Re: request for WG to adopt draft-chadwick-webdav-00.txt as a work item
Stephen Kent <kent@bbn.com> Tue, 11 September 2007 15:55 UTC
Return-path: <owner-ietf-pkix@mail.imc.org>
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IV85O-00050t-8E for pkix-archive@lists.ietf.org; Tue, 11 Sep 2007 11:55:34 -0400
Received: from balder-227.proper.com ([192.245.12.227]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IV85M-0006x3-UD for pkix-archive@lists.ietf.org; Tue, 11 Sep 2007 11:55:34 -0400
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l8BFA4GW000544 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 11 Sep 2007 08:10:04 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id l8BFA4n8000543; Tue, 11 Sep 2007 08:10:04 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mx11.bbn.com (mx11.bbn.com [128.33.0.80]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l8BFA2SK000533 for <ietf-pkix@imc.org>; Tue, 11 Sep 2007 08:10:02 -0700 (MST) (envelope-from kent@bbn.com)
Received: from dhcp89-089-071.bbn.com ([128.89.89.71]) by mx11.bbn.com with esmtp (Exim 4.60) (envelope-from <kent@bbn.com>) id 1IV7NJ-00023l-5G; Tue, 11 Sep 2007 11:10:01 -0400
Mime-Version: 1.0
Message-Id: <p0624054ec30c550cba4d@[128.89.89.71]>
In-Reply-To: <46E6678A.2030307@kent.ac.uk>
References: <OF3876B698.C80CC9A9-ONC125734F.002F7456@frcl.bull.fr> <46E1B0B7.3080003@kent.ac.uk> <p06240511c30b2a2eae3c@[128.89.89.71]> <46E6678A.2030307@kent.ac.uk>
Date: Tue, 11 Sep 2007 11:10:01 -0400
To: David Chadwick <d.w.chadwick@kent.ac.uk>
From: Stephen Kent <kent@bbn.com>
Subject: Re: request for WG to adopt draft-chadwick-webdav-00.txt as a work item
Cc: "ietf-pkix@imc.org" <ietf-pkix@imc.org>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 9ed51c9d1356100bce94f1ae4ec616a9
At 11:01 AM +0100 9/11/07, David Chadwick wrote: >Hi Steve > >As you know nearly everything in security is a tradeoff in one way >or another. What the webdav scheme gives you is instant revocation >status, which CRLs do not give you, but the tradeoff is having to >trust the repository. So the schemes are fundamentally different, >but I submit that there are many user requirements where the >tradeoff of instant revocation is preferable to the more >cryptographically protected though stale CRL scheme. > >regards > >David The phrase "instant revocation status" is, I fear, a misnomer. In OCSP an RP can make a query about a single cert and get a response that applies to just that cert, but that says nothing about the relative freshness of the revocation status data vs. what a CRL tells us. The same is potentially true here. Also, if one argues that a CA will manage a repository under the WebDAV approach to offer fresher revocation status data than a CRL, the same argument could be made for the CA managing an OCSP server, right? In the case of OCSP, one need not trust a repository, but rather trust an OCSP server. Is there a difference? Maybe, maybe not. It will depend on what forms of authentication one requires for WebDAV access, e.g., if you mandated use of TLS and required that the TLS server cert be issued under the CA in question, then maybe the security would be equivalent to what we have with an OCSP server (not lightweight) with a server cert issued under the CA. In general I think that instant revocation is over emphasized. In many (most?) contexts the decision to revoke a cert is a serious one, and thus people generally do not act very quickly. In fact, this is a big part of why the financial community insisted on cert hold status as a half-way revocation mechanism. Thus the speed with which a revocation decision is reflected in a database (OCSP, CRL, or WebDAV) is probably the fastest link in the process chain. Steve
- request for WG to adopt draft-chadwick-webdav-00.… George Michaelson
- RE: request for WG to adopt draft-chadwick-webdav… Stefan Santesson
- Re: request for WG to adopt draft-chadwick-webdav… George Michaelson
- RE: request for WG to adopt draft-chadwick-webdav… Stefan Santesson
- Re: request for WG to adopt draft-chadwick-webdav… George Michaelson
- Re: request for WG to adopt draft-chadwick-webdav… Stephen Kent
- Re: request for WG to adopt draft-chadwick-webdav… Stephen Kent
- Re: request for WG to adopt draft-chadwick-webdav… David Chadwick
- Re: request for WG to adopt draft-chadwick-webdav… Denis Pinkas
- Re: request for WG to adopt draft-chadwick-webdav… David Chadwick
- RE: request for WG to adopt draft-chadwick-webdav… Stefan Santesson
- Re: request for WG to adopt draft-chadwick-webdav… David Chadwick
- Re: request for WG to adopt draft-chadwick-webdav… David Chadwick
- Re: request for WG to adopt draft-chadwick-webdav… Denis Pinkas
- Re: request for WG to adopt draft-chadwick-webdav… Stephen Kent
- RE: request for WG to adopt draft-chadwick-webdav… Stefan Santesson
- RE: request for WG to adopt draft-chadwick-webdav… Stefan Santesson
- Re: request for WG to adopt draft-chadwick-webdav… Stephen Kent
- Re: request for WG to adopt draft-chadwick-webdav… David Chadwick
- RE: request for WG to adopt draft-chadwick-webdav… Kemp, David P.
- Re: request for WG to adopt draft-chadwick-webdav… David Chadwick