IETF Logo Mail Archive

Re: Son of RFC3280 path validation rules

"Denis Pinkas" <denis.pinkas@bull.net> Fri, 20 October 2006 12:51 UTC

Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gatqo-0005xA-9u for pkix-archive@lists.ietf.org; Fri, 20 Oct 2006 08:51:50 -0400
Received: from balder-227.proper.com ([192.245.12.227]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GatqY-0000sW-UR for pkix-archive@lists.ietf.org; Fri, 20 Oct 2006 08:51:50 -0400
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k9KBoMqo097420; Fri, 20 Oct 2006 04:50:22 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k9KBoMQm097419; Fri, 20 Oct 2006 04:50:22 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from odin2.bull.net (odin2.bull.net [129.184.85.11]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k9KBoKta097412 for <ietf-pkix@imc.org>; Fri, 20 Oct 2006 04:50:21 -0700 (MST) (envelope-from denis.pinkas@bull.net)
Received: from MSGA-001.frcl.bull.fr (msga-001.frcl.bull.fr [129.184.87.31]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id NAA42896 for <ietf-pkix@imc.org>; Fri, 20 Oct 2006 13:52:40 +0200
Received: from frcls4013 ([129.182.108.120]) by MSGA-001.frcl.bull.fr (Lotus Domino Release 5.0.11) with SMTP id 2006102013501705:11493 ; Fri, 20 Oct 2006 13:50:17 +0200
Date: Fri, 20 Oct 2006 13:50:15 +0200
From: Denis Pinkas <denis.pinkas@bull.net>
To: "ietf-pkix@imc.org" <ietf-pkix@imc.org>
Subject: Re: Son of RFC3280 path validation rules
X-mailer: Foxmail 5.0 [-fr-]
Mime-Version: 1.0
X-MIMETrack: Itemize by SMTP Server on MSGA-001/FR/BULL(Release 5.0.11 |July 24, 2002) at 20/10/2006 13:50:17, Serialize by Router on MSGA-001/FR/BULL(Release 5.0.11 |July 24, 2002) at 20/10/2006 13:50:19, Serialize complete at 20/10/2006 13:50:19
Message-ID: <OF593ECDCE.FAF92017-ONC125720D.00410749@frcl.bull.fr>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
X-Spam-Score: 0.5 (/)
X-Scan-Signature: d0bdc596f8dd1c226c458f0b4df27a88

Hi Stephen,

>Hi Santosh,

>That's true. What I meant however, was an I-D. If no-one wants to
>write one then maybe this isn't actually such a pressing problem.

You are proposing to write an I-D to add a single sentence like:
"The certificate from the CRL Issuer MUST be issued by the CA that has issued the target certificate."
I suspect you are kidding.

The alternative would be to add in the security considerations section :

"The path validation algorithm provides no protection in case two CRL Issuers under the same trust anchor 
would happen to have the same DN".

Denis

>S.
>
>Santosh Chokhani wrote:
>> Steve,
>> 
>> Text has already been written and briefed to the PKIX group as early as
>> November 2004.  See the slides and minutes from Nov 2004 IETF in
>> Washington DC
>> 
>> -----Original Message-----
>> From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org]
>> On Behalf Of Stephen Farrell
>> Sent: Friday, October 20, 2006 5:44 AM
>> To: Denis Pinkas
>> Cc: ietf-pkix@imc.org
>> Subject: Re: Son of RFC3280 path validation rules
>> 
>> 
>> 
>> Hi Denis,
>> 
>> Denis Pinkas wrote:
>> 
>>> ...the sentence : "The trust anchor for the certification path
>>> MUST be the same as the trust anchor used to validate the target
>> certificate" does not allow 
>>> to address the cases where:
>> 
>> As it happens I disagree with you but that was done to death on the
>> list before I think.
>> 
>>>      a) two CAs in different branches of a certification tree would
>> have the same DN, and
>>>      b) two CAs in different trees of a certification forest would
>> have the same DN.
>>> Dave, the text of son-of-RFC328 is currently insufficient to enable
>> secure implementations.
>> 
>> That strikes me as a wild overstatement almost akin to saying that
>> we should spend forever figuring out how to handle cases where two
>> CAs end up with the same private key and never mind making any
>> progress in the meantime.
>> 
>> I think the current text is fine, an improvement on 3280, and well
>> worth proceeding with.
>> 
>> I suggest that you write up a separate document that says how to
>> handle the corner cases above.
>> 
>> Stephen.

v2.23.0 | Report a Bug | By Email