[TLS] Re: Review of draft-ietf-tls-openpgp-keys-08

Simon Josefsson <jas@extundo.com> Wed, 17 May 2006 16:58 UTC

Received: from [] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FgPLh-0001Tq-Qb; Wed, 17 May 2006 12:58:13 -0400
Received: from [] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FgPLg-0001Tl-Bx for tls@lists.ietf.org; Wed, 17 May 2006 12:58:12 -0400
Received: from ([] helo=yxa.extundo.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FgPLf-0002n7-UK for tls@lists.ietf.org; Wed, 17 May 2006 12:58:12 -0400
Received: from localhost.localdomain (yxa.extundo.com []) (authenticated bits=0) by yxa.extundo.com (8.13.4/8.13.4/Debian-3sarge1) with ESMTP id k4HGw2ES018980 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 17 May 2006 18:58:05 +0200
From: Simon Josefsson <jas@extundo.com>
To: Eric Rescorla <ekr@networkresonance.com>
References: <20060517163805.9811E22245C@laser.networkresonance.com>
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
X-Hashcash: 1:22:060517:ekr@networkresonance.com::Vb49l82LkM9CDv+m:/pD
X-Hashcash: 1:22:060517:tls@lists.ietf.org::1rOnENs4OMHq4uQd:68fB
Date: Wed, 17 May 2006 18:58:02 +0200
In-Reply-To: <20060517163805.9811E22245C@laser.networkresonance.com> (Eric Rescorla's message of "Wed, 17 May 2006 09:31:41 -0700")
Message-ID: <87u07oio6d.fsf@latte.josefsson.org>
User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/22.0.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Spam-Status: No, score=-2.4 required=5.0 tests=AWL,BAYES_00, FORGED_RCVD_HELO autolearn=ham version=3.1.0
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on yxa-iv
X-Virus-Scanned: ClamAV version 0.88.2, clamav-milter version 0.88.2 on yxa.extundo.com
X-Virus-Status: Clean
X-Spam-Score: 0.1 (/)
X-Scan-Signature: 39bd8f8cbb76cae18b7e23f7cf6b2b9f
Cc: tls@lists.ietf.org
Subject: [TLS] Re: Review of draft-ietf-tls-openpgp-keys-08
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

Eric Rescorla <ekr@networkresonance.com> writes:

> Simon Josefsson <jas@extundo.com> wrote:
>> Eric Rescorla <ekr@networkresonance.com> writes:
>> > It's not undocumented. It's "add these certs to your bucket of certs"
>> > and use them in whatever resolution mechanism you have.
>> How are clients and servers, respectively, supposed to figure out
>> which keys to include?
>> Presumably, they should not send their entire key ring, right?  Some
>> properties of the resolution algorithms appear to be needed to pick
>> the "appropriate" keys, and limit the set of keys to send.
>> Compare RFC 4346, which says on X.509 certs:
>>    certificate_list
>>       This is a sequence (chain) of X.509v3 certificates.  The sender's
>>       certificate must come first in the list.  Each following
>>       certificate must directly certify the one preceding it.  Because
>>       certificate validation requires that root keys be distributed
>>       independently, the self-signed certificate that specifies the root
>>       certificate authority may optionally be omitted from the chain,
>>       under the assumption that the remote end must already possess it
>>       in order to validate it in any case.
>> What I'm looking for are similar guidelines to decide which OpenPGP
>> keys to include, but I'm skeptical about the existence of useful such
>> guidelines.
> Rather than arguing about whether such rules are possible (though 
> I think they are in practice), why don't we see if Pasi wants to
> try to write something?

Yup, agreed.


TLS mailing list