Re: [TLS] [pkix] New version of Multiple OCSP mode of Certificate

Peter Gutmann <pgut001@cs.auckland.ac.nz> Thu, 05 August 2010 11:01 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: mrex@sap.com
In-Reply-To: <201008041958.o74JwjlN012045@fs4113.wdf.sap.corp>
Message-Id: <E1OgyCZ-0007rq-7l@wintermute02.cs.auckland.ac.nz>
Date: Thu, 05 Aug 2010 23:01:31 +1200
Cc: pkix@ietf.org, tls@ietf.org
Subject: Re: [TLS] [pkix] New version of Multiple OCSP mode of Certificate

Martin Rex <mrex@sap.com> writes:

>I don't know who invented the concept of automatic AIA retrieval, but my
>personal intuition points to the S/Mime camp.  S/Mime is notoriously broken
>as far as the inclusion of certificates is concerned (being a heritage from
>PKCS#7).

I doubt very much it was S/MIME; S/MIME includes every cert needed along with
the message, to the point of specifying what's included as a SET OF rather
than a cert chain and explicitly allowing the inclusion of additional certs
that the sender may think are useful.  Just because they're not on the CC list
doesn't mean you can blame something like this on them...

>S/Mime and CMS are foobar.
>
>[...]
>
>AIA is a pretty dangerous idea designed to work around design flaws of an
>installed base of PKCS#7/CMS/SMime.

Did S/MIME spill its beer on you in a bar or something? :-).

Peter.