RE: request for WG to adopt draft-chadwick-webdav-00.txt as a work item

Stefan Santesson <stefans@microsoft.com> Tue, 11 September 2007 13:46 UTC

From: Stefan Santesson <stefans@microsoft.com>
To: David Chadwick <d.w.chadwick@kent.ac.uk>, Stephen Kent <kent@bbn.com>
CC: "ietf-pkix@imc.org" <ietf-pkix@imc.org>
Date: Tue, 11 Sep 2007 13:51:31 +0100
Subject: RE: request for WG to adopt draft-chadwick-webdav-00.txt as a work item

David,

Everything in security is a tradeoff, but that is not an excuse to introduce new classes of threats that defeat basic security principles when there exist valid alternatives that don't.
PKI has some basic important security principles in that it leverages trust in signed objects and not in the information infrastructure. Also, when CRLs are used for revocation checking, there is an underlying principle that one or more CRLs are available with scopes that cover all issued certificates with a current validity period.

With the WebDAV proposal you violate both these principles. I don't see a strong enough motivation for doing so, and I object to putting an IETF/PKIX rubberstamp on such a solution.
Therefore I can't support this solution to be developed within the PKIX workgroup.


Stefan Santesson
Senior Program Manager
Windows Security, Standards


> -----Original Message-----
> From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org]
> On Behalf Of David Chadwick
> Sent: den 11 september 2007 12:02
> To: Stephen Kent
> Cc: ietf-pkix@imc.org
> Subject: Re: request for WG to adopt draft-chadwick-webdav-00.txt as a
> work item
>
>
> Hi Steve
>
> As you know nearly everything in security is a tradeoff in one way or
> another. What the webdav scheme gives you is instant revocation status,
> which CRLs do not give you, but the tradeoff is having to trust the
> repository. So the schemes are fundamentally different, but I submit
> that there are many user requirements where the tradeoff of instant
> revocation is preferable to the more cryptographically protected though
> stale CRL scheme.
>
> regards
>
> David
>
>
> Stephen Kent wrote:
> >
> > David,
> >
> > I have to agree with those who have expressed some concerns about
> > security aspects of cert revocation status under the WebDAV model.  I
> > think it is a precept of current PKI models that we don't rely
> > completely on the integrity of repositories.  That's why we post signed
> > CRLs and why the v2 CRL has both this update and next update fields. We
> > are always cognizant of the possibility that even with signed data, the
> > data might not be fresh, and so we try to minimize the vulnerabilities
> > associated with our reliance on repositories.
> >
> > Steve
> >
> >
>
> --
>
> *****************************************************************
> David W. Chadwick, BSc PhD
> Professor of Information Systems Security
> The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
> Skype Name: davidwchadwick
> Tel: +44 1227 82 3221
> Fax +44 1227 762 811
> Mobile: +44 77 96 44 7184
> Email: D.W.Chadwick@kent.ac.uk
> Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
> Research Web site:
> http://www.cs.kent.ac.uk/research/groups/iss/index.html
> Entrust key validation string: MLJ9-DU5T-HV8J
> PGP Key ID is 0xBC238DE5
>
> *****************************************************************