[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Comments on <draft-ietf-pkix-crlaia-00.txt>

To: Denis Pinkas <Denis.Pinkas@xxxxxxxx>
Subject: Re: Comments on <draft-ietf-pkix-crlaia-00.txt>
From: Russ Housley <housley@xxxxxxxxxxxx>
Date: Tue, 10 May 2005 15:26:38 -0400
Cc: ietf-pkix@xxxxxxx
In-reply-to: <42805C27.8090209@xxxxxxxx>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
References: <BF9309599A71984CAC5BAC5ECA6299440235C51B@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> <42711979.4030201@xxxxxxxx> <6.2.0.14.2.20050429032158.046a1a60@xxxxxxxxxxxxxxxx> <427F609E.6020309@xxxxxxxx> <6.2.1.2.2.20050509112536.05e0e7d0@xxxxxxxxxxxxxxxx> <42805C27.8090209@xxxxxxxx>
Sender: owner-ietf-pkix@xxxxxxxxxxxx


Denis:

Yes, it is OBVIOUS that the CRL issuer certificate needs to be validated.
You say that it is not clear what validation policy needs to be used, butthis is completely irrelevant to the discussion of the CRL AIAextension. This extension aid in certification path construction, notthe validation of the path once it is constructed.
Not exactly, it could "help" finding a wrong path !

Not likely. The signer of the CRL is providing a pointer to their owncertificate. Path construction to locate a parent of that certificatethrough a complex PKI might include paths that are acceptable and pathsthat are unacceptable, but the certificate that contains the public keyneeded to validate the signature on the CRL is clearly needed.

There are many factors which need to be considered in the validation ofthe CRL issue certificate. The values of the key usage extension and thecertificate policies extension are two that jump to mind. There areprobably more if I spend the time to consider each possible scenario.
One simple rule would allow no security problem at all and I wonder whyyou have so much resistance to mention it.

We have that rule: The CA certificate and the CRL Issuer certificate mustvalidate back to the same trust anchor.

In my opinion, this document is ready for WG Last Call.
As an editor of the draft, I may understand your position; but it is upthe the PKIX chairs to decide whether or not the document is ready for WGlast call.

Correct. I included this sentence for the WG chairs. I hope they willagree with me, and that they will issue WG Last Call for this document.

Once again the current Security Considerations section is not acceptable.

To you... No one else is advocating this change. I continue to believethat requiring the CA certificate and the CRL Issuer certificate tovalidate back to the same trust anchor resolves your concern. I am willingto add a few words to the security considerations about name collisions (myco-author may disagree), but I am not willing to use "MUST" or "SHOULD" inthose words. There is absolutely nothing that a client can do to determinedeal with name collisions that are subordinate to the same trust anchor.


Russ

Follow-Ups:
- Typo in <draft-ietf-pkix-crlaia-01.txt>
  - From: Denis Pinkas
- Re: Comments on <draft-ietf-pkix-crlaia-00.txt>
  - From: Denis Pinkas

References:
- RE: Comments on <draft-ietf-pkix-crlaia-00.txt>
  - From: Stefan Santesson
- Re: Comments on <draft-ietf-pkix-crlaia-00.txt>
  - From: Denis Pinkas
- Re: Comments on <draft-ietf-pkix-crlaia-00.txt>
  - From: Russ Housley
- Re: Comments on <draft-ietf-pkix-crlaia-00.txt>
  - From: Denis Pinkas
- Re: Comments on <draft-ietf-pkix-crlaia-00.txt>
  - From: Russ Housley
- Re: Comments on <draft-ietf-pkix-crlaia-00.txt>
  - From: Denis Pinkas

Prev by Date: Re: Comments on <draft-ietf-pkix-crlaia-00.txt>
Next by Date: WG Last Call: AIA CRL extension
Previous by thread: Re: Comments on <draft-ietf-pkix-crlaia-00.txt>
Next by thread: Re: Comments on <draft-ietf-pkix-crlaia-00.txt>
Index(es):
- Date
- Thread