PKIX WG Meeting 3-23-09
Edited by Steve Kent
Co-Chairs: Stephen Kent <kent@bbn.com>
Stefan Santesson <stefans@aaa-sec.com>
The PKIX WG met once for 2.5 hours, during the 74th IETF. A total of approximately 47
individuals participated in the meeting.
Document Status Review - Stefan Santesson (AAA-sec)
One new RFC (5480, ECC
Subject Publick Key Info) published since the prior
meeting. One document (TSAES-OAEP Algorithm Parameters) in the RFC editorÕs
queue. No documents are now with the IESG and we have 11 I-DÕs in
progress. (Slides)
PKIX WG Documents
PKI Resource Query
Protocol (PRQP) - Massimiliano Pala (Dartmouth)
This is a
WG item targeted toward experimental status. Max made minor editorial changes
since the prior IETF meeting. The IANA considerations section was updated to
request assignments for various DHCP (v4/v6) options, and DHCP (v4/v6) and DNS
SRV record material appears in an appendix. Max provided a status
update on deployment plans for PRQP in the TACAR testbed, which is delayed for
a few months. (Participants in the testbed include EuGridPMA,
IGTF, EduGain, etc. which covers over 50 CAs) Max also reported that the U.S. federal
Bridge CA, and one large commercial CA, have has expressed some interest in
deploying PRQP. Max also noted that he plans to integrate PRQP into the OpenCA software, maybe as soon as the June 2009 release.
Max will issue version 03 soon and requested WGLC at that time. If deployment
experience is good, Max would like PKIX to consider changing the status of the document
to standards track from experimental. (Slides)
Traceable Anonymous Certificates Protocol – SangHwan Park (KISA)
The authors made numerous changes in
response to comments from David Cooper (NIST), and documented these changes in
two long messages to the list in February and March. Among the more significant
changes were
-
change the ASN.
Syntax to use ContentInfo for the Token, rather than
nested SignedData constructs
-
specify use of
OCSP or CRLs but not SCVP by the AI
-
clarified
mandatory vs. optional PKCS #10 and CMC attributes
-
defer
specification of how to use DSA (vs. RSA) for split signing by AI and BI
Since then no other
comments have been received. Version 03 will be posted after this meeting, and
Mr. Park requested that this I-D move to WGLC after publication of that
version. Several folks at the microphone suggested that additional references
to how to do threshold crypto should be provided if/when this document
progresses to standards track. David Cooper argued that it is not clear that the
complexity that arises from the use of split key technology and blind
signatures is warranted. Steve Kent argued why he believed that these mechanism
made it easier
(Slides)
Trust Anchor Management Documents
– Carl Wallace (Orion)
In response to on and
off-list discussions, the documents were significantly reorganized. The
requirements document passed WGLC and is viewed as a stable reference for the
other document, although there are no plans to publish it as an RFC at this
time. A new, brief, trust anchor format draft is ready for WGLC. This format is
will be used by the TA I-D in the SIDR WG, when it is next revised. A revised
TAMP spec, minus the CMS content constraints (CCC) material, is available and Carl
is looking for more list comments. (The CCC material that was removed is now an
individual submission.) The scope of TAMP is now limited to push-based
protocols, and use of constraints in certificate path validation has been
removed. Numerous edits were made to align with the revised requirements doc,
the removal of the CCC text, etc. Stefan suggested that Carl look at a European
spec (TSL) for TA info dissemination, although it appears to have a different
focus, and it XML-based. (Slides)
OCSP Algorithm Agility - Stefan Santesson
(AAA-sec) for Phillip
Hallam-Baker (Verisign)
Phil
was unable to attend so Stefan presented the slides on PhilÕs behalf. Phil
produced an initial, brief I-D characterizing describing some OCSP agility
algorithm problems, describing the default behavior of OCSP (which is not
present in that RFC), and a proposed solution to the problem in the case when a
certificate does not exist. However, SHA-1 is hardwired into the OCSP spec, and
PhilÕs proposal does not address this issue. Phil suggests that this problem
needs to be addressed before OCSP progresses to STANDARD, but such a change
will be very significant. Russ Housley (VigilSec)
argued that the SHA-1 dependence needs to be fixed sooner, not later, despite
the impact on the protocol. Paul Hoffman (VPNC) suggested that we explore using
a different protocol or port number to get the required agility, as a way of
allowing co-existence and moving to other algorithms. Several other folks
Phil also identified an issue for archival
applications, but maybe this can be dealt with in LTANS. (Slides)
RFC 3161 (Time-Stamp Protocol) Update Stefan Santesson (AAA-sec) for Denis Pinkas
(Bull SAS)
Denis has generated an
update to RFC 3161 to provide for signature and hash algorithm agility, in a
fashion requested by the ETSI TC ESC (electronic signature committee). A
certificate ID optionally added to the response, to allow an RP to know how to
select the right certificate to use in verifying the time stamp response. The
potential for multiple certificates for the TSA arises in part because a TSA
may have multiple time stamping units, each with its own certificate. (There
are naming conventions that require the Subject names to be related.) Stefan is
not convinced that there is a credible security threat that these changes address,
but folks are deploying this feature, and it is an easy addition, he is not too
upset about this. Stefan has agreed to provide some text for the security
considerations to reflect his concerns. Denis wants to issue a new RFC that
supersedes 3161, but an alternative would be to issue an update to 3161, with
an informational annex. None of the previous co-editors want to participate in
writing a revised RFC. Paul Hoffman suggests that we not replace 3161, but
instead issue an informational RFC that adds the new terminology and the
optional field, as a way to not adversely affect existing implementations. (Slides)
Advancing RFC 5280 to DRAFT –
David Cooper (NIST)
In order for an RFC to
advance, one needs to demonstrate at least two interoperable implementations
that support all of the MUSTS and it is desirable that all of the normative
references are at the same level. David has identified over 300 ÒfeaturesÓ that
need to be verified, and a handful of normative references. A couple of issues
have surfaced: AIA is not being used consistently in terms of the MIME type,
policy qualifiers using Visible String rather than UTF8 or IA5. Visible String
is a subset of IA5, so this is not a big deal in some sense, but the tag is
different so we need to address this. A bigger concern is that several
ÒfeaturesÓ do not appear to be in certificates issued by any CAs: Indirect
CRLs, Delta-CRLs, Freshest CRL, some SIA and AIA extensions, etc. BUT, this
does not mean that CA software is not capable of generating certificates with
these features, or that client software cannot process certificates with these
features. Steve Kent and Max Pala offered to see if they can generate some
certificates for David to assist in this process. (Slides)
New ASN.1 for PKIX – Jim Schaad (Soaring Hawk Consulting)
Document has been revised in response to
comments, especially from Alfred. Given the comments, a question is whether the
document should be standards track or informational or experimental, e.g., to
address the complaint from several folks want the 1988 ASN.1 to not be replaced
by this spec. Tim Polk wants the WG to move promptly to WGLC, and agreed that
the WG chairs should conduct a straw poll, with the intent of advising him (as
the cognizant AD) as to the preferred status of the document (thus removing
this topic from the WGLC). (Slides)
DSA ECDSA with SHA2 OIDs – Quynh Dang (NIST)
Now at version 06,
blocked waiting for publication of FIPS 186-3. Minor edits from the last
version. Authors believe that the doc is ready for WGLC, despite waiting for
the FIPS cited above. Steve Kent agrees that WGLC should proceed. (Slides)
Related Specifications Presentations
NSA
Suite B Certificate and CRL Profile – Sam Ashmore
(NSA) on behalf of Jerry Solinas and Lydia Zieglar (NSA)
This
document has been submitted as an individual draft, targeted as an
informational RFC. It profiles RFC 5280 and 5480, and provides OIDs for
specific Suite B ECC algorithms. The authors are looking for comments from PKIX
members. (Slides)
Visual
Certificate-based eID - Stefan Santesson (AAA-sec)
This is a successor to
the logotype extension that Stefan authored years ago. The intent is to
represent the Subject of a certificate in a form that most users can relate to.
For many corporate or governmental entities, logos are a common way to convey
this info, and for individuals, facial photos perform the same function. There
are no common set of attributes to convey this info, and no common semantics
for many attributes (e.g., serial number). RFC 3709 tried to address these
issues by defining a way to add a URL (and a hash of the URL content) for the
issuer and subject organization, but this has not been successful. Stefan noted
that 3709 is extensible, and so we can try again! He suggests creating a single
image that the subject wants to be displayed as the image of his certificate,
period. He suggests using PDF as the image format (and is now an ISO standard),
and a hash of that file, ala 3709. One could update 3709 to better accommodate
this, use the other logo option in 3709, or create a new RFC for this. Also, some folks have said they would
like to be able to embed the PDF in the certificate (but this seems like a
local optimization). The national Bank ID organization in Sweden likes this
idea. An obvious security concern is that the subject and issuer info do not
align with the logo image, but Stefan argues that this form of misbehavior can
be prosecuted, since a misbehaving CA will produce evidence of its fraud by signing
the bad certificates. Stefan suggested
that one might need to be able to determine, through policy or chaining to a
highly trusted root, that a certificate can be trusted enough to provide
certificate images, which would be displayed in lieu of the usual UI. Max Pala
agrees that the problem cited by Stefan is a serious issue, but he thinks we
might need to try an XML style sheet approach to displaying certificate
contents, instead of images. There was a jabber comment arguing against this
proposal as a security feature, vs. other mechanisms. Paul Hoffman suggests
that this be a new, experimental track, if done in PKIX. He also notes the need
to get browser vendors to display this info in a way that is assured. A
VeriSign employee suggests that browser vendors are reluctant to pursue this
path because of liability concerns. He also suggests that the CA Browser Forum
might be the right to pursue this work. Wes Hardaker
(Sparta) also raises concerns about the ability of other folks to cause a
browser to display an image of its choice. Charlie Kaufman (MS) asks about
details of how Òtrusted to display an imageÓ would work, and Stefan suggests an
EV certificate model. Tim Polk suggests that we get input from application area
folks if we pursue this.