[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Comments on / suggested changes for RFC3280bis

To: Peter Hesse <pmhesse@xxxxxxxxxxxxxxxxxx>
Subject: Re: Comments on / suggested changes for RFC3280bis
From: "David A. Cooper" <david.cooper@xxxxxxxx>
Date: Fri, 10 Jun 2005 14:25:06 -0400
Cc: ietf-pkix@xxxxxxx, RGuida@xxxxxxxxxxxxx, MRamos8@xxxxxxxxxxxxx, mcooper@xxxxxxxxxxxx, chokhani@xxxxxxxxxxxx, "'Zagar, Terry (Mission Systems)'" <Terry.Zagar@xxxxxxx>, "'Guy Tallent [SIG] (E-mail)'" <guy@xxxxxxxxxxxxxxxxxxxxxxxxxx>, "'Gary Secrest [JJCUS] (E-mail)'" <GSecrest@xxxxxxxxxxxxx>
In-reply-to: <20050526151420.13819114175@xxxxxxxxxxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
References: <20050526151420.13819114175@xxxxxxxxxxxxxxxxxxxx>
Sender: owner-ietf-pkix@xxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.2) Gecko/20040804


Peter,

Thanks for the comments. Below are some responses to your comments. I'veskipped over most of the editorial comments for the moment, but I willmake any appropriate changes in the document.


Peter Hesse wrote:

A real-world example of the unclear language related to behavior causing a
problem: RFC3280 specified that the inhibitAnyPolicy extension be marked
critical.  At least one version of the Sun Java CertPath implementation
rejects any certification paths containing inhibitAnyPolicy extensions which
are not marked critical.  The wording in RFC3280 was not clear that this was
a requirement for issuers and not for implementations.  (This issue has been
fixed the current RFC3280bis draft, but remains in other places for other
extensions.)

This is definitely something that will need to be addressed in 3280bis.At first I thought it would be sufficient to change statements of theform "this extension MUST be marked critical" to "conforming CAs MUSTmark this extension as critical". But Sam Roberts suggested that 3280bisneeds a more explicit statement that relying parties should not bechecking certificates to verify that they were issued in conformancewith 3280bis. As Peter Guttman noted in a recent message(http://www.imc.org/ietf-pkix/mail-archive/msg02333.html), evenstatements of the form "conforming CAs MUST" can sometimes beinterpreted as imposing a requirement on relying parties.

Location: 4.2.1.11, 4th para, last sentence
Original Text: "If the policyConstraints extension is marked critical and
the inhibitPolicyMapping field is present, applications that do not
implement support for the inhibitPolicyMapping field MUST reject the
certificate."
Comment: This seems to be encouraging different behavior depending on the
criticality of the field, which goes against the spirit of extension
processing.

I don't understand the concern here. This statement is entirelyconsistent with the general rule for processing the criticality bit(from section 4.2):


A certificate using system MUST reject the certificate if it encounters
a critical extension it does not recognize or a critical extension
that contains information that it can not process.

It was only stated here explicitly since section 4.2.1.11 also says:

Conforming applications MUST be able to process the
requireExplicitPolicy field and SHOULD be able to process the
inhibitPolicyMapping field.

We wanted it to be clear that even though the ability to process theinhibitPolicyMapping field was not required, the general rule that onemust still reject a certificate with a critical extension containinginformation that the application cannot process still applies.

Location: 4.2.1.13, 5th para, last sentence
Original Text: "DistributionPointName SHOULD include at least one LDAP or
HTTP URI."
Recommendation: Add the following sentence. "If both HTTP and LDAP
DistributionPointName URI values are specified, the HTTP
DistributionPointName SHOULD appear first."
Reason: Firewalls are more likely to allow HTTP through, and HTTP typically
results in faster access.  Applications typically try distribution points in
the order in which they appear.

The design team thought that it specifying an ordering was tooprescriptive. In general it is probably a good idea to list thedistribution points in order of preference, but it may not always bepossible to control the order in which the distribution points areencoded. Even if 3280bis did say something about ordering, I think itshould only note that they should be listed in order of preferencewithout declaring an opinion that one protocol is inherently better thananother.

Location: 4.2.2.1, 13th para, 2nd sentence
Original Text: "...and MAY specify a host name (e.g.,
ldap://ldap.example.com/cn=example%20CA,dc=example,dc=com?cACertificate;bina
ry,crossCertificatePair;binary).
Recommendation: remove ",crossCertificatePair;binary" from the example
Reason: Attributes containing cross-certificate pairs should not be
recommended.  There is no way for the client to know whether or not they
will be encountering cross-certificate pairs as opposed to certificates,
without attempting to decode them and failing.  Retrieving only
cACertificate attribute should be sufficient if LDAPv3 schema is being
followed.

First, I don't understand why you say that "[t]here is no way for theclient to know whether or not they will be encounteringcross-certificate pairs as opposed to certificates, without attemptingto decode them and failing." If its stored in the cACertificate oruserCertificate attribute, it is a certificate. If its stored in thecrossCertificatePair attribute its a cross-certificate pair (it may bethat either the forward or reverse element is absent, but it is stillencoded as a certificate pair).

I am also not aware of any schema that would make the contents of thecrossCertificatePair attribute unnecessary. The current text in X.509states:


Clause 11.2.2:
The cACertificate attribute of a CA's directory entry shall be used to store

self-issued certificates (if any) and certificates issued to this CA byCAs inthe same realm as this CA. In the case of v3 certificates, thesecertificates

shall include a basicConstraints extension with the cA value set to TRUE.
The definition of realm is purely a matter of local policy.

Clause 11.2.3:
The issuedToThisCA elements of the crossCertificatePair attribute of a CA's

directory entry shall be used to store all, except self-issuedcertificates issuedto this CA. Optionally, the issuedByThisCA elements of thecrossCertificatePairattribute, of a CA's directory entry may contain a subset ofcertificates issued

by this CA to other CAs. If a CA issues a certificate to another CA, and the

subject CA is not a subordinate to the issuer CA in a hierarchy, thenthe issuer

CA shall place that certificate in the issuedByThisCA element of the
crossCertificatePair attribute of its own directory entry.

The requirements for cACertificate are the same as in RFC 2587.draft-zeilenga-ldap-x509-01.txt simply refers to clause 11.2.2 in X.509.All of these documents state the same thing: certificates issued to thisCA by CAs in a different "realm" do not need to be included in thecACertificate attribute, but must be included in thecrossCertificatePair attribute. I am not aware of any schemas thatrequire all certificates issued to the CA to be included in thecACertificate attribute.

Location: 4.2.2.1, 16th para
Original Text: " .p7c   A DER encoded "certs-only" CMS message as specified
in [RFC 2797]."
Recommendation: " .p7c   A DER encoded "certs-only" CMS message as specified
in [RFC 2797] which MUST NOT contain self-signed certificates."
Reason: Self-signed certificates retrieved externally should not be included
because they cannot be trusted,

I agree that self-signed certificates should not be included in thedirectory. Self-signed certificates should only be used as a source oftrust anchor information and should be obtained by secure, out-of-bandmeans for this purpose. Including unnecessary certificates in thedirectory only complicates matters. I think they should be excluded fromthe cACertificate attribute of the directory as well the Web server. Itis, however, very common practice to include self-signed certificates inthe directory.

I would be in favor of stating that self-signed certificates SHOULD NOTbe included in the directory or in the information pointed to by the AIAextension, but given that this is such common practice, I would needsufficient evidence of working group consensus before making any changesto the current text.

Location: 4.2.2.1, 18th para
Original Text: "The semantics of other id-ad-caIssuers accessLocation name
forms are not defined."
Recommendation: Add a new paragraph before this one: "If both HTTP and LDAP
accessLocations are specified, the HTTP accessLocation SHOULD appear first."
Reason: Same as above (4.2.1.13, 5th para, last sentence).

I am actually aware of some implementations that can process an LDAP URIin the AIA extension but not an HTTP URI (and vice versa), which I thinkis yet another reason that 3280bis should not declare that one protocolis inherently superior to another.

Location: 4.2.2.2, 9th para, 2nd sentence
Original Text: "...and MAY specify a host name (e.g.,
ldap://ldap.example.com/cn=example%20CA,dc=example,dc=com?cACertificate;bina
ry,crossCertificatePair;binary).
Recommendation: remove ",crossCertificatePair;binary" from the example
Reason: Same as above (4.2.2.1, 13th para, 2nd sentence).

See text from clauses 11.2.2 and 11.2.3 from X.509 above. ThecACertificate attribute only includes the self-issued certificatesissued by the CA. Only the crossCertificatePair attribute contains thecross-certificates issued by the CA. So, the crossCertificatePairattribute is even more important in the SIA extension than in the AIAextension.



Dave

References:
- Comments on / suggested changes for RFC3280bis
  - From: Peter Hesse

Prev by Date: RE: RE: 3280bis: CRL validation
Next by Date: RE: Comments on / suggested changes for RFC3280bis
Previous by thread: RE: Comments on / suggested changes for RFC3280bis
Next by thread: RE: Comments on / suggested changes for RFC3280bis
Index(es):
- Date
- Thread