Re: Son of RFC3280 path validation rules
"Denis Pinkas" <denis.pinkas@bull.net> Fri, 20 October 2006 12:51 UTC
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gatqo-0005xA-9u for pkix-archive@lists.ietf.org; Fri, 20 Oct 2006 08:51:50 -0400
Received: from balder-227.proper.com ([192.245.12.227]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GatqY-0000sW-UR for pkix-archive@lists.ietf.org; Fri, 20 Oct 2006 08:51:50 -0400
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k9KBoMqo097420; Fri, 20 Oct 2006 04:50:22 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k9KBoMQm097419; Fri, 20 Oct 2006 04:50:22 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from odin2.bull.net (odin2.bull.net [129.184.85.11]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k9KBoKta097412 for <ietf-pkix@imc.org>; Fri, 20 Oct 2006 04:50:21 -0700 (MST) (envelope-from denis.pinkas@bull.net)
Received: from MSGA-001.frcl.bull.fr (msga-001.frcl.bull.fr [129.184.87.31]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id NAA42896 for <ietf-pkix@imc.org>; Fri, 20 Oct 2006 13:52:40 +0200
Received: from frcls4013 ([129.182.108.120]) by MSGA-001.frcl.bull.fr (Lotus Domino Release 5.0.11) with SMTP id 2006102013501705:11493 ; Fri, 20 Oct 2006 13:50:17 +0200
Date: Fri, 20 Oct 2006 13:50:15 +0200
From: Denis Pinkas <denis.pinkas@bull.net>
To: "ietf-pkix@imc.org" <ietf-pkix@imc.org>
Subject: Re: Son of RFC3280 path validation rules
X-mailer: Foxmail 5.0 [-fr-]
Mime-Version: 1.0
X-MIMETrack: Itemize by SMTP Server on MSGA-001/FR/BULL(Release 5.0.11 |July 24, 2002) at 20/10/2006 13:50:17, Serialize by Router on MSGA-001/FR/BULL(Release 5.0.11 |July 24, 2002) at 20/10/2006 13:50:19, Serialize complete at 20/10/2006 13:50:19
Message-ID: <OF593ECDCE.FAF92017-ONC125720D.00410749@frcl.bull.fr>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
X-Spam-Score: 0.5 (/)
X-Scan-Signature: d0bdc596f8dd1c226c458f0b4df27a88
Hi Stephen, >Hi Santosh, >That's true. What I meant however, was an I-D. If no-one wants to >write one then maybe this isn't actually such a pressing problem. You are proposing to write an I-D to add a single sentence like: "The certificate from the CRL Issuer MUST be issued by the CA that has issued the target certificate." I suspect you are kidding. The alternative would be to add in the security considerations section : "The path validation algorithm provides no protection in case two CRL Issuers under the same trust anchor would happen to have the same DN". Denis >S. > >Santosh Chokhani wrote: >> Steve, >> >> Text has already been written and briefed to the PKIX group as early as >> November 2004. See the slides and minutes from Nov 2004 IETF in >> Washington DC >> >> -----Original Message----- >> From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] >> On Behalf Of Stephen Farrell >> Sent: Friday, October 20, 2006 5:44 AM >> To: Denis Pinkas >> Cc: ietf-pkix@imc.org >> Subject: Re: Son of RFC3280 path validation rules >> >> >> >> Hi Denis, >> >> Denis Pinkas wrote: >> >>> ...the sentence : "The trust anchor for the certification path >>> MUST be the same as the trust anchor used to validate the target >> certificate" does not allow >>> to address the cases where: >> >> As it happens I disagree with you but that was done to death on the >> list before I think. >> >>> a) two CAs in different branches of a certification tree would >> have the same DN, and >>> b) two CAs in different trees of a certification forest would >> have the same DN. >>> Dave, the text of son-of-RFC328 is currently insufficient to enable >> secure implementations. >> >> That strikes me as a wild overstatement almost akin to saying that >> we should spend forever figuring out how to handle cases where two >> CAs end up with the same private key and never mind making any >> progress in the meantime. >> >> I think the current text is fine, an improvement on 3280, and well >> worth proceeding with. >> >> I suggest that you write up a separate document that says how to >> handle the corner cases above. >> >> Stephen.
- Son of RFC3280 path validation rules Julien Stern
- Re: Son of RFC3280 path validation rules Denis Pinkas
- Re: Son of RFC3280 path validation rules Stephen Farrell
- Re: Son of RFC3280 path validation rules Peter Sylvester
- RE: Son of RFC3280 path validation rules Santosh Chokhani
- RE: Son of RFC3280 path validation rules Santosh Chokhani
- Re: Son of RFC3280 path validation rules Stephen Farrell
- Re: Son of RFC3280 path validation rules Denis Pinkas
- Re: Son of RFC3280 path validation rules Stephen Farrell
- Re: Son of RFC3280 path validation rules Stephen Farrell
- RE: Son of RFC3280 path validation rules Michael Myers
- Re: Son of RFC3280 path validation rules Julien Stern
- Re: Son of RFC3280 path validation rules Stephen Farrell
- RE: Son of RFC3280 path validation rules Michael Myers
- RE: Son of RFC3280 path validation rules Santosh Chokhani
- Re: Son of RFC3280 path validation rules Julien Stern
- Re: Son of RFC3280 path validation rules Stephen Farrell
- Re: Son of RFC3280 path validation rules Julien Stern