Security section of draft-ietf-pkix-opp-ftp-http
Russ' "how to get certs and CRLs over FTP and HTTP" draft seems fine, but
the Security section is incomplete. Specifically, it doesn't mention the
hidden security problems that HTTP proxy caches can introduce. I propose
that the following be added to the Security section:

The HTTP 1.1 protocol specifically allows HTTP proxies to cache responses
for repeated requests for URLs. Although RFC 2068 carefully specifies how
HTTP proxies should work, there are many non-conformant proxies in use on
the Internet. A non-conformant HTTP proxy can have serious security
implications for requesting CRLs. If a new CRL is issued before the
nextUpdate time in a CRL, but an HTTP proxy incorrectly gives the requestor
an older CRL, the requestor will get wrong revocation information and will
have no way of knowing that the information is out of date. CRL
distributors following this specification have no way of forcing the latest
CRL through to a requestor.

--Paul Hoffman, Director
--Internet Mail Consortium
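
The failure described in the message above, as an added example that is not part of the original post: a simulated non-conformant proxy replays an old CRL that still passes the thisUpdate/nextUpdate window check, so a revoked serial is reported as good. The `Crl`, `StaleProxy` and `RelyingParty` names, the URL, the dates and the serial number are constructed for illustration, and the "newest thisUpdate seen" check is an assumed client-side mitigation that only helps a requestor who has already seen the newer CRL.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Crl:                          # constructed stand-in for a parsed CRL
    this_update: datetime
    next_update: datetime
    revoked: frozenset

class StaleProxy:
    """Non-conformant cache: keeps the first response per URL and replays it."""
    def __init__(self, origin):
        self.origin, self.cache = origin, {}
    def get(self, url):
        return self.cache.setdefault(url, self.origin[url])

class RelyingParty:
    def __init__(self):
        self.newest_seen = {}       # url -> newest thisUpdate accepted so far
    def check(self, url, crl, now, serial):
        # Standard window test: a stale CRL still passes until its nextUpdate.
        if not (crl.this_update <= now < crl.next_update):
            return "reject: CRL outside validity window"
        # Assumed mitigation: refuse a CRL older than one already accepted.
        seen = self.newest_seen.get(url)
        if seen and crl.this_update < seen:
            return "reject: CRL older than one already seen"
        self.newest_seen[url] = crl.this_update
        return "revoked" if serial in crl.revoked else "good"

def demo():
    url = "http://ca.example/ca.crl"                 # constructed URL
    t0 = datetime(2000, 1, 1)                        # constructed dates
    old = Crl(t0, t0 + timedelta(days=7), frozenset())
    new = Crl(t0 + timedelta(days=1), t0 + timedelta(days=8),
              frozenset({0x1234}))                   # issued before old.next_update
    origin = {url: old}
    proxy = StaleProxy(origin)
    proxy.get(url)                                   # proxy caches the old CRL
    origin[url] = new                                # CA publishes the new CRL early
    now = t0 + timedelta(days=2)
    behind_proxy, direct = RelyingParty(), RelyingParty()
    via_proxy = behind_proxy.check(url, proxy.get(url), now, 0x1234)
    fresh = direct.check(url, origin[url], now, 0x1234)
    rollback = direct.check(url, proxy.get(url), now, 0x1234)
    return via_proxy, fresh, rollback

if __name__ == "__main__":
    print(demo())
```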