Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15

Stefan Santesson <stefan@aaa-sec.com> Tue, 09 April 2013 14:57 UTC

User-Agent: Microsoft-MacOutlook/14.3.2.130206
Date: Tue, 09 Apr 2013 16:57:05 +0100
From: Stefan Santesson <stefan@aaa-sec.com>
To: "Black, David" <david.black@emc.com>, Piyush Jain <piyush@ditenity.com>, 'Sean Turner' <turners@ieca.com>
Message-ID: <CD89F6C1.60183%stefan@aaa-sec.com>
Thread-Topic: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15
In-Reply-To: <8D3D17ACE214DC429325B2B98F3AE71293E22D3E@MX15A.corp.emc.com>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Cc: "ambarish@gmail.com" <ambarish@gmail.com>, "slava.galperin@gmail.com" <slava.galperin@gmail.com>, "cadams@eecs.uottawa.ca" <cadams@eecs.uottawa.ca>, "gen-art@ietf.org" <gen-art@ietf.org>, "sts@aaa-sec.com" <sts@aaa-sec.com>, "pkix@ietf.org" <pkix@ietf.org>
Subject: Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15
Precedence: list

On 4/9/13 2:35 PM, "Black, David" <david.black@emc.com> wrote:

>Again speaking for myself, I think the current text in -16 is ok, in that
>I
>don't see the prohibition that Piyush is concerned about there.  OTOH,
>I'd also
>be ok with a couple of sentences added to say that (new) clients could use
>that response format to infer that the certificate is a known non-issued
>certificate, but that clients cannot rely on getting that form of response
>for all known non-issued certificate (i.e., may get an "unknown"
>response).

I'd rather not try to describe what clients should do or expect in terms
of non-issued certificates.
Clients are really not meant to know anything beyond "revoked" = this cert
should not be trusted.

This is a server choice to prevent the requested cert (if it exist at all)
from being accepted.
For requests for real certs, issued by a trusted CA, this case will never
even occur unless the CA is compromised.
And, if I put something in, given the discussion so far, the chance that
there will be some major disagreements with it, is really high.

The current text works.

/Stefan

[pkix] Gen-ART review of draft-ietf-pkix-rfc2560b… Black, David
Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Sean Turner
Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Piyush Jain
[pkix] Gen-ART review of draft-ietf-pkix-rfc2560b… Black, David
Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
[pkix] review of draft-ietf-pkix-rfc2560bis-15 Peter Rybar
Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Stefan Santesson
Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Piyush Jain
Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Piyush Jain
Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Andris Berzins
Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Piyush Jain
Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Andris Berzins
Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Piyush Jain
Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Stefan Santesson
Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Peter Rybar
Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Peter Rybar
Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Martin Rex
Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Martin Rex
Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Sean Turner
Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Sean Turner
Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Peter Rybar
Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Sean Turner
Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson