Re: [Trans] Use of private OIDs in WG document
Rob Stradling <rob.stradling@comodo.com> Mon, 30 March 2015 08:55 UTC
Return-Path: <rob.stradling@comodo.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD4B61A924E for <trans@ietfa.amsl.com>; Mon, 30 Mar 2015 01:55:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LBjJLcjU6IAt for <trans@ietfa.amsl.com>; Mon, 30 Mar 2015 01:55:26 -0700 (PDT)
Received: from mmextmx2.mcr.colo.comodoca.net (mmextmx2.mcr.colo.comodoca.net [IPv6:2a02:1788:402:c00::c0a8:9cd6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 58BC11A924C for <trans@ietf.org>; Mon, 30 Mar 2015 01:55:26 -0700 (PDT)
Received: (qmail 10499 invoked by uid 1004); 30 Mar 2015 08:55:24 -0000
Received: from ian.brad.office.comodo.net (HELO ian.brad.office.comodo.net) (192.168.0.202) by mmextmx2.mcr.colo.comodoca.net (qpsmtpd/0.84) with ESMTP; Mon, 30 Mar 2015 09:55:24 +0100
Received: (qmail 5083 invoked by uid 1000); 30 Mar 2015 08:55:24 -0000
Received: from and0004.comodo.net (HELO [192.168.0.58]) (192.168.0.58) (smtp-auth username rob, mechanism plain) by ian.brad.office.comodo.net (qpsmtpd/0.40) with (AES128-SHA encrypted) ESMTPSA; Mon, 30 Mar 2015 09:55:24 +0100
Message-ID: <55190F7B.4050001@comodo.com>
Date: Mon, 30 Mar 2015 08:55:23 +0000
From: Rob Stradling <rob.stradling@comodo.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: Russ Housley <housley@vigilsec.com>, Massimiliano Pala <director@openca.org>
References: <9A043F3CF02CD34C8E74AC1594475C73AAFB6418@uxcn10-5.UoA.auckland.ac.nz><C961CE34-4F55-4B11-86D7-1566B701911D@seantek.com><5512C9C7.70202@comodo.com> <55159714.1070902@openca.org><5515EB25.2090206@openca.org><2ebf955d99414800bfefd7a6edd814dd@usma1ex-dag1mb2.msg.corp.akamai.com><551638A0.5060007@openca.org> <D7A1D4A7-AF13-4116-B6D1-4AE71D55DF5D@vigilsec.com>
In-Reply-To: <D7A1D4A7-AF13-4116-B6D1-4AE71D55DF5D@vigilsec.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/trans/0a10vG7kbwQZ-N3WcACFK26VJsM>
Cc: trans@ietf.org
Subject: Re: [Trans] Use of private OIDs in WG document
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Mar 2015 08:55:29 -0000
RFC6962 defines 4 OIDs under Google's OID arc. 1.3.6.1.4.1.11129.2.4.3 (the Precertificate Poison certificate extension) and 1.3.6.1.4.1.11129.2.4.4 (the Precertificate Signing Certificate EKU OID) are both no longer required, due to the Precertificate format change. They've both been removed from 6962-bis. That leaves us with 1.3.6.1.4.1.11129.2.4.2 (the SignedCertificateTimestampList certificate extension) and 1.3.6.1.4.1.11129.2.4.5 (the SignedCertificateTimestampList OCSP Response extension). Ticket #10 (see comments 6 and 8) intends to extend and merge these two extensions into one new extension with a new OID. I see no reason why we shouldn't use an OID from an IETF OID arc, as I wrote in ticket #10 comment 9. 6962-bis currently defines 1.3.6.1.4.1.11129.2.4.6 (the Redacted Labels certificate extension) and 1.3.6.1.4.1.11129.2.4.7 (the certificate extension to permit a Name-constrained intermediate CA certificate to be logged in place of end-entity certificates). I see no reason why we shouldn't reassign these from an IETF OID arc too. I am working on the assumption that "Russ, we're gonna need some OIDs for some cert/OCSP extensions - please can you assign some now, even though we haven't finished specifying the contents of these extensions yet?" would be greeted by a firm "No". Hence why the draft is still using OIDs under Google's OID arc. [1] http://trac.tools.ietf.org/wg/trans/trac/ticket/10 On 29/03/15 16:00, Russ Housley wrote: > In this case, the document was published with OIDs from a non-IETF OID > arc long ago. I see no reason to disrupt those implementations, and in > fact, having two OIDs with exactly the same semantics is confusing. > > If new OIDs are needed, we ought to assign them from an IETF arc managed > by IANA. > > Russ > > > On Mar 28, 2015, at 1:14 AM, Massimiliano Pala wrote: > >> Hi Rich, >> >> I do not think there is any precedence about using private OIDs for >> I-Ds - the use of Google's OIDs is ok at Google, not for a standard. >> The first reason is because Google's controls its own sub-tree and can >> change the sub tree at any time - not appropriate for an RFC. The >> second reason is that, since the document is defining extensions for >> certificates and OCSP messages (both under PKIX), the natural place is >> actually under PKIX. >> >> I also want to point out that OIDs are not just opaque identifiers - >> if that was the case, we would not use a hierarchical structure. The >> sub-tree where the OID is is actually important. >> >> This said, I have two questions for you: >> >> 1. Why this would not be the appropriate base OID ? >> 2. Which base OID are you referring to when you say "under IETF" ? >> >> Cheers, >> Max >> >> >> On 3/27/15 10:58 PM, Salz, Rich wrote: >>> >>> OID’s are just distributed opaque identifiers. Doesn’t bother me, >>> but if the WG wants to change OID’s and break deployed software, go >>> for it >>> >>> It will might be hard to get a PKIX arc. A Trans arc under IETF >>> seems more feasible. >>> >>> -- >>> >>> Senior Architect, Akamai Technologies >>> >>> IM: richsalz@jabber.at Twitter: RichSalz -- Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online
- Re: [Trans] [pkix] a question of cert (and OCSP) … Manger, James
- Re: [Trans] [pkix] a question of cert (and OCSP) … Massimiliano Pala
- Re: [Trans] [pkix] a question of cert (and OCSP) … Melinda Shore
- Re: [Trans] [pkix] a question of cert (and OCSP) … Massimiliano Pala
- Re: [Trans] [pkix] a question of cert (and OCSP) … Salz, Rich
- [Trans] Use of private OIDs in WG document Massimiliano Pala
- Re: [Trans] [pkix] a question of cert (and OCSP) … Leif Johansson
- Re: [Trans] Use of Private OIDs in WG document (R… Melinda Shore
- [Trans] Use of Private OIDs in WG document (Re: [… Massimiliano Pala
- Re: [Trans] Use of private OIDs in WG document Russ Housley
- Re: [Trans] Use of private OIDs in WG document Rob Stradling
- Re: [Trans] Use of private OIDs in WG document Russ Housley
- Re: [Trans] Use of Private OIDs in WG document (R… Nico Williams
- Re: [Trans] [pkix] a question of cert (and OCSP) … Salz, Rich
- Re: [Trans] [pkix] a question of cert (and OCSP) … Warren Kumari