[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Structuring Denis issues RE: Comments on <draft-ietf-pkix-crlaia-00.txt>

To: Stefan Santesson <stefans@xxxxxxxxxxxxx>
Subject: Re: Structuring Denis issues RE: Comments on <draft-ietf-pkix-crlaia-00.txt>
From: Denis Pinkas <Denis.Pinkas@xxxxxxxx>
Date: Thu, 19 May 2005 17:17:34 +0200
Cc: pkix <ietf-pkix@xxxxxxx>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Organization: Bull SA.
References: <BF9309599A71984CAC5BAC5ECA629944025B7DEB@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Sender: owner-ietf-pkix@xxxxxxxxxxxx
User-agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0


Stefan,

Denis,

Thanks for the clarification.
Yes, we agree on issue number 1 (remove SHOULD and MUST)


We also agree on a typo. :-|

So the remaining issue is:

Problem: The security considerations talk about "mitigation" of the name
collision problem but gives inadequate advice.

Your proposed resolution

 a) warn the user that the CRL where this extension was found may not be
    the right one.


The AIA extension in found in a CRL that is not yet checked to be the right one.

 b) warn the user that the CRL issuer certificate he might obtain using
    this extension may not be the right one.

The AIA extension does not provide enough information so that the CRL issuercertificate that is found there is indeed the right one, since at thistime the certification path is not yet formed. There may be aman-in-the-middle attack.

 c) provide guidance on how to GUARANTEE that the CRL Issuer is indeed
    the one nominated by the CA that has issued the target certificate
    (i.e. when the CRL Issuer certification path and the target
    certificate certification path are identical).


This would indeed be a useful guidance given the two above statements.

 d) say that other possibilities exists, but need additional trust
    conditions (there are zillions of such possible trust conditions).


This would indeed be a useful guidance given the previous statement.

I am spending a *considerable* time on this issue and I believe that youhave now perfectly understood what the problem is.


You know that I do not consider the AIA extension useful in the "basic" case.

Since the other cases (the "zillions" of other cases) rely anyway onadditional local trust conditions, some local configuration values may beused to know where to fetch the missing CRL issuer certificates, hence whythis extension is not really useful and may even be dangerous to be used ifpeople simply use what they get from the pointer.


Denis

To complete the picture it would now be very helpful if you, for each of
these statements, could confirm or explain how these issues are a result
of using the AIA extension in CRLs. Or in other words, which of these
security considerations could you ignore (would go away) if you were NOT
using the AIA extension in a CRL to locate the CRL Issuer certificate.



Stefan Santesson
Program Manager, Standards Liaison
Windows Security

References:
- RE: Structuring Denis issues RE: Comments on <draft-ietf-pkix-crlaia-00.txt>
  - From: Stefan Santesson

Prev by Date: Request for new work item - Defining an SRV RR otherName
Next by Date: RE: Structuring Denis issues RE: Comments on <draft-ietf-pkix-crlaia-00.txt>
Previous by thread: RE: Structuring Denis issues RE: Comments on <draft-ietf-pkix-crlaia-00.txt>
Next by thread: RE: Structuring Denis issues RE: Comments on <draft-ietf-pkix-crlaia-00.txt>
Index(es):
- Date
- Thread