Re: New other certs extension I-D
Hi Steve,
> I did a quick read of the I-D
Thanks for taking the time to read this.
> I do have a concern. The text says:
>
> When this extension is present the CA is asserting that the same end
> entity is the subject of the relevant certificates. Mechanisms for
> how this assertion is validated by the CA or used by consumers of the
> certificate are out of scope of this memo.
>
> I agree that the CA's actions re validation may be outside the scope
> of a document like this. However, we might say that the CA is expected to
> have acted in accordance with any CP cited in the new cert, and
> performed whatever validation is called for in the CPS for the CA.
>
> I am less sanguine about being silent re what the client (RP) is
> expected to do based on these links. That creates a dangerous
> ambiguity. Since there were some examples provided to motivate this
> extension, I think you should use those as a starting point to
> describe what you think a client will do, based on this extension.
Yes, as written there'd be nothing to stop a CA
putting in references to web server certs and VPN g/w certs
and code signing certs all in one place, which does
seem odd but I didn't see a security problem arising.
I did think of adding an OID in there, e.g. to say that
all the linked certs are current or former web server
certs issued to the same organisation/web site. However,
I didn't see a concrete problem with leaving that out,
so I did. Might be worth thinking again though.
Or, I suppose one could simply make the extension specific
to web server certs, but that feels a bit wrong, as I reckon
there must be other uses for this extension.
> Also, is issuer name and serial # the best linkage to use, given that
> we know that CA names are not globally unique?
Sure, maybe the CertID from OCSP or the SCVPCertID makes
more sense all right. (I vaguely recall a thread about why
those are different from ages ago. Must take a peek back at
that I suppose.)
Cheers,
Stephen.
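The linkage question raised above (issuer name plus serial number versus the OCSP CertID of RFC 6960) can be made concrete. The following is an added example, not code from the I-D or from either correspondent: it DER-encodes a one-RDN issuer Name, builds a SHA-1 CertID for two distinct CAs that happen to share the same Name, and shows that (issuer, serial) collides while the CertID's issuerKeyHash keeps them apart. The subjectPublicKey bytes are constructed placeholders, not real keys.

```python
import hashlib


def der_tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER tag-length-value encoder (lengths below 65536 suffice here)."""
    if len(body) < 0x80:
        length = bytes([len(body)])
    elif len(body) < 0x100:
        length = b"\x81" + bytes([len(body)])
    else:
        length = b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + length + body


def der_name_cn(common_name: str) -> bytes:
    """DER-encode an X.501 Name holding a single commonName (OID 2.5.4.3) RDN."""
    oid_cn = der_tlv(0x06, bytes([0x55, 0x04, 0x03]))      # OBJECT IDENTIFIER 2.5.4.3
    value = der_tlv(0x0C, common_name.encode("utf-8"))     # UTF8String
    atv = der_tlv(0x30, oid_cn + value)                    # AttributeTypeAndValue
    rdn = der_tlv(0x31, atv)                               # RelativeDistinguishedName (SET OF)
    return der_tlv(0x30, rdn)                              # Name (SEQUENCE OF RDN)


def naive_link(issuer_name_der: bytes, serial: int) -> tuple:
    """The linkage the I-D currently uses: issuer Name plus serial number."""
    return (issuer_name_der, serial)


def ocsp_certid(issuer_name_der: bytes, issuer_spk: bytes, serial: int) -> tuple:
    """RFC 6960 CertID with SHA-1: H(issuer Name DER), H(issuer subjectPublicKey), serial.
    issuer_spk is the BIT STRING contents of the issuer's subjectPublicKey."""
    return (hashlib.sha1(issuer_name_der).digest(),
            hashlib.sha1(issuer_spk).digest(),
            serial)


def compare_linkages() -> dict:
    """Two unrelated CAs with the identical Name 'CN=Example CA' each issue serial 0x1001."""
    issuer = der_name_cn("Example CA")
    # Constructed placeholder key bytes standing in for two different subjectPublicKey values.
    key_a = hashlib.sha256(b"constructed placeholder key A").digest()
    key_b = hashlib.sha256(b"constructed placeholder key B").digest()
    serial = 0x1001
    return {
        "naive_collides": naive_link(issuer, serial) == naive_link(issuer, serial),
        "certid_distinct": ocsp_certid(issuer, key_a, serial) != ocsp_certid(issuer, key_b, serial),
        "same_name_hash": ocsp_certid(issuer, key_a, serial)[0] == ocsp_certid(issuer, key_b, serial)[0],
    }
```

The name hash alone would still collide; it is the issuerKeyHash component that distinguishes two CAs sharing a DN, which is the point of preferring CertID over issuer-plus-serial.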