[TLS] Consensus call for certificate URL extension

To: <tls at ietf.org>
Subject: [TLS] Consensus call for certificate URL extension
From: "Joseph Salowey (jsalowey)" <jsalowey at cisco.com>
Date: Mon, 22 Sep 2008 21:52:59 -0700
Authentication-results: sj-dkim-2; header.From=jsalowey at cisco.com; dkim=pass ( sig from cisco.com/sjdkim2002 verified; );
Delivered-to: ietfarch-tls-web-archive at core3.amsl.com
Delivered-to: tls at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; l=826; t=1222145590; x=1223009590; c=relaxed/simple; s=sjdkim2002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=jsalowey at cisco.com; z=From:=20=22Joseph=20Salowey=20(jsalowey)=22=20<jsalowey at ci sco.com> |Subject:=20Consensus=20call=20for=20certificate=20URL=20ex tension |Sender:=20; bh=4Tb54cvdaUxF0lsSXL4lCaK9FpdI+piczweszVMAA0c=; b=Y3gzz9wI6Y8BtvZM505+b7nP9hd2hN6U6uZqWQyCojl3UKJKHUjRxWiM+d 7nuhC6lxrk43Na7DqEJm6EtwrPvq00J/8EbdxOnJHiPXHruSoqB5bqkPCI+G 6h6aiwfBeu;
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
Sender: tls-bounces at ietf.org
Thread-index: AckdOECbfdU7CxSbTMO5eNhYIbQb0Q==
Thread-topic: Consensus call for certificate URL extension

We need to close this open issue.  I think there are two basic options
that address the security issues that have been raised:

A) Deprecate the current extension and create a similar new extension
with the hash mandatory.

B) Make the hash mandatory in the current extension.  This should not
cause deployment problems because there are no known deployments that
make the hash optional.

In either case, we can include hash agility as described in
http://trac.tools.ietf.org/wg/tls/trac/ticket/46. If there is support in
the working group for the use case where the certificate is updated
offline then we can possibly work on a new extension in a new document
that incorporates ideas expressed on the list.

Please express you preference on the list for one of these options by
10/6/2008.

Thanks,

Joe
_______________________________________________
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls

Follow-Ups:
- Re: [TLS] Consensus call for certificate URL extension
  - From: Simon Josefsson
- Re: [TLS] Consensus call for certificate URL extension
  - From: Nelson B Bolyard
- Re: [TLS] Consensus call for certificate URL extension
  - From: Mohamad Badra
- Re: [TLS] Consensus call for certificate URL extension
  - From: Pasi.Eronen
- Re: [TLS] Consensus call for certificate URL extension
  - From: Nikos Mavrogiannopoulos
- Re: [TLS] Consensus call for certificate URL extension
  - From: Eric Rescorla
- Re: [TLS] Consensus call for certificate URL extension
  - From: Martin Rex
- Re: [TLS] Consensus call for certificate URL extension
  - From: Yoav Nir

Prev by Date: [TLS] I-D Action:draft-ietf-tls-extractor-02.txt
Next by Date: Re: [TLS] Consensus call for certificate URL extension
Previous by thread: [TLS] I-D Action:draft-ietf-tls-extractor-02.txt
Next by thread: Re: [TLS] Consensus call for certificate URL extension
Index(es):
- Date
- Thread

[TLS] Consensus call for certificate URL extension

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.