Re: [POSH] Delegation duration

"Olle E. Johansson" <oej@edvina.net> Tue, 17 September 2013 15:04 UTC

On 17 Sep 2013, at 14:46, Michael Procter <michael@voip.co.uk> wrote:

> Thanks for issuing -01, which addresses some of my questions.  I'm still concerned about one area though.  To repeat from an earlier email:
> 
> > In section [7], you state that ideally, caching of the certificate
> > obtained via POSH should be based on the expiration time of the
> > certificate.  I think this might be a little too trusting, as it ties
> > delegation validity to certificate expiry.  If I trust
> > hosting.example.net to host my service today, that doesn't mean I will
> > continue to trust them until their certificate expires.  HTTP
> > cache-control headers might be a useful way of indicating a short term
> > trust though.
> 
> I think it would be useful to consider adding a "validity" field somewhere, indicating either a duration (this delegation valid for 24 hours) or an expiry (this delegation valid until 17th Sep 2013).  Whether this is done via cache-control headers, or a new field in the jwk, or some other mechanism is less important to me, so long as there is some way of indicating how soon the delegation may be revoked.
> 
Caching to expiry time is not acceptable. I do agree that we need to have a header to define a decent caching time.

/O
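
Added example, not part of the original message or of the POSH draft: one way a client could bound how long it caches a POSH delegation, using an HTTP Cache-Control max-age clamped to the certificate's expiry, as the thread suggests. The function names, the one-hour fallback and the sample dates are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumed conservative fallback when the server sends no usable header.
DEFAULT_TTL = timedelta(hours=1)


def parse_max_age(cache_control):
    """Return the cache lifetime as a timedelta.

    timedelta(0) for no-store/no-cache, None when no usable max-age exists.
    """
    if not cache_control:
        return None
    max_age = None
    for directive in cache_control.split(","):
        name, _, value = directive.strip().partition("=")
        name = name.lower()
        if name in ("no-store", "no-cache"):
            return timedelta(0)  # the delegation must be re-fetched every time
        if name == "max-age":
            value = value.strip().strip('"')
            if value.isascii() and value.isdigit():
                max_age = timedelta(seconds=int(value))
    return max_age


def delegation_cache_until(fetched_at, cert_not_after, cache_control,
                           default_ttl=DEFAULT_TTL):
    """Latest time the cached delegation may be used without re-fetching.

    The header bounds the delegation; certificate expiry is only an upper cap.
    """
    ttl = parse_max_age(cache_control)
    if ttl is None:
        ttl = default_ttl
    return min(fetched_at + ttl, cert_not_after)


# Constructed sample values.
FETCHED = datetime(2013, 9, 17, 15, 0, tzinfo=timezone.utc)
NOT_AFTER = datetime(2014, 9, 17, 15, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for header in ("max-age=86400", None, "no-store", "max-age=63072000"):
        until = delegation_cache_until(FETCHED, NOT_AFTER, header)
        print(f"{header!r:22} -> cache until {until.isoformat()}")
```

With a 24-hour max-age, a withdrawn delegation stops being honoured within a day, instead of persisting for the year the sample certificate remains valid.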