[saag] PKIX report
Stephen Kent <kent@bbn.com> Tue, 27 March 2012 14:12 UTC
PKIX met once, for 2.5 hours on 3/27, with about 52 attendees.

Three presentations addressed issues with OCSP. Stefan Santesson discussed his plans for making substantial changes to 2560bis (OCSP clarifications), to cause it to better match deployed OCSP client and responder behavior. Sean Turner urged Stefan to complete work on this document so that it can yield an RFC prior to the end of this year. Denis Pinkas described several concerns about both the original OCSP spec (2560) and the clarifications document. Stefan agreed with many of Denis's observations. A later presentation by Denis dealt with recent PKIX list discussions of extensions for OCSP, and how the clarification document may help with these issues.

There was a brief discussion of issuing an updated version of the Diffie-Hellman PoP RFC (2875), in support of algorithm agility, e.g., to accommodate new hash algorithms and EC Diffie-Hellman. This work may be done inside of PKIX, or fast-tracked by Sean.

A presentation on a proposed EKU was inconclusive. The motivation for assigning an OID for the requested EKU from the PKIX arc is based on behavior of commercial CAs (TAs in web browsers) when issuing server certificates. This behavior is outside of PKIX specs, and there is no indication that these CAs would agree to issue server certificates, which makes it unclear that assignment of this EKU would have the desired effect. The authors of the (non-PKIX) I-D were advised to participate in the JSON and ABFAB WGs.