Re: [lamps] [pkix] Considerations and Clarifications about draft-nir-saag-star-01

Stefan Santesson <stefan@aaa-sec.com> Tue, 27 March 2018 11:10 UTC

Date: Tue, 27 Mar 2018 13:10:02 +0200
From: Stefan Santesson <stefan@aaa-sec.com>
To: "Dr. Pala" <director@openca.org>, LAMPS <spasm@ietf.org>
Message-ID: <C115B6E7-A238-44C9-80C2-223A243C0839@aaa-sec.com>
Thread-Topic: [pkix] Considerations and Clarifications about draft-nir-saag-star-01
References: <bec28481-d4ff-5e6f-48bc-59c55c385321@openca.org>
In-Reply-To: <bec28481-d4ff-5e6f-48bc-59c55c385321@openca.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/eJ8Xp5HyPjIMaWEDkRIp2gosWp4>
Subject: Re: [lamps] [pkix] Considerations and Clarifications about draft-nir-saag-star-01

Hi,

I think this discussion underlines my argument to rescope this effort from “short-lived” certificates to “no-revocation” certificates.

The concept of “short-lived” is filled with policy considerations that we can battle forever. Things like what actually is “short” and how short is good enough to skip revocation are impossible to agree on. And there is no need to agree on that. At least not in the IETF.

CAB Forum and other policy related forums may want to agree on that, but not IETF.

There may be a number of good reasons to provide certificates with no revocation. One such reason is if the private key is used only once and then destroyed in a secure and controlled fashion.

/Stefan