Re: [IPsec] CRL checking when selecting a certifcate

To: "ipsec at ietf.org WG" <ipsec at ietf.org>
Subject: Re: [IPsec] CRL checking when selecting a certifcate
From: David Wierbowski <wierbows at us.ibm.com>
Date: Thu, 3 Sep 2009 10:01:25 -0400
Delivered-to: ipsec at core3.amsl.com
In-reply-to: <19103.34279.253359.922428 at fireball.kivinen.iki.fi>
List-archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-help: <mailto:ipsec-request@ietf.org?subject=help>
List-id: Discussion of IPsec protocols <ipsec.ietf.org>
List-post: <mailto:ipsec@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
References: <B7898B51-A7F9-42BA-BD1D-67931058E640 at checkpoint.com> <19101.10929.181733.7940 at fireball.kivinen.iki.fi> <D408FAB6-59C9-4CB9-BF42-0CEC8697CDFB at checkpoint.com> <19102.25856.800410.560288 at fireball.kivinen.iki.fi> <OF9DF42776.45D16AA5-ON85257625.00541DFA-85257625.00557265 at us.ibm.com> <19103.34279.253359.922428 at fireball.kivinen.iki.fi>

Tero, thanks for the comments and the clarification on how to read a lower case must. I do have a few more comments.

>So implementations cannot just search uppercase "MUST/SHOULD/MAY" >texts and assume it is enough to make sure those are correct. It also >needs to do what the text says... >
I think most implementers focus on the MUST and SHOULDs and then apply common sense to the remaining text.
>> CRL checking is not cheap and >> performing CRL checking when selecting a certificate seems like an optional >> usability feature to me.> >The you probably want to make change to the current text which says >you must do it...
Correct. I think when selecting a certificate that consulting revocation information is a lower case should or could at best. I agree that on the accepting side a lower case must is appropriate for revocation checking from an interoperability perspective. By that I mean the failure to do so will not hinder interoperability, but from a security perspective it really should be done.

Dave Wierbowski

z/OS Comm Server Developer

Phone:
Tie line: 620-4055
External: 607-429-4055

Follow-Ups:
- Re: [IPsec] CRL checking when selecting a certifcate
  - From: Tero Kivinen

References:
- [IPsec] Issue #26: Missing treatment of error cases
  - From: Yoav Nir
- [IPsec] Issue #26: Missing treatment of error cases
  - From: Tero Kivinen
- Re: [IPsec] Issue #26: Missing treatment of error cases
  - From: Yoav Nir
- Re: [IPsec] Issue #26: Missing treatment of error cases
  - From: Tero Kivinen
- [IPsec] CRL checking when selecting a certifcate
  - From: David Wierbowski
- [IPsec] CRL checking when selecting a certifcate
  - From: Tero Kivinen

Prev by Date: [IPsec] Last Call: draft-ietf-rohc-ikev2-extensions-hcoipsec (IKEv2 Extensions to Support Robust Header Compression over IPsec (ROHCoIPsec)) to Proposed Standard
Next by Date: Re: [IPsec] Fwd: Last Call: draft-ietf-ipsecme-ikev2-resumption (IKEv2 Session Resumption) to Proposed Standard
Previous by thread: [IPsec] CRL checking when selecting a certifcate
Next by thread: Re: [IPsec] CRL checking when selecting a certifcate
Index(es):
- Date
- Thread

Re: [IPsec] CRL checking when selecting a certifcate

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.