IETF Logo Mail Archive

Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15

"Black, David" <david.black@emc.com> Tue, 09 April 2013 13:36 UTC

Return-Path: <david.black@emc.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9121621F8D92; Tue, 9 Apr 2013 06:36:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zvD5TmSb+UQ3; Tue, 9 Apr 2013 06:36:44 -0700 (PDT)
Received: from mexforward.lss.emc.com (hop-nat-141.emc.com [168.159.213.141]) by ietfa.amsl.com (Postfix) with ESMTP id 0A90B21F8D00; Tue, 9 Apr 2013 06:36:43 -0700 (PDT)
Received: from hop04-l1d11-si04.isus.emc.com (HOP04-L1D11-SI04.isus.emc.com [10.254.111.24]) by mexforward.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r39DaS1l028219 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 9 Apr 2013 09:36:28 -0400
Received: from mailhub.lss.emc.com (mailhubhoprd01.lss.emc.com [10.254.221.251]) by hop04-l1d11-si04.isus.emc.com (RSA Interceptor); Tue, 9 Apr 2013 09:36:13 -0400
Received: from mxhub12.corp.emc.com (mxhub12.corp.emc.com [10.254.92.107]) by mailhub.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r39DYpxh009795; Tue, 9 Apr 2013 09:36:10 -0400
Received: from mx15a.corp.emc.com ([169.254.1.81]) by mxhub12.corp.emc.com ([10.254.92.107]) with mapi; Tue, 9 Apr 2013 09:35:25 -0400
From: "Black, David" <david.black@emc.com>
To: Piyush Jain <piyush@ditenity.com>, 'Sean Turner' <turners@ieca.com>
Date: Tue, 09 Apr 2013 09:35:24 -0400
Thread-Topic: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15
Thread-Index: AQHHvIU0pEj95jqjILpXYwEgVOm34gLGPak8AXFeg0kBCCz4MwNWbgjOAWN27bOYinncUIAAg2SQ
Message-ID: <8D3D17ACE214DC429325B2B98F3AE71293E22D3E@MX15A.corp.emc.com>
References: <003e01ce3077$5b6329f0$12297dd0$@ditenity.com> <20130403160532.EB4FD1A68A@ld9781.wdf.sap.corp> <00a401ce3092$0a1415d0$1e3c4170$@ditenity.com> <5163270C.20300@ieca.com> <07af01ce34a4$582df1d0$0889d570$@ditenity.com> <5163840F.2030508@ieca.com> <083601ce34e7$e3dcef40$ab96cdc0$@ditenity.com>
In-Reply-To: <083601ce34e7$e3dcef40$ab96cdc0$@ditenity.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-EMM-MHVC: 1
X-Mailman-Approved-At: Sat, 20 Apr 2013 16:53:15 -0700
Cc: "ambarish@gmail.com" <ambarish@gmail.com>, "slava.galperin@gmail.com" <slava.galperin@gmail.com>, "cadams@eecs.uottawa.ca" <cadams@eecs.uottawa.ca>, 'Stefan Santesson' <stefan@aaa-sec.com>, "gen-art@ietf.org" <gen-art@ietf.org>, "sts@aaa-sec.com" <sts@aaa-sec.com>, "pkix@ietf.org" <pkix@ietf.org>, "Black, David" <david.black@emc.com>
Subject: Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Apr 2013 13:36:45 -0000

> I guess it would be okay if you and David make the determination that this
> issue is not worth debating anymore but I would surely have appreciated
> hearing the opinions of a few others.

I'm not sure how much of a say I have in that determination - Sean (as AD)
is absolutely free to acknowledge my input and ignore it ;-).

> The deviation from that consensus is that in such cases, the current draft
> prohibits clients to interpret the certificate as non-issued, and requires
> them to interpret it as issued and revoked by the CA. And this is necessary
> to circumvent the responder trust issue for CA delegated responders if they
> return extended revoked indicating non-issuance.
> Please see http://www.ietf.org/mail-archive/web/pkix/current/msg32336.html.

I do not see that prohibition in the new text in -16.  In the cited email
message, I do see a disagreement between you and Stefan about what implementations
are likely to do, but I don't see any text in the draft that dictates that
implementations must or must not make that interpretation.

Speaking for myself, I would have no problem w/client code that inferred that
any "revoked" response with revocation reason certificateHold (6) and
revocationTime January 1, 1970 most likely indicates a non-issued certificate.
OTOH, such a client *cannot* rely on always receiving that form of response
for a known non-issued certificate for the reasons discussed in the new text
(e.g., responder not updated to use that response, responder uses only pre
produced responses).

Again speaking for myself, I think the current text in -16 is ok, in that I
don't see the prohibition that Piyush is concerned about there.  OTOH, I'd also
be ok with a couple of sentences added to say that (new) clients could use
that response format to infer that the certificate is a known non-issued
certificate, but that clients cannot rely on getting that form of response
for all known non-issued certificate (i.e., may get an "unknown" response).

Thanks,
--David

> -----Original Message-----
> From: Piyush Jain [mailto:piyush@ditenity.com]
> Sent: Tuesday, April 09, 2013 2:03 AM
> To: 'Sean Turner'
> Cc: ambarish@gmail.com; slava.galperin@gmail.com; cadams@eecs.uottawa.ca;
> 'Stefan Santesson'; Black, David; sts@aaa-sec.com; pkix@ietf.org; gen-
> art@ietf.org; 'Henry B. Hotz'
> Subject: RE: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15
> 
> > I went back and looked at the WG poll about this issue that you and lot of
> > other people participated in (https://www.ietf.org/mail-
> > archive/web/pkix/current/msg31906.html).  The WG's rough consensus was
> > to allow "revoked" to be used for non-issued certificates with the caveat
> > thrown in by Paul Hoffman that the meaning of "revoked" be clear about
> > what it now means.  I've not seen anything that would make me want to
> > throw this draft back to the WG to revisit that consensus.
> >
> 
> I believe that the straw poll consensus was that revoked will be overloaded
> to convey non-issued status to the clients.
> The deviation from that consensus is that in such cases, the current draft
> prohibits clients to interpret the certificate as non-issued, and requires
> them to interpret it as issued and revoked by the CA. And this is necessary
> to circumvent the responder trust issue for CA delegated responders if they
> return extended revoked indicating non-issuance.
> Please see http://www.ietf.org/mail-archive/web/pkix/current/msg32336.html.
> 
> This is an important distinction because from client's point of view
> non-issued response for a CA signed certificate is much more severe than a
> revoked response and is indicative of a CA/RA compromise.
> The reason I'm raising this at LC is because there were a few WG members who
> acknowledged this issue and there was no consensus (other than Stefan's
> response in the post linked above) on how this should be handled.
> 
> I guess it would be okay if you and David make the determination that this
> issue is not worth debating anymore but I would surely have appreciated
> hearing the opinions of a few others.
> 
> Best
> Piyush
> 
> 
>

v2.23.0 | Report a Bug | By Email