Re: [therightkey] review of draft-laurie-pki-sunlight-03

Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 19 December 2012 12:47 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D7A821F8AD8 for <therightkey@ietfa.amsl.com>; Wed, 19 Dec 2012 04:47:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.299
X-Spam-Level:
X-Spam-Status: No, score=-102.299 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, J_CHICKENPOX_52=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qMYZuENQN-AC for <therightkey@ietfa.amsl.com>; Wed, 19 Dec 2012 04:47:56 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) by ietfa.amsl.com (Postfix) with ESMTP id 6314221F8AC4 for <therightkey@ietf.org>; Wed, 19 Dec 2012 04:47:56 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 58932BE29; Wed, 19 Dec 2012 12:47:34 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c8tSywJmXH9h; Wed, 19 Dec 2012 12:47:33 +0000 (GMT)
Received: from [IPv6:2001:770:10:203:2c02:cb9b:fa9d:a3bb] (unknown [IPv6:2001:770:10:203:2c02:cb9b:fa9d:a3bb]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 771C0BE20; Wed, 19 Dec 2012 12:47:33 +0000 (GMT)
Message-ID: <50D1B765.3000803@cs.tcd.ie>
Date: Wed, 19 Dec 2012 12:47:33 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/17.0 Thunderbird/17.0
MIME-Version: 1.0
To: Ben Laurie <benl@google.com>
References: <50CE7B39.8040703@cs.tcd.ie> <CABrd9STezrpPs_0nb345MD+NPLkM=_ePpQocrNoXPKJCD14vUA@mail.gmail.com>
In-Reply-To: <CABrd9STezrpPs_0nb345MD+NPLkM=_ePpQocrNoXPKJCD14vUA@mail.gmail.com>
X-Enigmail-Version: 1.4.6
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: Emilia Kasper <ekasper@google.com>, "therightkey@ietf.org" <therightkey@ietf.org>, Adam Langley <agl@google.com>
Subject: Re: [therightkey] review of draft-laurie-pki-sunlight-03
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Dec 2012 12:47:57 -0000

Just the bits where there's something to say:

On 12/19/2012 12:17 PM, Ben Laurie wrote:
> On 17 December 2012 01:54, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> 
>> - Where're the OIDs in 3.1 and 3.2 registered? They should be
>> in the some registry I guess.
>>
>> - 3.1, shameless self-promotion - draft-farrell-decade-ni has
>> a way to hash public keys:-) Yes, filling in the TODO is
>> needed.
> 
> Am I allowed to refer to I-Ds?

You could. However, my I-D is gonna be stuck for a while
since it has a normative dependency on http/1.1 drafts so
unfortunately you're probably better to just copy the bit
of text you need from there, if you want to use it. If
you do that you could copy what you need and add an
informative reference and it could all be fixed up later
without slowing down your RFC.

Or you could refer to DANE [rfc6698] assuming you hash
the SPKI which both my draft and DANE do.

>> - intro, para 2: I'd avoid the word "prove" since mistakes can
>> be made (e.g. a clock might be off)
> 
> I am slightly at a loss for a better word here!

s/prove/provide strong evidence /  maybe

>> - 3.1, why "0..." for X509ChainEntry and "1.." for
>> PrecertChainEntry? You probably ought say and that might need
>> to change if you change the "same CA issued both EE cert and
>> precert-signing-cert" rule.
> 
> I can't parse this!

Can't say I blame you, wonder who typed that silly comment;-)

It was this bit that triggered the comment:

    struct {
        ASN.1Cert leaf_certificate;
        ASN.1Cert certificate_chain<0..2^24-1>;
    } X509ChainEntry;

    struct {
        ASN.1Cert tbs_certificate;
        ASN.1Cert precertificate_chain<1..2^24-1>;
    } PrecertChainEntry;


The certificate_chain can be empty but the
precertificate_chain cannot. That's right given the
current spec, but maybe non-obvious.

The 2nd part of the comment was that if you do need
to change the precertificate_chain idea (if the
issuing CA cannot create a precert issuer under itself
e.g. because of a pathLenConstraint) then the
PrecertChainEntry syntax might also have to change.
I dunno if that'd be a real problem now, or only
later, or is just theoretical but I'd say there
will be CAs that can issue TLS server certs but
that cannot issue a sub-ca cert for precertificates.


Cheers,
S.
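The two structs quoted in the mail above differ only in the lower bound of their chain vector: certificate_chain may be empty, precertificate_chain may not. The encoder/decoder below is an added example, not code from the draft, the thread, or any CT implementation; it makes that one difference concrete by enforcing the minimum element count on both the encode and decode paths and by bounding every inner length by the vector that contains it. It assumes the draft's TLS presentation-language encoding, where a vector declared <lo..2^24-1> is serialised as a 3-byte big-endian byte count followed by its elements, and that ASN.1Cert is opaque<1..2^24-1>; the certificate bytes used are constructed placeholders, not real DER.

```python
"""Encoder/decoder for the X509ChainEntry and PrecertChainEntry structs.

Added example, not code from the draft or the thread.  Assumptions: the
draft's TLS presentation-language encoding (a <lo..2^24-1> vector is a
3-byte big-endian byte count followed by its elements) and ASN.1Cert
being opaque<1..2^24-1>.  Certificate bytes below are constructed
placeholders, not DER.
"""

MAX24 = 2**24 - 1  # upper bound of every <..2^24-1> vector in the structs


def _u24(n: int) -> bytes:
    if not 0 <= n <= MAX24:
        raise ValueError("length does not fit in 24 bits")
    return n.to_bytes(3, "big")


def encode_cert(cert: bytes) -> bytes:
    # ASN.1Cert is opaque<1..2^24-1>: an empty certificate is not allowed.
    if not 1 <= len(cert) <= MAX24:
        raise ValueError("ASN.1Cert must be 1..2^24-1 bytes")
    return _u24(len(cert)) + cert


def encode_chain(chain: list, min_count: int) -> bytes:
    # The only difference between the two chain vectors is min_count:
    # certificate_chain<0..> may be empty, precertificate_chain<1..> may not.
    if len(chain) < min_count:
        raise ValueError(f"chain needs at least {min_count} certificate(s)")
    body = b"".join(encode_cert(c) for c in chain)
    return _u24(len(body)) + body


def encode_x509_chain_entry(leaf: bytes, chain: list) -> bytes:
    return encode_cert(leaf) + encode_chain(chain, min_count=0)


def encode_precert_chain_entry(tbs: bytes, chain: list) -> bytes:
    return encode_cert(tbs) + encode_chain(chain, min_count=1)


def _read_u24(buf: bytes, off: int, limit: int) -> tuple:
    if off + 3 > limit:
        raise ValueError("truncated length field")
    return int.from_bytes(buf[off:off + 3], "big"), off + 3


def decode_cert(buf: bytes, off: int, limit: int) -> tuple:
    # `limit` is the end of the enclosing vector, so a certificate's
    # declared length can never reach past the vector it belongs to.
    n, off = _read_u24(buf, off, limit)
    if n < 1 or off + n > limit:
        raise ValueError("bad ASN.1Cert length")
    return buf[off:off + n], off + n


def decode_chain(buf: bytes, off: int, min_count: int) -> tuple:
    n, off = _read_u24(buf, off, len(buf))
    end = off + n
    if end > len(buf):
        raise ValueError("truncated chain vector")
    chain = []
    while off < end:
        cert, off = decode_cert(buf, off, end)
        chain.append(cert)
    if len(chain) < min_count:
        raise ValueError(f"chain needs at least {min_count} certificate(s)")
    return chain, end


def decode_x509_chain_entry(buf: bytes) -> tuple:
    leaf, off = decode_cert(buf, 0, len(buf))
    chain, off = decode_chain(buf, off, min_count=0)
    if off != len(buf):
        raise ValueError("trailing bytes after X509ChainEntry")
    return leaf, chain


def decode_precert_chain_entry(buf: bytes) -> tuple:
    tbs, off = decode_cert(buf, 0, len(buf))
    chain, off = decode_chain(buf, off, min_count=1)
    if off != len(buf):
        raise ValueError("trailing bytes after PrecertChainEntry")
    return tbs, chain


def rejects(fn, *args) -> bool:
    # Report edge-case behaviour as a return value rather than an exception.
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed placeholder "certificates"; real entries carry DER.
    leaf, issuer, tbs = b"LEAF-DER", b"ISSUER-DER", b"TBS-DER"
    print(decode_x509_chain_entry(encode_x509_chain_entry(leaf, [])))
    print(decode_precert_chain_entry(encode_precert_chain_entry(tbs, [issuer])))
    print(rejects(encode_precert_chain_entry, tbs, []))
```

Passing the enclosing vector's end as `limit` into decode_cert is the check a log or monitor parsing untrusted entries wants: an inner length that claims more bytes than its vector holds is rejected instead of silently reading into the next field.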