Public-Key Infrastructure (X.509) (pkix)

Hoyt L. Kesterson II | 1 Oct 2001 04:42

announcement of the rescheduled directory meeting in Flagstaff


hello all

The announcement of the rescheduled Flagstaff meeting is at

     ftp://ftp.bull.com/pub/OSIdirectory/Flagstaff2001/announcementRev3.pdf

The major differences in the announcement are;

The date is 12 - 16 November 2001

The agenda is changed - e.g., work on X.509/part 8 is now on 12 and 13 November

Reservations must be made by 20 October. The room rate is lowered to 
$90 but it will be colder.

Additional input documents are identified.

Travel directions from Las Vegas to the hotel are included. Several 
people found that it was less expensive to book a flight to Las Vegas 
than to Phoenix.

As before, the input documents for this meeting can be found at

   ftp://ftp.bull.com/pub/OSIdirectory/Flagstaff2001/InputDocuments/  and

   ftp://ftp.bull.com/pub/OSIdirectory/Geneva2001Output/

    hoyt

(Continue reading)

headers

Takeshi AKUTSU | 2 Oct 2001 16:23

question about the DN Qualifier


Dear all,

I have a question about DN Qualifier.

RFC2459 states 
   Implementations of this specification MUST be prepared to 
   receive the following standard attribute types in issuer
   names: country, organization, organizational-unit, 
   distinguished name qualifier, state or province name,  
   and common name (e.g., "SusanHousley").

but I don't understand how the DN Qualifier is used.

I put the following description of X.520(draft). 
I confuse the DSA part.
How can I use the DN Qualifier? 
Is there any good example how to use it?

-----------------
5.2.8	DN Qualifier 

The DN Qualifier attribute type specifies disambiguating information
to add to the relative distinguished name of an entry. It is intended
to be used for entries held in multiple DSAs which would otherwise
have the same name, and that its value be the same in a given DSA for
all entries to which this information has been added.
-----------------

Sincerely,

(Continue reading)

headers

Bernd Matthes | 2 Oct 2001 19:21

Re: New test TSA available

Peter Gutmann wrote:
> 
> There's a new TSA available at tsa.cryptoapps.com:3318, running in a FIPS 140-1
> level 4 device (it's just a demo which runs single-threaded, so if you throw
> a huge number of concurrent requests at it you may get some refused
> connections, although I doubt it'll be a big issue for now).  There will also
> be an OCSP responder at ocsp.cryptoapps.com and a CMP server at
> cmp.cryptoapps.com in the near future running on the same hardware, at the
> moment I think the ports are still blocked so you won't be able to get to them.
> 
> Peter.

Hi Peter!

I tried Your TSA.
I could connect and got a response.
In parsing the response I got an ASN.1 error.
Here is Yours: 
   0 30 1706: SEQUENCE {
   4 30    3: . SEQUENCE {
   6 02    1: . . INTEGER 0
            : . . }
   9 30 1697: . SEQUENCE {
  13 06    9: . . OBJECT IDENTIFIER pkcs7signedData (1 2 840 113549 1 7
2)
  24 A0 1682: . . [CONTEXT-SPECIFIC 0] {
  28 30 1678: . . . SEQUENCE {
  32 02    1: . . . . INTEGER 1
  35 31   11: . . . . SET {
  37 30    9: . . . . . SEQUENCE {

(Continue reading)

headers

Peter Gutmann | 3 Oct 2001 09:05

Re: New test TSA available


>In parsing the response I got an ASN.1 error.

It's already fixed (I was using the PKCS #7 rather than CMS interpretation),
but because it's a pain to update the system it's running on it's still using
old code.  I'll have to reload the system at some point...

Peter.

headers

Rachel | 6 Oct 2001 04:29

Key Recovery in PKIX CMP

Hi all,

I have some questions here regarding the PKI messages used for key recovery purposes.
They are Key Recovery Request and Key Recovery Response messages.
According to RFC2510 and RFC2511, the key recovery request is of type CertReqMessages and
KeyRecRepContent respectively. My questions are:

1) Why the key recovery request is made identical as cert request format ? I can't see both of them
have the same nature.Cert request is used when someone want to register for his new key pair. In
order to complete that, one has to send in the CertTemplate with all those necessary fields filled
in, also, he has to provide Proof-of-Possession about his key pair. Now, if we look at the typical
procedure for a key recovery system (or key escrow system), anyone (the owner of the key, a third
party) can issue a request for the recovery of the key. In this context, does the key recovery
requester need to send in the cert template again ? Also, how can an authorised third party
presents his POP of the key to be recovered (although he is not the owner, but he has the right to
do so) ??

2) The 2nd question is about the key recovery response PKI message. Does anyone know why
newSigCert, caCerts and keyPairHist is returned to the recovery requester ? And can you explain the
scenario is which the new signature certificate should be returned and why ? The RFC I have do not
cover that, I mean the explanation on the existance of a particular field.

Hope to hear from you soon. Thanks in advance.

regards,
Rachel
UTM

(Continue reading)

headers

Peter Gutmann | 9 Oct 2001 16:40

Re: New test TSA available

Bernd Matthes <bernd.matthes <at> gemplus.com> writes:

>But the next question: You send the root of the TSA cert in certificates
>field. My verify function complains that a self sign cert is in cert chain.
>Should I tolerate this or is the complaint ok? I'm not sure.

Given the open-ended interpretation of what you can put in there, I'm sure it
could be argued that stuffing PGP certs in there is valid.  For my part, I just
put the whole chain in and let the relying party pepper and salt it as they
please.

Peter.

headers

Bernd Matthes | 9 Oct 2001 15:56

Re: New test TSA available

Peter Gutmann wrote:
> 
> >In parsing the response I got an ASN.1 error.
> 
> It's already fixed (I was using the PKCS #7 rather than CMS interpretation),
> but because it's a pain to update the system it's running on it's still using
> old code.  I'll have to reload the system at some point...
> 
> Peter.

Hi Peter!

Today I've test again Your TSA server. It looks good.

But the next question: You send the root of the TSA cert
in certificates field. My verify function complains 
that a self sign cert is in cert chain. 
Should I tolerate this or is the complaint ok?
I'm not sure.

with kind regards
--

-- 
Bernd Matthes               Celo Communications GmbH
Senior Software Engineer          - a Gemplus Company
Dipl.-Ing.(FH)              mailto:bernd.matthes <at> gemplus.com
------------------------------------------------------------
"Complexity breeds bugs. Bugs prevent adoption,
lack of adoption results in death. Death not good."

Attachment (smime.p7s): application/x-pkcs7-signature, 2030 bytes

headers

Magnus Nystrom | 11 Oct 2001 22:46

Re: Polling in CMP


Amit,

Thanks for your comments.

On Mon, 17 Sep 2001, Amit Kapoor wrote:

> Hi Magnus, Gareth,
>
>      A quick glance seems the proposal is inline with the original
> discussion. However, I would like to expand the scope of polling a
> little bit.  One of the other problems we have been dealing with is
> that issuance of certificates sometimes require a back and forth
> question & answer session between the end entity and the server
> for identity authentication.  The current interoperable subset of
> the CMP protocol assumes

> (a) all the information needed by the server is in the original
> request or
> (b) the server does out of band verification if information needed
> is not sufficient.
>
>      I believe this requirement is generic enough to require
> interoperable support and should go into the CMP protocol.  Based on
> the use of the proposed CMP poll request & response, it looks like a
> good choice. Would like to hear your thoughts......

This is probably rather a question for the ir/ip pair, or cr/cp,
perhaps in conjunction with enhancements to PKIStatus. In any event, I
rather not mix the polling functionality with interactions between the

(Continue reading)

headers

Fantou Patrick | 16 Oct 2001 17:04

AW: I-D ACTION:draft-ietf-pkix-new-part1-09.txt


Two small things:

1. pseudonym should be supported in issuer and subject names,
 but the oid for pseudonym is missing in this document (id-at-pseudonym : id-at 65 from X.520 2000)

2. Clause 4.2.2.1 Authority Information Access says that RFC 2560 defines the access descriptor for OCSP,
but in fact id-ad-ocsp (id-ad 1) is defined in this draft and RFC 2560 imports it 
and uses it as base for the OCSP OID arc.

Regards
Patrick

> -----Ursprüngliche Nachricht-----
> Von: Internet-Drafts <at> ietf.org [mailto:Internet-Drafts <at> ietf.org]
> Gesendet: Dienstag, 16. Oktober 2001 13:08
> Cc: ietf-pkix <at> imc.org
> Betreff: I-D ACTION:draft-ietf-pkix-new-part1-09.txt
> 
> 
> A New Internet-Draft is available from the on-line 
> Internet-Drafts directories.
> This draft is a work item of the Public-Key Infrastructure 
> (X.509) Working Group of the IETF.
> 
> 	Title		: Internet X.509 Public Key 
> Infrastructure Certificate 
>                           and CRL Profile
> 	Author(s)	: R. Housley, W. Ford, W. Polk, D. Solo
> 	Filename	: draft-ietf-pkix-new-part1-09.txt

(Continue reading)

headers

Housley, Russ | 16 Oct 2001 21:30

Re: AW: I-D ACTION:draft-ietf-pkix-new-part1-09.txt


Patrick:

>1. pseudonym should be supported in issuer and subject names,
>  but the oid for pseudonym is missing in this document (id-at-pseudonym : 
> id-at 65 from X.520 2000)

Section 4.1.2.4 lists pseudonym as one of the attributes that SHOULD be 
supported.  However, pseudonym is missing from the ASN.1 module.  We need 
to add:

    -- Naming attributes of type X520Pseudonym

    id-at-localityName      AttributeType ::= { id-at 65 }

    X520Pseudonym ::= CHOICE {
       teletexString     TeletexString   (SIZE (1..ub-pseudonym)),
       printableString   PrintableString (SIZE (1..ub-pseudonym)),
       universalString   UniversalString (SIZE (1..ub-pseudonym)),
       utf8String        UTF8String      (SIZE (1..ub-pseudonym)),
       bmpString         BMPString       (SIZE (1..ub-pseudonym)) }

    ub-pseudonym INTEGER ::= 128

>2. Clause 4.2.2.1 Authority Information Access says that RFC 2560 defines 
>the access descriptor for OCSP, but in fact id-ad-ocsp (id-ad 1) is 
>defined in this draft and RFC 2560 imports it and uses it as base for the 
>OCSP OID arc.

You are quite right.  I will propose replacement text after coordinating

(Continue reading)

34	May 2013
86	April 2013
93	March 2013
81	February 2013
226	January 2013
63	December 2012
134	November 2012
181	October 2012
96	September 2012
180	August 2012
226	July 2012
92	June 2012
111	May 2012
309	April 2012
363	March 2012
114	February 2012
83	January 2012
96	December 2011
167	November 2011
111	October 2011
81	September 2011
136	August 2011
180	July 2011
78	June 2011
114	May 2011
185	April 2011
215	March 2011
88	February 2011
2	January 2011
27	December 2010
76	November 2010
94	October 2010
73	September 2010
204	August 2010
121	July 2010
126	June 2010
32	May 2010
54	April 2010
120	March 2010
81	February 2010
15	January 2010
152	December 2009
120	November 2009
112	October 2009
18	September 2009
86	August 2009
101	July 2009
41	June 2009
105	May 2009
80	April 2009
138	March 2009
33	February 2009
127	January 2009
107	December 2008
162	November 2008
215	October 2008
39	September 2008
55	August 2008
85	July 2008
88	June 2008
11	May 2008
52	April 2008
14	March 2008
83	February 2008
128	January 2008
149	December 2007
101	November 2007
72	October 2007
101	September 2007
49	August 2007
48	July 2007
41	June 2007
61	May 2007
68	April 2007
108	March 2007
59	February 2007
97	January 2007
118	December 2006
160	November 2006
104	October 2006
184	September 2006
20	August 2006
78	July 2006
47	June 2006
32	May 2006
104	April 2006
58	March 2006
148	February 2006
56	January 2006
35	December 2005
54	November 2005
63	October 2005
77	September 2005
109	August 2005
133	July 2005
189	June 2005
206	May 2005
67	April 2005
82	March 2005
126	February 2005
14	January 2005
142	December 2004
256	November 2004
150	October 2004
217	September 2004
165	August 2004
128	July 2004
19	June 2004
121	May 2004
293	April 2004
102	March 2004
161	February 2004
87	January 2004
172	December 2003
241	November 2003
177	October 2003
284	September 2003
73	August 2003
193	July 2003
122	June 2003
48	May 2003
110	April 2003
193	March 2003
122	February 2003
325	January 2003
208	December 2002
290	November 2002
192	October 2002
184	September 2002
102	August 2002
82	July 2002
146	June 2002
272	May 2002
442	April 2002
214	March 2002
202	February 2002
239	January 2002
50	December 2001
314	November 2001
57	October 2001
192	September 2001
107	August 2001
68	July 2001
311	June 2001
288	May 2001
326	April 2001
361	March 2001
155	February 2001
432	January 2001
175	December 2000
430	November 2000
294	October 2000
277	September 2000
211	August 2000
494	July 2000
296	June 2000
277	May 2000
194	April 2000
159	March 2000
214	February 2000
113	January 2000
179	December 1999
384	November 1999
159	October 1999
244	September 1999
490	August 1999
364	July 1999
254	June 1999
296	May 1999
297	April 1999
267	March 1999
203	February 1999
126	January 1999
135	December 1998
213	November 1998
181	October 1998
389	September 1998
344	August 1998
272	July 1998
187	June 1998
214	May 1998
316	April 1998
337	March 1998
108	February 1998
155	January 1998
189	December 1997
184	November 1997
134	October 1997
124	September 1997
196	August 1997
147	July 1997
116	June 1997
89	May 1997
77	April 1997
87	March 1997
78	February 1997
62	January 1997
65	December 1996
101	November 1996
151	October 1996
28	September 1996
3	June 1995
1	May 1995
2	April 1995
9	March 1995
3	February 1995
5	January 1995
2	November 1994
2	August 1994
4	July 1994
1	June 1994
9	April 1994
3	March 1994
1	February 1994
2	December 1993
3	November 1993

Mon	Tue	Wed	Thu	Fri	Sat	Sun

1	2	3	4	5	6	7
8	9	10	11	12	13	14
15	16	17	18	19	20	21
22	23	24	25	26	27	28
29	30	31