pkix@conference.ietf.jabber.com - 2002/11/20


[04:38] %% sjosefsson has left.
[04:38] %% sjosefsson has arrived.
[13:28] %% jaym has arrived.
[13:32] %% Mealling has arrived.
[13:41] <jaym> Document status review: IESG rejected Internet X.509 PKI Roadmap document. Document will sit for the moment until DPD/DPV is completed.
[13:43] <jaym> Three documents black-holed. CMP & CRMF (Waiting for Interop test report) OCSP v1 (draft has disappeared, not in I-D tracker, will find out)
[13:43] %% agaton has arrived.
[13:44] <jaym> 11 Active drafts: Two DPV, Three LDAP Spec, Attribute Policies, 3161 (TSP) and 2560 (OCSP)... missed the rest.
[13:45] %% leifj has arrived.
[13:47] <jaym> Logotype Boundaries (section 3): an image file representing a logotype SHOULD contain an image within the size range of 60x45 pixels and 200x150 pixels. 4:3 ratio. or at least an audio file representing the logotype SHOULD have a play time between 2 and 30 seconds.
[13:49] <jaym> Room says that the above logo boundaries should be an "ought" instead of a "SHOULD"
[13:51] %% Mealling has left.
[13:51] %% Mealling has arrived.
[13:54] %% NedFreed has arrived.
[13:55] %% rlbob has arrived.
[13:57] %% ietfwatch has arrived.
[13:59] %% jaym has left.
[14:00] %% jaltman has arrived.
[14:00] %% jaym has arrived.
[14:02] %% hartmans has arrived.
[14:02] <jaym> Moving forward with DPD/DPV: Tim Polk/Steve Kent ... Request "Best and Almost Final" draft from authors with compliance matrix by Dec 6 2002
[14:02] <jaym> Discussion on list based on "Best & Almost Final" document through Dec 13 2002
[14:02] <jaym> Straw poll on list Dec 16-18 - Vote for only one
[14:03] <jaym> WG Chairs determine consensus choice by middle of Dec
[14:03] <jaym> Runoff straw poll if needed 19-22 (I think that is what the slide said)
[14:03] <jaym> Final revisions: editors will generate one additional draft to satisfy issues raised by the WG in Dec 6-1 discussions
[14:03] <jaym> ForwARD TO THE adS BEFORE THE mARCH MEETING.
[14:04] <jaym> Ooops, guess I should look at my screen every once in a while.
[14:06] <jaym> (is not good for a newbie to take notes as I know no names, my apologies)
[14:06] <Mealling> better than nothing....
[14:07] <Mealling> hmmm
[14:07] %% jis has arrived.
[14:07] <jaym> CVP and SCVP... straw polls regarding reading 3379 (about 10-15)
[14:07] <jaym> read SCVP (<10)
[14:08] <jaym> read CVP (<10)
[14:13] %% paf has arrived.
[14:14] %% jaltman has left.
[14:14] %% Mealling has left.
[14:14] %% Mealling has arrived.
[14:17] %% Mealling has left.
[14:17] %% Mealling has arrived.
[14:22] %% jaym has left.
[14:26] %% jaltman has arrived.
[14:26] %% jaym has arrived.
[14:26] <jaym> horrible WLAN in here... here are some raw notes:
[14:26] <jaym> Denis Pinkas CVP/SCVP presentation presented by Tim. Seems to be issues with SCVP currently. How to support DPV/DPD using consistently WantBack and CertChecks. Feels CVP is more straightforward to use. Basically there are style issues in the protocol and ASN.1 slides will be posted to list for detailed review and discussion. No open questions with CVP and it can be done. SCVP has issues and is not ready.
SCVP by Russ: Draft 10 published. Denis supplied with point by point answers. None of Denis' comments were in regard to not meeting requirements. Open issues: Criticality of extensions (align definition with 3280). ReplyTypesOfCheck and ReplyWantBack have critical flag (remove, server returns error if does not support set of OIDs). Syntax includes place holder for validation of other signed objects (limit scope to identity and attribute certs). Can client supply bag of attribute and identity certs as supporting data to request? (Yes, but can only ask for one to be validated per transaction). What form can trust anchors take? (Direct reference in request DN+Key, Indirect reference - hash of data + URL). Unique SCVP server response identifier (proposal to use hash in the signed attribute). Constraints on trust anchors (Client can request which set of cert policy to use). Define application specific validation policy in separate document (SMIME, IPSEC, TLS, RA) Way Forward: Draft 10 meets all documented requirements. Draft 11 is clean up and then ready to move along
[14:26] <Mealling> I think someone here is running in adhoc mode.
[14:27] <jaym> yeah, must be near the back of the room. I had Excellent signal there for a little while and could get no IP... now I have IP and have Low signal.
[14:27] <jaym> I'm in the very last row

[14:27] <Mealling> me too....
[14:28] <Mealling> for the record: jaym and Mealling just found out they're sitting directly next to each other.
[14:29] <jaym> Heh.
[14:29] <jaym> open mike time
[14:29] <jaym> discussion regarding which protocol to choose...
[14:30] <jaym> Phil (?): what happens if you want to do something beyond this current spec... what if you want to do something beyond current draft?
[14:31] <jaym> Phil: has issues with folks who didn't want extension, are now writing extensions.
[14:32] <jaym> no other comments
[14:33] <jaym> Next Presentation: Proxy Certs
[14:33] <Mealling> Phil = Phillip Hallam-Baker
[14:34] <jaym> By: Von Mulch
[14:34] <jaym> Welch that is
[14:35] %% raeburn has arrived.
[14:35] <jaym> draft-ietf-pkix-proxy-03, draft worked on in the Global Grid Forum, PKIX is the appropriate forum though. Details to draft are open to influence through private conversations
[14:35] <jaym> Grid Computers: users dynamically creating entities (eg: computational jobs)
[14:35] <jaym> Need to name entities
[14:36] <jaym> Need to grant entities rights
[14:36] <jaym> Dynamic nature of creation makes traditional CA process too heavy
[14:36] <jaym> Summary of Approach:
[14:36] <jaym> End entity creates proxy cert for created entity
[14:36] <jaym> - looks like x509 ID cert
[14:37] <jaym> has ID based off of EEC ID
[14:37] <jaym> Has critical extension identifying as proxy
[14:37] <jaym> Can contain intention of EE to delegate all/none/some of its rights to PC holder
[14:37] <jaym> Works with current protocols (SSL)
[14:38] %% jis5 has arrived.
[14:38] %% jaltman has left.
[14:38] %% jaltman has arrived.
[14:38] %% Mealling has left.
[14:38] %% Mealling has arrived.
[14:38] <jaym> test
[14:39] %% dmarlow has arrived.
[14:39] <jaym> weird wireless... signal strength went from Low to Very Good now
[14:39] <jaym> ooops, sorry, missing Steve/Tim discussion with Von... regarding how to make this fit
[14:41] %% jis has left.
[14:41] %% raeburn has left.
[14:47] %% jis5 has left.
[14:47] %% Mealling has left.
[14:48] %% Mealling has arrived.
[14:49] %% jaltman has left.
[14:54] %% mrose has arrived.
[14:55] <jaym> An LDAPv3 Schema for X509 Certs by: ________
[14:55] <jaym> Address problem of multiple certificates for one entity (how can client find right one)
[14:55] <jaym> Find a simple and easy to implement solution
[14:55] <jaym> Solution should be usable in the frame of a large scale distributed LDAP/Common Indexing Protocol (CIP) based cert repository
[14:55] <jaym> Schema as a simple solution:
[14:55] %% raeburn has arrived.
[14:56] <jaym> Find a set of cert fields and extensions that one might want to search upon in a meta-data approach
[14:56] <jaym> Parse the cert and store this set as LDAP attributes
[14:56] <jaym> Advantages: no new server features needed, easy to use in clients, CIP environment
[14:57] <jaym> examples for people and cert repository, see slides
[14:57] %% Mealling has left.
[14:58] %% Mealling has arrived.
[14:58] <jaym> Related Work: LDAP Object Class for Holding Cert Info (ID, expired) draft-greenblatt-ldap-certinfo-schema-02.txt
[14:58] <jaym> Missed the other related work...
[14:58] <jaym> Changes in Draft 01
[14:58] <jaym> Fixed bug in def of objectclass
[14:58] <jaym> updated references RFC 3280/3377
[14:58] <jaym> new attributes: KeyIdentifier, Certissuer, CertSerialNumber, Location, Holder
[14:59] <jaym> new objectclass: X509certificateHolder
[15:00] <jaym> Deleted ":binary" in examples
[15:00] <jaym> Included new section: comparison with component matching approach
[15:00] <jaym> :binary MIGHT need further discussion
[15:00] %% raeburn has left.
[15:00] %% raeburn has arrived.
[15:00] %% raeburn has left.
[15:00] <jaym> Some minor changes in wording, section titles, other ed changes
[15:01] <jaym> Proposed new changes for next draft version: Abstract x509certificate object class (see slides or draft)
[15:01] <jaym> (DistributionPoint and Holder)
[15:02] <jaym> New structural objectclasses
[15:03] %% NedFreed has left.
[15:03] <jaym> No more additional rules needed, following is now defined within the schema
[15:03] <jaym> Open Issues: Support for implementations that can't do multivalued RDNs
[15:04] <jaym> Include some more clarifying language ( redundancy, consistency, transition, CIP, subject names, etc)
[15:04] <jaym> :binary
[15:04] <jaym> Bug in examples
[15:04] <jaym> include a Use Case chapter
[15:04] <jaym> include IANA considerations
[15:04] <jaym> make this part of PKIX work?
[15:05] <jaym> publish as proposed or experimental RFC
[15:05] %% hartmans has left.
[15:05] <jaym> BTW, discussion was by Pete
[15:05] <jaym> Tim: looks like :binary CANNOT go away. majority of implementations use it, but not all
[15:06] %% ggm has arrived.
[15:07] <jaym> Tim: Will this as a short term solution get in the way of a long term solution. If implemented will component matching ever be able to be done?
[15:11] %% Mealling has left.
[15:12] %% Mealling has arrived.
[15:12] <jaym> mike comments discussed: lots of concern of publishing a one off solution, more discussion needs to happen on the list
[15:13] %% mrose has left.
[15:14] %% capple has arrived.
[15:15] <jaym> Attribute Certificate Policies Extension: Christopher Francis
[15:15] %% Mealling has left.
[15:15] * ggm has changed the subject to: attribute certificate policies extension
[15:16] <jaym> test
[15:16] %% ekr has arrived.
[15:16] %% ekr has left.
[15:17] %% mrose has arrived.
[15:20] %% jaym has left.
[15:20] %% jaym has arrived.
[15:21] <jaym> okay, too many network issues. missed the first part of this presentation, so I'm going to go ahead and quit trying to keep some notes within the pkix conf room.
[15:21] %% capple has left.
[15:22] %% jaym has left.
[15:22] <ggm> attribute certificate policy extension

when issuing PKC

CA can perform various levels of verification with
regard to the subject identity

visible through Cert. Pol.

Referenced in PKC by certPol extension

when issuing an AC

AA can perform various levels of verification with
regard to the asserted attributes

Visible through <non existent!!! cert Pol> == problem!

define new extension that explicitly states the AC policies that
apply

use syntax similar to the certPol for PKCs
list of OIDs reference each supported policy
CPS pointer, user Notice (RFC3280)
initial verification and regular verification

[15:22] <ggm> 2nd version. (after Yokohama)

ext only applies to attr certs

repository extensions were removed from the draft

various editorial changes

[15:23] <ggm> benefits

allows AA to explicitly state supported policies in
each issued AC

[15:23] <ggm> AA can issue ACs under multiple policies depending on
the level of verification of asserted attributes

multiple policies can be applied


[15:24] <ggm> Provides a means to convey important information
regarding initial/subsequent verification by the AA
of the cert


[15:25] <ggm> Moving forward

obtain PKIX consensus for acPolicies Extension for ACs

Approve informational RFC

Consider pursuing revision to X.509

[15:25] <ggm> (lobby in other forums)

[15:26] <ggm> russ: major concern with this document
assumes the AA is not authoritative for the Attrs in the AC
but have to go somewhere else to validate these things
if the AA is authoritative, a bunch of complexity goes away

(presenter) - don't agree - you still have to apply various levels
of certification, it's more generic than that.


[15:27] <ggm> russ policy is ok, the cruft I disagree with. talk offline.

[15:30] <ggm>
??? potential policy 'hysteria' - may not be wrong for ACs
need policies for a lot of things


[15:30] <ggm> gm tried to ask a Q but decided to go to list on chairs advice
[15:31] * ggm has changed the subject to: Warranty certificate extension

[15:31] <ggm> Warranty certificate extension

[15:32] <ggm> not new, seen on list and last IETF
no new draft
quick overview of what/why and where

[15:32] %% mrose has left.
[15:33] <ggm> non-critical, immediate evidence of a CA status/warranty
automates this element of risk management

either base warranty or explicit statement NO WARRANTY
offers extended warranty

format details (see the draft, silly to put in a chatlog)


[15:34] <ggm> warranty types, aggregated and per-transaction

[15:36] <ggm> I have to go now. into RPSEC.
[15:36] %% ggm has left.
[15:44] %% rlbob has left.
[15:44] %% ggm has arrived.
[15:46] %% ietfwatch has left.
[15:56] %% ggm has left.
[16:01] %% leifj has left.
[16:04] %% paf has left.
[16:10] %% agaton has left.
[17:34] %% dmarlow has left.