
Re: Evaluation: draft-ietf-pkix-pi - Internet X.509 Public Key Infrastructure Permanent Identifier to Proposed Standard



Steven M. Bellovin wrote:
> Precisely -- any sort of name, permanent or not, is useless outside of the administrative context. That's why I think this is such a bad idea, especially as specified here. Why, for example, does it need to have the CA's name in the PI field, when you always have to carry the CA name elsewhere in the certificate?
Hmmm. I did not think the document said that. The Assignment
Authority is supposed to be represented in the Identifier
Type:

" The IdentifierType field, when present, identifies both the Assigner Authority and the type of that field."

But the Assigner Authority doesn't have to be the CA.
The document is not clear enough about how you go about
creating IdentifierTypes -- I think that goes to Ted's
points. There are some underlying assumptions (aka hand
waving) that need to be reviewed.

OTOH, if there is no "IdentifierType" field, then the AA is
assumed to be the CA, and it is essentially local to that
CA. But that's not the same as repeating the CA identifier.


> Beyond that, the comparison rules for UTF8 strings look wrong --
> I'm glad there's a matching rule specified, but from the little I
> understand about such things there will be a lot of complaints
> about the lack of more CJK-friendly matching rules.
Actually, they should not -- because URIs, as currently
defined, are strictly a subset of 0-127 ascii.  If you
want anything else, you have to encode it (e.g., hex encoding).

> OK -- but in that case, why does the document say that the identifier can be a UTF8 string?
Probably 'cause most people don't realize that URIs are
ascii character strings :-) I.e., I only pointed out the
matching rules should work; that may be by accident.

So, I think there are some engineering issues, but I think
we've understood the proposal differently, and perhaps
buffing off some of the engineering burrs would yield something
rational.
Leslie.

--

-------------------------------------------------------------------
"Reality:
Yours to discover."
-- ThinkingCat
Leslie Daigle
leslie@thinkingcat.com
-------------------------------------------------------------------
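The scoping rule Leslie describes (an absent IdentifierType means the Assigner Authority is the issuing CA, so the identifier is local to that CA, while a present IdentifierType is a URI and therefore pure ASCII) can be turned into a comparison function. This is an added illustration, not code from the draft or the thread; the in-memory field layout, the issuer-name strings and the exact-octet comparison of values are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PermanentIdentifier:
    """Assumed in-memory form of the PI extension: a UTF8String value plus an
    optional IdentifierType URI naming the Assigner Authority and the type."""
    identifier_value: str
    identifier_type: Optional[str] = None


def identifier_type_is_valid(identifier_type: Optional[str]) -> bool:
    """Absent IdentifierType is allowed. A present one is a URI, and URIs are
    restricted to 0-127 ASCII; anything else has to arrive already encoded."""
    if identifier_type is None:
        return True
    return identifier_type != "" and all(ord(ch) < 128 for ch in identifier_type)


def pi_matches(a: PermanentIdentifier, issuer_a: str,
               b: PermanentIdentifier, issuer_b: str) -> bool:
    """Compare two permanent identifiers taken from certificates issued by
    issuer_a and issuer_b respectively.

    With an IdentifierType present the Assigner Authority is named explicitly,
    so the issuing CA does not matter. With it absent the AA is assumed to be
    the issuing CA, so equal values under different CAs are different
    identifiers. Values are compared octet for octet (assumption)."""
    if not (identifier_type_is_valid(a.identifier_type)
            and identifier_type_is_valid(b.identifier_type)):
        return False
    if a.identifier_type is not None or b.identifier_type is not None:
        # Both must carry the same ASCII URI; one present, one absent never matches.
        return (a.identifier_type == b.identifier_type
                and a.identifier_value == b.identifier_value)
    # Neither names an Assigner Authority: scope collapses to the issuing CA.
    return issuer_a == issuer_b and a.identifier_value == b.identifier_value
```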