IETF Logo Mail Archive

[VIPR] Identity certificate segregation for VIPR

Marc Petit-Huguenin <petithug@acm.org> Tue, 07 February 2012 17:09 UTC

Return-Path: <petithug@acm.org>
X-Original-To: vipr@ietfa.amsl.com
Delivered-To: vipr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0304E21F85F1 for <vipr@ietfa.amsl.com>; Tue, 7 Feb 2012 09:09:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.326
X-Spam-Level:
X-Spam-Status: No, score=-102.326 tagged_above=-999 required=5 tests=[AWL=0.274, BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qY4G9mHw0Cy1 for <vipr@ietfa.amsl.com>; Tue, 7 Feb 2012 09:09:04 -0800 (PST)
Received: from implementers.org (implementers.org [IPv6:2604:3400:dc1:41:216:3eff:fe5b:8240]) by ietfa.amsl.com (Postfix) with ESMTP id F04CE21F885F for <vipr@ietf.org>; Tue, 7 Feb 2012 09:09:03 -0800 (PST)
Received: from [IPv6:2406:a000:f007:6f00:213:d4ff:fe04:3e08] (unknown [IPv6:2406:a000:f007:6f00:213:d4ff:fe04:3e08]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (Client CN "petithug", Issuer "implementers.org" (verified OK)) by implementers.org (Postfix) with ESMTPS id 9A0FB2043C for <vipr@ietf.org>; Tue, 7 Feb 2012 16:53:53 +0000 (UTC)
Message-ID: <4F315AA1.9030703@acm.org>
Date: Tue, 07 Feb 2012 09:08:49 -0800
From: Marc Petit-Huguenin <petithug@acm.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:8.0) Gecko/20120104 Icedove/8.0
MIME-Version: 1.0
To: "vipr@ietf.org" <vipr@ietf.org>
X-Enigmail-Version: 1.3.4
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Subject: [VIPR] Identity certificate segregation for VIPR
X-BeenThere: vipr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Verification Involving PSTN Reachability working group <vipr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/vipr>, <mailto:vipr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/vipr>
List-Post: <mailto:vipr@ietf.org>
List-Help: <mailto:vipr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/vipr>, <mailto:vipr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Feb 2012 17:09:05 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

The current version of RELOAD requires that the certificates used contain one
or more Node-IDs and one username.  This username plays no role in VIPR, so it
is not only useless, but can also be a source of privacy leak.

A proposal was made in the p2psip WG some time ago for Identity certificate
segregation[1] (see also [2]), but the author is waiting for the final version
of RELOAD to publish a draft about this.

My proposal is to say in the RELOAD usage document that VIPR must not use
certificates with username, and to put a placeholder for the reference to the
upcoming draft about Identity certificate segregation.

Opinions?

Thanks.


[1] http://www.ietf.org/mail-archive/web/p2psip/current/msg06005.html
[2] http://ieeexplore.ieee.org/iel5/4105970/5783356/05783372.pdf?arnumber=5783372

- -- 
Marc Petit-Huguenin
Personal email: marc@petit-huguenin.org
Professional email: petithug@acm.org
Blog: http://blog.marc.petit-huguenin.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBCAAGBQJPMVqgAAoJECnERZXWan7Efz8QALZRQRYyDYwHjMd8IIShYEsd
IoaZXZLR/F367dTKwQuVxCufD1Bh9DEtPJeRxUr7JLlSOariEUgUH9IIa4JKSOzi
+fQxdMEm3KdRagIx+fqqBNlA9E1WuaViy8Q/sprJHo8KFGNWya2POL8ffg3wIU58
Xhw6M28XV3Db7MbLfl/Oy2DTtHhs32OHMAoSXd/sCKPF8o51QVl/nCGnxUsqLKgq
u1VD99fWmTKCe/dw7BLqtdn2HQGEpYtlrUaJSLDK1ot1LmlNYJnNfFvaa28omKmQ
YY9T137gkqUQc552FxGpoSWK/7dY0+NFvMGpxAwpTMEkuKFZvAXydrMNbulTV+qT
jP7PBjYWBa2uD1r8IiEY2sUO1y0wbuK5QmHPlADuoSyISacclYSUgLlAm3ei7Hg/
SLHq/gzd6+4PQfKoFfIk5/7Rk8Be+rnlk/PjVHE3Kyy9WsfXmd2pTBW87f5U8tFK
PYfrVXbjkyyReOokupq6IgyocjnnCSu6lmMQJMnLVzfw8jumuDLDsNZVchGz9dZe
Ql0E215ZDRfTs90EGmNRfa2QzcDTx+f3IIeyTYNUx1yjmNMRaWZwEa86mKx6d5mJ
Nrn53TLbQQ59JmGkn1EA396IqSOd4otz0aevAz1FxWoVMoXZNpbP2DPWgCTwbVxj
BfFRQqyLkM6R/2zF234C
=w/9F
-----END PGP SIGNATURE-----

v2.23.0 | Report a Bug | By Email