Re: [therightkey] review of draft-laurie-pki-sunlight-03

Ben Laurie <benl@google.com> Wed, 19 December 2012 13:41 UTC

In-Reply-To: <50D1B765.3000803@cs.tcd.ie>
References: <50CE7B39.8040703@cs.tcd.ie> <CABrd9STezrpPs_0nb345MD+NPLkM=_ePpQocrNoXPKJCD14vUA@mail.gmail.com> <50D1B765.3000803@cs.tcd.ie>
Date: Wed, 19 Dec 2012 13:41:44 +0000
Message-ID: <CABrd9SR90RYcmkXXo-cW_0RpVK6HU=Cqd_S85NRZU9dxiNwsFg@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Emilia Kasper <ekasper@google.com>, "therightkey@ietf.org" <therightkey@ietf.org>, Adam Langley <agl@google.com>
Subject: Re: [therightkey] review of draft-laurie-pki-sunlight-03

On 19 December 2012 12:47, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
>
> Just the bits where there's something to say:
>
> On 12/19/2012 12:17 PM, Ben Laurie wrote:
>> On 17 December 2012 01:54, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
>>
>>> - Where're the OIDs in 3.1 and 3.2 registered? They should be
>>> in some registry I guess.
>>>
>>> - 3.1, shameless self-promotion - draft-farrell-decade-ni has
>>> a way to hash public keys:-) Yes, filling in the TODO is
>>> needed.
>>
>> Am I allowed to refer to I-Ds?
>
> You could. However, my I-D is gonna be stuck for a while
> since it has a normative dependency on http/1.1 drafts so
> unfortunately you're probably better to just copy the bit
> of text you need from there, if you want to use it. If
> you do that you could copy what you need and add an
> informative reference and it could all be fixed up later
> without slowing down your RFC.
>
> Or you could refer to DANE [rfc6698] assuming you hash
> the SPKI which both my draft and DANE do.

For a single sentence it seems simpler to just say it again!

>>> - intro, para 2: I'd avoid the word "prove" since mistakes can
>>> be made (e.g. a clock might be off)
>>
>> I am slightly at a loss for a better word here!
>
> s/prove/provide strong evidence /  maybe

OK.

>
>>> - 3.1, why "0..." for X509ChainEntry and "1.." for
>>> PrecertChainEntry? You probably ought say and that might need
>>> to change if you change the "same CA issued both EE cert and
>>> precert-signing-cert" rule.
>>
>> I can't parse this!
>
> Can't say I blame you, wonder who typed that silly comment;-)
>
> It was this bit that triggered the comment:
>
>     struct {
>            ASN.1Cert leaf_certificate;
>            ASN.1Cert certificate_chain<0..2^24-1>;
>        } X509ChainEntry;
>
>        struct {
>            ASN.1Cert tbs_certificate;
>            ASN.1Cert precertificate_chain<1..2^24-1>;
>        } PrecertChainEntry;
>
> The certificate_chain can be empty but the
> precertificate_chain cannot. That's right given the
> current spec, but maybe non-obvious.
>
> The 2nd part of the comment was that if you do need
> to change the precertificate_chain idea (if the
> issuing CA cannot create a precert issuer under itself
> e.g. because of a pathLenConstraint) then the
> PrecertChainEntry syntax might also have to change.
> I dunno if that'd be a real problem now, or only
> later, or is just theoretical but I'd say there
> will be CAs that can issue TLS server certs but
> that cannot issue a sub-ca cert for precertificates.

Well, in response to Rob's comment I'm going to have to change this anyway :-)
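The point Stephen raises about the two quoted structs, that certificate_chain<0..2^24-1> may be empty while precertificate_chain<1..2^24-1> may not, is easiest to see in a small encoder/decoder. The following Python is an added example written for this page; it is not code from the thread, from the draft, or from any CT implementation. It assumes TLS presentation-language vector rules (a vector with ceiling 2^24-1 carries a 3-byte big-endian length prefix) and treats ASN.1Cert as opaque<1..2^24-1>; that inner bound is an assumption, not something quoted in the thread. The certificate values are constructed placeholder byte strings, not real DER.

```python
# Added example (not from the thread or the draft): encode/decode the two
# CT log entry structs quoted above, enforcing each vector's declared bounds.

MAX24 = 2 ** 24 - 1  # ceiling for both chain vectors in the quoted structs


class VectorError(ValueError):
    """Raised when a vector violates its <floor..ceiling> bound or is truncated."""


def _encode_vector(payload: bytes, floor: int, ceiling: int) -> bytes:
    """Encode opaque<floor..ceiling>: 3-byte big-endian length, then payload.
    Assumption: a ceiling of 2^24-1 implies a 24-bit length prefix."""
    if not floor <= len(payload) <= ceiling:
        raise VectorError(f"length {len(payload)} outside <{floor}..{ceiling}>")
    return len(payload).to_bytes(3, "big") + payload


def _decode_vector(buf: bytes, off: int, floor: int, ceiling: int):
    """Decode one vector starting at `off`; return (payload, new_offset)."""
    if off + 3 > len(buf):
        raise VectorError("truncated length prefix")
    n = int.from_bytes(buf[off:off + 3], "big")
    if not floor <= n <= ceiling:
        raise VectorError(f"length {n} outside <{floor}..{ceiling}>")
    off += 3
    if off + n > len(buf):
        raise VectorError("truncated vector body")
    return buf[off:off + n], off + n


# ASN.1Cert treated as opaque<1..2^24-1>: a DER blob that cannot be empty.
# This inner bound is an assumption, not quoted in the thread.
def _encode_cert(der: bytes) -> bytes:
    return _encode_vector(der, 1, MAX24)


def _decode_cert(buf: bytes, off: int):
    return _decode_vector(buf, off, 1, MAX24)


def _encode_chain(certs, floor: int) -> bytes:
    """ASN.1Cert chain<floor..2^24-1>: the bound is on the byte length of the
    concatenated certs, so an empty list is legal for floor=0 but not floor=1."""
    body = b"".join(_encode_cert(c) for c in certs)
    return _encode_vector(body, floor, MAX24)


def _decode_chain(buf: bytes, off: int, floor: int):
    body, off = _decode_vector(buf, off, floor, MAX24)
    certs, pos = [], 0
    while pos < len(body):
        cert, pos = _decode_cert(body, pos)
        certs.append(cert)
    return certs, off


def encode_x509_chain_entry(leaf: bytes, chain) -> bytes:
    """X509ChainEntry { leaf_certificate; certificate_chain<0..2^24-1>; }"""
    return _encode_cert(leaf) + _encode_chain(chain, 0)


def decode_x509_chain_entry(buf: bytes):
    leaf, off = _decode_cert(buf, 0)
    chain, off = _decode_chain(buf, off, 0)
    if off != len(buf):
        raise VectorError("trailing bytes after X509ChainEntry")
    return leaf, chain


def encode_precert_chain_entry(tbs: bytes, chain) -> bytes:
    """PrecertChainEntry { tbs_certificate; precertificate_chain<1..2^24-1>; }"""
    return _encode_cert(tbs) + _encode_chain(chain, 1)


def decode_precert_chain_entry(buf: bytes):
    tbs, off = _decode_cert(buf, 0)
    chain, off = _decode_chain(buf, off, 1)
    if off != len(buf):
        raise VectorError("trailing bytes after PrecertChainEntry")
    return tbs, chain


# Constructed placeholder blobs standing in for DER certificates.
LEAF = b"constructed-leaf-cert"
ISSUER = b"constructed-issuer-cert"
TBS = b"constructed-tbs-cert"


def precert_entry_accepts_empty_chain() -> bool:
    """True only if an empty precertificate_chain survives encode + decode;
    the <1..2^24-1> bound makes this False."""
    try:
        decode_precert_chain_entry(encode_precert_chain_entry(TBS, []))
        return True
    except VectorError:
        return False


if __name__ == "__main__":
    print(decode_x509_chain_entry(encode_x509_chain_entry(LEAF, [])))
    print(decode_x509_chain_entry(encode_x509_chain_entry(LEAF, [ISSUER])))
    print(decode_precert_chain_entry(encode_precert_chain_entry(TBS, [ISSUER])))
    print("empty precert chain accepted:", precert_entry_accepts_empty_chain())
```

The decoder rejects a hand-built PrecertChainEntry whose chain length field is zero for the same reason the encoder refuses to produce one, which is the asymmetry Stephen points out: a log that accepted the empty chain would have no issuer material to validate the precert-signing path against.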