From: "Peter Yee"
To: "'Reilly James'"
Cc: pkix@ietf.org
Date: Fri, 5 Jun 2020 15:16:46 -0700
Subject: Re: [pkix] Question about RFC 7030 - Enrollment over Secure Transport
Message-ID: <175301d63b87$00894c30$019be490$@akayla.com>
In-Reply-To: <9525BFCE-BADC-42EA-ABDC-F4EA4F516EBC@cisco.com>

James,

I consulted my co-authors. While none of us have a strong recollection of our discussions on this point, our feeling is that to make that statement a MUST would be inconsistent with how many CAs are deployed. Specifically, CA support of rollover is not mandatory. And since there’s a fallback mechanism (manual bootstrap), clients do have the ability to get new CA certs, albeit with a certain amount of effort. Whether CAs should be required to support rollover is a different question.

-Peter

From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Reilly James
Sent: Friday, May 22, 2020 3:55 AM
To: pkix@ietf.org
Subject: [pkix] Question about RFC 7030 - Enrollment over Secure Transport

Hello

We are looking at RFC 7030 – Enrollment over Secure Transport.

Is there a reason or thought process in section ‘4.1.3 CA Certificates Response’

   ‘The EST server SHOULD include the three "Root CA Key Update"
   certificates OldWithOld, OldWithNew, and NewWithOld in the response
   chain.  These are defined in Section 4.4 of CMP [RFC4210].’

why SHOULD rather than, for example, MUST was used in the specification by the authors?

James
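As an added illustration (not code from this thread, from RFC 7030, or from any EST implementation), the following shows how an EST client could sort a /cacerts response into the RFC 4210 section 4.4 roles (OldWithOld, OldWithNew, NewWithOld, NewWithNew) relative to the root it already trusts, and when it must fall back to the manual bootstrap Peter mentions. It assumes certificates arrive as already-parsed and signature-verified records; a real client would take subject, issuer and key identifiers from an X.509 parser and verify signatures first.

```python
# Added example, not part of the thread or of RFC 7030. Certificates are
# modelled as already-parsed, signature-verified records (an assumption):
# subject, issuer, SubjectKeyIdentifier (ski) and AuthorityKeyIdentifier (aki).
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class CaCert:
    subject: str
    issuer: str
    ski: str  # identifies the key being certified
    aki: str  # identifies the key that signed the certificate


def classify_rollover(current_anchor: CaCert, cacerts: list) -> dict:
    """Assign the RFC 4210 section 4.4 roles to the self-issued certificates
    of the trusted root found in a /cacerts bundle and decide what the client
    may do: keep its anchor, migrate to the new key, or bootstrap manually."""
    old = current_anchor.ski
    roles = {}
    for c in cacerts:
        if c.subject != current_anchor.subject or c.issuer != c.subject:
            continue  # only self-issued certs of our root take part in rollover
        if c.ski == old and c.aki == old:
            roles["OldWithOld"] = c
        elif c.ski != old and c.aki == old:
            roles["NewWithOld"] = c  # new key, signed by the key we trust today
        elif c.ski == old and c.aki != old:
            roles["OldWithNew"] = c  # old key, signed by the new key
        elif c.ski == c.aki:
            roles["NewWithNew"] = c  # the new self-signed root
    if "NewWithOld" not in roles:
        # Nothing here lets the existing anchor vouch for a new key.
        if any(r.ski == old for r in roles.values()):
            return {"action": "unchanged", "roles": sorted(roles)}
        return {"action": "manual_bootstrap_required", "roles": sorted(roles)}
    new_ski = roles["NewWithOld"].ski
    if "NewWithNew" in roles and roles["NewWithNew"].ski != new_ski:
        # Inconsistent bundle: the self-signed root is not the key NewWithOld vouches for.
        return {"action": "manual_bootstrap_required", "roles": sorted(roles)}
    return {"action": "rollover", "new_ski": new_ski, "roles": sorted(roles)}
```

With the three key-update certificates present the client can migrate its trust anchor automatically; when the server omits them (permitted by the SHOULD) and only a new self-signed root appears, the function reports that manual bootstrap is required.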