F0ZSBub3QgYWxsb3dlZCA/PC9ESVY+PERJVj4mbmJzcDs8L0RJVj48RElWPlNob3Vs ZCBtZDUgcmVhbGx5IGJlIHN0aWxsIGFsbG93ZWQgPzwvRElWPjxESVY+Jm5ic3A7PC9ESVY+PERJ Vj5UaGVyZSBzaG91bGQgYmUgYW4gZWFybHkgZGlzY3Vzc2lvbiB0byBzYXkgd2hlbiAzYSBhbmQg M2IgKGZyb20gc2VjdGlvbiAzKSZuYnNwO2FyZSBuZWVkZWQgb3IgImJlc3QiLjwvRElWPjxESVY+ PERJVj5UaGUgZHJhZnQgc2VlbXMgdG8gaGF2ZSB0b28gbWFueSBtYW5kYXRvcnkgb3B0aW9ucyB0 byBpbXBsZW1lbnQuPC9ESVY+PC9ESVY+PERJVj4mbmJzcDs8L0RJVj48RElWPklmIEkgaGF2ZSBt b3JlIHRpbWUsIEkgd2lsbCByZWFkIHRoZSBkcmFmdCBpbiBtb3JlIGRldGFpbHMuPC9ESVY+PERJ Vj4mbmJzcDs8L0RJVj48RElWPkluIHRoZSBtZWFuIHRpbWUsIHJlc3BvbnNlcyB0byB0aGUgYWJv dmUmbmJzcDtxdWVzdGlvbnMgd2lsbCBiZSBpbnRlcnJlc3RpbmcuPC9ESVY+PERJVj4mbmJzcDs8 L0RJVj48RElWPkRlbmlzPC9ESVY+PERJVj4mbmJzcDs8L0RJVj48RElWPjxESVY+UFMuIEkgYW0g cHV6emxlZCB0aGF0IHlvdSBhbnN3ZXJlZCAoYXMgQUQmbmJzcDs/KSBpbnN0ZWFkIG9mIHRoZSBl ZGl0b3IocykuPEJSPjwvRElWPjwvRElWPjxGT05UIGNvbG9yPSM5OTAwOTk+LS0tLS1vd25lci1p ZXRmLXBraXhAbWFpbC5pbWMub3JnIHdyb3RlOiAtLS0tLTxCUj48QlI+PC9GT05UPlRvOiBUb20g R2luZGluICZsdDt0Z2luZGluQHVzLmlibS5jb20mZ3Q7PEJSPkZyb206IFNhbSBIYXJ0bWFuICZs dDtoYXJ0bWFucy1pZXRmQG1pdC5lZHUmZ3Q7PEJSPlNlbnQgYnk6IG93bmVyLWlldGYtcGtpeEBt YWlsLmltYy5vcmc8QlI+RGF0ZTogMDEvMTEvMjAwNSAwMzoyN1BNPEJSPmNjOiBpZXRmLXBraXhA aW1jLm9yZywgamh1dHpAY211LmVkdSwgaWV0Zi1rcmItd2dAYW5sLmdvdjxCUj5TdWJqZWN0OiBS ZTogW0plZmZyZXkgSHV0emVsbWFuXSBMQVNUIENBTEwgLSBQdWJsaWMgS2V5IENyeXB0b2dyYXBo eSBmb3IgSW5pdGlhbCBBdXRoZW50aWNhdGlvbiBpbiBLZXJiZXJvczxCUj48QlI+PEJSPiZndDsm Z3Q7Jmd0OyZndDsmZ3Q7ICJUb20iID09IFRvbSBHaW5kaW4gJmx0O3RnaW5kaW5AdXMuaWJtLmNv bSZndDsgd3JpdGVzOjxCUj48QlI+ICAgIFRvbSZndDsgICAgICAgICBJZiBpdCBpc24ndCB0b28g bGF0ZSB0byBmaXggdGhpcyB3aXRob3V0IGJyZWFraW5nPEJSPiAgICBUb20mZ3Q7IGxvdHMgb2Yg aW1wbGVtZW50YXRpb25zLCB0aGUgQVNOLjEgaW4gdGhpcyBzcGVjaWZpY2F0aW9uIGlzPEJSPiAg ICBUb20mZ3Q7IG92ZXItdGFnZ2VkLiAgSW4gc2VjdGlvbiAzLjIuMSwgYWxsIHRocmVlIG9mIHRo ZSB0YWdzIGluPEJSPiAgICBUb20mZ3Q7IFBBLVBLLUFTLVJFUSBhcmUgdW5uZWNlc3NhcnksIGFu ZCB0aGUgb25lIG9uIHNpZ25lZEF1dGhQYWNrPEJSPiAgICBUb20mZ3Q7IGlzIGFjdHVhbGx5IHNs aWdodGx5IGhhcm1mdWwuICBOb25lIG9mIHRoZSB0YWdzIGluPEJSPiAgICBUb20mZ3Q7IFBLQXV0 aGVudGljYXRvciBkbyBhbnkgZ29vZCBlaXRoZXIuICBUaGUgT0NURVQgU1RSSU5HPEJSPiAgICBU b20mZ3Q7IHdyYXBwaW5ncyBmb3Igc3ViamVjdE5hbWUgYW5kIGlzc3VlckFuZFNlcmlhbE51bWJl ciBhcmUgbm90PEJSPiAgICBUb20mZ3Q7IHJlYWxseSBhcHByb3ByaWF0ZSwgYW5kIHN1YmplY3RO YW1lIGRvZXNuJ3QgbmVlZCBhIHRhZy4gIEV2ZW48QlI+ICAgIFRvbSZndDsgaW4gQXV0aFBhY2ss IHBrQXV0aGVudGljYXRvciBhbmQgY2xpZW50REhOb25jZSBkb24ndCBuZWVkPEJSPiAgICBUb20m Z3Q7IHRhZ3MuICBTaW1pbGFybHksIGluIDMuMi4zLCB0aGVyZSBpcyBubyByZWFzb24gZm9yIGFu eSBvZiB0aGU8QlI+ICAgIFRvbSZndDsgdGFncyBpbiBQQS1QSy1BUy1SRVAsIERIUmVwSW5mbywg b3IgS0RDREhLZXlJbmZvLiAgVGhlIHRhZ3M8QlI+ICAgIFRvbSZndDsgaW4gUmVwbHlLZXlQYWNr IGluIDMuMi4zLjIgYWxzbyBzZWVtIHVubmVjZXNzYXJ5LjxCUj48QlI+VGhlIGtlcmJlcm9zIHdv cmtpbmcgZ3JvdXAgaGFzIGEgcmF0aGVyIGRpZmZlcmVudCBwaGlsb3NvcGh5IG9uIEFTTi4xPEJS PnRoYW4gdGhlIFBLSVggY29tbXVuaXR5LiAgV2UndmUgYXR0ZW1wdGVkIHRvIGRyYXcgc3Ryb25n IGJvdW5kYXJpZXM8QlI+YXJvdW5kIHN0cnVjdHVyZXMgdG8gdGhlIGV4dGVudCB0aGF0IHdlIGNh bjoga2VyYmVyb3Mgc3RydWN0dXJlcyB1c2U8QlI+b3VyIGNvbnZlbnRpb25zOyBQS0lYIHN0cnVj dHVyZXMgdXNlIHlvdXJzLjxCUj48QlI+VGhlIHNob3J0IGFuc3dlciBpcyB0aGF0IHRhZ2dpbmcg aXNzdWVzIGhhdmUgYmVlbiBkaXNjdXNzZWQ8QlI+ZXh0ZW5zaXZlbHkgYWNyb3NzIGFsbCBvdXIg QVNOLjEgdXNhZ2UuPEJSPjxCUj48L0ZPTlQ+ --NextPart_Webmail_9m3u9jl4l_1090_1130955619_1-- --NextPart_Webmail_9m3u9jl4l_1090_1130955619_0-- Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA2Fwftw018108; Wed, 2 Nov 2005 07:58:41 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jA2Fwfp6018107; Wed, 2 Nov 2005 07:58:41 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from edelweb.fr (edelweb.fr [212.234.46.16]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA2FweR6018092 for <ietf-pkix@imc.org>; Wed, 2 Nov 2005 07:58:40 -0800 (PST) (envelope-from Peter.Sylvester@edelweb.fr) Received: from champagne.edelweb.fr (localhost [127.0.0.1]) by edelweb.fr (8.11.7p1+Sun/8.11.7) with ESMTP id jA2FwYi17500; Wed, 2 Nov 2005 16:58:35 +0100 (MET) Received: from champagne.edelweb.fr (champagne.edelweb.fr [193.51.14.161]) by edelweb.fr (nospam/2.4); Wed, 2 Nov 2005 16:58:35 +0100 (MET) Received: from [193.51.14.5] (emeriau.edelweb.fr [193.51.14.5]) by champagne.edelweb.fr (8.7.6/8.6.6) with ESMTP id QAA09296; Wed, 2 Nov 2005 16:58:33 +0100 (MET) Message-ID: <4368E229.9000706@edelweb.fr> Date: Wed, 02 Nov 2005 16:58:33 +0100 From: Peter Sylvester <Peter.Sylvester@edelweb.fr> User-Agent: Mozilla Thunderbird 1.0.2 (X11/20050317) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Sam Hartman <hartmans-ietf@mit.edu> CC: Tom Gindin <tgindin@us.ibm.com>, ietf-pkix@imc.org, jhutz@cmu.edu, ietf-krb-wg@anl.gov Subject: Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for Initial Authentication in Kerberos References: <OF4418E07D.316DA9AC-ON852570A8.0071203C-852570AC.004AB30B@us.ibm.com> <tslpspkbfzz.fsf@cz.mit.edu> In-Reply-To: <tslpspkbfzz.fsf@cz.mit.edu> Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms080808090809000606010300" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This is a cryptographically signed message in MIME format. --------------ms080808090809000606010300 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit Sam, Just because I find your response strange I'd like to add some reamrks. Why do you mention PKIX here. Tom didn't mention it at all. You could as well have mentioned SMIME. Anyway, not too important. Saying that kerberos has other rules than PKIX has nothing to do with the problem. besides that PKIX has no rules and continue s to use obsolete ASN.1, thus it may be good to use something else, i.e. to ignore whatever some PKIX authors are proposing. :-) There are two issues in Tom's message: The tagging with context tags almost always explicit, and the wrapping. Tagging is a matter of ket's say "taste", in fact, it is a matter of implementation experience. ASN.1 after many years has come with AUTOMATIC tags allowing automatically unambiguous and non-excessive explicit tagging. The actual tagging appeared in the 03 draft in 1997 as far as I see. The krb-wg first meeting was in Jul 2000 but the text was obviously discussed before in cat. well, let's see the mail archives of this group. oops. It is difficult to determine now what has "always" been discussed. Wrapping: Strong boundaries would make sense if you don't have to cross them Interoperability note: Some implementations may not be able to decode wrapped CMS objects encoded with BER but not DER; specifically, they may not be able to decode infinite length encodings. something that seems to be necessary according to the previous citation. As soon as you have the data structure that you wrap, you can also encode them in DER. I doubt that you just have the octet string contents only available as blobs. I refer to the minutes of San Diego concerning the use of DER/BER and wrapping. Must have been real fun, this meeting The argument of the difficulties of parsing BER (in particular when it is totally unrestricted) seem right to me, or better, that it is too complex to mandate a BER parser. There may be good arguments after years to keep the syntax or the bits on the wire but it has been change just a year ago after 8 years or so. Have fun Peter > > Tom> If it isn't too late to fix this without breaking > Tom> lots of implementations, the ASN.1 in this specification is > Tom> over-tagged. In section 3.2.1, all three of the tags in > Tom> PA-PK-AS-REQ are unnecessary, and the one on signedAuthPack > Tom> is actually slightly harmful. None of the tags in > Tom> PKAuthenticator do any good either. The OCTET STRING > Tom> wrappings for subjectName and issuerAndSerialNumber are not > Tom> really appropriate, and subjectName doesn't need a tag. Even > Tom> in AuthPack, pkAuthenticator and clientDHNonce don't need > Tom> tags. Similarly, in 3.2.3, there is no reason for any of the > Tom> tags in PA-PK-AS-REP, DHRepInfo, or KDCDHKeyInfo. The tags > Tom> in ReplyKeyPack in 3.2.3.2 also seem unnecessary. > >The kerberos working group has a rather different philosophy on ASN.1 >than the PKIX community. We've attempted to draw strong boundaries >around structures to the extent that we can: kerberos structures use >our conventions; PKIX structures use yours. > >The short answer is that tagging issues have been discussed >extensively across all our ASN.1 usage. > > > > > -- To verify the signature, see http://edelpki.edelweb.fr/ Cela vous permet de charger le certificat de l'autorité; die Liste mit zurückgerufenen Zertifikaten finden Sie da auch. --------------ms080808090809000606010300 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIOpDCC BHIwggLfoAMCAQICBgoMz+gAPzANBgkqhkiG9w0BAQUFADBbMQswCQYDVQQGEwJGUjEQMA4G A1UEChMHRWRlbFdlYjEYMBYGA1UECxMPU2VydmljZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVs UEtJIEVkZWxXZWIgUGVyc0dFTjAeFw0wNTAxMDYxMjI3MTlaFw0wNzAzMTcxMjI3MTlaMHAx CzAJBgNVBAYTAkZSMRAwDgYDVQQKDAdFZGVsV2ViMRgwFgYDVQQLDA9TZXJ2aWNlIEVkZWxQ S0kxNTAzBgNVBAMMLFBldGVyIFNZTFZFU1RFUiA8UGV0ZXIuU3lsdmVzdGVyQGVkZWx3ZWIu ZnI+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDn/izyem7Z1pUP/gpQDSzeGA/ZP4vo VaCxcPWyssTYTAl6csAql2IIcYNVb6funaMNOY1q5oSNtlguFpOK3atQElBIMsfSh0CTuvUq q2QDz1nHWOB96aU8G81+ZmC+iQOCAdG3qKWvMOzC0SzxKGbhTqDsjBvfYYk1Jk/Rb5TK0wID AQABo4IBLjCCASowYgYDVR0RBFswWYEaUGV0ZXIuU3lsdmVzdGVyQGVkZWx3ZWIuZnKkOzA5 MQswCQYDVQQGEwJGUjEQMA4GA1UECgwHRWRlbFdlYjEYMBYGA1UEAwwPUGV0ZXIgU1lMVkVT VEVSMA4GA1UdDwEB/wQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcDBAYIKwYBBQUHAwIwSgYD VR0fBEMwQTA/oD2gO4Y5aHR0cDovL2VkZWxwa2kuZWRlbHdlYi5mci9jcmwvRWRlbFBLSS1F ZGVsV2ViLVBlcnNHRU4uY3JsMB0GA1UdDgQWBBSSHP6djxj58tIi5VvjJbMZMXC/fDAfBgNV HSMEGDAWgBSe5Q/BFJVJHN1aXV6crs0Bby+UeTAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBBQUA A4IBfAANZYiEkyDqsT43U83wHLSYMGcEfmisT+WQrAAoHdlcIsnlHnufGnfmdpg5yvCQpl2U TI7/w3LdaItoWq5oMZitqdoPW8Z+jy2pkd/DqYG1MkpEyZ0PA37Zn5yigQXAk4Nox7Lgiom8 1WDNgPesNRX7PRNa+RkQcD8MasfbHcZ2ycs1SxUxiCy6BUzhgSB8cNb2t9LVWWynvWuK1Wa5 V2ZCd3PlbKsrbWH8pafpFWUQm0S2BfKUWLDG9cje5bL7p5EpV4a8gFpbD5dq+PPJglT0Dvs9 F0EcrfL2l3JxGIkZmW7sfiUoefB9hTS9m3/TGvXcne4RYpVpEHFV5TathMuHfKAti6PhSely LCqdPq/T9DHLJekBY0EA2yiVcKQnRZk7/pz0HImCPADOHSOWffJtc9b+Ak6HSDD1PlOSDfT+ udnrqwSAiuNN3hx1olPNxzVDu3jgiTSJFf2XJ1TnmGMT4pJmx7vkJkdE9sZvpiZwdVws37Nr LqhH5fMZMIIEcjCCAt+gAwIBAgIGCgzP6AA/MA0GCSqGSIb3DQEBBQUAMFsxCzAJBgNVBAYT AkZSMRAwDgYDVQQKEwdFZGVsV2ViMRgwFgYDVQQLEw9TZXJ2aWNlIEVkZWxQS0kxIDAeBgNV BAMTF0VkZWxQS0kgRWRlbFdlYiBQZXJzR0VOMB4XDTA1MDEwNjEyMjcxOVoXDTA3MDMxNzEy MjcxOVowcDELMAkGA1UEBhMCRlIxEDAOBgNVBAoMB0VkZWxXZWIxGDAWBgNVBAsMD1NlcnZp Y2UgRWRlbFBLSTE1MDMGA1UEAwwsUGV0ZXIgU1lMVkVTVEVSIDxQZXRlci5TeWx2ZXN0ZXJA ZWRlbHdlYi5mcj4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOf+LPJ6btnWlQ/+ClAN LN4YD9k/i+hVoLFw9bKyxNhMCXpywCqXYghxg1Vvp+6dow05jWrmhI22WC4Wk4rdq1ASUEgy x9KHQJO69SqrZAPPWcdY4H3ppTwbzX5mYL6JA4IB0beopa8w7MLRLPEoZuFOoOyMG99hiTUm T9FvlMrTAgMBAAGjggEuMIIBKjBiBgNVHREEWzBZgRpQZXRlci5TeWx2ZXN0ZXJAZWRlbHdl Yi5mcqQ7MDkxCzAJBgNVBAYTAkZSMRAwDgYDVQQKDAdFZGVsV2ViMRgwFgYDVQQDDA9QZXRl ciBTWUxWRVNURVIwDgYDVR0PAQH/BAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEF BQcDAjBKBgNVHR8EQzBBMD+gPaA7hjlodHRwOi8vZWRlbHBraS5lZGVsd2ViLmZyL2NybC9F ZGVsUEtJLUVkZWxXZWItUGVyc0dFTi5jcmwwHQYDVR0OBBYEFJIc/p2PGPny0iLlW+Mlsxkx cL98MB8GA1UdIwQYMBaAFJ7lD8EUlUkc3VpdXpyuzQFvL5R5MAkGA1UdEwQCMAAwDQYJKoZI hvcNAQEFBQADggF8AA1liISTIOqxPjdTzfActJgwZwR+aKxP5ZCsACgd2VwiyeUee58ad+Z2 mDnK8JCmXZRMjv/Dct1oi2harmgxmK2p2g9bxn6PLamR38OpgbUySkTJnQ8DftmfnKKBBcCT g2jHsuCKibzVYM2A96w1Ffs9E1r5GRBwPwxqx9sdxnbJyzVLFTGILLoFTOGBIHxw1va30tVZ bKe9a4rVZrlXZkJ3c+VsqyttYfylp+kVZRCbRLYF8pRYsMb1yN7lsvunkSlXhryAWlsPl2r4 88mCVPQO+z0XQRyt8vaXcnEYiRmZbux+JSh58H2FNL2bf9Ma9dyd7hFilWkQcVXlNq2Ey4d8 oC2Lo+FJ6XIsKp0+r9P0Mcsl6QFjQQDbKJVwpCdFmTv+nPQciYI8AM4dI5Z98m1z1v4CTodI MPU+U5IN9P652eurBICK403eHHWiU83HNUO7eOCJNIkV/ZcnVOeYYxPikmbHu+QmR0T2xm+m JnB1XCzfs2suqEfl8xkwggW0MIIDT6ADAgECAgYJ+oiVOzEwDQYJKoZIhvcNAQEFBQAwUjEL MAkGA1UEBhMCRlIxEDAOBgNVBAoTB0VkZWxXZWIxGDAWBgNVBAsTD1NlcnZpY2UgRWRlbFBL STEXMBUGA1UEAxMOUmFjaW5lIEVkZWxQS0kwHhcNMDQxMDA3MTU0MzMwWhcNMTEwODEyMTU0 MzMwWjBbMQswCQYDVQQGEwJGUjEQMA4GA1UEChMHRWRlbFdlYjEYMBYGA1UECxMPU2Vydmlj ZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVsUEtJIEVkZWxXZWIgUGVyc0dFTjCCAZwwDQYJKoZI hvcNAQEBBQADggGJADCCAYQCggF7FyeP4kRrFG9y51CeWmJIxBSMD2bcrJKIlnAPn6eH8V1M ORWTPivMNQYq32XcEi9xrxjyREvvnhABrVcW+1VLyLH8WgRY6n5A5JfuDjU6Aq0RzmjqTWDe 1+ecbgAtN8FYjVk35vdQbgfYzpGHPT0NuxiHi8NB8lNFi8rG0t2hP7WLwHLA+sIKFzA/CCRt qeGPvQkB1pRamU2IAActykfzJb6Qc50uRobWUBJtVjEBy/lgIXU0rMnQNHeCgbUvebvAT9Hd UGIPbEiX7dKHxL5/AxzHK/rA5siMzNPk8nSckDeLvpf8c/gqQRpPqufy4DazzXfZosKeJATH pyONnairmwfzMTi63PvNovrbTgzUiyH+g5zvcNoci9cke0RiLQc1pI38psgnVLtPPITgOZrS cV9zs4+sD7x7vjRco7a9H2ErfAU+8/Ui2OkR1X0z8DpyBHD/fcaDXTD+EiISL7aJHQcJRoNB CdCFgZeomsXULIYoFTa1hH//TN0z9wIDAQABo4G/MIG8MDoGA1UdHwQzMDEwL6AtoCuGKWh0 dHA6Ly9lZGVscGtpLmVkZWx3ZWIuZnIvY3JsL0VkZWxQS0kuY3JsMA8GA1UdEwQIMAYBAf8C AQAwDgYDVR0PAQH/BAQDAgEGMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEFBQcDAjAdBgNV HQ4EFgQUnuUPwRSVSRzdWl1enK7NAW8vlHkwHwYDVR0jBBgwFoAUqNkrj9SwZ7q9SVy8M/x3 UhG5Z50wDQYJKoZIhvcNAQEFBQADggJOAFZV+1m/H+Qud9iUQJnvZR8R/adID02c2B3aOUUy 4/4dxBb4UU1kW8DTUpD57Pjuocfvdg4AfQi7zgSQ8/NUGxNU4CPxtADZVrZtmrpKCjBh1tNz QbNbdP91KtP+Di0BpidqNwG00CC9j2EnBY88AsqKE28Rmw4eQ9/M/q/GbXsAfEsHV0IQjM7u US+usowZwm3Mwa5oF+6gmShSc/Wz8iIURxg4lTQto3AoBsiLJelq83I4XRQ0goXYGcM8xXYj PDioidvY5pSfT4qBR1Bx/vh+xD2evWyFbpuB99iuuewoELX8db7P74QEHhw6Bv1yxLYXGamq Uxo60WT/UCFjVSy3C/dLrraUZA4gh7Q5G+3/Fal62Qx+1rUEC2YbogEKggonklzUXA+sUbCf Ad5nZQ0eSszwKt8jmYoHfQ6rUMde0ZJD08n5HAot9hpl9R65j9fdPz9uTeANcRocftHfgM7Y rQyruWuFxgMUV80fD4RC9ej5KbLyO8jtgESjOCGXeJ95kXXP8vmW73xCYkJ9Pg7Op30o43l6 PV7vej3gdmSQISY+s+J3arz+bccljJCrKHBad3918/LjJ55sRtSb7mfQGti2UcxtJAa2NmUL d+BIv0MUuC6+k2yIIQKcLbDuuk8lLJmwWuYt1OLHEskZxOm7D7nRwe7ZNlTIZvR/VFWxlY18 k488tH9qcusIw8+7uXeHOZHyFUOHMINJZO9mq9HwGMC4v1xiPwoAJkzFtHf3D9VAholjhEFg d28aJSs6qN15PXDgDjptAl34eoUxggKuMIICqgIBATBlMFsxCzAJBgNVBAYTAkZSMRAwDgYD VQQKEwdFZGVsV2ViMRgwFgYDVQQLEw9TZXJ2aWNlIEVkZWxQS0kxIDAeBgNVBAMTF0VkZWxQ S0kgRWRlbFdlYiBQZXJzR0VOAgYKDM/oAD8wCQYFKw4DAhoFAKCCAZ8wGAYJKoZIhvcNAQkD MQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDUxMTAyMTU1ODMzWjAjBgkqhkiG9w0B CQQxFgQUk61YQiOk/VPj5SmKQd4QWaGKz7UwUgYJKoZIhvcNAQkPMUUwQzAKBggqhkiG9w0D BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwIC ASgwdAYJKwYBBAGCNxAEMWcwZTBbMQswCQYDVQQGEwJGUjEQMA4GA1UEChMHRWRlbFdlYjEY MBYGA1UECxMPU2VydmljZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVsUEtJIEVkZWxXZWIgUGVy c0dFTgIGCgzP6AA/MHYGCyqGSIb3DQEJEAILMWegZTBbMQswCQYDVQQGEwJGUjEQMA4GA1UE ChMHRWRlbFdlYjEYMBYGA1UECxMPU2VydmljZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVsUEtJ IEVkZWxXZWIgUGVyc0dFTgIGCgzP6AA/MA0GCSqGSIb3DQEBAQUABIGARtzOTwk7jaGqUdP3 T2xmgHxYQ+kdqz/C4cGzjtbrDt5szfEajZytPojh/yAUHDeKxh4thohs9sMUvo8LuLkw3AIi blYZtNSBq42YbqtqptIvViAbp6Md+0jNZXOF5XUpkNeEPH3vI+iTFX02S13GTVjPxCmRa/OC wrC6e6LdozYAAAAAAAA--------------ms080808090809000606010300-- Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA2ETYtp009027; Wed, 2 Nov 2005 06:29:34 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jA2ETYVc009026; Wed, 2 Nov 2005 06:29:34 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA2ETVgV009013 for <ietf-pkix@imc.org>; Wed, 2 Nov 2005 06:29:32 -0800 (PST) (envelope-from denis.pinkas@bull.net) Received: from cln-m001.frcl.bull.fr (cln-m001.frcl.bull.fr [129.182.91.40]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id PAA25970; Wed, 2 Nov 2005 15:46:44 +0100 Importance: Normal X-Priority: 3 (Normal) Subject: Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for Initial Authentication in Kerberos MIME-Version: 1.0 From: denis.pinkas@bull.net To: Sam Hartman <hartmans-ietf@mit.edu> Cc: Tom Gindin <tgindin@us.ibm.com>, ietf-pkix@imc.org, jhutz@cmu.edu, ietf-krb-wg@anl.gov, housley@vigilsec.com Date: Wed, 2 Nov 2005 15:29:59 +0100 Message-ID: <OF8F33953F.2489813C-ONC12570AD.004FA63B-C12570AD.004FA662@frcl.bull.fr> X-MIMETrack: Serialize by Router on CLN-M001/FR/BULL(Release 5.0.10 |March 22, 2002) at 02/11/2005 15:30:02 MIME-Version: 1.0 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: base64 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> PEZPTlQgZmFjZT0iRGVmYXVsdCBTYW5zIFNlcmlmLCBWZXJkYW5hLCBBcmlhbCwgSGVsdmV0aWNh LCBzYW5zLXNlcmlmIiBzaXplPTI+PERJVj5JIHNlY29uZCBUb20gYW5kIFBldGVyIHBvc2l0aW9u cy48L0RJVj48RElWPiZuYnNwOzwvRElWPjxESVY+U2luY2UgeW91IGFza2VkLCB5b3UgZ290IHRo cmVlIGNvbnNpc3RhbnQgYW5zd2Vycy48QlI+SXQgaXMgbm90Jm5ic3A7YXBwcm9wcmlhdGUgdG8g b3ZlciB0YWcgYW5kIG92ZXIgY29tbWVudCBpbiB0aGUgQVNOLjEgc3ludGF4LjwvRElWPjxESVY+ Jm5ic3A7PC9ESVY+PERJVj5JIGJlbGlldmUgdGhhdCB0aGUgQS1EcyBzaG91bGQgbWFrZSBzdXJl IHRoZSBBU04uMSBkZXNjcmlwdGlvbnMgY29taW5nIGZyb20gZGlmZmVyZW50IFdHcyBoYXZlIHRo ZSBzYW1lIGxvb2sgYW5kIGZlZWwuPC9ESVY+PERJVj4mbmJzcDs8L0RJVj48RElWPkluIGFkZGl0 aW9uOjwvRElWPjxESVY+Jm5ic3A7PC9ESVY+PERJVj5Gcm9tIHRoZSBpbnRyb2R1Y3Rpb24sIGl0 IGlzIGhhcmQmbmJzcDt0byBrbm93IHdoaWNoIGtpbmQgb2YgcHJpdmF0ZSBrZXkgaXMgbmVlZGVk OiA8L0RJVj48RElWPmlzIGl0IGEgcHJpdmF0ZSBrZXkgZm9yIGRlY3J5cHRpb24gb3IvYW5kIGZv ciBkaWdpdGFsbHkgc2lnbmluZyA/IDwvRElWPjxESVY+Jm5ic3A7PC9ESVY+PERJVj5JdCBpcyBh bHNvIGhhcmQgdG8ga25vdyB3aGV0aGVyIGEgcHVyZSBzaWduYXR1cmUgYWxnb3JpdGhtIGxpa2Ug RFNBIG1heSZuYnNwO2JlIHVzZWQuIDwvRElWPjxESVY+TGF0ZXIgb24gZnJvbSB0aGUgbmV4dCwg aXQgc2VlbXMgdGhhdCB0aGUgYW5zd2VyIGlzICJvbmx5IHRoZSBSU0EgYWxnb3JpdGhtIGNhbiBi ZSB1c2VkIi48L0RJVj48RElWPiZuYnNwOzwvRElWPjxESVY+U3RlcCAyIGFzIGRlc2NyaWJlZCBp biBzZWN0aW9uIDMsIG1hbmRhdGVzIHRoZSB1c2Ugb2YgYSBwdWJsaWMga2V5IGNlcnRpZmljYXRl LCA8L0RJVj48RElWPmJ1dCBzdGVwIDEgb25seSBtZW50aW9ucyB0aGF0IGEgcHVibGljIGtleSBp cyBwYXNzZWQsIGluc3RlYWQgb2YgYSBwdWJsaWMga2V5IGNlcnRpZmljYXRlLiA8L0RJVj48RElW PlN0ZXBzIDEgYW5kIDIgbmVlZCB0byBiZSBtYWRlIGNvbnNpc3RhbnQuJm5ic3A7Jm5ic3A7PC9E SVY+PERJVj4mbmJzcDs8L0RJVj48RElWPlBsZWFzZSBjbGFyaWZ5IHRoZSBpbnRyb2R1Y3Rpb24g dG8gdGhlc2UgcmVzcGVjdHMuIDwvRElWPjxESVY+Jm5ic3A7PC9ESVY+PERJVj5UaGUgc3ludGF4 IG9mIEV4dGVybmFsUHJpbmNpcGFsSWRlbnRpZmllciAodXNlZCBieSB0cnVzdGVkQ2VydGlmaWVy cykgaXMgcXVpdGUgb2RkLiA8L0RJVj48RElWPldoeSBpcyBzaW1wbHkgYSBzZWxmLXNpZ25lZCBj ZXJ0aWZpY2F0ZSBub3QgYWxsb3dlZCA/PC9ESVY+PERJVj4mbmJzcDs8L0RJVj48RElWPlNob3Vs ZCBtZDUgcmVhbGx5IGJlIHN0aWxsIGFsbG93ZWQgPzwvRElWPjxESVY+Jm5ic3A7PC9ESVY+PERJ Vj5UaGVyZSBzaG91bGQgYmUgYW4gZWFybHkgZGlzY3Vzc2lvbiB0byBzYXkgd2hlbiAzYSBhbmQg M2IgKGZyb20gc2VjdGlvbiAzKSZuYnNwO2FyZSBuZWVkZWQgb3IgImJlc3QiLjwvRElWPjxESVY+ PERJVj5UaGUgZHJhZnQgc2VlbXMgdG8gaGF2ZSB0b28gbWFueSBtYW5kYXRvcnkgb3B0aW9ucyB0 byBpbXBsZW1lbnQuPC9ESVY+PC9ESVY+PERJVj4mbmJzcDs8L0RJVj48RElWPklmIEkgaGF2ZSBt b3JlIHRpbWUsIEkgd2lsbCByZWFkIHRoZSBkcmFmdCBpbiBtb3JlIGRldGFpbHMuPC9ESVY+PERJ Vj4mbmJzcDs8L0RJVj48RElWPkluIHRoZSBtZWFuIHRpbWUsIHJlc3BvbnNlcyB0byB0aGUgYWJv dmUmbmJzcDtxdWVzdGlvbnMgd2lsbCBiZSBpbnRlcnJlc3RpbmcuPC9ESVY+PERJVj4mbmJzcDs8 L0RJVj48RElWPkRlbmlzPC9ESVY+PERJVj4mbmJzcDs8L0RJVj48RElWPjxESVY+UFMuIEkgYW0g cHV6emxlZCB0aGF0IHlvdSBhbnN3ZXJlZCAoYXMgQUQmbmJzcDs/KSBpbnN0ZWFkIG9mIHRoZSBl ZGl0b3IocykuPEJSPjwvRElWPjwvRElWPjxGT05UIGNvbG9yPSM5OTAwOTk+LS0tLS1vd25lci1p ZXRmLXBraXhAbWFpbC5pbWMub3JnIHdyb3RlOiAtLS0tLTxCUj48QlI+PC9GT05UPlRvOiBUb20g R2luZGluICZsdDt0Z2luZGluQHVzLmlibS5jb20mZ3Q7PEJSPkZyb206IFNhbSBIYXJ0bWFuICZs dDtoYXJ0bWFucy1pZXRmQG1pdC5lZHUmZ3Q7PEJSPlNlbnQgYnk6IG93bmVyLWlldGYtcGtpeEBt YWlsLmltYy5vcmc8QlI+RGF0ZTogMDEvMTEvMjAwNSAwMzoyN1BNPEJSPmNjOiBpZXRmLXBraXhA aW1jLm9yZywgamh1dHpAY211LmVkdSwgaWV0Zi1rcmItd2dAYW5sLmdvdjxCUj5TdWJqZWN0OiBS ZTogW0plZmZyZXkgSHV0emVsbWFuXSBMQVNUIENBTEwgLSBQdWJsaWMgS2V5IENyeXB0b2dyYXBo eSBmb3IgSW5pdGlhbCBBdXRoZW50aWNhdGlvbiBpbiBLZXJiZXJvczxCUj48QlI+PEJSPiZndDsm Z3Q7Jmd0OyZndDsmZ3Q7ICJUb20iID09IFRvbSBHaW5kaW4gJmx0O3RnaW5kaW5AdXMuaWJtLmNv bSZndDsgd3JpdGVzOjxCUj48QlI+ICAgIFRvbSZndDsgICAgICAgICBJZiBpdCBpc24ndCB0b28g bGF0ZSB0byBmaXggdGhpcyB3aXRob3V0IGJyZWFraW5nPEJSPiAgICBUb20mZ3Q7IGxvdHMgb2Yg aW1wbGVtZW50YXRpb25zLCB0aGUgQVNOLjEgaW4gdGhpcyBzcGVjaWZpY2F0aW9uIGlzPEJSPiAg ICBUb20mZ3Q7IG92ZXItdGFnZ2VkLiAgSW4gc2VjdGlvbiAzLjIuMSwgYWxsIHRocmVlIG9mIHRo ZSB0YWdzIGluPEJSPiAgICBUb20mZ3Q7IFBBLVBLLUFTLVJFUSBhcmUgdW5uZWNlc3NhcnksIGFu ZCB0aGUgb25lIG9uIHNpZ25lZEF1dGhQYWNrPEJSPiAgICBUb20mZ3Q7IGlzIGFjdHVhbGx5IHNs aWdodGx5IGhhcm1mdWwuICBOb25lIG9mIHRoZSB0YWdzIGluPEJSPiAgICBUb20mZ3Q7IFBLQXV0 aGVudGljYXRvciBkbyBhbnkgZ29vZCBlaXRoZXIuICBUaGUgT0NURVQgU1RSSU5HPEJSPiAgICBU b20mZ3Q7IHdyYXBwaW5ncyBmb3Igc3ViamVjdE5hbWUgYW5kIGlzc3VlckFuZFNlcmlhbE51bWJl ciBhcmUgbm90PEJSPiAgICBUb20mZ3Q7IHJlYWxseSBhcHByb3ByaWF0ZSwgYW5kIHN1YmplY3RO YW1lIGRvZXNuJ3QgbmVlZCBhIHRhZy4gIEV2ZW48QlI+ICAgIFRvbSZndDsgaW4gQXV0aFBhY2ss IHBrQXV0aGVudGljYXRvciBhbmQgY2xpZW50REhOb25jZSBkb24ndCBuZWVkPEJSPiAgICBUb20m Z3Q7IHRhZ3MuICBTaW1pbGFybHksIGluIDMuMi4zLCB0aGVyZSBpcyBubyByZWFzb24gZm9yIGFu eSBvZiB0aGU8QlI+ICAgIFRvbSZndDsgdGFncyBpbiBQQS1QSy1BUy1SRVAsIERIUmVwSW5mbywg b3IgS0RDREhLZXlJbmZvLiAgVGhlIHRhZ3M8QlI+ICAgIFRvbSZndDsgaW4gUmVwbHlLZXlQYWNr IGluIDMuMi4zLjIgYWxzbyBzZWVtIHVubmVjZXNzYXJ5LjxCUj48QlI+VGhlIGtlcmJlcm9zIHdv cmtpbmcgZ3JvdXAgaGFzIGEgcmF0aGVyIGRpZmZlcmVudCBwaGlsb3NvcGh5IG9uIEFTTi4xPEJS PnRoYW4gdGhlIFBLSVggY29tbXVuaXR5LiAgV2UndmUgYXR0ZW1wdGVkIHRvIGRyYXcgc3Ryb25n IGJvdW5kYXJpZXM8QlI+YXJvdW5kIHN0cnVjdHVyZXMgdG8gdGhlIGV4dGVudCB0aGF0IHdlIGNh bjoga2VyYmVyb3Mgc3RydWN0dXJlcyB1c2U8QlI+b3VyIGNvbnZlbnRpb25zOyBQS0lYIHN0cnVj dHVyZXMgdXNlIHlvdXJzLjxCUj48QlI+VGhlIHNob3J0IGFuc3dlciBpcyB0aGF0IHRhZ2dpbmcg aXNzdWVzIGhhdmUgYmVlbiBkaXNjdXNzZWQ8QlI+ZXh0ZW5zaXZlbHkgYWNyb3NzIGFsbCBvdXIg QVNOLjEgdXNhZ2UuPEJSPjxCUj48L0ZPTlQ+ Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA1JKoEE074249; Tue, 1 Nov 2005 11:20:50 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jA1JKoj2074248; Tue, 1 Nov 2005 11:20:50 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from mtiwmhc12.worldnet.att.net (mtiwmhc12.worldnet.att.net [204.127.131.116]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA1JKnWr074232 for <ietf-pkix@imc.org>; Tue, 1 Nov 2005 11:20:49 -0800 (PST) (envelope-from todd.glassey@att.net) Received: from 204.127.135.57 ([204.127.135.57]) by worldnet.att.net (mtiwmhc12) with SMTP id <2005110119203311200egrf4e>; Tue, 1 Nov 2005 19:20:44 +0000 Received: from [64.127.102.91] by 204.127.135.57; Tue, 01 Nov 2005 19:20:32 +0000 From: todd.glassey@att.net To: Sam Hartman <hartmans-ietf@mit.edu>, Tom Gindin <tgindin@us.ibm.com> Cc: ietf-pkix@imc.org, jhutz@cmu.edu, ietf-krb-wg@anl.gov Subject: Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for Initial Authentication in Kerberos Date: Tue, 01 Nov 2005 19:20:32 +0000 Message-Id: <110120051920.25374.4367C000000603E20000631E2160376316970A9C9C0E0409D20B0B019B@att.net> X-Mailer: AT&T Message Center Version 1 (Oct 30 2005) X-Authenticated-Sender: dG9kZC5nbGFzc2V5QGF0dC5uZXQSender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Sam what you are looking at is the obvious incompetence in the IETF and ISOC's management to allow for a myriad of incompatible notation schemas... Just another reason why the IETF is a joke. Todd Glassey -------------- Original message ---------------------- From: Sam Hartman <hartmans-ietf@mit.edu> > > >>>>> "Tom" = Tom Gindin <tgindin@us.ibm.com> writes: > > Tom> If it isn't too late to fix this without breaking > Tom> lots of implementations, the ASN.1 in this specification is > Tom> over-tagged. In section 3.2.1, all three of the tags in > Tom> PA-PK-AS-REQ are unnecessary, and the one on signedAuthPack > Tom> is actually slightly harmful. None of the tags in > Tom> PKAuthenticator do any good either. The OCTET STRING > Tom> wrappings for subjectName and issuerAndSerialNumber are not > Tom> really appropriate, and subjectName doesn't need a tag. Even > Tom> in AuthPack, pkAuthenticator and clientDHNonce don't need > Tom> tags. Similarly, in 3.2.3, there is no reason for any of the > Tom> tags in PA-PK-AS-REP, DHRepInfo, or KDCDHKeyInfo. The tags > Tom> in ReplyKeyPack in 3.2.3.2 also seem unnecessary. > > The kerberos working group has a rather different philosophy on ASN.1 > than the PKIX community. We've attempted to draw strong boundaries > around structures to the extent that we can: kerberos structures use > our conventions; PKIX structures use yours. > > The short answer is that tagging issues have been discussed > extensively across all our ASN.1 usage. > Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA1IFa6k065587; Tue, 1 Nov 2005 10:15:36 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jA1IFanS065586; Tue, 1 Nov 2005 10:15:36 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from edelweb.fr (edelweb.fr [212.234.46.16]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA1IFYk4065578 for <ietf-pkix@imc.org>; Tue, 1 Nov 2005 10:15:35 -0800 (PST) (envelope-from Peter.Sylvester@edelweb.fr) Received: from champagne.edelweb.fr (localhost [127.0.0.1]) by edelweb.fr (8.11.7p1+Sun/8.11.7) with ESMTP id jA1IFPi00571; Tue, 1 Nov 2005 19:15:25 +0100 (MET) Received: from champagne.edelweb.fr (champagne.edelweb.fr [193.51.14.161]) by edelweb.fr (nospam/2.4); Tue, 1 Nov 2005 19:15:25 +0100 (MET) Received: from [193.51.14.5] (emeriau.edelweb.fr [193.51.14.5]) by champagne.edelweb.fr (8.7.6/8.6.6) with ESMTP id TAA08421; Tue, 1 Nov 2005 19:15:24 +0100 (MET) Message-ID: <4367B0BC.6090601@edelweb.fr> Date: Tue, 01 Nov 2005 19:15:24 +0100 From: Peter Sylvester <Peter.Sylvester@edelweb.fr> User-Agent: Mozilla Thunderbird 1.0.2 (X11/20050317) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Tom Gindin <tgindin@us.ibm.com> CC: Sam Hartman <hartmans-ietf@mit.edu>, ietf-pkix@imc.org, jhutz@cmu.edu, ietf-krb-wg@anl.gov Subject: Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for Initial Authentication in Kerberos References: <OF4418E07D.316DA9AC-ON852570A8.0071203C-852570AC.004AB30B@us.ibm.com> In-Reply-To: <OF4418E07D.316DA9AC-ON852570A8.0071203C-852570AC.004AB30B@us.ibm.com> Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms060708060608030909050701" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This is a cryptographically signed message in MIME format. --------------ms060708060608030909050701 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit I think I second Tom Gindin. Itseems strange to me to have pieces of the specification as comments of the asn.1. example: subjectName [0] IMPLICIT OCTET STRING OPTIONAL, -- Contains a PKIX type Name encoded according to -- [RFC3280]. -- Identifies the certificate subject by the -- distinguished subject name. -- REQUIRED when there is a distinguished subject -- name present in the certificate. The first two lines are syntactic specification, it was common to have such syntactical restrictions until some years ago. The others don't belong to the syntax at all. The first one can be replaced by subjectName [0] IMPLICIT OCTET STRING OPTIONAL CONTAINING Name and an IMPORT that imports Name from an appropiate module. I have the feeling that the following sentence doesn't make sense. All data structures carried in OCTET STRINGs must be encoded according to the rules specified in corresponding specifications. because as far as I remeber the texts, none of the specifications have any particular requirement on the encoding, You can encode everything in XER, can't you? There are lots of exemples of useless tagging iKDCDHKeyInfo or PKAuthenticator All base tags are different, and there is only one optional field. Well, that'a a matter of style as well as the global EXPLICIT default. nonce [1] INTEGER (0..4294967295), -- Contains the nonce in the PKAuthenticator of the -- request if DH keys are NOT reused, -- 0 otherwise. To me the comment seems to suggest that nonce INTEGER (1..4294967295) OPTIONAL could be more appropriate. But, the nonce in PKAuthenticator says: nonce [2] INTEGER (0..4294967295), -- Chosen randomly; This nonce does not need to -- match with the nonce in the KDC-REQ-BODY. so it can be 0. This comment doesn't change anything fundamental of the spec. Tom Gindin wrote: > If it isn't too late to fix this without breaking lots of >implementations, the ASN.1 in this specification is over-tagged. In >section 3.2.1, all three of the tags in PA-PK-AS-REQ are unnecessary, and >the one on signedAuthPack is actually slightly harmful. None of the tags >in PKAuthenticator do any good either. The OCTET STRING wrappings for >subjectName and issuerAndSerialNumber are not really appropriate, and >subjectName doesn't need a tag. Even in AuthPack, pkAuthenticator and >clientDHNonce don't need tags. > Similarly, in 3.2.3, there is no reason for any of the tags in >PA-PK-AS-REP, DHRepInfo, or KDCDHKeyInfo. The tags in ReplyKeyPack in >3.2.3.2 also seem unnecessary. > >Tom Gindin >P.S. - The opinions above are mine, and not necessarily those of my >employer. > > > > -- To verify the signature, see http://edelpki.edelweb.fr/ Cela vous permet de charger le certificat de l'autorité; die Liste mit zurückgerufenen Zertifikaten finden Sie da auch. --------------ms060708060608030909050701 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIOpDCC BHIwggLfoAMCAQICBgoMz+gAPzANBgkqhkiG9w0BAQUFADBbMQswCQYDVQQGEwJGUjEQMA4G A1UEChMHRWRlbFdlYjEYMBYGA1UECxMPU2VydmljZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVs UEtJIEVkZWxXZWIgUGVyc0dFTjAeFw0wNTAxMDYxMjI3MTlaFw0wNzAzMTcxMjI3MTlaMHAx CzAJBgNVBAYTAkZSMRAwDgYDVQQKDAdFZGVsV2ViMRgwFgYDVQQLDA9TZXJ2aWNlIEVkZWxQ S0kxNTAzBgNVBAMMLFBldGVyIFNZTFZFU1RFUiA8UGV0ZXIuU3lsdmVzdGVyQGVkZWx3ZWIu ZnI+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDn/izyem7Z1pUP/gpQDSzeGA/ZP4vo VaCxcPWyssTYTAl6csAql2IIcYNVb6funaMNOY1q5oSNtlguFpOK3atQElBIMsfSh0CTuvUq q2QDz1nHWOB96aU8G81+ZmC+iQOCAdG3qKWvMOzC0SzxKGbhTqDsjBvfYYk1Jk/Rb5TK0wID AQABo4IBLjCCASowYgYDVR0RBFswWYEaUGV0ZXIuU3lsdmVzdGVyQGVkZWx3ZWIuZnKkOzA5 MQswCQYDVQQGEwJGUjEQMA4GA1UECgwHRWRlbFdlYjEYMBYGA1UEAwwPUGV0ZXIgU1lMVkVT VEVSMA4GA1UdDwEB/wQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcDBAYIKwYBBQUHAwIwSgYD VR0fBEMwQTA/oD2gO4Y5aHR0cDovL2VkZWxwa2kuZWRlbHdlYi5mci9jcmwvRWRlbFBLSS1F ZGVsV2ViLVBlcnNHRU4uY3JsMB0GA1UdDgQWBBSSHP6djxj58tIi5VvjJbMZMXC/fDAfBgNV HSMEGDAWgBSe5Q/BFJVJHN1aXV6crs0Bby+UeTAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBBQUA A4IBfAANZYiEkyDqsT43U83wHLSYMGcEfmisT+WQrAAoHdlcIsnlHnufGnfmdpg5yvCQpl2U TI7/w3LdaItoWq5oMZitqdoPW8Z+jy2pkd/DqYG1MkpEyZ0PA37Zn5yigQXAk4Nox7Lgiom8 1WDNgPesNRX7PRNa+RkQcD8MasfbHcZ2ycs1SxUxiCy6BUzhgSB8cNb2t9LVWWynvWuK1Wa5 V2ZCd3PlbKsrbWH8pafpFWUQm0S2BfKUWLDG9cje5bL7p5EpV4a8gFpbD5dq+PPJglT0Dvs9 F0EcrfL2l3JxGIkZmW7sfiUoefB9hTS9m3/TGvXcne4RYpVpEHFV5TathMuHfKAti6PhSely LCqdPq/T9DHLJekBY0EA2yiVcKQnRZk7/pz0HImCPADOHSOWffJtc9b+Ak6HSDD1PlOSDfT+ udnrqwSAiuNN3hx1olPNxzVDu3jgiTSJFf2XJ1TnmGMT4pJmx7vkJkdE9sZvpiZwdVws37Nr LqhH5fMZMIIEcjCCAt+gAwIBAgIGCgzP6AA/MA0GCSqGSIb3DQEBBQUAMFsxCzAJBgNVBAYT AkZSMRAwDgYDVQQKEwdFZGVsV2ViMRgwFgYDVQQLEw9TZXJ2aWNlIEVkZWxQS0kxIDAeBgNV BAMTF0VkZWxQS0kgRWRlbFdlYiBQZXJzR0VOMB4XDTA1MDEwNjEyMjcxOVoXDTA3MDMxNzEy MjcxOVowcDELMAkGA1UEBhMCRlIxEDAOBgNVBAoMB0VkZWxXZWIxGDAWBgNVBAsMD1NlcnZp Y2UgRWRlbFBLSTE1MDMGA1UEAwwsUGV0ZXIgU1lMVkVTVEVSIDxQZXRlci5TeWx2ZXN0ZXJA ZWRlbHdlYi5mcj4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOf+LPJ6btnWlQ/+ClAN LN4YD9k/i+hVoLFw9bKyxNhMCXpywCqXYghxg1Vvp+6dow05jWrmhI22WC4Wk4rdq1ASUEgy x9KHQJO69SqrZAPPWcdY4H3ppTwbzX5mYL6JA4IB0beopa8w7MLRLPEoZuFOoOyMG99hiTUm T9FvlMrTAgMBAAGjggEuMIIBKjBiBgNVHREEWzBZgRpQZXRlci5TeWx2ZXN0ZXJAZWRlbHdl Yi5mcqQ7MDkxCzAJBgNVBAYTAkZSMRAwDgYDVQQKDAdFZGVsV2ViMRgwFgYDVQQDDA9QZXRl ciBTWUxWRVNURVIwDgYDVR0PAQH/BAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEF BQcDAjBKBgNVHR8EQzBBMD+gPaA7hjlodHRwOi8vZWRlbHBraS5lZGVsd2ViLmZyL2NybC9F ZGVsUEtJLUVkZWxXZWItUGVyc0dFTi5jcmwwHQYDVR0OBBYEFJIc/p2PGPny0iLlW+Mlsxkx cL98MB8GA1UdIwQYMBaAFJ7lD8EUlUkc3VpdXpyuzQFvL5R5MAkGA1UdEwQCMAAwDQYJKoZI hvcNAQEFBQADggF8AA1liISTIOqxPjdTzfActJgwZwR+aKxP5ZCsACgd2VwiyeUee58ad+Z2 mDnK8JCmXZRMjv/Dct1oi2harmgxmK2p2g9bxn6PLamR38OpgbUySkTJnQ8DftmfnKKBBcCT g2jHsuCKibzVYM2A96w1Ffs9E1r5GRBwPwxqx9sdxnbJyzVLFTGILLoFTOGBIHxw1va30tVZ bKe9a4rVZrlXZkJ3c+VsqyttYfylp+kVZRCbRLYF8pRYsMb1yN7lsvunkSlXhryAWlsPl2r4 88mCVPQO+z0XQRyt8vaXcnEYiRmZbux+JSh58H2FNL2bf9Ma9dyd7hFilWkQcVXlNq2Ey4d8 oC2Lo+FJ6XIsKp0+r9P0Mcsl6QFjQQDbKJVwpCdFmTv+nPQciYI8AM4dI5Z98m1z1v4CTodI MPU+U5IN9P652eurBICK403eHHWiU83HNUO7eOCJNIkV/ZcnVOeYYxPikmbHu+QmR0T2xm+m JnB1XCzfs2suqEfl8xkwggW0MIIDT6ADAgECAgYJ+oiVOzEwDQYJKoZIhvcNAQEFBQAwUjEL MAkGA1UEBhMCRlIxEDAOBgNVBAoTB0VkZWxXZWIxGDAWBgNVBAsTD1NlcnZpY2UgRWRlbFBL STEXMBUGA1UEAxMOUmFjaW5lIEVkZWxQS0kwHhcNMDQxMDA3MTU0MzMwWhcNMTEwODEyMTU0 MzMwWjBbMQswCQYDVQQGEwJGUjEQMA4GA1UEChMHRWRlbFdlYjEYMBYGA1UECxMPU2Vydmlj ZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVsUEtJIEVkZWxXZWIgUGVyc0dFTjCCAZwwDQYJKoZI hvcNAQEBBQADggGJADCCAYQCggF7FyeP4kRrFG9y51CeWmJIxBSMD2bcrJKIlnAPn6eH8V1M ORWTPivMNQYq32XcEi9xrxjyREvvnhABrVcW+1VLyLH8WgRY6n5A5JfuDjU6Aq0RzmjqTWDe 1+ecbgAtN8FYjVk35vdQbgfYzpGHPT0NuxiHi8NB8lNFi8rG0t2hP7WLwHLA+sIKFzA/CCRt qeGPvQkB1pRamU2IAActykfzJb6Qc50uRobWUBJtVjEBy/lgIXU0rMnQNHeCgbUvebvAT9Hd UGIPbEiX7dKHxL5/AxzHK/rA5siMzNPk8nSckDeLvpf8c/gqQRpPqufy4DazzXfZosKeJATH pyONnairmwfzMTi63PvNovrbTgzUiyH+g5zvcNoci9cke0RiLQc1pI38psgnVLtPPITgOZrS cV9zs4+sD7x7vjRco7a9H2ErfAU+8/Ui2OkR1X0z8DpyBHD/fcaDXTD+EiISL7aJHQcJRoNB CdCFgZeomsXULIYoFTa1hH//TN0z9wIDAQABo4G/MIG8MDoGA1UdHwQzMDEwL6AtoCuGKWh0 dHA6Ly9lZGVscGtpLmVkZWx3ZWIuZnIvY3JsL0VkZWxQS0kuY3JsMA8GA1UdEwQIMAYBAf8C AQAwDgYDVR0PAQH/BAQDAgEGMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEFBQcDAjAdBgNV HQ4EFgQUnuUPwRSVSRzdWl1enK7NAW8vlHkwHwYDVR0jBBgwFoAUqNkrj9SwZ7q9SVy8M/x3 UhG5Z50wDQYJKoZIhvcNAQEFBQADggJOAFZV+1m/H+Qud9iUQJnvZR8R/adID02c2B3aOUUy 4/4dxBb4UU1kW8DTUpD57Pjuocfvdg4AfQi7zgSQ8/NUGxNU4CPxtADZVrZtmrpKCjBh1tNz QbNbdP91KtP+Di0BpidqNwG00CC9j2EnBY88AsqKE28Rmw4eQ9/M/q/GbXsAfEsHV0IQjM7u US+usowZwm3Mwa5oF+6gmShSc/Wz8iIURxg4lTQto3AoBsiLJelq83I4XRQ0goXYGcM8xXYj PDioidvY5pSfT4qBR1Bx/vh+xD2evWyFbpuB99iuuewoELX8db7P74QEHhw6Bv1yxLYXGamq Uxo60WT/UCFjVSy3C/dLrraUZA4gh7Q5G+3/Fal62Qx+1rUEC2YbogEKggonklzUXA+sUbCf Ad5nZQ0eSszwKt8jmYoHfQ6rUMde0ZJD08n5HAot9hpl9R65j9fdPz9uTeANcRocftHfgM7Y rQyruWuFxgMUV80fD4RC9ej5KbLyO8jtgESjOCGXeJ95kXXP8vmW73xCYkJ9Pg7Op30o43l6 PV7vej3gdmSQISY+s+J3arz+bccljJCrKHBad3918/LjJ55sRtSb7mfQGti2UcxtJAa2NmUL d+BIv0MUuC6+k2yIIQKcLbDuuk8lLJmwWuYt1OLHEskZxOm7D7nRwe7ZNlTIZvR/VFWxlY18 k488tH9qcusIw8+7uXeHOZHyFUOHMINJZO9mq9HwGMC4v1xiPwoAJkzFtHf3D9VAholjhEFg d28aJSs6qN15PXDgDjptAl34eoUxggKuMIICqgIBATBlMFsxCzAJBgNVBAYTAkZSMRAwDgYD VQQKEwdFZGVsV2ViMRgwFgYDVQQLEw9TZXJ2aWNlIEVkZWxQS0kxIDAeBgNVBAMTF0VkZWxQ S0kgRWRlbFdlYiBQZXJzR0VOAgYKDM/oAD8wCQYFKw4DAhoFAKCCAZ8wGAYJKoZIhvcNAQkD MQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDUxMTAxMTgxNTI0WjAjBgkqhkiG9w0B CQQxFgQUe0Vr+/CFxbYNyLxDIydYAffsp9UwUgYJKoZIhvcNAQkPMUUwQzAKBggqhkiG9w0D BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwIC ASgwdAYJKwYBBAGCNxAEMWcwZTBbMQswCQYDVQQGEwJGUjEQMA4GA1UEChMHRWRlbFdlYjEY MBYGA1UECxMPU2VydmljZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVsUEtJIEVkZWxXZWIgUGVy c0dFTgIGCgzP6AA/MHYGCyqGSIb3DQEJEAILMWegZTBbMQswCQYDVQQGEwJGUjEQMA4GA1UE ChMHRWRlbFdlYjEYMBYGA1UECxMPU2VydmljZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVsUEtJ IEVkZWxXZWIgUGVyc0dFTgIGCgzP6AA/MA0GCSqGSIb3DQEBAQUABIGAUk09SnLZJ2ZMhXIr 6ozmuomkDh4Xez1ZKoyTwSNEf5ry+MocutaUI4NCsoRxibZn8SPISFZbGNGoMgdNz5Qhxn/h 2/d4k2fcnHwszXuoSQ2DXXMymJ7mh2RvUG6axZw2fWq18G1n1h20RixxlksXmOjrEf7s8ybx 1NaE5l46qYAAAAAAAAA--------------ms060708060608030909050701-- Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA1GGuf2048552; Tue, 1 Nov 2005 08:16:56 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jA1GGuRO048551; Tue, 1 Nov 2005 08:16:56 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from carter-zimmerman.mit.edu (h193007.nist.gov [129.6.193.7]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA1GGuEd048544 for <ietf-pkix@imc.org>; Tue, 1 Nov 2005 08:16:56 -0800 (PST) (envelope-from hartmans@mit.edu) Received: by carter-zimmerman.mit.edu (Postfix, from userid 8042) id 6F99EE0049; Tue, 1 Nov 2005 09:27:12 -0500 (EST) To: Tom Gindin <tgindin@us.ibm.com> Cc: ietf-pkix@imc.org, jhutz@cmu.edu, ietf-krb-wg@anl.gov Subject: Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for Initial Authentication in Kerberos References: <OF4418E07D.316DA9AC-ON852570A8.0071203C-852570AC.004AB30B@us.ibm.com> From: Sam Hartman <hartmans-ietf@mit.edu> Date: Tue, 01 Nov 2005 09:27:12 -0500 In-Reply-To: <OF4418E07D.316DA9AC-ON852570A8.0071203C-852570AC.004AB30B@us.ibm.com> (Tom Gindin's message of "Tue, 1 Nov 2005 08:36:31 -0500") Message-ID: <tslpspkbfzz.fsf@cz.mit.edu> User-Agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/21.3 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> >>>>> "Tom" = Tom Gindin <tgindin@us.ibm.com> writes: Tom> If it isn't too late to fix this without breaking Tom> lots of implementations, the ASN.1 in this specification is Tom> over-tagged. In section 3.2.1, all three of the tags in Tom> PA-PK-AS-REQ are unnecessary, and the one on signedAuthPack Tom> is actually slightly harmful. None of the tags in Tom> PKAuthenticator do any good either. The OCTET STRING Tom> wrappings for subjectName and issuerAndSerialNumber are not Tom> really appropriate, and subjectName doesn't need a tag. Even Tom> in AuthPack, pkAuthenticator and clientDHNonce don't need Tom> tags. Similarly, in 3.2.3, there is no reason for any of the Tom> tags in PA-PK-AS-REP, DHRepInfo, or KDCDHKeyInfo. The tags Tom> in ReplyKeyPack in 3.2.3.2 also seem unnecessary. The kerberos working group has a rather different philosophy on ASN.1 than the PKIX community. We've attempted to draw strong boundaries around structures to the extent that we can: kerberos structures use our conventions; PKIX structures use yours. The short answer is that tagging issues have been discussed extensively across all our ASN.1 usage. Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA1DaiPp030249; Tue, 1 Nov 2005 05:36:44 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jA1DaiRH030248; Tue, 1 Nov 2005 05:36:44 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from e5.ny.us.ibm.com (e5.ny.us.ibm.com [32.97.182.145]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jA1DagWl030223 for <ietf-pkix@imc.org>; Tue, 1 Nov 2005 05:36:42 -0800 (PST) (envelope-from tgindin@us.ibm.com) Received: from d01relay02.pok.ibm.com (d01relay02.pok.ibm.com [9.56.227.234]) by e5.ny.us.ibm.com (8.12.11/8.12.11) with ESMTP id jA1DaYXM026781 for <ietf-pkix@imc.org>; Tue, 1 Nov 2005 08:36:34 -0500 Received: from d01av04.pok.ibm.com (d01av04.pok.ibm.com [9.56.224.64]) by d01relay02.pok.ibm.com (8.12.10/NCO/VERS6.7) with ESMTP id jA1DaY5c104730 for <ietf-pkix@imc.org>; Tue, 1 Nov 2005 08:36:34 -0500 Received: from d01av04.pok.ibm.com (loopback [127.0.0.1]) by d01av04.pok.ibm.com (8.12.11/8.13.3) with ESMTP id jA1DaXnB023377 for <ietf-pkix@imc.org>; Tue, 1 Nov 2005 08:36:34 -0500 Received: from d01ml062.pok.ibm.com (d01ml062.pok.ibm.com [9.56.228.115]) by d01av04.pok.ibm.com (8.12.11/8.12.11) with ESMTP id jA1DaXsx023369; Tue, 1 Nov 2005 08:36:33 -0500 In-Reply-To: <tslfyqlzsyh.fsf@cz.mit.edu> To: Sam Hartman <hartmans-ietf@mit.edu> Cc: ietf-pkix@imc.org, jhutz@cmu.edu, ietf-krb-wg@anl.gov MIME-Version: 1.0 Subject: Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for Initial Authentication in Kerberos X-Mailer: Lotus Notes Release 6.0.2CF1 June 9, 2003 From: Tom Gindin <tgindin@us.ibm.com> Message-ID: <OF4418E07D.316DA9AC-ON852570A8.0071203C-852570AC.004AB30B@us.ibm.com> Date: Tue, 1 Nov 2005 08:36:31 -0500 X-MIMETrack: Serialize by Router on D01ML062/01/M/IBM(Release 6.5.4FP1 HF2|August 30, 2005) at 11/01/2005 08:36:32, Serialize complete at 11/01/2005 08:36:32 Content-Type: text/plain; charset="US-ASCII" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> If it isn't too late to fix this without breaking lots of implementations, the ASN.1 in this specification is over-tagged. In section 3.2.1, all three of the tags in PA-PK-AS-REQ are unnecessary, and the one on signedAuthPack is actually slightly harmful. None of the tags in PKAuthenticator do any good either. The OCTET STRING wrappings for subjectName and issuerAndSerialNumber are not really appropriate, and subjectName doesn't need a tag. Even in AuthPack, pkAuthenticator and clientDHNonce don't need tags. Similarly, in 3.2.3, there is no reason for any of the tags in PA-PK-AS-REP, DHRepInfo, or KDCDHKeyInfo. The tags in ReplyKeyPack in 3.2.3.2 also seem unnecessary. Tom Gindin P.S. - The opinions above are mine, and not necessarily those of my employer. Sam Hartman <hartmans-ietf@mit.edu> Sent by: owner-ietf-pkix@mail.imc.org 10/28/2005 09:12 AM To: ietf-pkix@imc.org cc: jhutz@cmu.edu Subject: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for Initial Authentication in Kerberos Hi. The Kerberos working group has started a last call on the pkinit draft. Pkinit is a mechanism for acquiring kerberos tickets based on knowledge of a private key. It also supports and is typically used with a PKI. I'd appreciate any review that members of the pkix working group can provide on this document. ----- Message from Unknown on Unknown ----- solipsist-nation ([unix socket]) by solipsist-nation (Cyrus v2.1.16-IPv6-Debian-2.1.16-10) with LMTP; Sun, 23 Oct 2005 22:07:31 -0400 X-Sieve: CMU Sieve 2.2 Return-Path: <owner-ietf-krb-wg-outgoing@anl.gov> Received: from south-station-annex.mit.edu (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by suchdamage.org (Postfix) with ESMTP id 9BDFA1383E for <hartmans@suchdamage.org>; Sun, 23 Oct 2005 22:07:24 -0400 (EDT) Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by south-station-annex.mit.edu (8.12.4/8.9.2) with ESMTP id j9O27MkZ012927 for <hartmans@suchdamage.org>; Sun, 23 Oct 2005 22:07:22 -0400 (EDT) Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by pacific-carrier-annex.mit.edu (8.12.4/8.9.2) with ESMTP id j9O26Emq005270; Sun, 23 Oct 2005 22:06:14 -0400 (EDT) Received: by mailhost.anl.gov (Postfix) id 18622286; Sun, 23 Oct 2005 21:06:13 -0500 (CDT) Delivered-To: ietf-krb-wg-outgoing@anl.gov Received: from mailhost.anl.gov (localhost [127.0.0.1]) by localhost.ctd.anl.gov (Postfix) with ESMTP id E87EA26D for <ietf-krb-wg-outgoing@anl.gov>; Sun, 23 Oct 2005 21:06:12 -0500 (CDT) Received: by mailhost.anl.gov (Postfix, from userid 10733) id D6987286; Sun, 23 Oct 2005 21:06:12 -0500 (CDT) X-Original-To: ietf-krb-wg@anl.gov Delivered-To: ietf-krb-wg@anl.gov Received: from mailhost.anl.gov (localhost [127.0.0.1]) by localhost.ctd.anl.gov (Postfix) with ESMTP id 5D96227F for <ietf-krb-wg@anl.gov>; Sun, 23 Oct 2005 21:06:12 -0500 (CDT) Received: from mailrelay.anl.gov (mailrelay.anl.gov [130.202.101.22]) by mailhost.anl.gov (Postfix) with ESMTP id 4C9D526D for <ietf-krb-wg@anl.gov>; Sun, 23 Oct 2005 21:06:12 -0500 (CDT) Received: from mailrelay.anl.gov (localhost [127.0.0.1]) by localhost.ctd.anl.gov (Postfix) with ESMTP id D63D05F0D5B; Sun, 23 Oct 2005 21:06:11 -0500 (CDT) Received: from currant.srv.cs.cmu.edu (CURRANT.SRV.CS.CMU.EDU [128.2.194.193]) by mailrelay.anl.gov (Postfix) with SMTP id 7F1595F0D5A for <ietf-krb-wg@anl.gov>; Sun, 23 Oct 2005 21:06:11 -0500 (CDT) Received: from CRUNCHBERRY.SRV.CS.CMU.EDU ([128.2.203.75]) by currant.srv.cs.cmu.edu id aa18518; 23 Oct 2005 22:06 EDT Received: from jhutz-dyn0.pc.cs.cmu.edu (IDENT:U2FsdGVkX1+t+NgCyV0xi/qQraCNyY7Gmr6mlG7xV3U@JHUTZ-DYN0.PC.CS.CMU.EDU [128.2.200.136]) (authenticated bits=0) by crunchberry.srv.cs.cmu.edu (8.13.4/8.13.4) with ESMTP id j9O264gX002260 (version=TLSv1/SSLv3 cipheríH-RSA-DES-CBC3-SHA bits8 verify=NO); Sun, 23 Oct 2005 22:06:05 -0400 (EDT) Date: Sun, 23 Oct 2005 22:06:00 -0400 From: Jeffrey Hutzelman <jhutz@cmu.edu> To: ietf-krb-wg@anl.gov Cc: Jeffrey Hutzelman <jhutz@cmu.edu> Subject: LAST CALL - Public Key Cryptography for Initial Authentication in Kerberos Message-ID: <6F5E31C582712026A72741F6@bistromath.pc.cs.cmu.edu> Originator-Info: login-token=Mulberry:01ouPFOwxLOq/uLj281WH1qjlV/GYpFz4PWPOg2GM=; token_authority=postmaster@andrew.cmu.edu X-Mailer: Mulberry/3.1.6 (Linux/x86) Sender: owner-ietf-krb-wg@mailhost.anl.gov Precedence: bulk X-Scanned-By: MIMEDefang 2.42 X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on solipsist-nation.suchdamage.org X-Spam-Level: X-Spam-Status: No, score=-1.7 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=3.0.2 MIME-Version: 1.0 At long last... As of October 23, 2005, I am beginning a two-week Last Call period on the following document: Title : Public Key Cryptography for Initial Authentication in Kerberos Author(s) : B. Tung, L. Zhu Filename : draft-ietf-cat-kerberos-pk-init-29.txt Pages : 36 Date : 2005-10-21 Comments on this document should be sent to the Kerberos Working Group mailing list, ietf-krb-wg@anl.gov, and will be accepted at least until 11:59pm EST on November 6, 2005. All issues raised will be entered into the Request Tracker system at https://rt.psg.com/. Once the Last Call period has ended, I will make a determination as to whether there remain any unresolved issue, and whether there is a rough consensus withing the working group to send this document to the IESG for publication as a Proposed Standard. -- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu> Chair, IETF Kerberos Working Group Carnegie Mellon University - Pittsburgh, PA
- I-D ACTION:draft-ietf-pkix-pkixrep-04.txt Internet-Drafts
- Re: I-D ACTION:draft-ietf-pkix-pkixrep-04.txt Ulf Möller
- Re: I-D ACTION:draft-ietf-pkix-pkixrep-04.txt Russ Housley