CA DN collisions?

Please find below the summary from the PKIX session at IETF70.  I
found the part about DN collisions most interesting in light of our
discussion on Thursday (in particular since it refers to "real-world
situations"), and would be curious what precisely is behind this.

Stephen, Phill, can one of you shed some light on this?

Thanks,
-- 
Thomas Roessler, W3C  <tlr@w3.org>

----- Forwarded message from Stephen Kent <kent@bbn.com> -----

From: Stephen Kent <kent@bbn.com>
To: saag@mit.edu, ietf-pkix@imc.org
Date: Wed, 5 Dec 2007 18:58:40 -0500
Subject: [saag] summary of PKIX session on 12.3.2007
Message: 1

PKIX WG Summary for IETF 70

Ongoing WG Activities

- SCVP was approved and is in AUTH 48 now.

- The CMC trio has been revised by Jim, and was approved by Tim on Wednesday.

- 3280bis is undergoing minor fixes in response to IETF last call with the intent that the fixes will 
be agreed to by the WG by the time the IETF last call is completed. The WG is now trying to finalize the 
requisite text.

- The EC algorithm info design team, led by Tim Polk, presented a new proposal, which requires an 
update to RFC 4055 and 3279, but is in keeping with the spirit of 4055. The proposal would make 
PKIX-compliant representation of ECC algorithm info a compatible subset of what ANSI X9.62 proposed. 
The WG has been asked to agree to this proposed way forward, which will require two new documents (one 
very small).

- PHB proposed an optional extension to OCSP to facilitate agility for both hash and signature 
algorithms, thus removing some ambiguity in the current specs. The WG will be asked to consider this as 
a new work item, once Phil has posted an I-D describing his proposal.

Other Actions

- PKIX will respond to two liaison statements from ITU-T. The first statement deals with removing the 
upper bound from X.520 attributes used in DNs.  The PKIX position is "just say no (to unbounded strings 
in DNs)." The second statement deals with the real-world situation of DN collisions in CA and EE Subject 
names in the global context. Here the PKIX position is that yes, this does happen and no, we are not 
going to try to fix the problem (e.g., by creating guidelines for CA name selection or by establishing 
a list of extant CA names).

- Paul Hoffman and Jim Schaad have developed an open source ASN.1 compiler for the 1998/2002 versions 
of ASN.1. PKIX needs to determine if it wants to update its specs to use the newer syntax.

- PKIX was briefed on a proposal for a model for trust anchor management, and a companion management 
protocol. The WG will decide if it wishes to pursue this as a work item. A straw poll was initiated on 
Wednesday.

- PRPQ was briefed again by Max, and will be considered by the WG as a possible Experimental RFC work 
item. A straw poll was initiated on Wednesday.

----- End forwarded message -----
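The liaison item above says that CA Subject DN collisions do happen and that PKIX will not try to prevent them, which leaves the burden on relying parties: a path builder that selects the issuer by name alone cannot tell two same-named CAs apart. The following is an added example, not code from the PKIX summary or from any of the people quoted in this thread. It uses only Go's standard library to build two self-signed CAs with an identical Subject DN (the names and organization are constructed for the example), issues a leaf from one of them, and contrasts candidate-issuer selection by name with selection by Authority Key Identifier; it then shows that Go's own verifier, which matches on key identifier and checks the signature, still validates the leaf when both same-named roots are trusted.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCA builds a self-signed CA certificate. Calling it twice with the same
// common name yields two distinct CAs that collide on Subject DN only; Go
// fills in a SubjectKeyId derived from each CA's (different) public key.
func makeCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"Example Org"}}, // constructed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf issues an end-entity certificate from the given CA. Go copies the
// CA's SubjectKeyId into the leaf's AuthorityKeyId.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "ee.example.test"}, // constructed name
		DNSNames:     []string{"ee.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// candidatesByName counts CAs whose Subject DN equals the leaf's Issuer DN:
// the naive, name-only issuer lookup that DN collisions defeat.
func candidatesByName(leaf *x509.Certificate, cas []*x509.Certificate) int {
	n := 0
	for _, ca := range cas {
		if bytes.Equal(leaf.RawIssuer, ca.RawSubject) {
			n++
		}
	}
	return n
}

// candidatesByKeyID counts CAs whose SubjectKeyId matches the leaf's
// AuthorityKeyId, which disambiguates same-named CAs with different keys.
func candidatesByKeyID(leaf *x509.Certificate, cas []*x509.Certificate) int {
	n := 0
	for _, ca := range cas {
		if bytes.Equal(leaf.AuthorityKeyId, ca.SubjectKeyId) {
			n++
		}
	}
	return n
}

// Demo returns (name-only candidates, key-id candidates, verification error)
// for a leaf issued by one of two CAs that share a Subject DN.
func Demo() (int, int, error) {
	ca1, key1, err := makeCA("Example Root CA")
	if err != nil {
		return 0, 0, err
	}
	ca2, _, err := makeCA("Example Root CA") // same DN, different key
	if err != nil {
		return 0, 0, err
	}
	leaf, err := issueLeaf(ca1, key1)
	if err != nil {
		return 0, 0, err
	}
	cas := []*x509.Certificate{ca1, ca2}
	roots := x509.NewCertPool()
	roots.AddCert(ca1)
	roots.AddCert(ca2)
	_, verr := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "ee.example.test"})
	return candidatesByName(leaf, cas), candidatesByKeyID(leaf, cas), verr
}

func main() {
	byName, byKeyID, err := Demo()
	fmt.Printf("issuer candidates by DN: %d, by key identifier: %d, verify error: %v\n", byName, byKeyID, err)
}
```

The name-only lookup returns two candidates for one leaf, while the key-identifier lookup returns exactly one; a verifier that tries each name-matched candidate and checks the signature (as Go's does) also resolves the ambiguity, but a verifier or policy engine that keys trust decisions purely on the issuer DN would not.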

Received on Thursday, 6 December 2007 17:17:05 UTC