IETF Logo Mail Archive

Re: [pkix] [saag] Fwd: New Version Notification for draft-belyavskiy-certificate-limitation-policy-04.txt

Dmitry Belyavsky <beldmit@gmail.com> Sun, 26 November 2017 17:03 UTC

Return-Path: <beldmit@gmail.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 808B7129438; Sun, 26 Nov 2017 09:03:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 398qCYvwOlXs; Sun, 26 Nov 2017 09:03:15 -0800 (PST)
Received: from mail-wm0-x232.google.com (mail-wm0-x232.google.com [IPv6:2a00:1450:400c:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E4C23129435; Sun, 26 Nov 2017 09:03:14 -0800 (PST)
Received: by mail-wm0-x232.google.com with SMTP id g130so25622602wme.0; Sun, 26 Nov 2017 09:03:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=K4ZDXmQoM3Wrnz8yK/0H2AuMdpO7FbP6e4RqjITTa/0=; b=qtzINDQXr/e0THMwLVh9arnyQkUulDB6EqJ+o4VDNjoWNuRhrgunsICa66Sa/pLbw8 UeJKKFxc0cbMUk/rkOsE4YPZqpPwJMBFMAQD6ptOQiapX4mR6wvFpSXNQ8lUDfVbh5aG HK2yPt+8roFf4Cl8PwOsyDHCF4oBBxXygdWFPIhGFhEMzMHmEXcvsMgN68V64SGZnDEX Qts6axmTzKYhMm19DZ/TV03T3gwDFl8vZnRfPHGrGfN6ZLXMdIhZGIj4ecImfXG6Qjx1 B7SoKFklZ5w4f+v4vYOOkzIi/jxuhmHSaTZYxsay+K1mXRwzduWTBJedfSfdfjilYhau Deag==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=K4ZDXmQoM3Wrnz8yK/0H2AuMdpO7FbP6e4RqjITTa/0=; b=e6aN0tu8IiW5c7O6XstLnl8FWeboM6oLmR4EqK2fR4ekUbETNyMirVvyw2gjmyTTZZ tJz8lfj+IgPqAjqZODDLwgeSbH2ZR/WiK9HMKeFAaxrR+FpnA9iCru/Teaps9JbaCBdK Bhh6RxQiibnCzX5dMBz0mYIDtzSDiXtR9gxcR7VkYeO5uPqUNIUxbbUn4okz1ZVg4CHz lMuWWjIi2dy/l4+hnIcwRpKpu7x43B02ihJHBvIgoDK6va3YzgHudFj6vilY0xlQAt1y 8fgYV9kWm43yqlxmMeiLWJ4xVmtD2rV4UrBpuF3cAZ/o8+lOQDCnUyDN8+6pLmf8W1Nx pRgg==
X-Gm-Message-State: AJaThX4jGbOJ8gfeFjyVQLN1WW5xuKMIo4cKzlsswnHyWJxFcmWTs9Jz NvLsEozVRmfycZR6vSHgvJPuZRTiU6sHb3zg8lhv2VHc
X-Google-Smtp-Source: AGs4zMYw9Q3OolGqjb8J1vPyeJ93+//toS9Zm+MWQKk4c418E9vBRzdm+clvFAUM+LwHIlpze9ZqizuOhMhn59A03Uk=
X-Received: by 10.80.208.195 with SMTP id g3mr48518595edf.246.1511715793362; Sun, 26 Nov 2017 09:03:13 -0800 (PST)
MIME-Version: 1.0
Received: by 10.80.139.216 with HTTP; Sun, 26 Nov 2017 09:03:12 -0800 (PST)
In-Reply-To: <CAJU7zaJXLy-xMpL_q98ZrG1fdkdhv8uANYViCN7M_mLOd6rtCg@mail.gmail.com>
References: <150522092693.4724.2532571098567577114.idtracker@ietfa.amsl.com> <CADqLbz+OB86s4E-Ntr6eaEow+sBtxscJ703nGN+PAS7zQmJ==Q@mail.gmail.com> <CAJU7zaLsza65gvERm__njLYM82jGWx9ht_QwHi+e6WQAtFKsZA@mail.gmail.com> <CADqLbz+-86OoH6wJQj4cu4daCUmh6mDPCkmVhbBYnLgv9AmOHw@mail.gmail.com> <CAJU7za+TVnhmyATbwdzC4B0Ci3CtdxrqPTzVQnP9BfN_RX+8kw@mail.gmail.com> <CADqLbzLatQzsRTiCos4oD5p_8TLZ_Pt2zGkksEjt7hAV-CfSbA@mail.gmail.com> <CAJU7zaJXLy-xMpL_q98ZrG1fdkdhv8uANYViCN7M_mLOd6rtCg@mail.gmail.com>
From: Dmitry Belyavsky <beldmit@gmail.com>
Date: Sun, 26 Nov 2017 20:03:12 +0300
Message-ID: <CADqLbzJgLZMLN-yv1YzozVEQmnNAysa3MvqhAOuzLJx5i-_p4g@mail.gmail.com>
To: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Cc: LAMPS <spasm@ietf.org>, pkix@ietf.org, dev-security-policy@lists.mozilla.org, "saag@ietf.org" <saag@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c1cd2fadd64dc055ee5c28b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/txteQt7rnHy10jHwIXTcVfwlp9s>
Subject: Re: [pkix] [saag] Fwd: New Version Notification for draft-belyavskiy-certificate-limitation-policy-04.txt
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Nov 2017 17:03:17 -0000

Hello,

I've just uploaded the new version of my draft.

The main difference from the previous one is more or less described syntax
of
specific limitations mentioned in text.

The answers on the question raised by Nikos are below.

=================
A new version of I-D, draft-belyavskiy-certificate-limitation-policy-05.txt
has been successfully submitted by Dmitry Belyavskiy and posted to the
IETF repository.

Name:           draft-belyavskiy-certificate-limitation-policy
Revision:       05
Title:          Certificate Limitation Policy
Document date:  2017-11-25
Group:          Individual Submission
Pages:          9
URL:            https://www.ietf.org/internet-drafts/draft-belyavskiy-
certificate-limitation-policy-05.txt
Status:         https://datatracker.ietf.org/doc/draft-belyavskiy-
certificate-limitation-policy/
Htmlized:       https://tools.ietf.org/html/draft-belyavskiy-certificate-
limitation-policy-05
Htmlized:       https://datatracker.ietf.org/doc/html/draft-belyavskiy-
certificate-limitation-policy-05
Diff:           https://www.ietf.org/rfcdiff?url2=draft-belyavskiy-
certificate-limitation-policy-05

Abstract:
   The document provides a specification of the application-level trust
   model.  Being provided at the application level, the limitations of
   trust can be distributed separately using cryptographically protected
   format instead of hardcoding the checks into the application itself.
==================

On Thu, Oct 12, 2017 at 3:03 PM, Nikos Mavrogiannopoulos via
dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On Sat, Oct 7, 2017 at 8:37 PM, Dmitry Belyavsky <beldmit@gmail.com>
> wrote:
> > Dear Nicos,
> >
> > Sorry for the delay with my response.
> >
> > On Fri, Sep 22, 2017 at 11:06 AM, Nikos Mavrogiannopoulos <
> nmav@gnutls.org>
> > wrote:
> >>
> >> On Wed, Sep 20, 2017 at 3:21 PM, Dmitry Belyavsky <beldmit@gmail.com>
> >> wrote:
> >>
> >
> > Well, the specification I suggest should allow applying CLPs issued by
> major
> > vendors (Mozilla etc).
> > For this purposes the CLPs should be validable => signed.
>
> Hi,
>  If mozilla or any other organization is willing to deploy such PKI,
> that would be great. However for the majority of software, I'd expect
> that such files are distributed using the same channel as software,
> and thus using the same authentication mechanism for it rather than a
> new PKI. For a software distributor to use that optional signing could
> work.
>

I got your point. I'll think about allowing local CLPs to be unsigned.


>
> >> One problem with that is the fact that the existing CRL extensions are
> >> about extending attributes of the CRL, rather than adding/removing
> >> attributes to the certificate in question.
> > For this purposes I implied that the limitations are provided not by
> > extensions,
> > but as SEQUENCE of limitations related to the certificates.
> >
> > Was I wrong in the ASN1 scheme in the current version of my draft?
>
> I do not think that the presented ASN.1 description is valid.
> The "limitations          SEQUENCE," doesn't define anything in ASN.1
> (i..e, it is a sequence of what?).
>

I (hopefully) clarified the ASN.1 description in the new version.


>
> >>
> >> To bring the stapled extensions to your proposal, you'd need the
> >> Extensions and Extension fields from RFC5280, and
> >> add into limitedCertificates structure (I'll split it on the example
> >> below for clarity) the following field.
> >>
> >> LimitedCertificates  ::=   SEQUENCE OF LimitedCertificate
> >>
> >> LimitedCertificate ::= SEQUENCE {
> >>                 userCertificate         CertificateSerialNumber,
> >>                 certificateIssuer       Name,
> >>                 limitationDate          Time,
> >>                 limitationPropagation   Enum,
> >>                 fingerprint SEQUENCE {
> >>                     fingerprintAlgorithm AlgorithmIdentifier,
> >>                     fingerprintValue     OCTET STRING
> >>                                      } OPTIONAL,
> >>                 limitations          SEQUENCE,
> >>                                    } OPTIONAL,
> >>                                  };
> >>
> >>
> >>                 stapledExtensions Extensions; <----- NEW
> >> }
> >
> >
> > Sorry, I do not get the difference between the purposes of the field
> > 'limitations'
> > and 'stapledExtensions'.
>
> I cannot answer this as I cannot see the syntax of the limitations
> field. I thought it was a field intended to spark discussion rather
> than anything specific.
>

Now, when the syntax is provided, I hope it's specific enough to continue
the discussion.

-- 
SY, Dmitry Belyavsky

v2.23.0 | Report a Bug | By Email