Re: [TLS] [pkix] New version of Multiple OCSP mode of Certificate

Peter Gutmann <pgut001@cs.auckland.ac.nz> Fri, 06 August 2010 13:55 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Nicolas.Williams@oracle.com, pgut001@cs.auckland.ac.nz
In-Reply-To: <20100805183227.GT5213@oracle.com>
Message-Id: <E1OhNP9-0002RW-10@wintermute02.cs.auckland.ac.nz>
Date: Sat, 07 Aug 2010 01:56:11 +1200
Cc: pkix@ietf.org, tls@ietf.org
Subject: Re: [TLS] [pkix] New version of Multiple OCSP mode of Certificate

Nicolas Williams <Nicolas.Williams@oracle.com> writes:

>The domain part of the URL must be a DNS domainname to be resolved by the
>resolver to an IP (v4, v6) address.

What if it's an embedded device on a network with no DNS?

>No port number must be specified -- if HTTP then the port must be 80, if LDAP
>it must be 389.

What if they're running their OCSP on something other than port 80 because
port 80 is already in use for a web server?

(Not trying to have a perpetual-motion-machine debate here, just trying to
point out that there probably isn't any universally applicable way to restrict
this, so the ultimate choice may well be AIA or no AIA (and CRLDP and various
equivalents)).

Peter.
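
Added example, not part of the original message: a Python check that applies the two quoted restrictions (DNS name only, no explicit port) to AIA URLs, run over constructed URLs modelling the two cases raised in the reply. The function name, rule labels and sample URLs are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Schemes and default ports named in the quoted proposal.
DEFAULT_PORTS = {"http": 80, "ldap": 389}
# One DNS label: letters, digits, hyphen; no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def aia_violations(url):
    """Return the quoted rules that `url` breaks (empty list = accepted)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme.lower() not in DEFAULT_PORTS:
        problems.append("scheme")
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)          # IPv4 or IPv6 literal
        problems.append("host-is-ip-literal")
    except ValueError:
        labels = host.rstrip(".").split(".")
        if not host or len(host) > 253 or not all(LABEL.match(l) for l in labels):
            problems.append("host-not-dns-name")
    try:
        # The quoted rule forbids any explicit port, even the default one.
        if parts.port is not None:
            problems.append("explicit-port")
    except ValueError:                      # non-numeric or out-of-range port
        problems.append("explicit-port")
    return problems


# Constructed sample URLs (documentation address ranges, .test names).
SAMPLES = [
    "http://ocsp.example.test/",            # satisfies both rules
    "http://192.0.2.10/ocsp",               # device on a network with no DNS
    "http://ocsp.example.test:8080/ocsp",   # port 80 taken by a web server
    "http://[2001:db8::1]:8080/ocsp",       # both cases at once
    "ldap://ldap.example.test/cn=ca",       # LDAP on its default port
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, "->", aia_violations(u) or "accepted")
```
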