Comments on draft-ietf-pkix-scvp-19.txt IETF Meeting Paris - August 2005 Denis Pinkas

Slides:

Advertisements

Similar presentations

Design by Contract.

Advertisements

1 Authorization XACML – a language for expressing policies and rules.

1 Behcet Sarikaya Frank Xia July 2010 Flexible DHCPv6 Prefix Delegation in Mobile Networks IETF 78

Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.

Introduction to XLink Transparency No. 1 XML Information Set W3C Recommendation 24 October 2001 (1stEdition) 4 February 2004 (2ndEdition) Cheng-Chia Chen.

4/16/2007Declare a Schema File I1. 4/16/2007Declare a Schema File I2 Declare a Schema File A collection of semantic validation rules designed to constrain.

High Performance Faceted Interfaces Using S2S Eric Rozell, Tetherless World Constellation.

Trusted Archive Protocol (TAP) Carl Wallace

14 May 2002© TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.

Warranty Certificate Extension draft-ietf-pkix-warranty-extn th IETF Meeting November 2002.

Fundamentals of Python: From First Programs Through Data Structures

XACML Gyanasekaran Radhakrishnan. Raviteja Kadiyam.

Introduction to Object Identifiers (OIDs) France Telecom Orange Olivier Dubuisson 15 June 2009.

XP New Perspectives on XML Tutorial 3 1 DTD Tutorial – Carey ISBN

Validating DOCUMENTS with DTDs

Chapter 5 Java Script And Forms JavaScript, Third Edition.

Using SCVP to Convey Evidence Records Carl Wallace Orion Security Solutions.

August Chapter 2 - Markup and Core Concepts Learning XML by Erik T. Ray Slides were developed by Jack Davis College of Information Science and Technology.

Introduction to JavaServer Pages (JSP) Slides from Dr. Mark Llewellyn.

XP 1 DECLARING A DTD A DTD can be used to: –Ensure all required elements are present in the document –Prevent undefined elements from being used –Enforce.

Processing of structured documents Spring 2002, Part 2 Helena Ahonen-Myka.

1 Tutorial 13 Validating Documents with DTDs Working with Document Type Definitions.

Introducing CoMI Aligned with RestCONF (draft-ietf-netconf-restconf-04) Common data modeling language (YANG defined in RFC 6020) Protocol (CoAP instead.

Chapter 8 Cookies And Security JavaScript, Third Edition.

Processing of structured documents Spring 2003, Part 7 Helena Ahonen-Myka.

Ad Hoc Constraints Objectives of the Lecture : To consider Ad Hoc Constraints in principle; To consider Ad Hoc Constraints in SQL; To consider other aspects.

Session Peering Protocol over SOAP I-D ( draft-ietf-drinks-spp-over-soap-01) draft-ietf-drinks-spp-over-soap-01 0 Presenter: Vikas Bhatia (On behalf of.

XML 2nd EDITION Tutorial 4 Working With Schemas. XP Schemas A schema is an XML document that defines the content and structure of one or more XML documents.

1 Tutorial 14 Validating Documents with Schemas Exploring the XML Schema Vocabulary.

© 2003 The MITRE Corporation. All rights reserved For Internal MITRE Use Addressing ISO-RTO e-MARC Concerns: Clarifications and Ramifications Response.

JavaScript Scripting language What is Scripting ? A scripting language, script language, or extension language is a programming language.

Draft-ietf-dime-ikev2-psk-diameter-0draft-ietf-dime-ikev2-psk-diameter-08 draft-ietf-dime-ikev2-psk-diameter-09 in progress Diameter IKEv2 PSK: Pre-Shared.

IBM TSpaces Lab 2 Customizing tuples and fields. Summary Blocking commands Tuple Expiration Extending Tuples (The SubclassableTuple) Reading/writing user.

Agenda - CALSCH working group Agenda bashing Guide to Internet Calendaring draft update –inclusion of Timezone data, most recent changes –additional examples.

Abierman-netconf-mar07 1 NETCONF WG 68 th IETF Prague, CZ March 19, 2007.

SonOf3039 Status Russ Housley Security Area Director.

Magnus Westerlund 1 The RTSP Core specification draft-ietf-mmusic-rfc2326bis-06.txt Magnus Westerlund Aravind Narasimhan Rob Lanphier Anup Rao Henning.

Slide 1 July 2006, Montreal, QuebecIETF DNSEXT 2929bis Donald E. Eastlake 3 rd

Session Traversal Utilities for NAT (STUN) IETF-92 Dallas, March 26, 2015 draft-ietf-tram-stunbis Marc Petit-Huguenin, Gonzalo Salgueiro.

Draft-ietf-sidr-roa-format draft-ietf-sidr-arch Matt Lepinski BBN Technologies.

Engin Gündüz, Shane Kerr. IETF 61, November 2004, Washington DC. 1 IRIS AREG Draft draft-ietf-crisp-iris-areg versions 07 & 08.

Comments on draft-ietf-pkix-rfc3280bis-01.txt IETF PKIX Meeting Paris - August 2005 Denis Pinkas

Keyprov PSKC spec Philip Hoyer 71-st IETF, Philadelphia.

Slide 1 August 2005, Paris, FranceIETF DNSEXT 2929bis etc. Donald E. Eastlake 3 rd

Unit-6 Handling Sessions and Cookies. Concept of Session Session values are store in server side not in user’s machine. A session is available as long.

Keyprov PSKC spec Philip Hoyer 71-st IETF, Philadelphia.

Draft-ietf-p2psip-base-08 Cullen Jennings Bruce Lowekamp Eric Rescorla Salman Baset Henning Schulzrinne March 25, 2010.

An Introduction to Programming with C++ Sixth Edition Chapter 5 The Selection Structure.

SCVP-28 Tim Polk November 8, Current Status Draft -27 was submitted in June ‘06 –AD requested a revised ID 8/11 –No related discussion on list –Editors.

Winter 2016CISC101 - Prof. McLeod1 CISC101 Reminders Quiz 3 next week. See next slide. Both versions of assignment 3 are posted. Due today.

1 XSL Transformations (XSLT). 2 XSLT XSLT is a language for transforming XML documents into XHTML documents or to other XML documents. XSLT uses XPath.

World of Wokcraft The very best in Single pan cooking themed fantasy gaming!

FG Group -Afrilia BP -Liana F.B.I -Maulidatun Nisa -Riza Amini F.

CDNI URI Signing (draft-leung-cdni-uri-signing-01) CDNI Working Group IETF 85 Atlanta, Georgia November 8, 2012 Kent Leung

SCVP 18 Tim Polk. Mea Culpa ● Draft -19 omits some promised changes from the March IETF meeting – Document management problems compounded by ID submission.

Unit 4 Representing Web Data: XML

Third Party Transfers & Attribute URI ideas

Denis Pinkas. Bull SA. Cryptographic Maintenance Policy IETF LTANS meeting in Paris August, 1rst , 2005 Denis Pinkas. Bull SA.

ALTO Protocol draft-ietf-alto-protocol-14

Stefan Santesson Microsoft

The Selection Structure

Public Key Infrastructure Using X.509 (PKIX) Working Group

draft-ietf-geopriv-lbyr-requirements-02 status update

Service Layer Dynamic Authorization [SLDA]

Implementing Non-Static Features

New Perspectives on XML

AP Power Down Notification

Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006

Zero Touch Provisioning for NETCONF/RESTCONF Call Home draft-ietf-netconf-zerotouch-19 NETCONF WG IETF 100 (Singapore)

CPPA3 Overview.

Presentation transcript:

Comments on draft-ietf-pkix-scvp-19.txt IETF Meeting Paris - August 2005 Denis Pinkas

2 Some extracts SCVP allows a client to delegate certificate path construction and certificate path validation to a server. The path construction or validation (e.g. making sure that none of the certificates in the path are revoked) is performed according to a validation policy, which contains one or more trust anchors. A validation policy (as defined in RFC 3379 [RQMTS]) specifies the rules and parameters to be used by the SCVP server when validating a certificate. In SCVP, the validation policy to be used by the server can either be fully referenced in the request by the client (and thus no additional parameters are necessary) or it can be referenced in the request by the client with additional parameters. When the validation policy defines every parameter necessary, an SCVP request needs only to contain the certificate to be validated, the referenced validation policy, and any run-time parameters for the request.

3 Current syntax of Validation Policy ValidationPolicy ::= SEQUENCE { validationPolRef ValidationPolRef, validationAlg [0] ValidationAlg OPTIONAL, userPolicySet [1] SEQUENCE SIZE (1..MAX) OF OBJECT IDENTIFIER OPTIONAL, inhibitPolicyMapping [2] BOOLEAN OPTIONAL, requireExplicitPolicy [3] BOOLEAN OPTIONAL, inhibitAnyPolicy [4] BOOLEAN OPTIONAL, trustAnchors [5] TrustAnchors OPTIONAL, keyUsages [6] KeyUsages OPTIONAL, extendedKeyUsages [7] SEQUENCE OF KeyPurposeId OPTIONAL }

4 Current syntaxes of ValidationPolRef and ValidationAlg ValidationPolRef::= CHOICE { valPolRefByOID OBJECT IDENTIFIER, valPolRefByURI IA5String} ValidationAlg ::= SEQUENCE { valAlgId OBJECT IDENTIFIER, parameters ANY DEFINED BY valAlgId OPTIONAL }

5 Current text The validationPolRef item is required, but the remaining items are optional. The optional items are used to provide validation policy parameters. When the client uses the validation policy's default values for all parameters, all of the optional items are absent. The validationAlg item specifies the validation algorithm. […] The default validation policy MUST use the basic validation algorithm as its default validation algorithm. When using the default validation policy, the client can override any of the default parameter values by supplying a specific value in the request. only a limited set of optional parameters The concept of default validation policy is incorrect. It may use any “algorithm”, and in the response it MUST be known which “real” policy has been used.

6 Issues with the current syntax The current syntax does not allow to specific individual parameters for each trust anchor, like: userPolicySet inhibitPolicyMapping, requireExplicitPolicy, inhibitAnyPolicy keyUsages, KeyUsages and extendedKeyUsages. Also, if an additional parameter needs to be added policy (e.g. a QCStatement test), it currently needs to be added as : –a parameter of the “validation algorithm”, instead of –a parameter of the “validation policy”.

7 Example with current syntax A validation policy is supporting several trust anchors, each one with its own certificate policy, path length and naming constrains, but the client may request to have a QCstatement equal to a specific value. There would be the need to have two OIDs: –one for the validation policy, and another –one for the validation algorithm, while the specific parameter to support the QCstatement would be a parameter of the validation algorithm (instead of a parameter from a validation policy) : ValidationPolicy ::= SEQUENCE { validationPolRef ValidationPolRef, validationAlg [0] ValidationAlg OPTIONAL, }

8 The syntax should be simplified and changed into : ValidationPolicy ::= SEQUENCE { valPolId OBJECT IDENTIFIER, parameters ANY DEFINED BY valPolId OPTIONAL } Then a specific validation policy, based on the algorithm described in RFC 3280, should defined «id-svp-basicValPol», with its own parameters : userPolicySet [1] SEQUENCE SIZE (1..MAX) OF OBJECT IDENTIFIER OPTIONAL, inhibitPolicyMapping [2] BOOLEAN OPTIONAL, requireExplicitPolicy [3] BOOLEAN OPTIONAL, inhibitAnyPolicy [4] BOOLEAN OPTIONAL, trustAnchors [5] TrustAnchors OPTIONAL, keyUsages [6] KeyUsages OPTIONAL, extendedKeyUsages [7] SEQUENCE OF KeyPurposeId OPTIONAL } Section 6.1 from 3280bis specifies a single trustAnchor.

9 Advantages The request and mandatory-to-implement clients parameters becomes much simpler. For thin clients, there is no need to support (i.e. to incorporate in the client code) parameters like : userPolicySet inhibitPolicyMapping, requireExplicitPolicy, inhibitAnyPolicy keyUsages, KeyUsages and extendedKeyUsages.

10 Default validation policy When a default parameter is being used, usually it is left empty by the client. Why would this draft make an exception ? –validationPolicy in Query should be optional. Then, when the default validation policy is being invoked by the client, the server MUST return the real OID of the validation policy (which MAY only have fixed parameters),... but the current text is silent about this.

11 policyID from CVResponse « The policy ID representing the version of the default validation policy that was used by the SCVP server when it processed the request ». –A validation policy is fully defined by an OID. An OID has no version. –Please suppress.

12 validationPolicyAttr RespValidationPolicy ::= SEQUENCE { validationPolicy ValidationPolicy, validationPolicyAttr SEQUENCE SIZE (1..MAX) OF Attribute OPTIONAL } validationPolicyAttr exists in a response, but not in a request ?!?

13 In addition... The use of valPolRefByURI does not appear to be adequate. The IESG has refused in the past to accept the use of URIs for long term and stable references. (RFC Permanent Identifier)