Re: I-D ACTION:draft-ietf-pkix-certstore-http-01.txt
Michael Ströder <michael@stroeder.com> Tue, 08 January 2002 13:26 UTC
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id IAA20212 for <pkix-archive@odin.ietf.org>; Tue, 8 Jan 2002 08:26:53 -0500 (EST)
Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g08CJ5U26166 for ietf-pkix-bks; Tue, 8 Jan 2002 04:19:05 -0800 (PST)
Received: from mailout09.sul.t-online.com (mailout09.sul.t-online.com [194.25.134.84]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g08CJ3326161 for <ietf-pkix@imc.org>; Tue, 8 Jan 2002 04:19:03 -0800 (PST)
Received: from fwd03.sul.t-online.de by mailout09.sul.t-online.de with smtp id 16NvDV-0003oW-02; Tue, 08 Jan 2002 13:18:57 +0100
Received: from junker.stroeder.com (520010731148-0001@[217.1.20.8]) by fmrl03.sul.t-online.com with esmtp id 16NvDF-100np2C; Tue, 8 Jan 2002 13:18:41 +0100
Received: from stroeder.com (localhost [127.0.0.1]) by junker.stroeder.com (Postfix) with ESMTP id B1F58157CE2 for <ietf-pkix@imc.org>; Tue, 8 Jan 2002 13:19:29 +0100 (CET)
Message-ID: <3C3AE3D1.B7AB99CB@stroeder.com>
Date: Tue, 08 Jan 2002 13:19:29 +0100
From: Michael Ströder <michael@stroeder.com>
Reply-To: michael@stroeder.com
Organization: stroeder.com
X-Mailer: Mozilla 4.79 [en] (X11; U; Linux 2.4.17 i686)
X-Accept-Language: de-DE, de, en
MIME-Version: 1.0
To: ietf-pkix@imc.org
Subject: Re: I-D ACTION:draft-ietf-pkix-certstore-http-01.txt
References: <200201071408.JAA14678@ietf.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Sender: 520010731148-0001@t-dialin.net
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
List-ID: <ietf-pkix.imc.org>
Content-Transfer-Encoding: 7bit
Internet-Drafts@ietf.org wrote: > > http://www.ietf.org/internet-drafts/draft-ietf-pkix-certstore-http-01.txt I have some problems with section 2.1: Maybe it's me (I'm not a native english speaker) but I read it like all search values have to be hashed and base64-encoded except subjectKeyIdentifier. How about e.g. search attribute email? To avoid misinterpretation I'd prefer having a table which states exactly how to treat each search attribute on the client side if necessary before submitting the query. Or at least starting section 2.1 with "The fields [complete binary attribute list]...are of" instead of "Some of the fields...are of". IMHO for a low-tech use-case with wide-spread acceptance ;-) it should be possible to create a simple HTML form with the <form>'s attribute action= pointing to the URL of the "HTTP Certificate Store Interface". For this simple scenario pre-processing (hashing) of search values at the client side is unfeasible (except when using Javascript or similar beasty things). I'd also suggest that it should be possible to pass a subject DN in RFC2253 string representation as (x-www-form-urlencoded) search value. Maybe your could provide a separate search attribute rfc2253Name? Even though the length is theoretically unlimited the usual string length of DNs shouldn't be an issue with today's web servers. E.g. for security reasons I'm limiting string repr. of DNs to 1024 bytes in web2ldap and - guess what - never hit the limit. As long as you don't impose a hard limit in the draft there shouldn't be a problem with it. Now off course the really interesting part is "3. Locating HTTP Certificate Stores": IMHO locating a cert store in the Internet falls into two different steps: 1. Locating a server name or IP address *and* port of a cert store 2. Some well-defined addressing rules once the IP address is known One should not mix these two levels. The rules in section 3.2 for forming the URIs more or less sufficiently addresses 2. by defining the well-known PATH_INFO /search.cgi but fall short for 1. Your example already shows the problem: --------------- snip --------------- certificates.<domain_name>/search.cgi crls.<domain_name>/search.cgi Service providers SHOULD use these URIs in preference to other alternatives. For example if a CA with the domain kiwisign.com were to make its certificates available via an HTTP certificate store interface, the "well-known" query URIs for certificates and CRLs would be: certificates.kiwisign.com/search.cgi crls.kiwisign.com/search.cgi" --------------- snip --------------- Now what's our use-case here? Most times a user has an e-mail address of a recipient and wants to obtain the matching certificate for the recipient's e-mail address. The sender does not know the issuer of the certificate in advance => the <domain_name> in the example above is unknown. Or maybe I misunderstood something? Maybe it's not clear enough what the term "service provider" means in this context. And that's exactly the same case where LDAP-based cert stores fall short today. My suggestion would be to run certificate stores holding e-mail certs associated to e-mail domains. Like there are DNS MX RRs for each e-mail domain there could be DNS SRV RRs for the e-mail domains pointing to the certificate stores' DNS A or CNAME RR and port number. In this case "service provider" would be the domain name hoster for the recipient's e-mail address. IMHO draft-ietf-pkix-pkixrep-00 went in that direction but expired silently. :-( I cannot really comment on UPNP and determining net_loc but is net_loc really solely an IP address or a DNS name as you described or a host:port location? I think URI generation for both cases should be unified. Ciao, Michael.
- Re: I-D ACTION:draft-ietf-pkix-certstore-http-01.… Russel F Weiser
- I-D ACTION:draft-ietf-pkix-certstore-http-01.txt Internet-Drafts
- Re: I-D ACTION:draft-ietf-pkix-certstore-http-01.… Peter Gutmann
- Re: I-D ACTION:draft-ietf-pkix-certstore-http-01.… Michael Ströder
- Re: I-D ACTION:draft-ietf-pkix-certstore-http-01.… Michael Ströder
- Re: I-D ACTION:draft-ietf-pkix-certstore-http-01.… Michael Ströder
- Re: I-D ACTION:draft-ietf-pkix-certstore-http-01.… David P. Kemp
- RE: I-D ACTION:draft-ietf-pkix-certstore-http-01.… Piers Chivers
- RE: I-D ACTION:draft-ietf-pkix-certstore-http-01.… Peter Gutmann
- Re: I-D ACTION:draft-ietf-pkix-certstore-http-01.… Peter Gutmann
- Re: I-D ACTION:draft-ietf-pkix-certstore-http-01.… Peter Gutmann
- Re: I-D ACTION:draft-ietf-pkix-certstore-http-01.… Rich Salz
- Re: I-D ACTION:draft-ietf-pkix-certstore-http-01.… Michael Ströder
- Re: I-D ACTION:draft-ietf-pkix-certstore-http-01.… Michael Ströder
- Re: I-D ACTION:draft-ietf-pkix-certstore-http-01.… Tomas Gustavsson
- Re: I-D ACTION:draft-ietf-pkix-certstore-http-01.… Andreas Sterbenz
- Re: I-D ACTION:draft-ietf-pkix-certstore-http-01.… Michael Ströder
- Re: I-D ACTION:draft-ietf-pkix-certstore-http-01.… Peter Gutmann
- Re: I-D ACTION:draft-ietf-pkix-certstore-http-01.… Peter Gutmann
- Re: I-D ACTION:draft-ietf-pkix-certstore-http-01.… Peter Gutmann
- Re: I-D ACTION:draft-ietf-pkix-certstore-http-01.… Michael Ströder
- Re: I-D ACTION:draft-ietf-pkix-certstore-http-01.… Tomas Gustavsson
- Re: I-D ACTION:draft-ietf-pkix-certstore-http-01.… Housley, Russ
- Re: I-D ACTION:draft-ietf-pkix-certstore-http-01.… Eric Murray
- Re: I-D ACTION:draft-ietf-pkix-certstore-http-01.… Peter Sylvester
- Re: I-D ACTION:draft-ietf-pkix-certstore-http-01.… Housley, Russ
- Re: I-D ACTION:draft-ietf-pkix-certstore-http-01.… Peter Gutmann
- Re: I-D ACTION:draft-ietf-pkix-certstore-http-01.… Peter Gutmann
- Re: I-D ACTION:draft-ietf-pkix-certstore-http-01.… Peter Gutmann
- Re: I-D ACTION:draft-ietf-pkix-certstore-http-01.… Michael Ströder
- Re: I-D ACTION:draft-ietf-pkix-certstore-http-01.… Michael Ströder
- Re: I-D ACTION:draft-ietf-pkix-certstore-http-01.… Andreas Sterbenz
- Re: I-D ACTION:draft-ietf-pkix-certstore-http-01.… Peter Sylvester
- Re: I-D ACTION:draft-ietf-pkix-certstore-http-01.… Dr S N Henson