Re: [TLS] AIA cert fetching seen as harmful



> Please look at a diagram of the US Federal Bridge CA PKI, or the equivalent
> bridged PKI in Japan or South Korea, and tell us how your proposal would
> work in those environments.

I don't know the specifics of any PKI, but I think the answer is
the same for any one of them.  A server cannot blindly retrieve
any URL presented by a client, so it needs to be configured as to
what URLs are acceptable.  One way to accomplish that is to put
the information in the CA certificates as I suggested.

If your question was meant to say that this would be difficult
to do for those PKIs because servers don't know all of the
intermediate CAs and don't have all of their certificates, then
the answer is that they either need to be configured with those
missing certificates, or they can't safely support the client
certificate URL extension for those clients.  This seems to be
a case where you can't have your cake and eat it too.

Mike
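The policy Mike describes, a server that refuses to fetch any client-supplied certificate URL unless it falls under a location configured for a trusted issuer, can be illustrated with a small allowlist check. The code below is an added example, not from this thread or from any TLS implementation; the issuer names, hosts and paths are constructed placeholders. It normalizes the URL first so that userinfo tricks, odd ports, a downgraded scheme and `..` segments cannot slip a fetch outside the configured prefix.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed policy (hypothetical issuer names and hosts, not from the thread):
# for each trusted issuing CA, the URL prefixes the server is willing to fetch
# client certificates from. A real deployment might derive this from the CA
# certificates themselves, as the message suggests.
CERT_URL_POLICY = {
    "CN=Example Client CA,O=Example": (
        "https://certs.example.test/clients/",
    ),
    "CN=Partner CA,O=Partner": (
        "https://pki.partner.test/certs/",
        "https://pki2.partner.test/certs/",
    ),
}


def normalize(url):
    """Return (host, port, path) for an https URL, or None if it is unusable.

    Anything that is not plain https with a host and a path is rejected:
    embedded credentials, queries, fragments and unparsable ports.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    # "https://certs.example.test@evil.test/..." parses with a username;
    # the real host is evil.test, so refuse any userinfo at all.
    if parts.username is not None or parts.password is not None:
        return None
    if parts.query or parts.fragment:
        return None
    try:
        port = parts.port or 443
    except ValueError:
        return None  # e.g. a non-numeric port
    # Collapse "." and ".." segments so "/clients/../admin" becomes "/admin".
    path = posixpath.normpath(parts.path or "/")
    if parts.path.endswith("/") and not path.endswith("/"):
        path += "/"  # normpath strips the trailing slash of a directory prefix
    return (parts.hostname, port, path)  # hostname is already lowercased


def url_permitted(url, issuer, policy=CERT_URL_POLICY):
    """True only if url lies strictly below a prefix configured for issuer.

    An issuer with no configured prefixes gets nothing fetched on its behalf:
    that is the "can't safely support the extension for those clients" case.
    """
    target = normalize(url)
    if target is None:
        return False
    for prefix in policy.get(issuer, ()):
        allowed = normalize(prefix)
        if allowed is None:
            continue  # a misconfigured prefix is skipped, never widened
        host, port, path = allowed
        if (target[0] == host and target[1] == port
                and target[2].startswith(path) and target[2] != path):
            return True
    return False


if __name__ == "__main__":
    issuer = "CN=Example Client CA,O=Example"
    for candidate in (
        "https://certs.example.test/clients/alice.cer",
        "https://certs.example.test/clients/../admin/keys",
        "http://certs.example.test/clients/alice.cer",
        "https://certs.example.test@evil.test/clients/alice.cer",
        "https://certs.example.test:8443/clients/alice.cer",
    ):
        print(url_permitted(candidate, issuer), candidate)
```

The check deliberately compares a normalized (host, port, path) tuple rather than doing a string prefix match on the raw URL, because the raw form is where the case, userinfo and `..` ambiguities live. Percent-encoded traversal is left to the trusted host, since after this check every fetch goes only to a host the operator chose to list.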

_______________________________________________
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls