Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15
"Black, David" <david.black@emc.com> Tue, 09 April 2013 13:36 UTC
Return-Path: <david.black@emc.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9121621F8D92; Tue, 9 Apr 2013 06:36:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zvD5TmSb+UQ3; Tue, 9 Apr 2013 06:36:44 -0700 (PDT)
Received: from mexforward.lss.emc.com (hop-nat-141.emc.com [168.159.213.141]) by ietfa.amsl.com (Postfix) with ESMTP id 0A90B21F8D00; Tue, 9 Apr 2013 06:36:43 -0700 (PDT)
Received: from hop04-l1d11-si04.isus.emc.com (HOP04-L1D11-SI04.isus.emc.com [10.254.111.24]) by mexforward.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r39DaS1l028219 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 9 Apr 2013 09:36:28 -0400
Received: from mailhub.lss.emc.com (mailhubhoprd01.lss.emc.com [10.254.221.251]) by hop04-l1d11-si04.isus.emc.com (RSA Interceptor); Tue, 9 Apr 2013 09:36:13 -0400
Received: from mxhub12.corp.emc.com (mxhub12.corp.emc.com [10.254.92.107]) by mailhub.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r39DYpxh009795; Tue, 9 Apr 2013 09:36:10 -0400
Received: from mx15a.corp.emc.com ([169.254.1.81]) by mxhub12.corp.emc.com ([10.254.92.107]) with mapi; Tue, 9 Apr 2013 09:35:25 -0400
From: "Black, David" <david.black@emc.com>
To: Piyush Jain <piyush@ditenity.com>, 'Sean Turner' <turners@ieca.com>
Date: Tue, 09 Apr 2013 09:35:24 -0400
Thread-Topic: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15
Thread-Index: AQHHvIU0pEj95jqjILpXYwEgVOm34gLGPak8AXFeg0kBCCz4MwNWbgjOAWN27bOYinncUIAAg2SQ
Message-ID: <8D3D17ACE214DC429325B2B98F3AE71293E22D3E@MX15A.corp.emc.com>
References: <003e01ce3077$5b6329f0$12297dd0$@ditenity.com> <20130403160532.EB4FD1A68A@ld9781.wdf.sap.corp> <00a401ce3092$0a1415d0$1e3c4170$@ditenity.com> <5163270C.20300@ieca.com> <07af01ce34a4$582df1d0$0889d570$@ditenity.com> <5163840F.2030508@ieca.com> <083601ce34e7$e3dcef40$ab96cdc0$@ditenity.com>
In-Reply-To: <083601ce34e7$e3dcef40$ab96cdc0$@ditenity.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-EMM-MHVC: 1
X-Mailman-Approved-At: Sat, 20 Apr 2013 16:53:15 -0700
Cc: "ambarish@gmail.com" <ambarish@gmail.com>, "slava.galperin@gmail.com" <slava.galperin@gmail.com>, "cadams@eecs.uottawa.ca" <cadams@eecs.uottawa.ca>, 'Stefan Santesson' <stefan@aaa-sec.com>, "gen-art@ietf.org" <gen-art@ietf.org>, "sts@aaa-sec.com" <sts@aaa-sec.com>, "pkix@ietf.org" <pkix@ietf.org>, "Black, David" <david.black@emc.com>
Subject: Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Apr 2013 13:36:45 -0000
> I guess it would be okay if you and David make the determination that this > issue is not worth debating anymore but I would surely have appreciated > hearing the opinions of a few others. I'm not sure how much of a say I have in that determination - Sean (as AD) is absolutely free to acknowledge my input and ignore it ;-). > The deviation from that consensus is that in such cases, the current draft > prohibits clients to interpret the certificate as non-issued, and requires > them to interpret it as issued and revoked by the CA. And this is necessary > to circumvent the responder trust issue for CA delegated responders if they > return extended revoked indicating non-issuance. > Please see http://www.ietf.org/mail-archive/web/pkix/current/msg32336.html. I do not see that prohibition in the new text in -16. In the cited email message, I do see a disagreement between you and Stefan about what implementations are likely to do, but I don't see any text in the draft that dictates that implementations must or must not make that interpretation. Speaking for myself, I would have no problem w/client code that inferred that any "revoked" response with revocation reason certificateHold (6) and revocationTime January 1, 1970 most likely indicates a non-issued certificate. OTOH, such a client *cannot* rely on always receiving that form of response for a known non-issued certificate for the reasons discussed in the new text (e.g., responder not updated to use that response, responder uses only pre produced responses). Again speaking for myself, I think the current text in -16 is ok, in that I don't see the prohibition that Piyush is concerned about there. OTOH, I'd also be ok with a couple of sentences added to say that (new) clients could use that response format to infer that the certificate is a known non-issued certificate, but that clients cannot rely on getting that form of response for all known non-issued certificate (i.e., may get an "unknown" response). Thanks, --David > -----Original Message----- > From: Piyush Jain [mailto:piyush@ditenity.com] > Sent: Tuesday, April 09, 2013 2:03 AM > To: 'Sean Turner' > Cc: ambarish@gmail.com; slava.galperin@gmail.com; cadams@eecs.uottawa.ca; > 'Stefan Santesson'; Black, David; sts@aaa-sec.com; pkix@ietf.org; gen- > art@ietf.org; 'Henry B. Hotz' > Subject: RE: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15 > > > I went back and looked at the WG poll about this issue that you and lot of > > other people participated in (https://www.ietf.org/mail- > > archive/web/pkix/current/msg31906.html). The WG's rough consensus was > > to allow "revoked" to be used for non-issued certificates with the caveat > > thrown in by Paul Hoffman that the meaning of "revoked" be clear about > > what it now means. I've not seen anything that would make me want to > > throw this draft back to the WG to revisit that consensus. > > > > I believe that the straw poll consensus was that revoked will be overloaded > to convey non-issued status to the clients. > The deviation from that consensus is that in such cases, the current draft > prohibits clients to interpret the certificate as non-issued, and requires > them to interpret it as issued and revoked by the CA. And this is necessary > to circumvent the responder trust issue for CA delegated responders if they > return extended revoked indicating non-issuance. > Please see http://www.ietf.org/mail-archive/web/pkix/current/msg32336.html. > > This is an important distinction because from client's point of view > non-issued response for a CA signed certificate is much more severe than a > revoked response and is indicative of a CA/RA compromise. > The reason I'm raising this at LC is because there were a few WG members who > acknowledged this issue and there was no consensus (other than Stefan's > response in the post linked above) on how this should be handled. > > I guess it would be okay if you and David make the determination that this > issue is not worth debating anymore but I would surely have appreciated > hearing the opinions of a few others. > > Best > Piyush > > >
- [pkix] Gen-ART review of draft-ietf-pkix-rfc2560b… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Sean Turner
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Piyush Jain
- [pkix] Gen-ART review of draft-ietf-pkix-rfc2560b… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
- [pkix] review of draft-ietf-pkix-rfc2560bis-15 Peter Rybar
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Stefan Santesson
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Piyush Jain
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Piyush Jain
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Andris Berzins
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Piyush Jain
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Andris Berzins
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Piyush Jain
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Stefan Santesson
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Peter Rybar
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Peter Rybar
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Martin Rex
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Martin Rex
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Sean Turner
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Sean Turner
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Peter Rybar
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Sean Turner
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson