[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Straw poll for Algorithm Identifiers in Subject Public Key Info.

To: "Kemp, David P." <DPKemp@xxxxxxxxxxxxxx>, "ietf-pkix@xxxxxxx" <ietf-pkix@xxxxxxx>
Subject: RE: Straw poll for Algorithm Identifiers in Subject Public Key Info.
From: Stefan Santesson <stefans@xxxxxxxxxxxxx>
Date: Tue, 16 Jan 2007 23:22:39 +0000
Accept-language: en-US
Acceptlanguage: en-US
In-reply-to: <FA998122A677CF4390C1E291BFCF598906677E24@xxxxxxxxxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
References: <A15AC0FBACD3464E95961F7C0BCD1FF01D6E18B0@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> <FA998122A677CF4390C1E291BFCF598906677E24@xxxxxxxxxxxxxxxxxxx>
Sender: owner-ietf-pkix@xxxxxxxxxxxx
Thread-index: AccghXxioexQt1yFTtmAmBmOZxqscwUe2l0gAR7VikAACTHeQAABzaigAAbfayA=
Thread-topic: Straw poll for Algorithm Identifiers in Subject Public Key Info.

There is no single way that applications and protocol stacks may operate.

In my example, applications don't understand any public key OID. They would simply consult OID table to get a translation into something they can pass to the crypto lib. If that look-up is unsuccessful, the application will most certainly fail. But if it is successful, the application will attempt to map that key to the usage negotiated in the protocol, e.g. a TLS cipher suite. This is where I'm not at all sure that "old" applications will get it right. I have indications that they might get it wrong but I don't have any hard facts to offer yet. It worries me though to have to depend on various applications to get it right.

I would prefer to have more control in the library layer and more actively prevent applications from doing the wrong thing.


Stefan Santesson
Senior Program Manager
Windows Security, Standards


> -----Original Message-----
> From: Kemp, David P. [mailto:DPKemp@xxxxxxxxxxxxxx]
> Sent: den 16 januari 2007 15:08
> To: Stefan Santesson; ietf-pkix@xxxxxxx
> Subject: RE: Straw poll for Algorithm Identifiers in Subject Public Key
> Info.
>
> Hmmm, I'd guess that applications would fail, either gracefully
> or catastrophically, when faced with an unrecognized Subject
> Public Key Info OID.   I did miss the point that they might
> falsely accept and misuse the public key, but even after considering
> the possibility it still seems highly improbable.
>
> Dave
>
> -----Original Message-----
> From: Stefan Santesson [mailto:stefans@xxxxxxxxxxxxx]
> Sent: Tuesday, January 16, 2007 2:09 PM
> To: Kemp, David P.; ietf-pkix@xxxxxxx
> Subject: RE: Straw poll for Algorithm Identifiers in Subject Public Key
> Info.
>
> Thanks Dave,
>
> Let me clarify where I think you missed my point.
>
> I believe that it is less likely that a certificate with a critical
> extension will be falsely accepted and misused by an application. I
> believe the risk is greater that applications get it wrong and makes
> wrong use of a public key if the restriction comes as a public key OID.
>
> But this is just an educated guess.
>
> I agree that it will be hard to define complete mapping info in an
> extension. That was my point - It may make the extension overly
> complex.
>
>
> Stefan Santesson
> Senior Program Manager
> Windows Security, Standards
>
>

References:
- RE: Straw poll for Algorithm Identifiers in Subject Public Key Info.
  - From: Stefan Santesson
- RE: Straw poll for Algorithm Identifiers in Subject Public Key Info.
  - From: Kemp, David P.

Prev by Date: RE: Straw poll for Algorithm Identifiers in Subject Public Key Info.
Next by Date: RE: Straw poll for Algorithm Identifiers in Subject Public Key Info.
Previous by thread: RE: Straw poll for Algorithm Identifiers in Subject Public Key Info.
Next by thread: RE: Straw poll for Algorithm Identifiers in Subject Public Key Info.
Index(es):
- Date
- Thread