The IESG | 10 Jun 2013 16:45

Last Call: <draft-ietf-pkix-est-07.txt> (Enrollment over Secure Transport) to Proposed Standard


The IESG has received a request from the Public-Key Infrastructure
(X.509) WG (pkix) to consider the following document:
- 'Enrollment over Secure Transport'
  <draft-ietf-pkix-est-07.txt> as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf <at> ietf.org mailing lists by 2013-06-24. Exceptionally, comments may be
sent to iesg <at> ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract

   This document profiles certificate enrollment for clients using
   Certificate Management over CMS (CMC) messages over a secure
   transport.  This profile, called Enrollment over Secure Transport
   (EST), describes a simple yet functional certificate management
   protocol targeting Public Key Infrastructure (PKI) clients that need
   to acquire client certificates and associated Certification Authority
   (CA) certificate(s).  It also supports client-generated public/
   private key pairs as well as key pairs generated by the CA.

The file can be obtained via
http://datatracker.ietf.org/doc/draft-ietf-pkix-est/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-ietf-pkix-est/ballot/

No IPR declarations have been submitted directly on this I-D.

RFC Errata System | 17 May 2013 12:34

[Technical Errata Reported] RFC5912 (3626)

The following errata report has been submitted for RFC5912,
"New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX)".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata_search.php?rfc=5912&eid=3626

--------------------------------------
Type: Technical
Reported by: Carl Wallace <carl <at> redhoundsoftware.com>

Section: 14

Original Text
-------------
   -- CRL number extension OID and syntax
   ext-CRLNumber EXTENSION ::= {SYNTAX
       INTEGER (0..MAX) IDENTIFIED BY id-ce-cRLNumber }
   id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 }

   CRLNumber ::= INTEGER (0..MAX)

Corrected Text
--------------
   -- CRL number extension OID and syntax
   CRLNumber ::= INTEGER  (0..MAX)

   ext-CRLNumber EXTENSION ::= {SYNTAX
       CRLNumber IDENTIFIED BY id-ce-cRLNumber }
   id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 }

Erik Andersen | 17 May 2013 12:31

Whitelisting

There were some ideas about whitelisting of certificates. What is the status?

 

Erik

_______________________________________________
pkix mailing list
pkix <at> ietf.org
https://www.ietf.org/mailman/listinfo/pkix
RFC Errata System | 16 May 2013 13:07

[Technical Errata Reported] RFC5912 (3623)

The following errata report has been submitted for RFC5912,
"New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX)".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata_search.php?rfc=5912&eid=3623

--------------------------------------
Type: Technical
Reported by: Carl Wallace <carl <at> redhoundsoftware.com>

Section: 14

Original Text
-------------
   -- CRL number extension OID and syntax
   ext-CRLNumber EXTENSION ::= {SYNTAX
       INTEGER (0..MAX) IDENTIFIED BY id-ce-cRLNumber }
   id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 }

   CRLNumber ::= INTEGER (0..MAX)

Corrected Text
--------------
   -- CRL number extension OID and syntax
   CRLNumber ::= INTEGER 

   ext-CRLNumber EXTENSION ::= {SYNTAX
       CRLNumber IDENTIFIED BY id-ce-cRLNumber }
   id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 }

Notes
-----
The CRLNumber extension was not defined to use the CRLNumber type.  The CRLNumber type uses MAX to limit the
maximum value.  This limitation is inconsistent with section 5.2.3 and Appendix B, which allow CRLNumber
values up to 20 octets in length.

Instructions:
-------------
This errata is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party (IESG)
can log in to change the status and edit the report, if necessary. 

--------------------------------------
RFC5912 (draft-ietf-pkix-new-asn1-08)
--------------------------------------
Title               : New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX)
Publication Date    : June 2010
Author(s)           : P. Hoffman, J. Schaad
Category            : INFORMATIONAL
Source              : Public-Key Infrastructure (X.509)
Area                : Security
Stream              : IETF
Verifying Party     : IESG
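The 20-octet bound that the errata notes refer to (RFC 5280 section 5.2.3) is where a CRLNumber implementation most often goes wrong: either the issuer side lets a value grow past the bound, or the relying-party side accepts a sloppily encoded INTEGER. The following is an added example, not code from the errata report, from RFC 5912 or from any library. It DER-encodes a CRLNumber, strictly decodes one, and applies the 20-octet bound to the content octets of the INTEGER including any leading 0x00 sign pad (an interpretation this example assumes), then uses the decoder in a relying-party check that a replacement CRL carries a strictly larger number.

```python
"""CRLNumber DER encoding and strict validation (added example; not from the
errata report, RFC 5912 or any library).

RFC 5280 section 5.2.3: a CRL number is a non-negative integer; CRL verifiers
must handle values up to 20 octets and conforming issuers must not produce
longer ones.  This example assumes the bound applies to the content octets of
the DER INTEGER, including a leading 0x00 pad octet.
"""

MAX_CRL_NUMBER_OCTETS = 20


def encode_crl_number(value: int) -> bytes:
    """DER-encode a CRL number as ASN.1 INTEGER (tag 0x02), refusing anything
    an RFC 5280 issuer must not emit (negative or longer than 20 octets)."""
    if value < 0:
        raise ValueError("CRLNumber must be non-negative")
    content = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if content[0] & 0x80:
        content = b"\x00" + content  # keep the two's-complement sign bit clear
    if len(content) > MAX_CRL_NUMBER_OCTETS:
        raise ValueError("CRLNumber longer than 20 octets")
    # content is at most 20 octets, so the short-form length always fits
    return b"\x02" + bytes([len(content)]) + content


def decode_crl_number(der: bytes) -> int:
    """Strictly parse a DER INTEGER holding a CRL number.

    Rejects a wrong tag, a long-form length (any value that needs one is
    already over the 20-octet bound, or the encoding is non-minimal), a
    negative value, a redundant leading zero, trailing bytes and values over
    20 octets, so a malformed CRL cannot slip through as a plausible number.
    """
    if len(der) < 3 or der[0] != 0x02:
        raise ValueError("not an ASN.1 INTEGER")
    length = der[1]
    if length & 0x80:
        raise ValueError("long-form length: over the CRLNumber bound or non-minimal")
    content = der[2:2 + length]
    if length == 0 or len(content) != length or 2 + length != len(der):
        raise ValueError("length does not match content")
    if content[0] & 0x80:
        raise ValueError("CRLNumber must be non-negative")
    if length > 1 and content[0] == 0x00 and not (content[1] & 0x80):
        raise ValueError("non-minimal integer encoding")
    if length > MAX_CRL_NUMBER_OCTETS:
        raise ValueError("CRLNumber longer than 20 octets")
    return int.from_bytes(content, "big")


def accept_newer_crl(previous_number: int, new_der: bytes) -> bool:
    """Relying-party check: a replacement CRL is accepted only if its
    CRLNumber parses cleanly and is strictly greater than the one on file."""
    try:
        return decode_crl_number(new_der) > previous_number
    except ValueError:
        return False


if __name__ == "__main__":
    # constructed sample values, not taken from any real CRL
    print(encode_crl_number(1).hex())              # 020101
    print(encode_crl_number(2 ** 159 - 1).hex())   # 20 content octets, accepted
    print(accept_newer_crl(41, encode_crl_number(42)))   # True
    print(accept_newer_crl(0, b"\x02\x01\xff"))          # False: negative value
```

The decoder is deliberately stricter than a generic BER reader: a CRL is a signed object, and accepting a non-canonical INTEGER for the number would mean two different byte strings can claim the same CRL number, which defeats the monotonicity check in `accept_newer_crl`.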

Paul Hoffman | 13 May 2013 19:08

A well-researched article on use of CRLs in browsers

http://news.netcraft.com/archives/2013/05/13/how-certificate-revocation-doesnt-work-in-practice.html

The Netcraft folks are well-known for their research and non-flamingness.

--Paul Hoffman

johnsonhammond1 | 27 Apr 2013 19:28

Biggest Fake Conference in Computer Science

We are researchers from different parts of the world and conducted a study on  
the world’s biggest bogus computer science conference WORLDCOMP 
( http://sites.google.com/site/worlddump1 ) organized by Prof. Hamid Arabnia 
from University of Georgia, USA.

We submitted a fake paper to WORLDCOMP 2011 and again (the same paper 
with a modified title) to WORLDCOMP 2012. This paper had numerous 
fundamental mistakes. Sample statements from that paper include: 

(1). Binary logic is fuzzy logic and vice versa
(2). Pascal developed fuzzy logic
(3). Object oriented languages do not exhibit any polymorphism or inheritance
(4). TCP and IP are synonyms and are part of OSI model 
(5). Distributed systems deal with only one computer
(6). Laptop is an example for a super computer
(7). Operating system is an example for computer hardware

Also, our paper did not express any conceptual meaning.  However, it 
was accepted both times without any modifications (and without 
any reviews) and we were invited to submit the final paper and a 
payment of $500+ fee to present the paper. We decided to use the 
fee for better purposes than making Prof. Hamid Arabnia (Chairman 
of WORLDCOMP) rich. After that, we received a few reminders from 
WORLDCOMP to pay the fee but we never responded. 

We MUST say that you should look at the above website if you have any thoughts 
of submitting a paper to WORLDCOMP.  DBLP and other indexing agencies have stopped 
indexing WORLDCOMP’s proceedings since 2011 due to its fakeness. See 
http://www.informatik.uni-trier.de/~ley/db/conf/icai/index.html for one of the 
conferences of WORLDCOMP and notice that there is no listing after 2010. See Section 2 of
http://sites.google.com/site/dumpconf for comments from well-known researchers 
about WORLDCOMP. 

The status of your WORLDCOMP papers can be changed from scientific
to other (i.e., junk or non-technical) at any time. Better not to have a paper than 
to have it in WORLDCOMP and spoil the resume and peace of mind forever!

Our study revealed that WORLDCOMP is a money making business, 
using the University of Georgia as a mask, for Prof. Hamid Arabnia. He is throwing 
out a small chunk of that money (around 20 dollars per paper published 
in WORLDCOMP’s proceedings) to his puppet (Mr. Ashu Solo or A.M.G. Solo) 
who publicizes WORLDCOMP and also defends it at various forums, using 
fake/anonymous names. The puppet uses fake names and defames other conferences
to divert traffic to WORLDCOMP. He also makes anonymous phone calls and tries to 
threaten the critics of WORLDCOMP (See Item 7 of Section 5 of the above website). 
That is, the puppet does his best to get a maximum number of papers published 
at WORLDCOMP to get more money into his (and Prof. Hamid Arabnia’s) pockets. 

Monte Carlo Resort (the venue of WORLDCOMP for more than 10 years, until 2012) has 
refused to provide the venue for WORLDCOMP’13 because of the fears of their image 
being tarnished due to WORLDCOMP’s fraudulent activities. That is why WORLDCOMP’13 
is taking place at a different resort. WORLDCOMP will not be held after 2013. 

The draft paper submission deadline is over but still there are no committee 
members, no reviewers, and there is no conference Chairman. The only contact 
details available on WORLDCOMP’s website is just an email address! 

Let us make a direct request to Prof. Hamid Arabnia: publish all reviews for 
all the papers (after blocking identifiable details) since the 2000 conference. Reveal 
the names and affiliations of all the reviewers (for each year) and how many 
papers each reviewer had reviewed on average. We also request him to look at 
the Open Challenge (Section 6) at https://sites.google.com/site/moneycomp1 

Sorry for posting to multiple lists. Spreading the word is the only way to stop 
this bogus conference. Please forward this message to other mailing lists and people. 

We are shocked by Prof. Hamid Arabnia and his puppet’s activities: 
http://worldcomp-fake-bogus.blogspot.com   Search Google using the 
keyword "worldcomp fake" for additional links.

Tony Rutkowski | 26 Apr 2013 15:39

Actions taken at current ITU-T meeting

From: Tony Rutkowski <tony <at> yaanatech.com>
Subject: Actions taken at current ITU-T meeting
Date: 2013-04-26 13:39:06 GMT
The attached material has just been
"approved" at the ITU-T SG17 meeting
in Geneva.  It is worth being aware of.
The IETF may wish to take a position,
although it's not apparent the ITU is
soliciting the IETF's views.

It is also possible to contact your
favorite national government representative
to the ITU-T to assert a position,
as the ITU-T is an intergovernmental
body and the changes can have global
normative consequences.

Although X.509 is a fairly fundamental
security spec that emerged from the ITU-T
years ago, PKIX and other bodies have
effectively taken over the spec.  This has
not sat well at the ITU-T where the couple
of people still there dealing with X.509
are seeking a role.  It is a subgroup known
as "Rapporteur Group Q11/17."

One of the remaining persons introduced an
academic paper at the meeting in which he
and a few colleagues provided their views
on the world of PKI provisioning, as well
as some fundamental changes they see
desirable. He and a colleague or two then
approved the proposal to make fundamental
changes to X.509 at the meeting - including
adding the notion of a new PKI "juridical expert"
described in his paper.  See TD 131 attached.

I've also attached the Q11/17 Report with
this action highlighted in yellow, as
well as the changes being made to X.509.
See TDs 43 and 241.

Although these are interesting (perhaps
even desirable) ideas, the potential
consequences are significant, and the
actions here seem premature at best.
These matters should be vetted among a broad
array of parties affected.

--tony

Attachment (T13-SG17-130417-TD-PLEN-0043!R2!MSW-E.docx): application/vnd.openxmlformats-officedocument.wordprocessingml.document, 79 KiB
Attachment (T13-SG17-130417-TD-PLEN-0131_X.509proposal.docx): application/vnd.openxmlformats-officedocument.wordprocessingml.document, 516 KiB
Attachment (T13-SG17-130417-TD-PLEN-0241_X.509changes.docx): application/vnd.openxmlformats-officedocument.wordprocessingml.document, 411 KiB
Attachment (smime.p7s): application/pkcs7-signature, 4509 bytes
Dan Harkins | 22 Apr 2013 23:59

issuing a certificate from a signing request


  Hello,

  Is a CA obligated to issue a certificate using the subjectName that is in
a certificate signing request or can it modify, update, and change the
subjectName in the CSR and issue any certificate it wants?

  Let's say I generate a CSR with "CN=dharkins" but the CA wants my
certificate to have "CN=Daniel Harkins" or even "CN=Employee428".
Is it allowed to issue such a certificate in response to my signing request
or must it use what I sent in the CSR?

  I was unable to find an answer to this question in any RFC or any
standard issued by another SDO. If anyone knows a definitive answer
to this and can point to a published standard I would greatly appreciate
it.

  thanks,

  Dan.


Paul Hoffman | 22 Apr 2013 23:33

Off-topic: OCSP response times and drop rates

http://news.netcraft.com/archives/2013/04/22/ocsp-server-performance-in-march-2013.html

Piyush Jain | 21 Apr 2013 02:24

Re: Extended Validation Certificate OIDs

Microsoft enterprise EV is only meant for the intranet and Internet Explorer.

Intranet sites with these certificates will display the green bar only in Internet Explorer, which is configured (typically using a GPO) with the special policy OID and the root CA.

 

Clients/browser outside your intranet won’t even consider the certificate to be valid because they won’t be able to chain the certificate to a trusted root in their local trust store.

 

-Piyush

 

From: pkix-bounces <at> ietf.org [mailto:pkix-bounces <at> ietf.org] On Behalf Of Hasan T. Emdad
Sent: Thursday, April 18, 2013 8:37 AM
To: pkix <at> ietf.org
Subject: [pkix] Extended Validation Certificate OIDs

 

Hi,

 

Is EV only limited through CAB Forums?

On Microsoft CA, there are many ways to implement Enterprise EV certificates. Now my question is, how do they do it if the only answer is that the browsers acknowledge only their embedded forum members' OIDs?

 

Hasan T. Emdad

 

Hasan T. Emdad | 18 Apr 2013 17:36

Extended Validation Certificate OIDs

Hi,

 

Is EV only limited through CAB Forums?

On Microsoft CA, there are many ways to implement Enterprise EV certificates. Now my question is, how do they do it if the only answer is that the browsers acknowledge only their embedded forum members' OIDs?

 

Hasan T. Emdad

 

