- From: Shivaram Mysore <Shivaram.Mysore@Sun.COM>
- Date: Wed, 09 Jul 2003 12:00:22 -0700
- To: "Deacon, Alex" <alex@verisign.com>
- Cc: www-xkms@w3.org
Alex,

Could you please update the status on this at the earliest?

Thanks
/Shivaram

Stephen Farrell wrote:
>
> Alex,
>
> Sounds like a reasonable idea, (esp if you're willing to take the
> PKIX flak that'll accumulate:-).
>
> Just a couple of initial comments, which could wait until a later
> version if you prefer:
>
> - It's not enough to say that the CA includes the location of an
> xkms service - I think you have to say what the CA is asserting
> that the service will do for the PKIX relying party (given that
> you're operating in PKIX mode!). E.g. you might state that a
> validate request presented with (parts of?) the certificate will
> reflect the revocation status in the same way as would an OCSP
> request. You might want to explicitly state that there're no
> guarantees about locates (or the opposite! maybe you want to
> say that the CA is committing to answer for its entire DB at
> that location - both being reasonable). And finally, there's
> a whole new rathole to avoid about whether xkms registers etc.
> can be sent to that location. Stuff along those lines will
> be needed anyway, I'd say.
>
> - Security considerations really will have to address the relationship
> (or lack thereof) between the CA root key and the xkms responder key.
> Otherwise DNS poisoning attacks could result in trouble happening
> much more easily than otherwise.
>
> - The reference to XKMS doesn't look right to me. Maybe you
> should check how e.g. the xmlsig rec is referenced from the
> equivalent RFC (I didn't check).
>
> Cheers,
> Stephen.
>
> "Deacon, Alex" wrote:
>
>> All,
>>
>> Attached is the 'one page' internet-draft for the XKMS AIA using an OID
>> assigned from the PKIX ARC.
>>
>> I plan to post this to the PKIX list next week, so please send any comments
>> and/or feedback you may have by then.
>>
>> Regards,
>>
>> Alex
>>
>>> -----Original Message-----
>>> From: Hallam-Baker, Phillip [mailto:pbaker@verisign.com]
>>> Sent: Thursday, April 24, 2003 12:47 PM
>>> To: dan ash; Hallam-Baker, Phillip; 'Anders Rundgren'; Hallam-Baker, Phillip
>>> Cc: www-xkms@w3.org
>>> Subject: RE: XKMS - AuthorityInfoAccess (AIA) extension
>>>
>>> Sorry, thought I had done reply to all.
>>>
>>> Alex Deacon is writing a 'one page' RFC to request an OID point in the IETF
>>> PKIX arc. If we don't get that OID point we can create it in another arc.
>>>
>>> I spoke to Russ Housley about this (the keeper of the IETF OID arc for PKIX)
>>> and he is OK with it.
>>>
>>> Phill
>>>
>>>> -----Original Message-----
>>>> From: dan ash [mailto:dash@68summit.com]
>>>> Sent: Thursday, April 24, 2003 2:34 PM
>>>> To: Hallam-Baker, Phillip; 'Anders Rundgren'; Hallam-Baker, Phillip
>>>> Cc: www-xkms@w3.org
>>>> Subject: RE: XKMS - AuthorityInfoAccess (AIA) extension
>>>>
>>>> I remember speaking about this at a face-to-face last summer. Nothing
>>>> was actually decided, however, we had discussed using KeyInfo from
>>>> XMLSIG... rather than specifying that such info should be embedded in a
>>>> certificate. This still seems to me as the best approach.
>>>>
>>>> daniel ash
>>>>
>>>> On Thu, 24 Apr 2003 10:43:31 -0700, "Hallam-Baker, Phillip"
>>>> <pbaker@verisign.com> said:
>>>>
>>>>> I spoke to Russ Housley about this at RSA.
>>>>>
>>>>> Basically what is going to happen is Alex Deacon will write a one page
>>>>> RFC specifying the OID meaning and Russ will assign the OID.
>>>>>
>>>>> Phill
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Anders Rundgren [mailto:anders.rundgren@telia.com]
>>>>>> Sent: Thursday, April 24, 2003 2:09 PM
>>>>>> To: Hallam-Baker, Phillip
>>>>>> Cc: www-xkms@w3.org
>>>>>> Subject: XKMS - AuthorityInfoAccess (AIA) extension
>>>>>>
>>>>>> There seems to be no defined XKMS -
>>>>>> AuthorityInfoAccess (AIA) extension [RFC3280]
>>>>>>
>>>>>> Does this mean that AIA is considered as less useful?
>>>>>>
>>>>>> PKIX's HTTP CertStore which is sort of a subset of XKMS defines
>>>>>> such an extension.
>>>>>>
>>>>>> regards
>>>>>> Anders Rundgren
>>>>>>
>>>> --
>>>> dan ash
>>>> danielash@fastmail.fm
>>
>> ----------------------------------------------------------------------------------------------------
>> Name: draft-ietf-pkix-xkms-aia-00.txt
>> Type: Plain Text (text/plain)
>> Encoding: quoted-printable

--
_____________________________________________________________________
Shivaram H. Mysore <shivaram.mysore@sun.com>
Software Engineer, Java Card Engineering, JavaSoft, Sun Microsystems Inc.
Co-Chair, W3C's XKMS WG  http://www.w3.org/2001/XKMS
Direct: (408)276-7524  Fax: (408)276-7674
http://java.sun.com/people/shivaram (Internal: http://mysore.sfbay/)
_____________________________________________________________________
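Stephen's second comment, that the relying party needs a stated binding between the CA key and the XKMS responder key, can be shown as a relying-party check. The following is an added example, not code from the thread or from the draft, and it assumes the `cryptography` package: it builds a constructed test PKI with an end-entity certificate whose AIA extension carries a hypothetical XKMS access-method OID (the draft's real OID is not on this page), a responder certificate issued by the CA, and a self-signed look-alike responder with the same host name; a signed validate answer is accepted only when the responder key chains to the issuing CA, so a wrong DNS answer for the AIA host yields a rejected reply rather than a trusted one.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtensionOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

# Hypothetical access-method OID standing in for the XKMS AIA OID the draft requests.
XKMS_AD = x509.ObjectIdentifier("1.3.6.1.4.1.99999.1")
XKMS_URL = "https://xkms.example.test/validate"  # constructed sample location
SIG = ec.ECDSA(hashes.SHA256())
def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(cn, key, issuer_cn, issuer_key, exts=()):
    """Issue a minimal certificate for cn, signed by issuer_key (constructed test PKI)."""
    start = datetime.datetime(2003, 7, 9)
    b = (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(issuer_cn))
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=365)))
    for ext in exts:
        b = b.add_extension(ext, critical=False)
    return b.sign(issuer_key, hashes.SHA256())

# Constructed test PKI: a CA, an end-entity cert pointing at the XKMS service via AIA,
# a CA-issued responder, and a self-signed responder with the same host name.
ca_key, ee_key, resp_key, rogue_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
CA = make_cert("Example CA", ca_key, "Example CA", ca_key)
AIA = x509.AuthorityInformationAccess(
    [x509.AccessDescription(XKMS_AD, x509.UniformResourceIdentifier(XKMS_URL))])
EE = make_cert("alice", ee_key, "Example CA", ca_key, [AIA])
RESPONDER = make_cert("xkms.example.test", resp_key, "Example CA", ca_key)
ROGUE = make_cert("xkms.example.test", rogue_key, "xkms.example.test", rogue_key)

def xkms_locations(cert):
    """Pull the XKMS service URLs out of the certificate's AIA extension."""
    aia = cert.extensions.get_extension_for_oid(ExtensionOID.AUTHORITY_INFORMATION_ACCESS).value
    return [ad.access_location.value for ad in aia if ad.access_method == XKMS_AD]
def sign_answer(key, answer: bytes) -> bytes:
    return key.sign(answer, SIG)

def accept_answer(ca_cert, responder_cert, answer: bytes, sig: bytes) -> bool:
    """Accept only if the responder key is bound to the CA and the answer is signed with it."""
    try:
        if responder_cert.issuer != ca_cert.subject:
            return False
        ca_cert.public_key().verify(responder_cert.signature, responder_cert.tbs_certificate_bytes, SIG)
        responder_cert.public_key().verify(sig, answer, SIG)
        return True
    except Exception:  # InvalidSignature from either verify step
        return False
```

The same binding rule applies to any AIA-advertised service: the URL tells the client where to go, and only the CA-signed responder certificate tells it whom to believe.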
Received on Wednesday, 9 July 2003 15:00:29 UTC