Re: [TLS] Consensus call for certificate URL extension

To: Joseph Salowey (jsalowey) <jsalowey at cisco.com>
Subject: Re: [TLS] Consensus call for certificate URL extension
From: Yoav Nir <ynir at checkpoint.com>
Date: Tue, 23 Sep 2008 09:49:00 +0300
Cc: tls at ietf.org
Delivered-to: ietfarch-tls-web-archive at core3.amsl.com
Delivered-to: tls at core3.amsl.com
In-reply-to: <AC1CFD94F59A264488DC2BEC3E890DE5069401B0 at xmb-sjc-225.amer.cisco.com>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <AC1CFD94F59A264488DC2BEC3E890DE5069401B0 at xmb-sjc-225.amer.cisco.com>
Sender: tls-bounces at ietf.org

(B)

I can live with A, but I don't like having deprecated extensions if wecan avoid them.


On Sep 23, 2008, at 7:52 AM, Joseph Salowey (jsalowey) wrote:

We need to close this open issue.  I think there are two basic options
that address the security issues that have been raised:

A) Deprecate the current extension and create a similar new extension
with the hash mandatory.

B) Make the hash mandatory in the current extension.  This should not
cause deployment problems because there are no known deployments that
make the hash optional.

In either case, we can include hash agility as described in

http://trac.tools.ietf.org/wg/tls/trac/ticket/46. If there issupport in

the working group for the use case where the certificate is updated
offline then we can possibly work on a new extension in a new document
that incorporates ideas expressed on the list.

Please express you preference on the list for one of these options by
10/6/2008.

Thanks,

Joe

_______________________________________________
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls

Follow-Ups:
- Re: [TLS] Consensus call for certificate URL extension
  - From: Blumenthal, Uri

References:
- [TLS] Consensus call for certificate URL extension
  - From: Joseph Salowey (jsalowey)

Prev by Date: [TLS] Consensus call for certificate URL extension
Next by Date: Re: [TLS] Consensus call for certificate URL extension
Previous by thread: [TLS] Consensus call for certificate URL extension
Next by thread: Re: [TLS] Consensus call for certificate URL extension
Index(es):
- Date
- Thread

Re: [TLS] Consensus call for certificate URL extension

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.