[secdir] PKIX summary
Stephen Kent <kent@bbn.com> Tue, 29 March 2011 10:38 UTC
Date: Tue, 29 Mar 2011 06:40:05 -0400
To: secdir@ietf.org
From: Stephen Kent <kent@bbn.com>
About 47 individuals attended the PKIX meeting on Monday. We reviewed document status (two in the RFC Editor's queue, and 5 in process in the WG).

Jim Schaad described his S/MIME capabilities doc, which is ready for WGLC. He noted that the data structure defined therein might be a better choice for the OCSP algorithm offering description. If we elect to adopt this, it would require that we revise the OCSP agility doc, which is already in the RFC Editor's queue. Tim Polk suggested that if the WG wants to make this change, he can probably persuade the IESG to allow this as an AUTH48 change.

Alexey Melnikov noted that the EAI WG is completing a revision, RFC 5335bis and RFC 5336bis. These changes will allow UTF-8 characters on both sides of the "@" in an e-mail address. RFC 5280 defines an RFC822 address as an SAN, but does not define addresses relative to UTF-8 encoding. Thus Alexey would like to see an update to 5280 that extends these two SANs to allow for UTF-8 encoding. In the past we have seen a lack of widespread vendor support for UTF-8 in certificates (in DNs). Most recently it appeared that few RPs supported the matching rules that 5280 defines, in lieu of the simple, binary matching rules that were defined in 3280. This may argue for a return to the older, simple rules, if we want to support UTF-8 in these two SANs. Paul argued that the alias issue is a red herring, since we may already have this problem, e.g., foo.com and foo.net. So, we can bring to the list the topic of an update to 5280 that makes UTF-8 support a SHOULD in DNS and e-mail address SANs, and to revert to the simpler matching rules.

The meeting ended with a presentation by Joe Salowey, discussing a proposal to pursue development of a lightweight cert management protocol, based on CMS. There was enthusiasm for this work, but also a lot of questions, e.g., what cert management functions will be supported and what are the primary use cases? Nonetheless, this is an interesting topic and it is likely that PKIX will pursue this effort.

Steve Kent
Stefan Santesson
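As an added example (not part of Steve Kent's message or of any PKIX document), the following Python contrasts the two SAN comparison styles the minutes mention for rfc822Name, and shows why an EAI address with a UTF-8 local-part cannot be carried in today's IA5String SAN at all. The function names are mine, the sample addresses are constructed, and Python's built-in `idna` codec stands in for the RFC 3490 ToASCII step that RFC 5280 section 7.2 cites.

```python
# Added example, not code from the secdir message or any PKIX document. It shows
# two points from the minutes about rfc822Name/dNSName SANs: both are IA5String in
# RFC 5280, so an EAI address with a UTF-8 local-part cannot be encoded at all; and
# RFC 3280-style binary matching vs the RFC 5280 s.7.5 e-mail rule differ on some inputs.
from typing import Optional


def is_ia5(name: str) -> bool:
    """IA5String holds only 7-bit characters; anything else cannot be encoded."""
    return all(ord(ch) < 128 for ch in name)


def domain_to_ascii(domain: str) -> Optional[str]:
    """RFC 5280 section 7.2 host-part handling: IDNA ToASCII per label, then lowercase.
    Python's 'idna' codec implements IDNA2003 (RFC 3490), the version 5280 cites."""
    if not domain:
        return None
    try:
        return domain.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return None  # empty or over-long label, or not IDNA-convertible


def split_addr(addr: str):
    # Split on the last '@'; (None, None) if there is no usable local-part
    local, sep, domain = addr.rpartition("@")
    return (local, domain) if sep and local else (None, None)


def match_binary(a: str, b: str) -> bool:
    """RFC 3280-style comparison: the encoded octets must be identical."""
    return a.encode("utf-8") == b.encode("utf-8")


def match_rfc5280_email(a: str, b: str) -> bool:
    """RFC 5280 section 7.5: local-parts must match exactly; host-parts match after
    IDNA conversion using a case-insensitive ASCII comparison."""
    la, da = split_addr(a)
    lb, db = split_addr(b)
    if la is None or lb is None:
        return False
    ha, hb = domain_to_ascii(da), domain_to_ascii(db)
    return la == lb and ha is not None and ha == hb


if __name__ == "__main__":
    # Constructed sample pairs (not from the minutes)
    pairs = [("User@Example.COM", "User@example.com"),               # host-part case only
             ("user@example.com", "User@example.com"),               # local-part case
             ("user@bücher.example", "user@xn--bcher-kva.example"),  # U-label vs A-label
             ("用户@example.com", "用户@example.com")]                 # EAI local-part
    for a, b in pairs:
        print(f"{a} vs {b}: ia5={is_ia5(a)} binary={match_binary(a, b)} "
              f"rfc5280={match_rfc5280_email(a, b)}")
```

The last pair matches under both rules but fails `is_ia5`, which is the encoding gap the minutes describe; the first and third pairs are where the 3280 and 5280 rules disagree.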