
RE: XKMS - AuthorityInfoAccess (AIA) extension

From: Deacon, Alex <alex@verisign.com>
Date: Wed, 9 Jul 2003 13:14:39 -0700
Message-ID: <FBDFBCB7591BD611AB4A00D0B79E60B005B1C945@vhqpostal2.verisign.com>
To: "'Shivaram Mysore'" <Shivaram.Mysore@Sun.COM>
Cc: www-xkms@w3.org

Shivaram,

Other priorities have prevented me from updating this ID, but it is still on
my list of things to do.  I'll be on holiday until mid August, but I'll make
sure I work on it when I return.

Regards,
Alex

> -----Original Message-----
> From: Shivaram Mysore [mailto:Shivaram.Mysore@Sun.COM]
> Sent: Wednesday, July 09, 2003 12:00 PM
> To: Deacon, Alex
> Cc: www-xkms@w3.org
> Subject: Re: XKMS - AuthorityInfoAccess (AIA) extension
> 
> 
> Alex,
> 
> Could you please update the status on this at the earliest.
> 
> Thanks
> 
> /Shivaram
> 
> Stephen Farrell wrote:
> > 
> > Alex,
> > 
> > Sounds like a reasonable idea, (esp if you're willing to take the
> > PKIX flak that'll accumulate:-).
> > 
> > Just a couple of initial comments, which could wait until a later
> > version if you prefer:
> > 
> > - It's not enough to say that the CA includes the location of an
> > xkms service - I think you have to say what the CA is asserting 
> > that the service will do for the PKIX relying party (given that
> > you're operating in PKIX mode!). E.g. you might state that a
> > validate request presented with (parts of?) the certificate will
> > reflect the revocation status in the same way as would an OCSP
> > request. You might want to explicitly state that there're no
> > guarantees about locates (or the opposite! maybe you want to 
> > say that the CA is committing to answer for its entire DB at
> > that location - both being reasonable). And finally, there's 
> > a whole new rathole to avoid about whether xkms registers etc.
> > can be sent to that location. Stuff along those lines will 
> > be needed anyway, I'd say.
> > 
> > - Security considerations really will have to address the relationship
> > (or lack thereof) between the CA root key and the xkms responder key.
> > Otherwise DNS poisoning attacks could result in trouble happening
> > much more easily than otherwise.
> > 
> > - The reference to XKMS doesn't look right to me. Maybe you
> > should check how e.g. the xmlsig rec is referenced from the
> > equivalent RFC (I didn't check).
> > 
> > Cheers,
> > Stephen.
> > 
> > "Deacon, Alex" wrote:
> > 
> >>All,
> >>
> >>Attached is the 'one page' internet-draft for the XKMS AIA using an OID
> >>assigned from the PKIX ARC.
> >>
> >>I plan to post this to the PKIX list next week, so please send any comments
> >>and/or feedback you may have by then.
> >>
> >>Regards,
> >>
> >>Alex
> >>
> >>
> >>>-----Original Message-----
> >>>From: Hallam-Baker, Phillip [mailto:pbaker@verisign.com]
> >>>Sent: Thursday, April 24, 2003 12:47 PM
> >>>To: dan ash; Hallam-Baker, Phillip; 'Anders Rundgren'; Hallam-Baker, Phillip
> >>>Cc: www-xkms@w3.org
> >>>Subject: RE: XKMS - AuthorityInfoAccess (AIA) extension
> >>>
> >>>
> >>>
> >>>Sorry, thought I had done reply to all.
> >>>
> >>>Alex Deacon is writing a 'one page' RFC to request an OID point in the
> >>>IETF PKIX arc. If we don't get that OID point we can create it in
> >>>another arc.
> >>>
> >>>I spoke to Russ Housley about this (the keeper of the IETF OID arc for
> >>>PKIX) and he is OK with it.
> >>>
> >>>              Phill
> >>>
> >>>
> >>>>-----Original Message-----
> >>>>From: dan ash [mailto:dash@68summit.com]
> >>>>Sent: Thursday, April 24, 2003 2:34 PM
> >>>>To: Hallam-Baker, Phillip; 'Anders Rundgren'; Hallam-Baker, Phillip
> >>>>Cc: www-xkms@w3.org
> >>>>Subject: RE: XKMS - AuthorityInfoAccess (AIA) extension
> >>>>
> >>>>
> >>>>I remember speaking about this at a face-to-face last summer.  Nothing
> >>>>was actually decided, however, we had discussed using Keyinfo from
> >>>>XMLSIG... rather than specifying that such info should be embedded in a
> >>>>certificate.  This still seems to me the best approach.
> >>>>
> >>>>daniel ash
> >>>>
> >>>>
> >>>>On Thu, 24 Apr 2003 10:43:31 -0700, "Hallam-Baker, Phillip"
> >>>><pbaker@verisign.com> said:
> >>>>
> >>>>>I spoke to Russ Housley about this at RSA.
> >>>>>
> >>>>>Basically what is going to happen is Alex Deacon will write a one page
> >>>>>RFC specifying the OID meaning and Russ will assign the OID.
> >>>>>
> >>>>>  Phill
> >>>>>
> >>>>>
> >>>>>>-----Original Message-----
> >>>>>>From: Anders Rundgren [mailto:anders.rundgren@telia.com]
> >>>>>>Sent: Thursday, April 24, 2003 2:09 PM
> >>>>>>To: Hallam-Baker, Phillip
> >>>>>>Cc: www-xkms@w3.org
> >>>>>>Subject: XKMS - AuthorityInfoAccess (AIA) extension
> >>>>>>
> >>>>>>
> >>>>>>There seems to be no defined XKMS - AuthorityInfoAccess (AIA) extension [RFC3280]
> >>>>>>
> >>>>>>Does this mean that AIA is considered as less useful?
> >>>>>>
> >>>>>>PKIX's HTTP CertStore which is sort of a subset of XKMS defines
> >>>>>>such an extension.
> >>>>>>
> >>>>>>regards
> >>>>>>Anders Rundgren
> >>>>>>
> >>>>>
> >>>>>
> >>>>--
> >>>>  dan ash
> >>>>  danielash@fastmail.fm
> >>>>
> >>>
> >>  ------------------------------------------------------------------------
> >>                          Name: draft-ietf-pkix-xkms-aia-00.txt
> >>   draft-ietf-pkix-xkms-aia-00.txt    Type: Plain Text (text/plain)
> >>                                  Encoding: quoted-printable
> > 
> > 
> 
> -- 
> _____________________________________________________________________
> Shivaram H. Mysore <shivaram.mysore@sun.com>
> 
> Software Engineer                   Co-Chair, W3C's XKMS WG
> Java Card Engineering               http://www.w3.org/2001/XKMS
> JavaSoft, Sun Microsystems Inc.
> 
> Direct: (408)276-7524
> Fax:    (408)276-7674
> 
> http://java.sun.com/people/shivaram  (Internal: http://mysore.sfbay/)
> _____________________________________________________________________
> 
Received on Wednesday, 9 July 2003 16:14:34 GMT
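The extension the thread is about (a CA placing the location of its XKMS service in the certificate's AuthorityInfoAccess extension, keyed by an accessMethod OID from the PKIX arc), as an added example that is not part of this thread, of the draft, or of any project's code: a stdlib-only Python encoder and decoder for the AIA extension value as defined in RFC 3280. Only id-ad-ocsp is a real OID; the XKMS accessMethod OID is a placeholder under an enterprise arc, because the thread says the real value was still to be assigned by the PKIX arc keeper. The hostnames and URIs are constructed for the demo.

```python
"""
DER encoder/decoder for the X.509 AuthorityInfoAccess extension value
(RFC 3280 section 4.2.2.1), standard library only.

  AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription
  AccessDescription ::= SEQUENCE { accessMethod OID, accessLocation GeneralName }

The accessLocation of an OCSP or XKMS service is the GeneralName choice
uniformResourceIdentifier, encoded as [6] IMPLICIT IA5String.
"""

ID_AD_OCSP = "1.3.6.1.5.5.7.48.1"  # real value, RFC 3280 id-ad-ocsp

# PLACEHOLDER (assumption): the thread says the XKMS accessMethod OID was still
# to be assigned from the PKIX arc. This enterprise-arc value is for this demo only.
ID_AD_XKMS_PLACEHOLDER = "1.3.6.1.4.1.99999.48.1"

TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_GENERALNAME_URI = 0x86  # context-specific [6], primitive


def _der_length(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_length(len(body)) + body


def _base128(n):
    """OID subidentifier: big-endian base-128 groups, continuation bit on all but the last."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return _tlv(TAG_OID, body)


def _decode_oid_body(body):
    arcs, value, pending = [], 0, False
    for octet in body:
        value = (value << 7) | (octet & 0x7F)
        pending = bool(octet & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending or not arcs:
        raise ValueError("malformed OID")
    first = arcs[0]
    a, b = (2, first - 80) if first >= 80 else divmod(first, 40)
    return ".".join(str(x) for x in [a, b] + arcs[1:])


def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, body, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV body runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def encode_aia(descriptions):
    """descriptions: list of (accessMethod dotted OID, URI). Returns the DER extnValue."""
    body = b"".join(
        _tlv(TAG_SEQUENCE, encode_oid(oid) + _tlv(TAG_GENERALNAME_URI, uri.encode("ascii")))
        for oid, uri in descriptions)
    return _tlv(TAG_SEQUENCE, body)


def decode_aia(der):
    """Return [(accessMethod OID, location)]; location is None for non-URI GeneralNames."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("AIA value is not a single SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        tag, desc, pos = _read_tlv(seq, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("AccessDescription is not a SEQUENCE")
        tag, oid_body, p = _read_tlv(desc, 0)
        if tag != TAG_OID:
            raise ValueError("accessMethod is not an OID")
        tag, loc, p = _read_tlv(desc, p)
        if p != len(desc):
            raise ValueError("trailing bytes in AccessDescription")
        location = loc.decode("ascii") if tag == TAG_GENERALNAME_URI else None
        out.append((_decode_oid_body(oid_body), location))
    return out


def xkms_locations(der, xkms_oid=ID_AD_XKMS_PLACEHOLDER):
    """URIs advertised under the XKMS accessMethod. These are pointers only: nothing
    in the extension binds the responder's signing key to the issuing CA, so the
    relying party must still verify XKMS responses against a key it independently trusts."""
    return [loc for oid, loc in decode_aia(der) if oid == xkms_oid and loc is not None]


if __name__ == "__main__":
    # Constructed sample values; the hostnames are not real services.
    der = encode_aia([(ID_AD_OCSP, "http://ocsp.example.com"),
                      (ID_AD_XKMS_PLACEHOLDER, "https://xkms.example.com/xkms")])
    print(der.hex())
    print(decode_aia(der))
    print(xkms_locations(der))
```

The bytes produced by encode_aia are the extnValue that would sit inside the certificate's AIA extension (OID 1.3.6.1.5.5.7.1.1); wrapping them into a full certificate is outside the scope of the thread. The point Stephen Farrell raises in the thread applies to the output of xkms_locations: a URI read out of a certificate is just a pointer chosen by the CA, and unless the draft states how the XKMS responder's key relates to the CA key, a relying party that follows the URI and trusts whatever signs the answer is only as safe as DNS and routing to that hostname.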
