IETF Logo Mail Archive

Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15

"Piyush Jain" <piyush@ditenity.com> Tue, 09 April 2013 15:42 UTC

Return-Path: <piyush@ditenity.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC1C921F976C for <pkix@ietfa.amsl.com>; Tue, 9 Apr 2013 08:42:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.034
X-Spam-Level:
X-Spam-Status: No, score=-2.034 tagged_above=-999 required=5 tests=[AWL=1.566, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9ZZUKuY6J-JQ for <pkix@ietfa.amsl.com>; Tue, 9 Apr 2013 08:42:11 -0700 (PDT)
Received: from mail-gh0-f181.google.com (mail-gh0-f181.google.com [209.85.160.181]) by ietfa.amsl.com (Postfix) with ESMTP id 47E8121F9764 for <pkix@ietf.org>; Tue, 9 Apr 2013 08:42:11 -0700 (PDT)
Received: by mail-gh0-f181.google.com with SMTP id 3so1085924ghz.26 for <pkix@ietf.org>; Tue, 09 Apr 2013 08:42:10 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-type:content-transfer-encoding :x-mailer:thread-index:content-language:x-gm-message-state; bh=ZaUQ8IcbuIVYzFzIWxiYFenqK/As61mCYcfKd2v3PPA=; b=lwTRlN062qc6uJoKK2PiXLNXNkduaSaUCkL8tGez7TlArsJf3qxvZAGPc0s9X50YLU 6qJVYhojbaWcoIaAr0gnoEsyMKAYuatEKl8Y/FD/iCkFkf/rADiDwmzpmT8yKPvCoeEw HXskNzHqGOPrisJNODsvPVT8FsZKfAiikcx/lsWfmO8DlIsaK72xYBNMpCKPDePU/yRn F3+g0zTi5YskKk89iyLWN8nLSgY1HEsKzfhPNCYSCOKoXsbOwsMg58v8YHoWraQrqyRY 9hsxi/KWlvtIxNumH1VvHk2CMmgN9DqL+qEZMXAldxFmhAca8wsKlX/1pYBRcHpTiDcN oTVw==
X-Received: by 10.236.208.34 with SMTP id p22mr16161356yho.114.1365522130729; Tue, 09 Apr 2013 08:42:10 -0700 (PDT)
Received: from hp13 (75-25-128-241.lightspeed.sjcpca.sbcglobal.net. [75.25.128.241]) by mx.google.com with ESMTPS id o64sm43848776yhd.16.2013.04.09.08.42.08 (version=TLSv1 cipher=RC4-SHA bits=128/128); Tue, 09 Apr 2013 08:42:10 -0700 (PDT)
From: Piyush Jain <piyush@ditenity.com>
To: 'Stefan Santesson' <stefan@aaa-sec.com>, "'Black, David'" <david.black@emc.com>, 'Sean Turner' <turners@ieca.com>
References: <8D3D17ACE214DC429325B2B98F3AE71293E22D3E@MX15A.corp.emc.com> <CD89F6C1.60183%stefan@aaa-sec.com>
In-Reply-To: <CD89F6C1.60183%stefan@aaa-sec.com>
Date: Tue, 09 Apr 2013 08:41:57 -0700
Message-ID: <08d601ce3538$c67d1550$53773ff0$@ditenity.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQF1yih3SmaeJVo5r2GHuwJNknT/Lpl+1XuQ
Content-Language: en-us
X-Gm-Message-State: ALoCoQlrr1QpDtPkGkY0kZq9u/+geN3TKyG4YnANy5ncwJCE/p7GBFShsptDwC6ssYogFcOUAcgV
X-Mailman-Approved-At: Sat, 20 Apr 2013 16:53:15 -0700
Cc: ambarish@gmail.com, slava.galperin@gmail.com, cadams@eecs.uottawa.ca, gen-art@ietf.org, sts@aaa-sec.com, pkix@ietf.org
Subject: Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Apr 2013 15:42:12 -0000

> I'd rather not try to describe what clients should do or expect in terms
of
> non-issued certificates.
> Clients are really not meant to know anything beyond "revoked" = this cert
> should not be trusted.
[Piyush] 
Thanks for clarifying your position on this Stefan.
This is the position I disagree with. I think several people in the WG
expressed that the meaning should be clearly conveyed if "revoked" is
extended to communicate "non-issued".  Expectation that clients should treat
these responses as normal revoked is not aligned with WG consensus IMO.
> 
> This is a server choice to prevent the requested cert (if it exist at all)
from
> being accepted.
> For requests for real certs, issued by a trusted CA, this case will never
even
> occur unless the CA is compromised.
[Piyush]
 And I think this is the only case that is interesting to the clients. I
combed through the WG discussion and did not find a single case being
discussed where clients benefit from sending OCSP requests for serial
numbers for non-existent certificates.

> And, if I put something in, given the discussion so far, the chance that
there
> will be some major disagreements with it, is really high.
[Piyush]
These are the issues that implementers will have to deal with. If there are
going to be disagreement, they should be dealt with before the document is
published IMO, unless 2560bis is considered a stop gap measure and OCSP v2
is on the radar.
I understand the desire to wrap up the pending documents so pkix can be
disbanded on schedule. However, I'll leave that to the AD to decide that the
benefits of meeting that schedule outweighs the cons of publishing a
document that can potentially lead to confusion among implementers.

v2.23.0 | Report a Bug | By Email