Re: [lamps] WG Last call: draft-ietf-lamps-hash-of-root-key-cert-extn
Jim Schaad <ietf@augustcellars.com> Tue, 06 November 2018 12:24 UTC
Return-Path: <ietf@augustcellars.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9778112958B for <spasm@ietfa.amsl.com>; Tue, 6 Nov 2018 04:24:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n67wWF7sraOu for <spasm@ietfa.amsl.com>; Tue, 6 Nov 2018 04:24:12 -0800 (PST)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 35D2A12D4F1 for <spasm@ietf.org>; Tue, 6 Nov 2018 04:24:12 -0800 (PST)
Received: from Jude (43.249.105.152) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Tue, 6 Nov 2018 04:18:56 -0800
From: Jim Schaad <ietf@augustcellars.com>
To: 'Russ Housley' <housley@vigilsec.com>
CC: 'SPASM' <spasm@ietf.org>
References: <BN6PR14MB1106CF89BEC31A9D837A3A5383F30@BN6PR14MB1106.namprd14.prod.outlook.com> <014401d47581$5fe919d0$1fbb4d70$@augustcellars.com> <7104A92B-DC98-4E58-A50A-D470E8E4A0B9@vigilsec.com> <016001d4758c$67daa2c0$378fe840$@augustcellars.com> <0871B813-F7BE-470D-AE97-6F5B62CDA7C3@vigilsec.com> <019601d475b9$578c9ea0$06a5dbe0$@augustcellars.com> <E77C61DD-E953-438A-A020-319F74C656BD@vigilsec.com>
In-Reply-To: <E77C61DD-E953-438A-A020-319F74C656BD@vigilsec.com>
Date: Tue, 06 Nov 2018 19:23:40 +0700
Message-ID: <01ba01d475cb$8ef10cc0$acd32640$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_01BB_01D47606.3B519270"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQJLwZVoNyKH0k+Ca89z5ljDodd25QLXeOc8AOBEjwsBky5VHwI0uZGRAqb9qY4CXp3voKPv6dKw
Content-Language: en-us
X-Originating-IP: [43.249.105.152]
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/xU9RFujooVPD8sVQZj_F_H5Fjrs>
Subject: Re: [lamps] WG Last call: draft-ietf-lamps-hash-of-root-key-cert-extn
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Nov 2018 12:24:16 -0000
Yes that satisfies my concern. From: Russ Housley <housley@vigilsec.com> Sent: Tuesday, November 6, 2018 6:07 PM To: Jim Schaad <ietf@augustcellars.com> Cc: SPASM <spasm@ietf.org> Subject: Re: [lamps] WG Last call: draft-ietf-lamps-hash-of-root-key-cert-extn Jim: * Section 2 - What operational considerations are there for when to retire the old Root CA certificate when a new one has been discovered and is to be used? I'm not sure what you are requesting. Install the new one, and remove the old one? When you install the new one, I don't believe that you are going to remove the old one. There are still going to be valid certificates running around that will chain to the old root until you have done all of the issuing of certificates to the new root. This is going to take time. Additionally, if you are looking at something like the mail case you want to keep the old root but mark it as being "expired" so that you can validate the chain of certificates. If one follows the old-with-new and new-with-old advice in RFC 2510, then the replacement should not cause any disruption. If you think it is useful, an operational consideration about this can be added. This means that it might be some time before the old one is removed. It should not need to linger... Since it was not obvious to me, then yes the hint should be included. Does this text address your concern: 5. Operational Considerations Guidance on the transition from one trust anchor to another is available in [RFC2510]. In particular, the oldWithNew and newWithOld advice ensures that relying parties are able to validate certificates issued under the current Root CA certificate and the next generation Root CA certificate throughout the transition. Further, this technique ovoids the need for all relying parties to make the transition at the same time. Russ
- [lamps] WG Last call: draft-ietf-lamps-hash-of-ro… Tim Hollebeek
- Re: [lamps] WG Last call: draft-ietf-lamps-hash-o… Russ Housley
- Re: [lamps] WG Last call: draft-ietf-lamps-hash-o… Tim Hollebeek
- Re: [lamps] WG Last call: draft-ietf-lamps-hash-o… Salz, Rich
- Re: [lamps] WG Last call: draft-ietf-lamps-hash-o… Russ Housley
- Re: [lamps] WG Last call: draft-ietf-lamps-hash-o… Jim Schaad
- Re: [lamps] WG Last call: draft-ietf-lamps-hash-o… Jim Schaad
- Re: [lamps] WG Last call: draft-ietf-lamps-hash-o… Russ Housley
- Re: [lamps] WG Last call: draft-ietf-lamps-hash-o… Jim Schaad
- Re: [lamps] WG Last call: draft-ietf-lamps-hash-o… Russ Housley
- Re: [lamps] WG Last call: draft-ietf-lamps-hash-o… Russ Housley
- Re: [lamps] WG Last call: draft-ietf-lamps-hash-o… Jim Schaad
- Re: [lamps] WG Last call: draft-ietf-lamps-hash-o… Russ Housley
- Re: [lamps] WG Last call: draft-ietf-lamps-hash-o… Jim Schaad