IETF Logo Mail Archive

Re: [secdir] Secdir review of draft-ietf-sidr-res-certs

Martin Rex <mrex@sap.com> Fri, 11 March 2011 05:00 UTC

Return-Path: <mrex@sap.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0FA0D3A6AD5; Thu, 10 Mar 2011 21:00:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.223
X-Spam-Level:
X-Spam-Status: No, score=-10.223 tagged_above=-999 required=5 tests=[AWL=0.026, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JzF3FezuaZV0; Thu, 10 Mar 2011 21:00:32 -0800 (PST)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id DD8593A680D; Thu, 10 Mar 2011 21:00:31 -0800 (PST)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id p2B4whgu000351 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 11 Mar 2011 05:58:48 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <201103110458.p2B4wgaa024318@fs4113.wdf.sap.corp>
To: kent@bbn.com
Date: Fri, 11 Mar 2011 05:58:42 +0100
In-Reply-To: <p06240804c99f16612cae@[10.84.130.113]> from "Stephen Kent" at Mar 10, 11 07:21:22 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
X-Mailman-Approved-At: Fri, 11 Mar 2011 08:19:10 -0800
Cc: draft-ietf-sidr-res-certs@tools.ietf.org, hartmans-ietf@mit.edu, ietf@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Secdir review of draft-ietf-sidr-res-certs
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Mar 2011 05:00:33 -0000

Stephen Kent wrote:
> 
> n to act as CAs , and we want to limit their liability. 
> One way to do this is to restrict the fields and extensions in 
> resource certs to make then not very useful for other applications. 

A CA should never sign extensions that it doesn't understand.
Why has the RP to be bothered with this?

A request "everything must be considered critical, even if not marked
as such" implies that every conceivable extension can only be a constraint.

With its original meaning, the "ciriticality" flag could be used to sort
extensions into "constraints" (critical) and "capabilities" (non-critical).

The problem with newly inventend constraints is that they require flag days.
capabilities do not suffer from this, and allow for a smoother migration.


> 
> I also note that we want to impose these constraints on both CAs and 
> RPs, because we have lots of examples of CAs issuing "bad" certs, 
> accidentally. se want to use RP strictness to help "motivate" CAs to 
> do the right thing :-).

I don't think that this idea will work.
The consumers of the technology will want things to interoperate,
not to fail.  And implementations will provide the necessary workarouds.

Besides, such an idea is in conflict with rfc-2119 section 6

6. Guidance in the use of these Imperatives

   ... they must not be used to try to impose a particular method
   on implementors where the method is not required for interoperability.


-Martin

v2.23.0 | Report a Bug | By Email