RE: RFC3039bis last call ?
Denis,
I have replied to these comments before and these were also discussed at
the IETF meeting and concluded.
Name:
------
The scope is the same but it is just worded a bit differently. This
profile has never limited itself to just Qualified Certificates, i.e.
this profile defines the framework that is considered useful for
Qualified Certificates but the use of the profile is not limited to
Qualified Certificates. It can also be used to create or support other
types of certificates. This was also clearly stated in RFC 3039.
The reason for the wording change in the abstract was that many readers
had missed the fact that this profile can be used to support any
ID-certificate, qualified or not. An example of such use could be the use
of the biometricInfo extension for attaching a picture.
The meeting, the WG chairs and the Security AD agreed that the name of
the document should be kept. I don't feel strongly either way but I
respect that decision and think it is the best one.
Requirement from ETSI:
----------------------
There is a need to harmonize development of ETSI TS 102 280 with RFC
3039. This has also been expressed in circulated ETSI documents, but
there are also other reasons to update RFC 3039.
Replacement of RFC 3039:
------------------------
As concluded at the last IETF it is impossible to update RFC 3039 and keep
RFC 3039. It would cause several extensions to be defined in multiple
RFCs.
Reference to RFC 3280
---------------------
RFC 3039 is a profile of RFC 3280 so we reference it.
If you have any problem with this, that is an issue you have to take up
with the WG chairs or Russ as AD. As far as I'm concerned RFC 3039 does
not define any meanings of the key usage bits and thus should not be
dependent on any resolution of that.
Finally there is nothing in any definition of Qualified Certificates
that prevents such certificates from being used for Authentication.
/Stefan
> -----Original Message-----
> From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx]
> On Behalf Of Denis Pinkas
> Sent: 4 December 2003 21:08
> To: ietf-pkix@xxxxxxx
> Subject: RFC3039bis last call ?
>
>
>
> I probably missed the e-mail about an RFC3039bis last call, but since it
> is mentioned in the WG minutes that there will be a last call. In case
> it is already going, I would like to reiterate that the concerns I
> raised before the Minneapolis meeting are still valid.
>
> In particular, I would like to insist again on two points:
>
> RFC3039 states in the abstract:
>
> This document forms a certificate profile for Qualified Certificates,
> based on RFC 2459, for use in the Internet. The term Qualified
> Certificate is used to describe a certificate with a certain
> qualified status within applicable governing law.
>
> RFC3039bis states in the abstract:
>
> This document forms a certificate profile, based on RFC 3280, for
> identity certificates issued to physical persons.
>
> It is clear from the abstract that the topics of the two documents are
> different and that the new draft should be renamed: Identity
> Certificates Profile.
>
> As a consequence, this new draft is NOT a replacement for RFC 3039. One
> argument has been that ETSI needed changes to RFC 3039. There is no
> such requirement from ETSI.
>
> Another major issue is that RFC3039bis states:
>
> Key usage settings SHALL be set in accordance with RFC 3280 definitions.
>
> We know that the key usage bit section of RFC 3280 is going to be
> changed. However we still don't know what the new text will be.
> Discussions are going on within ISO SC6 both to redefine bit 0 in terms
> of the security services it may support (instead of saying "all security
> services except one security service"), and to rename bit 1. This means
> that referencing RFC 3280 is fine, except for the section on the key
> usage bits.
>
> Qualified Certificates are to be used when a signer wants to commit to
> the content of a document, not when a signer wants to authenticate. As
> it is, the new draft would create confusion.
>
> Denis
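The dispute above turns on the RFC 3280 key usage bits (bit 0 = digitalSignature, bit 1 = nonRepudiation) and on whether a certificate is meant for committing to content or for authenticating. The following is an added example, not code from this thread or from any IETF document: it decodes a DER-encoded KeyUsage BIT STRING into the RFC 3280 bit names and classifies the certificate's intended use along the line Denis draws. The sample encodings are constructed, not taken from real certificates.

```python
# Added example: decode an X.509 KeyUsage BIT STRING (RFC 3280 bit
# numbering) and classify intended use as commitment vs authentication.
# Bit 1 was later renamed contentCommitment in RFC 5280.

# Bit names indexed by position; bit 0 is the most significant bit of the
# first content byte in the DER BIT STRING encoding.
KEY_USAGE_BITS = [
    "digitalSignature",   # bit 0
    "nonRepudiation",     # bit 1 (contentCommitment in RFC 5280)
    "keyEncipherment",    # bit 2
    "dataEncipherment",   # bit 3
    "keyAgreement",       # bit 4
    "keyCertSign",        # bit 5
    "cRLSign",            # bit 6
    "encipherOnly",       # bit 7
    "decipherOnly",       # bit 8
]


def decode_key_usage(der: bytes) -> set:
    """Decode a short-form DER BIT STRING (tag 0x03) into a set of bit names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length == 0 or len(der) != 2 + length:
        raise ValueError("unsupported or truncated length")
    unused = der[2]
    content = der[3:]
    # DER: at most 7 unused bits, and the unused bits must be zero.
    if unused > 7 or (content and content[-1] & ((1 << unused) - 1)):
        raise ValueError("invalid unused-bits encoding")
    total_bits = len(content) * 8 - unused
    names = set()
    for bit in range(min(total_bits, len(KEY_USAGE_BITS))):
        byte, offset = divmod(bit, 8)
        if content[byte] & (0x80 >> offset):
            names.add(KEY_USAGE_BITS[bit])
    return names


def intended_use(usage: set) -> str:
    """Commitment (bit 1) vs authentication (bit 0), per the distinction above."""
    commit = "nonRepudiation" in usage
    auth = "digitalSignature" in usage
    if commit and not auth:
        return "commitment-only"
    if auth and not commit:
        return "authentication-only"
    return "mixed" if auth else "neither"


# Constructed sample values (hypothetical, not from real certificates).
QC_SIGNING = bytes.fromhex("03020640")   # 6 unused bits, 0x40 -> bit 1 only
TLS_CLIENT = bytes.fromhex("030205a0")   # 5 unused bits, 0xa0 -> bits 0 and 2
```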