PKIX WG Meeting March 28, 2011
Edited by Steve Kent
Co-Chairs: Stephen Kent <kent@bbn.com>
Stefan Santesson <stefans@aaa-sec.com>
The PKIX WG met once, for 2 hours, during the 80th IETF. A total of approximately 47
individuals participated in the meeting.
Document Status Review - Stefan Santesson (3xA
Security)
There
has been significant progress in document status since the previous meeting.
-
0 new RFCs
published since Beijing
-
2 documents in
the RFC EditorÕs queue: certificate-image & OCSP agility
-
0 documents in
IESG processing
-
5 I-Ds in
process in the WG: CMC Updates, 5280 clarifications, OCSP Update, Transport Protoclls for CMP, Internet mail addresses in X.509, S/MIME
Capabilities for public keys
-
1 non-WG
document to be discussed: future PKIX certificate enrollment protocols
(Slides)
PKIX WG Documents
S/MIME Capabilities for
Public Key Definitions - Jim
Schaad (Soaring Hawk Consulting)
The same data structure is used for several RSA variants, another one
for ECC, another one for DSA and DH, and yet one more for RSASSA-PSS signature.
Jim thinks that this document is ready for WGLC. The question is whether the
OCSP algorithm agility document, which is in the RFC editor queue, ought to be
changed to use the S/MIME capability data structures instead of the Algorithm
ID data structure. Options are to issue an update later, pull the document back
and process again, or leave it as is. Note there is no on-the-wire change for
anything by but the RSASSA-PSS case. Stefan like Algorithm ID, as it is used
everywhere else in PKIX data structures, but recognizes the added flexibility
of the S/MIME capability. Jim also notes that there is a subtle difference
between the S/MIME structure, (which expresses a capability), vs. the Algorithm
ID (which says what is carried in a structure). Tim Polk suggested that we
could change this w/o starting over, if the WG wants. The chairs agree to
execute a one-week WGLC on this change and let Sean know how the WG wants to
proceed. (Slides)
Updates to OCSP Agility – Stefan Santesson (3xA Security)
There were a few minor changes in response to IESG comments, in the
security considerations sections and a minor change to the ASN.1 syntax, to add
the S/MIME capability syntax as an optional, second element. (Slides)
Internationalized
Email Addresses in X.509 Certificates – Alexey Melnikov
The
EAI WG (application area) is completing a revision RFC 5335bis and RFC 5336bis.
These changes will allow UTF-8 characters on both sides of the Ō@Ķ in an e-mail
address. RFC 5280 defines an RFC822 address as an SAN, but does not define
addresses relative to UTF-8 encoding. There is also a desire to support
multiple aliases for both sides of the e-mail address (user name and domain
name). This could result in a very big certificate, if the cross product of
both sets of aliases have to be represented individually in a certificate. So,
there are two issues: updating 5280 to support IDNA2008 in DNS and e-mail SANs, and how to accommodate aliases in e-mail SANs (in a space-efficient fashion). Win the past we have
had a lack of widespread vendor support for UTF-8 in certificates. Most
recently it appeared that few RPs supported the matching rules that 5280
defines, in lieu of the simple, binary matching rules that were defined in
3280. This may argue for a return to the older, simple rules, if we want to
support UTF-8 in these two SANs Paul argued that the
alias issue is a red herring, since we may already have this problem, .e.g.,
foo.com and foo.net. So, we can bring to the list the topic of an update to
5280 that makes UTF-8 support a SHOULD in DNS and e-mail address SANs, and to revert to the simpler matching rules. (Slides)
Certificate Management
over CMS (CMC) Updates - Jim
Schaad (Soaring Hawk Consulting)
The document is
blocked, awaiting a reference to a document written by Sean Turner. Unless
something surprising arises in SeanÕs document, JimÕs document is ready to go.
(no slides)
Presentations
on non-WG Topics (seeking WG adoption)
The
European standardization mandate and activities in ETSI - Stefan Santesson (3xA Security)
Stefan provided a brief
overview of activities in ETSI related to digital signatures, motivated by a
new EC mandate (M460). Two of these activities are relevant to PKIX: fixes to
qualified certificates and a profile for certificates issued to people. The
fixes being pursued include: associating semantics with name data types,
indicating the security afforded to a private key (corresponding to a public
key in a certificate), and policy expressions relative to a qualified
certificate. Sean noted that the second issue usually be addressed via policy
OIDs. Stefan agreed that he would work to avoid creating a new extension (for
example) to deal with this issue. Stefan believes that the last issue might
affect PKIX, because of CAs making errors in certificate policy inclusion in
intermediate CA certificates vs. EE certificates. (Slides)
The Future of PKIX Certificate Enrollment
Protocols– Joe Salowey for Max Pritkin (Cisco)
This is an initial discussion on the
topic of pursuing development of a new, lightweight certificate enrollment
protocol, as an alternative to the full-featured certificate management
protocols that are extant PKIX standards (CMC and CMP). A fundamental
observation is that the extant PKIX standards are transport independent. This
makes evaluation of the security of the protocols easier, because one does not
have to rely on the security of an underlying transport protocol. This proposal
(EST) calls for implementing a subset of CMC, and relying on a secure
transport, i.e., TLS/HTTPS. Goals for EST would be support for enrollment and
re-key, and algorithm agility, e.g., ECC support. Tim Polk asked whether
revocation ought to be include as well? Paul Hoffman suggests that we try to
avoid function creep in order to make progress initially. Sean would like to
move CMC and CMP to historic, but Steve Kent notes that we need to offer
sufficient functionality in EST before we retire the other protocols, and we
have to keep the 3GPP folks (who use CMPv2). PHB expressed skepticism that this
effort would yield a simpler protocol that will be more widely deployed. Stefan
noted the need to employ some form of channel binding mechanism, to avoid MITM
attacks against a TLS session. Several folks noted the importance of making the
target audience clearly defined. Steve Kent observed that TLS/HTTPS are
actually very poorly specified in IETF standards, relative to PKI details. Thus
we need to be careful that we do not inherit any ambiguities or vulnerabilities
of TLS/HTTPS. (Slides)