Re: Other certs extension
Kemp, David P. wrote:
(never post before reading the entire thread :-) ...
> - The technical need articulated in the I-D is for a permanent
> identifier, i.e. a reference that doesn't change even if an entity
> providing a service such as a web form field database gets a new DNS
> name.
I don't agree with you there. If there is a PI, then that can be
used for the use-cases here. However, a PI is not required. For
example, a PI is presumably "permanent" whereas for the other
certs stuff, one could have no identifiers at all that match in
the two certs.
> PI isn't just about N-R.
That wasn't my impression, but fair enough.
> - If you cannot rely on DNS to link multiple instances of a single
> entity, and you cannot rely on some other assigner authority to provide
> that linkage, then you cannot have a service that will safely allow
> state to be shared among those instances.
I don't think an "other assigner authority" is needed for the use-cases
in question. The CA can do it nicely IMO.
(BTW - are there any PI assigner authorities operating now?)
> If you offer such a service
> using the new I-D or any other extension (SAN or PI), I'd be happy to
> request a cert linking myself to your service, and with no CA or other
> assigner authority to stop me, I'd succeed.
I don't follow that last bit. A CA is still in the loop so I don't
see how you'd succeed unless it's in collusion with you (when all bets
are off).
> In short, the new I-D, if it goes forward, should present a new use case
> for existing extensions. It should not define a new extension.
Disagree. (But you probably knew that already:-)
S.
Dave
-----Original Message-----
From: Stephen Farrell
My earlier response on this was (and still is):
"
- I don't think there's a technical need for a permanent identifier for
this purpose (as I understand it N-R is the main motivator for 4043)
- I'm not sure that there are any real assigner authorities and
depending on a new name space might just make the problem at hand
worse
- I've no idea whether 4043 is widely supported or not (mind you, the
proposed new extension isn't even implemented so that's less of a
concern)
However, I do agree that were 4043 used, it could solve the problem
at hand, so even if the new extension does go ahead, the spec should
call that out."