[secdir] PKIX summary

Stephen Kent <kent@bbn.com> Tue, 29 March 2011 10:38 UTC

Return-Path: <kent@bbn.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost []) by core3.amsl.com (Postfix) with ESMTP id CD03F28C108 for <secdir@core3.amsl.com>; Tue, 29 Mar 2011 03:38:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.553
X-Spam-Status: No, score=-102.553 tagged_above=-999 required=5 tests=[AWL=0.046, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([]) by localhost (core3.amsl.com []) (amavisd-new, port 10024) with ESMTP id fdEfLbW1yIc6 for <secdir@core3.amsl.com>; Tue, 29 Mar 2011 03:38:31 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com []) by core3.amsl.com (Postfix) with ESMTP id 6120028C0F5 for <secdir@ietf.org>; Tue, 29 Mar 2011 03:38:31 -0700 (PDT)
Received: from dommiel.bbn.com ([]:55070 helo=[]) by smtp.bbn.com with esmtp (Exim 4.74 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1Q4WLI-000Hyk-Up for secdir@ietf.org; Tue, 29 Mar 2011 06:40:09 -0400
Mime-Version: 1.0
Message-Id: <p06240809c9b6670a7d80@[]>
Date: Tue, 29 Mar 2011 06:40:05 -0400
To: secdir@ietf.org
From: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Subject: [secdir] PKIX summary
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Mar 2011 10:38:32 -0000

About 47 individuals attended the PKIX meeting on Monday.

We reviewed document status (two in the RFC editors queue), and
5 in process in the WG.

Jim Schaad described his S/MIME capabilities doc, which is ready for WGLC.
He noted that the data structure defined therein might be a better choice
for the OCSP algorithm offering description. if we elect to adopt 
this would require that we revise the OCSP agility doc, which is 
already in the RFC Editor's queue. Tim Polk suggested that if the WG 
wants to make this change, he can probably persuade the IESG to allow 
this as an Auth_48 change.

Alexey Melinkov noted that the EAI WG is completing a revision RFC 
5335bis and RFC 5336bis. These changes will allow UTF-8 characters on 
both sides of the "@" in an e-mail address. RFC 5280 defines an 
RFC822 address as an SAN, but does not define addresses relative to 
UTF-8 encoding. Thus Alexey would like to see an update to 5280 that 
extends these two SANs to allow for UTF-8 encoding.  In the past we 
have seen a lack of widespread vendor support for UTF-8 in 
certificates (in DNs). Most recently it appeared that few RPs 
supported the matching rules that 5280 defines, in lieu of the 
simple, binary matching rules that were defined in 3280. This may 
argue for a return to the older, simple rules, if we want to support 
UTF-8 in these two SANs Paul argued that the alias issue is a red 
herring, since we may already have this problem, .e.g., foo.com and 
foo.net. So, we can bring to the list the topic of an update to 5280 
that makes UTF-8 support a SHOULD in DNS and e-mail address SANs, and 
to revert to the simpler matching rules.

The meeting ended with a presentation by Joe Salowey, discussing a 
proposal to pursue development of a lightweight cert management 
protocol, based on CMS. There was enthusiasm for this work, but also 
a lot of questions, e.g., what cert management functions will be 
supported and what are the primary use cases? Nonetheless, this is an 
interesting topic and it is likely that PKIX will pursue this effort.

Steve Kent
Stefan Santesson