Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15
"Black, David" <david.black@emc.com> Sun, 31 March 2013 02:04 UTC
Return-Path: <david.black@emc.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C75C21F8935 for <pkix@ietfa.amsl.com>; Sat, 30 Mar 2013 19:04:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=-0.001, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4GPLn9LKbJ0N for <pkix@ietfa.amsl.com>; Sat, 30 Mar 2013 19:04:26 -0700 (PDT)
Received: from mexforward.lss.emc.com (hop-nat-141.emc.com [168.159.213.141]) by ietfa.amsl.com (Postfix) with ESMTP id 7ECF621F8934 for <pkix@ietf.org>; Sat, 30 Mar 2013 19:04:26 -0700 (PDT)
Received: from hop04-l1d11-si01.isus.emc.com (HOP04-L1D11-SI01.isus.emc.com [10.254.111.54]) by mexforward.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r2V241jj015643 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 30 Mar 2013 22:04:01 -0400
Received: from mailhub.lss.emc.com (mailhubhoprd01.lss.emc.com [10.254.221.251]) by hop04-l1d11-si01.isus.emc.com (RSA Interceptor); Sat, 30 Mar 2013 22:03:46 -0400
Received: from mxhub27.corp.emc.com (mxhub27.corp.emc.com [10.254.110.183]) by mailhub.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r2V23j3Z018791; Sat, 30 Mar 2013 22:03:45 -0400
Received: from mx15a.corp.emc.com ([169.254.1.81]) by mxhub27.corp.emc.com ([10.254.110.183]) with mapi; Sat, 30 Mar 2013 22:03:44 -0400
From: "Black, David" <david.black@emc.com>
To: Piyush Jain <piyush@ditenity.com>, 'Stefan Santesson' <stefan@aaa-sec.com>, "sts@aaa-sec.com" <sts@aaa-sec.com>, "mmyers@fastq.com" <mmyers@fastq.com>, "ambarish@gmail.com" <ambarish@gmail.com>, "slava.galperin@gmail.com" <slava.galperin@gmail.com>, "cadams@eecs.uottawa.ca" <cadams@eecs.uottawa.ca>
Content-Class: urn:content-classes:message
Date: Sat, 30 Mar 2013 22:03:11 -0400
Thread-Topic: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15
Thread-Index: AQH+nYEO0mMdaySTI1Wq5Cz3Zlq4EZheELgggAALf7OAABCRHg==
Message-ID: <985590FA-5A27-4787-B2EB-D44F909B7B3E@mimectl>
References: <023401ce2ce1$44448cd0$cccda670$@ditenity.com> <CD7D3A0F.5F1AA%stefan@aaa-sec.com>, <033001ce2daa$2826e150$7874a3f0$@ditenity.com>
In-Reply-To: <033001ce2daa$2826e150$7874a3f0$@ditenity.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
x-mimectl: Produced By Microsoft Exchange V8.3.105.0
Content-Type: multipart/alternative; boundary="_000_985590FA5A274787B2EBD44F909B7B3Emimectl_"
MIME-Version: 1.0
X-EMM-MHVC: 1
Cc: "pkix@ietf.org" <pkix@ietf.org>, "Black, David" <david.black@emc.com>
Subject: Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Mar 2013 02:04:29 -0000
> Anyway, I'm pasting David's interpretation of the text that he sent in one > of the messages in this thread. I would appreciate it if you can share you > thoughts on this interpretation. > If this is how most people see it, they would conclude that both clients and > server would need to be updated together if servers start returning revoked > for non-issued. I know that this is not what you trying to convey. I don't think that's a good inference ... but this is getting confusing, so let's go back to the beginning. An important consideration is that "revoked" is defined in RFC 2560, so all existing clients have to be able to cope with that response, independent of whether they comply with 2560 or 2560bis. They apparently do cope just fine, as Piyush wrote: > Legacy clients will continue to work whether you make it required or optional. What's new is that there's an additional case, non-issued certificate serial number, where a 2560bis server could return "revoked" but a 2560 server will never return "revoked". OTOH, use of "revoked" can't be required in this case for the reasons described in Stefan's new text in 2560bis. That would appear to lead to the following: - Server (responder) use of "revoked" for non-issued certificate serial numbers is optional for the reasons that Stefan described, but suggested when possible because it reduces the likelihood of relying parties falling back to CRLs by comparison to use of "unknown". I'm carefully avoiding use of "SHOULD" here. - Clients (requesters) MUST NOT depend on receiving "revoked" for non-issued certificate numbers because servers that comply with RFC 2560 won't do that. According to Piyush, all existing deployed clients already meet this "MUST NOT" requirement, so nothing else is needed. Stefan's text in -16 covers the first point. The second point could be added for additional explanation, but it would need to go outside the "NOTE:" due to its use of "MUST NOT." Thanks, --David ________________________________ From: Piyush Jain [piyush@ditenity.com] Sent: Saturday, March 30, 2013 8:53 PM To: 'Stefan Santesson'; Black, David; sts@aaa-sec.com; mmyers@fastq.com; ambarish@gmail.com; slava.galperin@gmail.com; cadams@eecs.uottawa.ca Cc: pkix@ietf.org Subject: RE: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15 > This is what backward compatibility of a standard is. > A standard is backwards compatible if any valid implementation of the old > standard is also a valid implementation of the revised standard. And I always thought that compatibility applies to implementations. Anyway, I'm pasting David's interpretation of the text that he sent in one of the messages in this thread. I would appreciate it if you can share you thoughts on this interpretation. If this is how most people see it, they would conclude that both clients and server would need to be updated together if servers start returning revoked for non-issued. I know that this is not what you trying to convey. Pasted from David's message ~~~~~~~~~~~~~~~~~~~~~~ "The usual backwards compatibility concern is mixed new/legacy deployments. In this case, the specifics appear to be: New clients with legacy servers cannot expect to see "revoked" in this case. This matters because a hypothetical client coded to depend on a "revoked" response in this case won't work correctly with legacy servers (even though it'd be rather questionable to code that dependency into a new client - never underestimate the creativity and cleverness of implementers). New servers with legacy clients risk breaking clients that can't cope with "revoked" in this case, as you noted:" End ~~~
- [pkix] Gen-ART review of draft-ietf-pkix-rfc2560b… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Sean Turner
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Piyush Jain
- [pkix] Gen-ART review of draft-ietf-pkix-rfc2560b… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
- [pkix] review of draft-ietf-pkix-rfc2560bis-15 Peter Rybar
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Stefan Santesson
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Piyush Jain
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Piyush Jain
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Andris Berzins
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Piyush Jain
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Andris Berzins
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Piyush Jain
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Stefan Santesson
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Peter Rybar
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Peter Rybar
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Martin Rex
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Martin Rex
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Sean Turner
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Sean Turner
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Peter Rybar
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Sean Turner
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson