Re: DPD/DPV reqmts
Denis,
Thank you for responding and for agreeing to incorporate some of my
comments. I have some additional responses below.
Yuriy
...snip...
>
> [COMMENT 19]
>
> 1) Recommend deleting the 2nd paragraph on page 5 (Section 5) for the
> following reasons:
> - the first sentence attempts to qualify the preceding paragraph, and in my
> opinion, adds no additional value
> - the second sentence contains redundant information already defined two
> paragraphs above
>
> [Answer 19]
>
> The second paragraph on page 5 (Section 5) is:
>
> Clients MUST be able to specify whether they want, in addition to the
> certification path, the revocation information associated with the
> path, for the end-entity certificate only, for the CA certificates
> only or for both.
>
> This text is not redundant. You are certainly pointing to another paragraph.
> Next time, please provide a short extract.
Sorry about that. The text in question is the following, which is defined
in Section 5:
"The client needs to be able to limit the number of paths returned.
Therefore the client MUST be able to indicate the maximum number of
certification paths that SHOULD be returned (provided that they can be
found). If the number is not specified, that number defaults to one.
The paths that are returned may need to match some additional local
controls done by the client, e.g. verifying some certificate
extensions.
The returned paths may not be appropriate to the client when it
locally applies additional tests. Instead of asking one by one the
paths (which would require state information at the server), the
client specifies with every request the maximum number of paths
to be returned."
It's the 3rd paragraph that I recommend deleting for the reasons I provided
earlier.
...snip...
>
> [COMMENT 23]
>
> 1) Why does DPD say that it is OK to pass some policy parameters within a
> DPD request if the policy is simple enough (section 5), but just the
> opposite is said for DPV (section 4)? I would think that a simple policy
> could be adhered to as well for DPV, and that the parameter specification
> could occur within the DPV request.
>
> [Answer 23]
>
> The document does not provide details about what "simple" means. However, the
> idea is the following: when there is a single root, with no constraints
> (unless contained in the self-signed certificate itself) and when any CRL
> status information is acceptable, then the policy can be considered as
> simple. Specific checks on the end-certificate are always done locally.
>
> With DPV the policy has to say which CRL information is necessary for each
> leg. But most importantly, checks on the end-certificate have to be done
> remotely, and specifying them is not that simple.
I disagree. A client can merely provide a root certificate and a policy ID,
and the server can do everything else to respond to a DPV request. In this
scenario, the additional policy parameters have been defined locally at the
server (e.g., which CRL information to use for each leg of the certificate.)
I still believe it is appropriate for a client to specify this simple policy
information (i.e., root cert and policy ID) within the DPV request.
...snip...
>
> [COMMENT 25]
>
> 3) Section 8: I think it would be helpful to break out the PDP requirements
> section into two areas:
>
> 1) requirements around the coordination of a validation/path discovery
> policy
> between a client and a server to support the validation/path discovery for
> a given certificate; and
>
> 2) requirements around defining an authorized policy at a server (e.g., used
> by security managers).
>
> This makes it clear that PDP can be used in two distinct ways.
>
> [Answer 25]
>
> PDP only addresses the latter. It is unclear what is being requested for the
> first area. Please explain.
In section 8 it says, "Usually, these request/response pairs will be used by
security managers to register the policies to be used by ordinary clients,
such as those within an organization for use with various applications."
It is this paragraph that made me believe that PDP would be used by clients
as well as security managers. Hence, my comment.
...snip...