Re: [secdir] [lamps] Secdir last call review of draft-ietf-lamps-hash-of-root-key-cert-extn-03

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 09 January 2019 01:59 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED98F12F1A5; Tue, 8 Jan 2019 17:59:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.89
X-Spam-Level:
X-Spam-Status: No, score=-1.89 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eoVMKMOl7NDo; Tue, 8 Jan 2019 17:59:21 -0800 (PST)
Received: from che.mayfirst.org (che.mayfirst.org [IPv6:2001:470:1:116::7]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7598512F1A2; Tue, 8 Jan 2019 17:59:21 -0800 (PST)
Received: from fifthhorseman.net (unknown [IPv6:2001:470:1f07:60d:b4c1:b6ff:fe27:67bb]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id DDE04F99B; Tue, 8 Jan 2019 20:58:48 -0500 (EST)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 8FFAC202B4; Tue, 8 Jan 2019 13:55:32 -0500 (EST)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Russ Housley <housley@vigilsec.com>, Adam Montville <adam.w.montville@gmail.com>
Cc: spasm@ietf.org, draft-ietf-lamps-hash-of-root-key-cert-extn.all@ietf.org, IETF <ietf@ietf.org>, IETF SecDir <secdir@ietf.org>
In-Reply-To: <38C4C1A8-42E9-4F50-B4F1-356909D81AC9@vigilsec.com>
References: <154695697211.25494.5342366287090150478@ietfa.amsl.com> <38C4C1A8-42E9-4F50-B4F1-356909D81AC9@vigilsec.com>
Date: Tue, 08 Jan 2019 13:55:28 -0500
Message-ID: <877effhtcv.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/pWUiFFArdKha8wUicW6T7a9ALZY>
Subject: Re: [secdir] [lamps] Secdir last call review of draft-ietf-lamps-hash-of-root-key-cert-extn-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Jan 2019 01:59:23 -0000

On Tue 2019-01-08 12:33:45 -0500, Russ Housley wrote:
>    Guidance on the transition from one trust anchor to another is
>    available in Section 4.4 of [RFC4210].  In particular, the oldWithNew
>    and newWithOld advice ensures that relying parties are able to
>    validate certificates issued under the current Root CA certificate
>    and the next generation Root CA certificate throughout the
>    transition.  Further, this advice avoids the need for all relying
>    parties to make the transition at the same time.

I'm not convinced that this analysis is correct, as i tried to explain
in more detail in Message-Id: <87k1jlnxnu.fsf@fifthhorseman.net>;.

I hope my analysis in that e-mail is wrong, but i've received no
feedback on it yet.

Maybe some additional guidance about which parties should ship which
certificates in which contexts would clarify matters?  Or maybe i'm just
missing something obvious to other people -- i'd be happy to see a
clarification.

Regards,

         --dkg