Re: [TLS] OpenPGP and TLS cert_type code point reuse

Paul Hoffman <> Thu, 30 September 2010 17:46 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6DD303A6D11 for <>; Thu, 30 Sep 2010 10:46:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -101.361
X-Spam-Status: No, score=-101.361 tagged_above=-999 required=5 tests=[AWL=0.685, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id af+qgwVOY2u9 for <>; Thu, 30 Sep 2010 10:46:03 -0700 (PDT)
Received: from (Hoffman.Proper.COM []) by (Postfix) with ESMTP id 5CA243A6CC8 for <>; Thu, 30 Sep 2010 10:46:03 -0700 (PDT)
Received: from [] ( []) (authenticated bits=0) by (8.14.4/8.14.3) with ESMTP id o8UHk9Nu049793 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 30 Sep 2010 10:46:10 -0700 (MST) (envelope-from
Mime-Version: 1.0
Message-Id: <p06240804c8ca7d0dbafe@[]>
In-Reply-To: <>
References: <> <p06240803c8ca5a5b9904@[]> <>
Date: Thu, 30 Sep 2010 10:46:07 -0700
To: Nikos Mavrogiannopoulos <>,
From: Paul Hoffman <>
Content-Type: text/plain; charset="us-ascii"
Subject: Re: [TLS] OpenPGP and TLS cert_type code point reuse
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 30 Sep 2010 17:46:04 -0000

At 7:26 PM +0200 9/30/10, Nikos Mavrogiannopoulos wrote:
>On 09/30/2010 05:18 PM, Paul Hoffman wrote:
>> At 9:11 AM -0400 9/30/10, Sean Turner wrote:
> >> draft-mavrogiannopoulos-rfc5081bis reuses the Certificate Type value assigned in RFC 5081 (it's 1).  The extension defined in draft-mavrogiannopoulos-rfc5081bis is not backwards compatible with RFC 5081.  If there were many implementations, then I'd be concerned about reusing the value.  The authors (and I) don't think there are any implementations other than GnuTLS, but I'd like to know if anybody knows of TLS implementations that support RFC 5081.
>> Given that there is a known implementation of 5081, and given that GnuTLS is reasonably well-deployed, why doesn't draft-mavrogiannopoulos-rfc5081bis simply use a new certificate type number? So far, only 2 out of >200 have been allocated, so there is no shortage.
>The problem is not strictly on the reusal of the extension but on the
>reusal of the OpenPGP CertificateType, but the idea is the same. The
>problem is that this reuse was made quite long ago in gnutls (when
>draft-mavrogiannopoulos-rfc5081bis-01 appeared), thus having all gnutls
>releases follow that approach since then.
>The reason we don't change that now is that will make the draft
>incompatible with gnutls openpgp support, which is supposed to describe
>(this is an informational RFC and not standards track). Hence if there
>are not any other implementations following RFC5081 this will have
>no side effects.

If the implementer of GnuTLS has already made the non-backwards-compatible change (yuck), *and no one else is doing the original 5081*, then reuse sounds like the better choice.

--Paul Hoffman, Director
--VPN Consortium