[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [pkix] Comments on draft-ietf-pkix-ocspagility-03.txt

From: Stephen Kent <kent at bbn.com>
To: "Jim Schaad" <jimsch at nwlink.com>
Cc: pkix at ietf.org
Date: Mon, 16 Nov 2009 11:40:07 -0500
In-reply-to: <01cf01ca6292$d31079a0$79316ce0$ at com>
References: <01cf01ca6292$d31079a0$79316ce0$ at com>
List-id: PKIX Working Group <pkix.ietf.org>

At 2:50 PM +0900 11/11/09, Jim Schaad wrote:

1.  Should this document update the mandatory set of algorithms that OCSP
responders much support.  I do not remember seeing that this had been done
anywhere.  Given that the last step in section 4.1 is to use a mandatory
algorithm, upgrading the set of mandatory algorithms at this point in time
would be a good idea.

good idea if we get quick agreement on the upgraded set of mandatoryalgorithms.

2.  The sentence "This requirement is clearly insufficient to ensure
interoperability."
Should probably end w/ agility rather than interoperability.  With one
mandatory algorithm there is easily the ability to have interoperability.

OK.

3.  For the definition of sigIdentifier - are the parameters always absent
or just in this case?


Stefan?


4.  s/certtIdentifier/certIdentifier/

OK


5.  Old
Although this
   case does not permit the responder to make use of the client data
   directly, the responder may anticipate the client request and
   generate a set of signed responses so as to maximize the probability
   that it is possible to generate a response that is assigned the
   highest preference weighting following the selection logic in 4.1.

Suggested new:
   The case may not permit the responder to make use of the client request
data during the response generation, however the responder still uses the
client request data during the selection of the pre-generated response to be
returned.  Responders may use the historical client requests as part of the
input to the decisions of what different algorithms should be used in
signing algorithms should be used in creating the pre-generated responses.

OK.

6.  I wonder if a security consideration should be added to address the
question of a DoS attack on the client by either changing the request data
or by not being able to get a match with the server on what algorithms
can/should be used for the signing process. Esp w/ cached responses.


good idea.

7.  You are generating ASN.1 that is new - you need to have a new ASN.1
module as part of this document.


right.

Steve

Follow-Ups:
- Re: [pkix] Comments on draft-ietf-pkix-ocspagility-03.txt
  - From: Stefan Santesson
- [pkix] OCSP and Privacy Issues
  - From: Massimiliano Pala

References:
- [pkix] Comments on draft-ietf-pkix-ocspagility-03.txt
  - From: Jim Schaad

Prev by Date: [pkix] WGLC for draft-ietf-pkix-asn1-translation-01.txt
Next by Date: [pkix] way forward for 5280
Previous by thread: [pkix] Comments on draft-ietf-pkix-ocspagility-03.txt
Next by thread: [pkix] OCSP and Privacy Issues
Index(es):
- Date
- Thread

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.