PKIX WG Meeting March 22, 2010


Edited by Steve Kent

Co-Chairs: Stephen Kent <>

 Stefan Santesson <>


The PKIX WG met once, for 2 hours, during the 77th  IETF. A total of approximately 53 individuals participated in the meeting.



Document Status Review - Stefan Santesson (3xA Security)

There has been significant progress in document status since the previous meeting.

-      3 RFCs published since Hiroshima: 5755, 5756, & 5758

-      4 document in the RFC EditorŐs queue: ESSCertIDv2 update for RFC 3161, MIME Media Type for attribute certificate, new ASN.1 modules for PKIX, and Trust Anchor Format

-      3 documents in IESG processing: OCSP algorithm agility, TAMP, and clearance attribute and authority clearance constraints

-      4 I-Ds in process in the WG: certificate image, TAMP requirements, PRQP, and ASN.1 translation

-      2 non-WG document under consideration: Certificate ID and Key ID, Transport protocols for CMP



PKIX WG Documents


Trust Anchor Management Requirements – Carl Wallace (Orion)

 Carl provided a status update on the suite of TAMP documents. The format document is blocked, waiting on the new ASN.1 doc to be approved. Carl reminded the PKIX chairs that the TAM requirements document should be published as informational, now that TAMP has been approved. There are two related, independent IDs related to using TAMP, which are seeking informational status. (Slides)


ASN.1 Translation - Carl Wallace (Orion)

          This document has been forwarded to Tim.


Certificate Image - Stefan Santesson (3xA Security)

          This document completed WGLC a week ago. Several changes were made in response to comments received during the previous WGLC, and one additional revision of the document is in the I-D publication queue. In this revision, changes were made to the Security Considerations section, to address privacy concerns that were raised on during WGLC. Steve Kent will announce his decision regarding the outcome of the WGLC after the IETF meeting. (Slides)


RFC 5280 Implementation Report – David Cooper (NIST)

         David reviewed the implementation test results that Tim presented as the previous meeting. The plan is to publish a 5280bis to address the two issues that were identified last time.


The encoding rules for the explicitText field of the userNotice policy qualifier need to be revised to ŇredeemÓ VisibleString (make it a MAY), and deprecate IA5String for a userNotice in a policy qualifier. We will conduct a straw poll on the list to decide whether to make BMPString a MAY here (a co-equal alternative), to accommodate what appears to be common Microsoft CA practice, or leave it as a deprecated alternative. Note that support for UTF8String is the SHOULD here, but no support was found for that capability. DavidŐs report suggests relegating it to MAY status. Tim said that we could probably get an exception for progressing the document despite the lack of support for internationalized names. Paul Hoffman suggested that we check with CAs in Japan that would serve as an example of support for this function. He also offered to generate certificates based on (where the first e in example has an accent). David also identified a lack of support for the string prep processing of internationalized names, especially for domains names in domain component attributes in DNs. Although this has not yet proved to be a significant operational problem, it is an example of a MUST for which we have filed to find implementation support. Stefan Santesson raised the question whether the internationalization could be moved to an informative annex since the fields that contain internationalized characters are opaque with respect to the certificate syntax. This will be investigated. (Slides)



Related Specifications Presentations


Suite B Profile for CMC (Sean Turner – IECA)

         This is an informational document, not in PKIX, intended to help complete the set of Suite B crypto RFCs. He is looking to add several additional features that represent changes in how CMC works, e.g., being able to request a certificate where the subject name in the request does not match the name in the certificate associated with the signature on the request. (Slides)


Making X.509 Certificate Revocation more Robust Magnus Nystrom (Microsoft)

         The concern Magnus has raised is whether weaknesses in hash functions used in signing certificates should be addressed by defining additional mechanisms for OCSP and for CRLs. For example, an adversary that can exploit hash collisions might issue a certificate with a serial number that conflicts with a valid certificate, so that the CA cannot revoke the invalid certificate without also revoking a valid certificate. Or the adversary might generate a certificate with CRLDP that points to a bad location (where no CRL will be found, or at least a CRL without the rogue certificateŐs serial number). He suggested one might add a new extension to a CA certificate to allow it to make an assertions about where to acquire revocation status info for certificates below it, rather than having such info included in the certificates themselves (as is the case for AIA and CRDDP). This is a significant change to the standard PKI model, and ought not be considered lightly, it requires changes to the path validation algorithm. The presentation evoked some comments at the microphone. Magnus noted that this is not a well-formed, complete proposal at this stage. Paul Hoffman raised the question of whether it might not be better to address weak hash functions via other means that are more fundamental, e.g., adding a random # to a signature. Magnus feels that there is a more fundamental issue here re relying on data in a certificate (e.g., CDP) before the certificate is validated. Magnus suggests putting a certificate hash instead of a serial number in CRLs, but this would typically make CRLs bigger unless the hash value is truncated.



Server Identity Checking for TLS – Peter Saint-Andre (Cisco)

          A document has been written in the APP area that describes how to verify the identity asserted by a server against the Subject name (or Subject alt name) contained in a certificate offered by the server. The goal is to make such identity checks uniform across a wide range of applications that make use of TLS for security in a client/server model. Note that there are lots of types of identities that may be asserted, e.g., DNS name, IP address, URL/URI, etc. One needs different rules for different name types and applications, and this document provides such rules. This presentation was made to PKIX for informational purposes, and to solicit feedback from PKI experts. Russ Housley suggests that the authors solicit comments from PKIX, TLS, SAAG, and various application WGs. Then submit the document as an individual BCP. (Slides)


Certificate ID Key ID - Sean Leonard (Penango)

This document was inadvertently approved (by Steve) as a WG item; it is not. SeanŐs goal is to document one way to refer to another certificate or key.  He recognizes that there are various extant ways to do this, e.g., ESSCertID, Certificate ID in OCSP, SCVPCertID. He would like just one, e.g., in new protocols, provided as guidance to authors. Separately, Sean addressed the question of why he wants to define a preferred reference to keys. Russ likes the suggestion of encouraging wider use of ESSCertIDv2 for certificate identification. Stephen Farrell asked why there is a need for public key identifiers, since SeanŐs presentation did not provide one. Sean admitted that he did not have one at this time. Russ suggested that having one, preferred way to point to certificates was a good goal for PKIX, and that ESSCertIDv2 was the obvious candidate. There was general agreement on this point. Sean indicated that this would satisfy his goal of having one such method preferred. There was no support for changing the name of the existing data structure. It is not clear if PKIX needs to issue a very, very brief document codifying this decision.



Proxy Architecture on DRM Service – Zhipeng Zhou (Huawei)

          This presentation discussed the possible need for an architecture for authorization in the context of a proxy. Digital rights management (DRM), in a context that makes use of certificates and CRLs, has been the primary, motivating example, but Zhipeng feels that the scenario he presented is generic. It was noted that attribute certificates are the extant, standard way to achieve authorization delegation, in the general case, so why is a different solution needed?  Also, if one uses attribute certificates, there are various, application-specific ways to communicate them, which raises questions about whether there is a need for a standard protocol for conveyance of ACs.  (Slides)