Re: [wpkops] I-D Action: draft-ietf-wpkops-trustmodel-02.txt
"Horne, Rob" <rob.horne@trustis.com> Fri, 06 June 2014 16:03 UTC
Return-Path: <rob.horne@trustis.com>
X-Original-To: wpkops@ietfa.amsl.com
Delivered-To: wpkops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 49E371A0080 for <wpkops@ietfa.amsl.com>; Fri, 6 Jun 2014 09:03:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HjP39zd4cTC0 for <wpkops@ietfa.amsl.com>; Fri, 6 Jun 2014 09:03:33 -0700 (PDT)
Received: from mail1.bemta14.messagelabs.com (mail1.bemta14.messagelabs.com [193.109.254.120]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2DF0C1A007A for <wpkops@ietf.org>; Fri, 6 Jun 2014 09:03:32 -0700 (PDT)
Received: from [194.106.220.51:62318] by server-16.bemta-14.messagelabs.com id 94/30-16986-C46E1935; Fri, 06 Jun 2014 16:03:24 +0000
X-Env-Sender: rob.horne@trustis.com
X-Msg-Ref: server-5.tower-92.messagelabs.com!1402070602!16057849!7
X-Originating-IP: [217.28.140.9]
X-StarScan-Received:
X-StarScan-Version: 6.11.3; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 15171 invoked from network); 6 Jun 2014 16:03:23 -0000
Received: from smtp.hs20.net (HELO outlook.hs20.net) (217.28.140.9) by server-5.tower-92.messagelabs.com with AES256-SHA encrypted SMTP; 6 Jun 2014 16:03:23 -0000
Received: from THHSTE15D1BE5.hs20.net (192.168.251.26) by thhste15d1be5.hs20.net (192.168.251.26) with Microsoft SMTP Server (TLS) id 15.0.847.32; Fri, 6 Jun 2014 17:03:08 +0100
Received: from THHSTE15D1BE5.hs20.net ([fe80::4064:274f:d635:873e]) by THHSTE15D1BE5.hs20.net ([fe80::4064:274f:d635:873e%15]) with mapi id 15.00.0847.030; Fri, 6 Jun 2014 17:03:08 +0100
From: "Horne, Rob" <rob.horne@trustis.com>
To: "i-barreira@izenpe.net" <i-barreira@izenpe.net>, "wpkops@ietf.org" <wpkops@ietf.org>
Thread-Topic: [wpkops] I-D Action: draft-ietf-wpkops-trustmodel-02.txt
Thread-Index: AQHPeyZFDyYFwnLMcUy7s1i6Lj94AJtipRxAgAEXKhCAAI22gA==
Date: Fri, 06 Jun 2014 16:03:08 +0000
Message-ID: <241793dc995244e4aa719ecc679fa70e@THHSTE15D1BE5.hs20.net>
References: <20140529101033.15865.72439.idtracker@ietfa.amsl.com> <8bb8a25e698a450988b79c058705f1cb@THHSTE15D1BE5.hs20.net> <763539E260C37C46A0D6B340B5434C3B099397E8@AEX06.ejsarea.net>
In-Reply-To: <763539E260C37C46A0D6B340B5434C3B099397E8@AEX06.ejsarea.net>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [62.6.167.196]
x-exclaimer-md-config: 266e7a57-cddd-49fd-bdea-19bca6d40303
Content-Type: multipart/alternative; boundary="_000_241793dc995244e4aa719ecc679fa70eTHHSTE15D1BE5hs20net_"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/wpkops/orEghqWKXWsf7A-jXFf-_NoMLQs
Subject: Re: [wpkops] I-D Action: draft-ietf-wpkops-trustmodel-02.txt
X-BeenThere: wpkops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <wpkops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/wpkops>, <mailto:wpkops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/wpkops/>
List-Post: <mailto:wpkops@ietf.org>
List-Help: <mailto:wpkops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/wpkops>, <mailto:wpkops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Jun 2014 16:03:37 -0000
Hi Iñigo, Thank you for your responses which have provided excellent clarification. Maybe 3.2.1 needs a reference to the BRs? It's not something to get excited about so I'll leave it up to you whether you agree or not. Regards, Rob From: i-barreira@izenpe.net [mailto:i-barreira@izenpe.net] Sent: 06 June 2014 09:29 To: Horne, Rob; wpkops@ietf.org Subject: RE: [wpkops] I-D Action: draft-ietf-wpkops-trustmodel-02.txt Hi Rob, In your email Iñigo Barreira Responsable del Área técnica i-barreira@izenpe.net<mailto:i-barreira@izenpe.net> 945067705 ERNE! Baliteke mezu honen zatiren bat edo mezu osoa legez babestuta egotea. Mezua badu bere hartzailea. Okerreko helbidera heldu bada (helbidea gaizki idatzi, transmisioak huts egin) eman abisu igorleari, korreo honi erantzuna. KONTUZ! ATENCION! Este mensaje contiene informacion privilegiada o confidencial a la que solo tiene derecho a acceder el destinatario. Si usted lo recibe por error le agradeceriamos que no hiciera uso de la informacion y que se pusiese en contacto con el remitente. -----Mensaje original----- De: wpkops [mailto:wpkops-bounces@ietf.org] En nombre de Horne, Rob Enviado el: jueves, 05 de junio de 2014 16:54 Para: wpkops@ietf.org<mailto:wpkops@ietf.org> Asunto: Re: [wpkops] I-D Action: draft-ietf-wpkops-trustmodel-02.txt Hi, I've taken a look at this and have a few comments. Although the security issues are addressed in section 5, I think it could benefit from a little more detail and clarification in sections 2 and 3. 2.1 Root store provider Does the audit reporting and updating method described conform to any standard? I've seen auditors follow their own procedures which do not match this description. IB: The Baseline Requirements developed by the CABF indicates which standards are suitable to be used by the auditors and also indicates a procedure to perform the audit but some auditors prefer to use their own procedure to perform audits which is valid meanwhile they follow what the standard requires. 3.2.1. One root CA cross-certifies another root CA Is there a defined and agreed way for older CAs to cross certify newer CAs particularly if they're not owned by the same organisation? For example if the criterion for cross certification is less than that required by the root store for the original CA there could be some interesting issues. 3.2.2 refers to adherence to the root store policy so should that also be in 3.2.1? IB: The Baseline Requirements indicates it in section 8.4 as in general. There´s no clear distinction if they shall be owned by the same organization. About the criterion is up to the root CA that signs the other root CA to define it but once is done it "belongs" to the organization and the same audit rules apply. For the second question is similar, but in this case by contract and it´s also indicated in how to audit delegated functions. Maybe a rewording is needed to clarify it 3.2.5 to 3.2.7 I'd have expected more emphasis on technically constraining third party and subscriber RAs and CAs. For one thing legal contracts may be subject to non-disclosure which could make it difficult to audit properly but if they're not technically constrained that will be what's required. IB: Will check it again 5.3. Root CA compromise The last sentence is incomplete ;-) IB: Yes, you´re right. Sean Mullan told me so. It´s already corrected but not published A further thought: although potentially contentious should the scope be expanded to include other applications which use https but are not, in the traditional sense, web browsers? I'm thinking in particular of applications that utilise the protocol but don't have or use any form of trusted root store. To my mind this is a much bigger security issue than is covered in the draft as it stands. Of course this gets us into a discussion of how synonymous "web" is with "http/s". IB: In the introduction is indicated that this trust model is to support the communication between the subscriber and the browser. This thought´s been discussed if the scope should be wider but it was decided to keep it as it is now. Regards, Rob -----Original Message----- From: wpkops [mailto:wpkops-bounces@ietf.org] On Behalf Of internet-drafts@ietf.org<mailto:internet-drafts@ietf.org> Sent: 29 May 2014 11:11 To: i-d-announce@ietf.org<mailto:i-d-announce@ietf.org> Cc: wpkops@ietf.org<mailto:wpkops@ietf.org> Subject: [wpkops] I-D Action: draft-ietf-wpkops-trustmodel-02.txt A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web PKI OPS Working Group of the IETF. Title : Trust models of the Web PKI Authors : Inigo Barreira Bruce Morton Filename : draft-ietf-wpkops-trustmodel-02.txt Pages : 11 Date : 2014-05-29 Abstract: This is one of a set of documents to define the operation of the Web PKI. It describes the currently deployed Web PKI trust. The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-wpkops-trustmodel/ There's also a htmlized version available at: http://tools.ietf.org/html/draft-ietf-wpkops-trustmodel-02 A diff from the previous version is available at: http://www.ietf.org/rfcdiff?url2=draft-ietf-wpkops-trustmodel-02 Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org. Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ _______________________________________________ wpkops mailing list wpkops@ietf.org<mailto:wpkops@ietf.org> https://www.ietf.org/mailman/listinfo/wpkops _______________________________________________ wpkops mailing list wpkops@ietf.org<mailto:wpkops@ietf.org> https://www.ietf.org/mailman/listinfo/wpkops
- [wpkops] I-D Action: draft-ietf-wpkops-trustmodel… internet-drafts
- Re: [wpkops] I-D Action: draft-ietf-wpkops-trustm… Horne, Rob
- Re: [wpkops] I-D Action: draft-ietf-wpkops-trustm… i-barreira
- Re: [wpkops] I-D Action: draft-ietf-wpkops-trustm… Horne, Rob
- [wpkops] Fwd: Re: I-D Action: draft-ietf-wpkops-t… Denis
- Re: [wpkops] Fwd: Re: I-D Action: draft-ietf-wpko… i-barreira