IETF Logo Mail Archive

Re: [therightkey] [pkix] Proposal for working on PKIX revocation open issues

Nico Williams <nico@cryptonector.com> Mon, 17 November 2014 17:47 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 222331A0302 for <therightkey@ietfa.amsl.com>; Mon, 17 Nov 2014 09:47:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.044
X-Spam-Level:
X-Spam-Status: No, score=-1.044 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yLTh_GGtVQgf for <therightkey@ietfa.amsl.com>; Mon, 17 Nov 2014 09:47:43 -0800 (PST)
Received: from homiemail-a86.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 910F21A026A for <therightkey@ietf.org>; Mon, 17 Nov 2014 09:47:43 -0800 (PST)
Received: from homiemail-a86.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a86.g.dreamhost.com (Postfix) with ESMTP id 6E5B2360072 for <therightkey@ietf.org>; Mon, 17 Nov 2014 09:47:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type; s=cryptonector.com; bh=8xqnKjcIBAkE7mPvS2ym aqKhlxM=; b=pGzKRnB4uBUg0//C3Kl+yEag1gAApfnlI7qCrMkJUkvK74C5WP1I r8K7FNhEUKk2Cv6i9g3qs0FF/YWrqAHVkT0/urFQEsugssQQy4A4mb9KhDFzs+dm Ui6UuPNY/65R3QlQmRk0Qo63h2arG5caXK9mxhpGCnhyoGSEiu3fjaI=
Received: from mail-wi0-f180.google.com (mail-wi0-f180.google.com [209.85.212.180]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a86.g.dreamhost.com (Postfix) with ESMTPSA id 44B5936006B for <therightkey@ietf.org>; Mon, 17 Nov 2014 09:47:43 -0800 (PST)
Received: by mail-wi0-f180.google.com with SMTP id n3so2586181wiv.1 for <therightkey@ietf.org>; Mon, 17 Nov 2014 09:47:42 -0800 (PST)
MIME-Version: 1.0
X-Received: by 10.194.2.244 with SMTP id 20mr41319593wjx.4.1416246462198; Mon, 17 Nov 2014 09:47:42 -0800 (PST)
Received: by 10.216.32.135 with HTTP; Mon, 17 Nov 2014 09:47:42 -0800 (PST)
In-Reply-To: <CAMm+Lwg30tb+yFxVMG3qJ=_fjVT=ASqUmaf9gH8wpUhUGxgf6A@mail.gmail.com>
References: <5466AF87.2050307@gmail.com> <CAMm+Lwg30tb+yFxVMG3qJ=_fjVT=ASqUmaf9gH8wpUhUGxgf6A@mail.gmail.com>
Date: Mon, 17 Nov 2014 11:47:42 -0600
Message-ID: <CAK3OfOionKNtMRv+bFqY=yN1x+VQNwzraOBF-NSsdnSu6dOA5w@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/therightkey/qc0hWbL6jtIn-oiyeXNeflo4B9A
Cc: "therightkey@ietf.org" <therightkey@ietf.org>
Subject: Re: [therightkey] [pkix] Proposal for working on PKIX revocation open issues
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey/>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Nov 2014 17:47:45 -0000

On Sat, Nov 15, 2014 at 3:56 PM, Phillip Hallam-Baker
<phill@hallambaker.com> wrote:
>> (a) Defining new transport protocols for revocation information availability
>> (e.g., OCSP over DNS or OCSP over LDAP)
>
> There is already a mechanism for transporting certs over LDAP. I am
> pretty sure the folk who do that sort of thing have done the OCSP in
> LDAP thing already.
>
> I don't see a future for LDAP as an Internet protocol though. LDAP

Indeed, but it is an Internet protocol that is widely used in the enterprise.

> introduces a completely gratuitous name infrastructure (X.500) that

Eh?!  It's the same [busted, obnoxious, unworkable, <fill-in-curses>]
naming model as PKIX.  RFC4514 is a great demonstration of what a
disaster X.500 naming is, but don't be fooled by the "LDAP" in the
title: it's as good a demo of X.509's disastrous naming.

> adds no value other than to the consultants who can spin a 3 week
> consulting gig bikeshedding the DIT with the customer. Nobody has ever
> explained an advantage to me of LDAP over HTTP and a well-known
> service convention.

LDAP is hardly my favorite protocol.  Its biggest sin is really not
its fault, but the implementors, who have by and large adopted the
LDAP representation of "objects" as their native representation of the
same, losing a lot of relational power in the process.  The other
problem is that LDAP's is a poor query language.

As for HTTP...  HTTP doesn't do what LDAP does.  One could define a
DAP over HTTP (an "API"), and that'd be a fine thing.

>> (c) (Possibly) helping other working groups to revise and update how
>> revocation information are provided (e.g., the client authentication case)
>
> CRLs probably work just fine for servers validating private label client certs.

Yes.

> I have a different set of proposals:
>
> 1) Stapled OCSP with MUST-STAPLE OID
> 2) Short lived Certificates
>   2a) With the same key
>   2b) With different keys
> 3) CRLs with HBS compression.

+1

Nico
--

v2.23.0 | Report a Bug | By Email