
draft meeting minutes




Please review and comment on these minutes from last week's PKIX meeting. I plan to submit them to the Secretariat by 11/24.


Steve
-------

PKIX WG Meeting 11/10/04

Edited by Steve Kent

Chairs: Stephen Kent <kent@xxxxxxx> & Tim Polk <tim.polk@xxxxxxxx>

The PKIX WG met once during the 61st IETF. A total of approximately 55 individuals participated in the meeting.


Document status - Tim Polk (NIST)
One new RFC: SHA-224. Three documents approved by IESG, now in RFC Editor's queue: public key algorithms, CMPbis, and Permanent identifier. Warranty extension awaiting AD followup. Five documents under Security AD review (includes awaiting corrections by authors): AC policies, Certificate path building, Certificate Store, PKIX repository, and CRMFbis. In WG last call: SCVP. Almost ready for WG last call: SIM, various LDAP documents, and Elliptic curve algorithms. See slides for additional details.



SCVP (version 16) - Trevor Freeman (Microsoft)
Lots of changes have been made from v15; many were editorial but also many substantive changes and some new features. Another rev of the document will be needed. We need to ensure that the ASN.1 is correct, once we agree on the functionality, and so we will compile it to verify. Presentation reviewed changes and new features (relative to v15). See slides for additional details.



3280bis - Tim Polk (NIST)
The co-chairs have selected a lead editor for RFC 3280bis and formed a design team to develop a -00 draft from an issues list compiled from PKIX mail messages and mail to the RFC 3280 editors. Draft -00 is expected late in 2004. See slides for additional details.



Using AIA in CRLs - Stefan Santesson (Microsoft)
A new PKIX document proposes extending use of the AIA certificate extension to CRLs, to facilitate locating the certificate for the signer of a CRL. This is a simple, new use of this existing (certificate) extension, with straightforward semantics. Examples were presented showing how this new capability accommodates CA rekey and indirect CRL situations. This solution is preferable to use of SIA, since SIA would work in only a subset of the cases presented, and because inserting AIA in CRLs is easier than inserting SIA in certificates, given the relative frequency of issuance of each. See slides for additional details.



CRL Processing Rules Issues - Santosh Chokhani (Orion)
This presentation provides a review of issues in CRL processing when different keys are used for signing certificates vs. the CRLs that revoke those certificates. This is allowed in X.509 and 3280 for various purposes, e.g., indirect CRLs, CA key rollover, etc. However, these standards do not address the details of how to ensure that the right public key is used to verify CRL signatures in these cases. Problems may also arise due to conflicts in CA names (assigned under different administrative entities). Finally, some problems may also arise when OCSP is used (in lieu of CRLs), and this presentation proposes means to address these problems as well. Russ notes that for this and for Stefan's presentation, a critical feature is that the SAME trust anchor must be used to verify the target certificates and the certificates for the corresponding CRL signers. See slides for additional details.
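The AIA-in-CRLs proposal and this CRL-processing discussion come down to the same relying-party rule: locate the CRL signer's certificate by issuer name and key identifier (fetching it via the CRL's AIA if it is not at hand), then require that certificate to chain to the same trust anchor as the target certificate. The following Python model is an added illustration, not part of the minutes or of any PKIX draft. Certificates and CRLs are plain records with no real signatures; only the path-building logic is modelled, and every name, key identifier, serial number and the example.invalid URL are constructed.

```python
"""Toy model of the CRL-signer checks (added illustration, not from the
minutes or any PKIX draft). No signatures are verified; the model covers:
  * matching the CRL signer by issuer name AND key identifier, so a CA that
    rolled its key (C1 -> C2) can sign CRLs with the new key;
  * following the CRL's AIA pointer when the signer's cert is not held;
  * requiring the signer's cert to chain to the SAME trust anchor as the
    target, which defeats a CRL from an unrelated domain whose CA happens
    to carry the same name.
All names, key ids, serials and URLs are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    subject_key_id: str               # identifies the key certified here
    authority_key_id: str             # key that signed this certificate
    serial: int = 0
    crl_sign: bool = False            # keyUsage cRLSign asserted
    crl_issuer: Optional[str] = None  # cRLIssuer from a CRL DP (indirect CRL)


@dataclass(frozen=True)
class CRL:
    issuer: str
    authority_key_id: str
    revoked: frozenset                # revoked serial numbers
    aia: Optional[str] = None         # caIssuers URL for the signer's cert


def chain_to_anchor(cert, pool, anchors):
    """Follow issuer-name + key-id links upward; return the trust anchor
    reached, or None if no path can be built."""
    cur, seen = cert, set()
    while cur not in anchors:
        if cur.authority_key_id in seen:
            return None                   # loop (e.g. a stray self-signed cert)
        seen.add(cur.authority_key_id)
        parents = [c for c in list(pool) + list(anchors)
                   if c.subject == cur.issuer
                   and c.subject_key_id == cur.authority_key_id]
        if not parents:
            return None
        cur = parents[0]
    return cur


def find_crl_signer(crl, pool, repository):
    """Candidate signer certs: issuer name AND key id must match and cRLSign
    must be set. If none is held locally, follow the CRL's AIA (simulated
    by a dict lookup standing in for the HTTP fetch)."""
    candidates = list(pool)
    if crl.aia in repository:
        candidates.append(repository[crl.aia])
    return [c for c in candidates
            if c.subject == crl.issuer
            and c.subject_key_id == crl.authority_key_id
            and c.crl_sign]


def name_only_match(target, crl):
    """What a naive checker does: accept a CRL on issuer name alone."""
    return crl.issuer == (target.crl_issuer or target.issuer)


def crl_acceptable_for(target, crl, pool, anchors, repository):
    """The CRL must come from the target's issuer (or designated cRLIssuer),
    and the signer's cert must validate to the SAME trust anchor as the target."""
    if not name_only_match(target, crl):
        return False
    target_anchor = chain_to_anchor(target, pool, anchors)
    if target_anchor is None:
        return False
    return any(chain_to_anchor(s, pool, anchors) == target_anchor
               for s in find_crl_signer(crl, pool, repository))


def revocation_status(target, crls, pool, anchors, repository):
    usable = [c for c in crls if crl_acceptable_for(target, c, pool, anchors, repository)]
    if not usable:
        return "undetermined"
    return "revoked" if any(target.serial in c.revoked for c in usable) else "good"


# --- constructed scenario ---------------------------------------------------
ROOT_A = Cert("CN=Root A", "CN=Root A", "A0", "A0")
ROOT_B = Cert("CN=Root B", "CN=Root B", "B0", "B0")
ANCHORS = frozenset({ROOT_A, ROOT_B})

# Example CA under Root A rolled its key from C1 to C2; alice's cert was
# issued under C1 but the current CRL is signed with C2.
CA_OLD = Cert("CN=Example CA", "CN=Root A", "C1", "A0", serial=10, crl_sign=True)
CA_NEW = Cert("CN=Example CA", "CN=Root A", "C2", "A0", serial=11, crl_sign=True)
EE = Cert("CN=alice", "CN=Example CA", "E1", "C1", serial=4711)
CRL_NEW_KEY = CRL("CN=Example CA", "C2", frozenset({4700}),
                  aia="http://example.invalid/example-ca-c2.cer")

# Unrelated domain under Root B whose CA carries the same name as Example CA.
CA_COLLIDING = Cert("CN=Example CA", "CN=Root B", "X9", "B0", serial=1, crl_sign=True)
CRL_COLLIDING = CRL("CN=Example CA", "X9", frozenset({4711}))   # lists alice's serial

# Indirect CRL: bob's cert names a separate CRL issuer under Root A.
CRL_SIGNER = Cert("CN=CRL Service", "CN=Root A", "S1", "A0", serial=12, crl_sign=True)
EE_INDIRECT = Cert("CN=bob", "CN=Example CA", "E2", "C1", serial=4712,
                   crl_issuer="CN=CRL Service")
CRL_INDIRECT = CRL("CN=CRL Service", "S1", frozenset({4712}))

POOL = [CA_OLD, CA_COLLIDING, CRL_SIGNER]      # relying party does not hold CA_NEW
REPOSITORY = {CRL_NEW_KEY.aia: CA_NEW}         # what the AIA URL would return

if __name__ == "__main__":
    print("alice:", revocation_status(EE, [CRL_NEW_KEY, CRL_COLLIDING], POOL, ANCHORS, REPOSITORY))
    print("bob:", revocation_status(EE_INDIRECT, [CRL_INDIRECT], POOL, ANCHORS, REPOSITORY))
    print("name-only check accepts colliding CRL:", name_only_match(EE, CRL_COLLIDING))
```

Run as written, alice is reported good because only the CRL signed with the rolled key (found via the AIA pointer) is accepted, while the same-named CA under Root B is rejected even though a name-only comparison would have accepted its CRL and marked alice revoked; bob is reported revoked via the indirect CRL whose signer chains to Root A. With an empty repository the rolled-key CRL cannot be tied to a signer certificate and alice's status becomes undetermined, which is the CA-rekey case the AIA proposal addresses.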



LDAP Schemas - David Chadwick (Univ. of Salford)
PKIX has a suite of LDAP-PKIX drafts forming a comprehensive solution for LDAP-based PKI information distribution. No significant change since the last meeting, just minor updates. So the versions posted last week should now be ready for last call, which will be issued by mid-November. The goal is to issue these as Informational RFCs. In parallel, we will pass these I-Ds to the LDAP folks for review. See slides for additional details.



LDAP PKIX Schema Issues - Kurt Zeilenga (LDAP WG co-chair)
This presentation discussed remaining issues associated with PKI LDAP schemas. See slides for additional details.



Lightweight OCSP - Ryan Hurst (Microsoft)
This presentation discusses a new document (not a PKIX work item) that describes how to use OCSP in "response pre-production" environments. The document also includes a profile for OCSP clients and servers, and proposes some new extensions to improve functionality. Initial intent was to make this an informational RFC, but they are reconsidering its status, perhaps shooting for a standards track document as an individual submission. See slides for additional details.



Algorithm IDs for ECC in PKIX - Tim Polk presented for Daniel Brown (Certicom)
There have been changes since the previous version, for better alignment with NIST algorithm publications. The document also provides information for other EC curves, not just the NIST ones. Suggestion from Russ is to edit this document to address only NIST-approved curves, and use a separate document for other curves and for MQV (e.g., vs. EC-DSA and EC-RSA). An issue arose as to whether we need a means of restricting use of a key to a SET of EC algorithms, vs. an individual (EC) algorithm. Russ advises that this is NOT a good idea, given experience with RSA keys. See slides for additional details.



User Interface Requirements for PKIX - Baehyo Park (KISA)
This presentation describes a personal draft, not a PKIX work item. The presentation is a follow-up to a presentation on draft -00 at IETF-60. The speaker used his laptop to demonstrate the GUI he proposes, through a scripted scenario.