Re: XKMS - AuthorityInfoAccess (AIA) extension

Alex,

Sounds like a reasonable idea (esp. if you're willing to take the
PKIX flak that'll accumulate :-).

Just a couple of initial comments, which could wait until a later
version if you prefer:

- It's not enough to say that the CA includes the location of an
xkms service - I think you have to say what the CA is asserting 
that the service will do for the PKIX relying party (given that
you're operating in PKIX mode!). E.g. you might state that a
validate request presented with (parts of?) the certificate will
reflect the revocation status in the same way as would an OCSP
request. You might want to explicitly state that there're no
guarantees about locates (or the opposite! maybe you want to 
say that the CA is committing to answer for its entire DB at
that location - both being reasonable). And finally, there's 
a whole new rathole to avoid about whether xkms registers etc.
can be sent to that location. Stuff along those lines will 
be needed anyway, I'd say.

- Security considerations really will have to address the relationship
(or lack thereof) between the CA root key and the xkms responder key.
Otherwise DNS poisoning attacks could result in trouble happening
much more easily than otherwise.

- The reference to XKMS doesn't look right to me. Maybe you
should check how e.g. the xmlsig rec is referenced from the
equivalent RFC (I didn't check).

Cheers,
Stephen.

"Deacon, Alex" wrote:
> 
> All,
> 
> Attached is the 'one page' internet-draft for the XKMS AIA using an OID
> assigned from the PKIX ARC.
> 
> I plan to post this to the PKIX list next week, so please send any comments
> and/or feedback you may have by then.
> 
> Regards,
> 
> Alex
> 
> > -----Original Message-----
> > From: Hallam-Baker, Phillip [mailto:pbaker@verisign.com]
> > Sent: Thursday, April 24, 2003 12:47 PM
> > To: dan ash; Hallam-Baker, Phillip; 'Anders Rundgren'; Hallam-Baker,
> > Phillip
> > Cc: www-xkms@w3.org
> > Subject: RE: XKMS - AuthorityInfoAccess (AIA) extension
> >
> >
> >
> > Sorry, thought I had done reply to all.
> >
> > Alex Deacon is writing a 'one page' RFC to request an OID
> > point in the IETF PKIX arc. If we don't get that OID point we can
> > create it in another arc.
> >
> > I spoke to Russ Housley about this (the keeper of the IETF
> > OID arc for PKIX) and he is OK with it.
> >
> >               Phill
> >
> > > -----Original Message-----
> > > From: dan ash [mailto:dash@68summit.com]
> > > Sent: Thursday, April 24, 2003 2:34 PM
> > > To: Hallam-Baker, Phillip; 'Anders Rundgren'; Hallam-Baker, Phillip
> > > Cc: www-xkms@w3.org
> > > Subject: RE: XKMS - AuthorityInfoAccess (AIA) extension
> > >
> > >
> > > I remember speaking about this at a face-to-face last
> > > summer.  Nothing was actually decided, however, we had discussed
> > > using KeyInfo from XMLSIG... rather than specifying that such info
> > > should be embedded in a certificate.  This still seems to me the
> > > best approach.
> > >
> > > daniel ash
> > >
> > >
> > > On Thu, 24 Apr 2003 10:43:31 -0700, "Hallam-Baker, Phillip"
> > > <pbaker@verisign.com> said:
> > > >
> > > > I spoke to Russ Housley about this at RSA.
> > > >
> > > > Basically what is going to happen is Alex Deacon will write
> > > > a one page RFC specifying the OID meaning and Russ will assign
> > > > the OID.
> > > >
> > > >   Phill
> > > >
> > > > > -----Original Message-----
> > > > > From: Anders Rundgren [mailto:anders.rundgren@telia.com]
> > > > > Sent: Thursday, April 24, 2003 2:09 PM
> > > > > To: Hallam-Baker, Phillip
> > > > > Cc: www-xkms@w3.org
> > > > > Subject: XKMS - AuthorityInfoAccess (AIA) extension
> > > > >
> > > > >
> > > > > There seems to be no defined XKMS
> > > > > AuthorityInfoAccess (AIA) extension [RFC3280].
> > > > >
> > > > > Does this mean that AIA is considered as less useful?
> > > > >
> > > > > PKIX's HTTP CertStore which is sort of a subset of XKMS defines
> > > > > such an extension.
> > > > >
> > > > > regards
> > > > > Anders Rundgren
> > > > >
> > > >
> > > >
> > > --
> > >   dan ash
> > >   danielash@fastmail.fm
> > >
> > > --
> > > http://www.fastmail.fm - Choose from over 50 domains or use your own
> > >
> >
> 
> [Attachment: draft-ietf-pkix-xkms-aia-00.txt, Type: Plain Text (text/plain), Encoding: quoted-printable]

-- 
____________________________________________________________
Stephen Farrell
Baltimore Technologies,   tel: (direct line) +353 1 881 6716
39 Parkgate Street,                     fax: +353 1 881 7000
Dublin 8.                mailto:stephen.farrell@baltimore.ie
Ireland                             http://www.baltimore.com

Received on Friday, 2 May 2003 09:11:35 UTC
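The draft under discussion places an XKMS service location in a certificate's AuthorityInfoAccess extension under a new accessMethod OID, and Stephen's first point is that a PKIX relying party must know what it may assume from such an entry. The following is an added example, not code from the thread or the draft: it DER-encodes and parses an AIA value (RFC 3280 syntax) holding a real id-ad-ocsp entry next to an XKMS entry, and shows the relying-party dispatch that acts only on accessMethods whose semantics are defined. The XKMS OID is a placeholder, since the thread does not state the value Russ assigned.

```python
# Added example (not from the thread): DER encode/decode of an X.509
# AuthorityInfoAccess value, plus relying-party dispatch on accessMethod.
OCSP_OID = "1.3.6.1.5.5.7.48.1"    # id-ad-ocsp, assigned in RFC 3280
XKMS_OID = "1.3.6.1.5.5.7.48.999"  # PLACEHOLDER: the XKMS id-ad OID is not on the page
def _tlv(tag, body):                      # DER TLV; long-form length when >= 128
    n = len(body)
    nb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(nb)]) + nb + body
def encode_oid(dotted):                   # X.690 base-128 arcs, high bit = more
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += chunk
    return _tlv(0x06, bytes(out))
def encode_aia(entries):
    # AccessDescription ::= SEQUENCE { accessMethod OID, accessLocation GeneralName };
    # uniformResourceIdentifier is GeneralName [6] IMPLICIT IA5String, i.e. tag 0x86
    descs = [_tlv(0x30, encode_oid(o) + _tlv(0x86, u.encode("ascii"))) for o, u in entries]
    return _tlv(0x30, b"".join(descs))
def _read_tlv(buf, pos):                  # returns (tag, body, position after TLV)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k, pos = n & 0x7F, pos + (n & 0x7F)
        n = int.from_bytes(buf[pos - k:pos], "big")
    return tag, buf[pos:pos + n], pos + n
def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))
def parse_aia(der):                       # -> [(accessMethod OID, URI or None)]
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AIA value must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        _, desc, pos = _read_tlv(seq, pos)
        _, oid, p = _read_tlv(desc, 0)
        ltag, loc, _ = _read_tlv(desc, p)   # only [6] URI names are decoded
        out.append((decode_oid(oid), loc.decode("ascii") if ltag == 0x86 else None))
    return out
def locations_for(der, access_method):
    # Relying-party dispatch: act only on accessMethods whose semantics are defined
    return [u for o, u in parse_aia(der) if o == access_method and u]
# Constructed sample value: one OCSP responder and one XKMS service location
SAMPLE_AIA = encode_aia([(OCSP_OID, "http://ocsp.ca.example"),
                         (XKMS_OID, "http://xkms.ca.example/validate")])
```

A relying party that does not recognise the XKMS accessMethod simply gets no location from `locations_for`, which is the behaviour a new id-ad OID relies on for older PKIX implementations.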