IETF Logo Mail Archive

Re: [xmpp] draft-hildebrand-dna-00

Dirk Balfanz <balfanz@google.com> Wed, 28 October 2009 18:12 UTC

Return-Path: <balfanz@google.com>
X-Original-To: xmpp@core3.amsl.com
Delivered-To: xmpp@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1933428C1D7 for <xmpp@core3.amsl.com>; Wed, 28 Oct 2009 11:12:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.976
X-Spam-Level:
X-Spam-Status: No, score=-105.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JwZF9cd6pkZt for <xmpp@core3.amsl.com>; Wed, 28 Oct 2009 11:12:28 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [216.239.33.17]) by core3.amsl.com (Postfix) with ESMTP id A9E8328C179 for <xmpp@ietf.org>; Wed, 28 Oct 2009 11:12:27 -0700 (PDT)
Received: from wpaz21.hot.corp.google.com (wpaz21.hot.corp.google.com [172.24.198.85]) by smtp-out.google.com with ESMTP id n9SICduT020048 for <xmpp@ietf.org>; Wed, 28 Oct 2009 18:12:40 GMT
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1256753560; bh=fhHxg9EHSNayhnWUi2nCAFV40Xg=; h=MIME-Version:Date:Message-ID:Subject:From:To:Content-Type; b=oQT+76NpGMM6ZQ3TIhgPCAYrQKA2pvvQaaCqJt2GnBOYfoe4fm3huGg0lgHJCXls4 NdIIBJj56c/CKG4Ppa/+Q==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=mime-version:date:message-id:subject:from:to:content-type:x-system-of-record; b=vr+e8u9Hz+Qq703bBn/C6UCtPui9Mhw1Dfg7hS8bJBZnkdeMfdGdzVH0MDrlTXXST iO1+/YEo6aA0mBug2N8Yg==
Received: from pwj3 (pwj3.prod.google.com [10.241.219.67]) by wpaz21.hot.corp.google.com with ESMTP id n9SICaDU030989 for <xmpp@ietf.org>; Wed, 28 Oct 2009 11:12:36 -0700
Received: by pwj3 with SMTP id 3so944762pwj.28 for <xmpp@ietf.org>; Wed, 28 Oct 2009 11:12:36 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.115.85.16 with SMTP id n16mr7252483wal.123.1256753555992; Wed, 28 Oct 2009 11:12:35 -0700 (PDT)
Date: Wed, 28 Oct 2009 11:12:35 -0700
Message-ID: <60c552b80910281112u76bd45f1h572c73df0c43914a@mail.gmail.com>
From: Dirk Balfanz <balfanz@google.com>
To: xmpp@ietf.org
Content-Type: multipart/alternative; boundary="0016e64ca2a6467524047702bdd3"
X-System-Of-Record: true
Subject: Re: [xmpp] draft-hildebrand-dna-00
X-BeenThere: xmpp@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: XMPP Working Group <xmpp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/xmpp>, <mailto:xmpp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/xmpp>
List-Post: <mailto:xmpp@ietf.org>
List-Help: <mailto:xmpp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/xmpp>, <mailto:xmpp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Oct 2009 18:12:29 -0000

Hi guys,

I wanted to give some feedback on draft-hildebrand-dna-00. I just joined the
mailing list, so I probably missed a bunch of the discussion regarding this
topic. I'm new to XMPP, but have been helping out the Wave folks at Google
with some crypto/PKI bits.

My biggest question is why you're tangling up this spec with Attribute
Certificates. I've never seen an RFC 3281-style AC in the wild, and hadn't
heard of draft-ietf-pkix-3281update until I read this spec. Is 3281update
real? Are there parsers out there that understand this stuff? It makes sense
to stand on the shoulders, so to speak, of other specs if there is
wide-spread adoption out there and code that can process these things, but
you don't want to depend on specs that nobody is using - it just complicates
things.

Ok, now for more detailed, turn-by-turn comments:

- it says "The issuer's certificate MUST NOT have a
basicConstraints extension with the cA BOOLEAN set to TRUE." Why?

- The holder field MUST be the baseCertificateID. This seems to mean that it
points to a issuer/serial number in some other PKC. Hows does the validating
entity get hold of that PKC? How did the issuer of the AC know what to put
there?

- http://www.ietf.org/id/draft-ietf-pkix-3281update-05.txt says  "Conforming
implementations MUST NOT use the x400Address, ediPartyName, or registeredID
options [wherever the spec asks for a GeneralName]"  Your spec says to use
registeredId, so you seem to be advocating a non-3281update-compliant AC.

- For encoding the AC, issuer cert and potential intermediate certs, you're
depending on yet another RFC (
http://tools.ietf.org/html/draft-ietf-smime-3851bis-11) for encoding the
cert chain, which seems like overkill. Why not just say that proof-type
attribute-cert has sub-elements, like
   <proof xmlns='urn:ietf:params:xml:ns:dna'
          from='asserted.tld'
          type='urn:ietf:params:dna:proof:attribute-cert'>
     <ac>
       (base64 of AC)
     </ac>
     <pkc>
       (base64 of issuer PKC)
     </pkc>
     <pkc>
       (base64 of intermediate PKC that issued issuer PKC)
     </pkc>
   </proof>

What do you guys think? You probably discussed all these things to death and
i'm just late to the party...

Dirk.

v2.23.0 | Report a Bug | By Email