Denis Pinkas | 2 May 10:09 2007

Re: RE: Lightweight Certificate Validation Protocol (LCVP)


Stefan,

>Denis,
>
>I have read your e-mail and your draft, at least a majority of it. It does not provide the answers I need.

What are your TECHNICAL questions?

>I need you to motivate why we need yet another protocol for on-line status checking.
>A "Read the document" reply is not sufficient for me.

You got the arguments in previous emails. They may not be sufficient, but so far 
you have not raised arguments against them.

>I don't want a list of technical features you provide. I want an analysis of the impact of the industry.

It is the first time that a chair asks for "an analysis of the impact of the industry".

We may discuss technical advantages and drawbacks of one solution to a problem 
versus another, but "an analysis of the impact of the industry" is an inappropriate 
question in the context of this WG.

Denis

>Personally I'm totally against writing yet another protocol for this, and you have so far not been able to convince me.

Stefan Santesson | 2 May 10:23 2007

RE: RE: Lightweight Certificate Validation Protocol (LCVP)


Denis,

Your job is to convince the WG that there is substantial reason to work on your draft. So far you have not been successful.

I can only offer you honestly what I personally need to be convinced. In this case I will mostly not be
convinced by technical arguments listing all things you can do with your protocol. To convince me you need
to demonstrate the need in the industry and also convince me that the negative impact on the industry by
adding another protocol, is less than the benefits.

That consideration is valid for IETF in its mission to make the internet better and therefore also for this WG.

However I'm not telling you what to do and I am not the WG. As chair I do determine consensus but I'm only 1 voice.

Stefan Santesson
Senior Program Manager
Windows Security, Standards

> -----Original Message-----
> From: Denis Pinkas [mailto:denis.pinkas <at> bull.net]
> Sent: 2 May 2007 10:10
> To: Stefan Santesson
> Cc: pkix
> Subject: Re: RE: Lightweight Certificate Validation Protocol (LCVP)
>
>
> Stefan,
>
> >Denis,
> >

Peter Sylvester | 2 May 17:49 2007

Re: Lightweight Certificate Validation Protocol (LCVP)

Denis,

I have asked some questions and you haven't yet answered. So far, I cannot
see, as well as others, where you actually see important differences and
missing things in existing texts.

You have mentioned some optimisation problems or unnecessary encapsulations
as one argument. Like others, I think that if this is important, you can
easily come up with, let's say as an example, just exchanging directly the
content of some requests or responses and protecting them in whatever
appropriate way you want. This was mentioned as a possible adjustment to
SCVP for example, or you just do it with XKMS.

In your text you have added (this is a standard technique of yours) a new
concept which is 'revalidation'. Since this is optional, I don't see what
the advantage is of having it in a lightweight protocol. In a previous message
you did not explain what it is good for, what service is behind it etc.,
using the argument that this is optional anyway.
Actually you seem to propose two essentially different protocol features.
In any case, both of them seem possible to me using any existing protocol.
If you want to make simple profiles/protocols, define one for each
feature.

I have asked that you might want to explain what you mean
exactly by certificate validity, what the distinction is from revocation
checking, and to explain whether and what impact this has on a server.

Paul Hoffman | 2 May 18:31 2007

RE: RE: Lightweight Certificate Validation Protocol (LCVP)


At 9:23 AM +0100 5/2/07, Stefan Santesson wrote:
>Your job is to convince the WG that there is substantial reason to 
>work on your draft. So far you have not been successful.
>
>I can only offer you honestly what I personally need to be 
>convinced. In this case I will mostly not be convinced by technical 
>arguments listing all things you can do with your protocol. To 
>convince me you need to demonstrate the need in the industry and 
>also convince me that the negative impact on the industry by adding 
>another protocol, is less than the benefits.
>
>That consideration is valid for IETF in its mission to make the 
>internet better and therefore also for this WG.
>
>However I'm not telling you what to do and I am not the WG. As chair 
>I do determine consensus but I'm only 1 voice.

Let me add a second voice, agreeing with Stefan. From this thread, I 
see that your proposal is close to SCVP in functionality with some 
differences he considers important. Others have said that most of the 
differences you gave are already in SCVP.

If there is a large industry segment who need your differences, we 
might consider it for WG action. Otherwise, this should be an 
individual contribution with its own mailing list and occasional 
pointers here to the new drafts.

--Paul Hoffman, Director
--VPN Consortium

Denis Pinkas | 3 May 15:52 2007

Re: Lightweight Certificate Validation Protocol (LCVP)


Paul and Stefan,

>At 9:23 AM +0100 5/2/07, Stefan Santesson wrote:
>>Your job is to convince the WG that there is substantial reason to 
>>work on your draft. So far you have not been successful.
>>
>>I can only offer you honestly what I personally need to be 
>>convinced. In this case I will mostly not be convinced by technical 
>>arguments listing all things you can do with your protocol. To 
>>convince me you need to demonstrate the need in the industry and 
>>also convince me that the negative impact on the industry by adding 
>>another protocol, is less than the benefits.
>>
>>That consideration is valid for IETF in its mission to make the 
>>internet better and therefore also for this WG.
>>
>>However I'm not telling you what to do and I am not the WG. As chair 
>>I do determine consensus but I'm only 1 voice.
>
>Let me add a second voice, agreeing with Stefan. From this thread, I 
>see that your proposal is close to SCVP in functionality with some 
>differences he considers important. Others have said that most of the 
>differences you gave are already in SCVP.
>
>If there is a large industry segment who need your differences, we 
>might consider it for WG action. Otherwise, this should be an 
>individual contribution with its own mailing list and occasional 
>pointers here to the new drafts.


Denis Pinkas | 3 May 15:45 2007

Re: Lightweight Certificate Validation Protocol (LCVP)


Peter,

>Denis,
>
>I have asked some questions and you haven't yet answered. So far, I cannot
>see, as well as others, where you actually see important differences and
>missing things in existing texts.
>
>You have mentioned some optimisation problems or unnecessary encapsulations
>as one argument. Like others, I think that if this is important, you can
>easily come up with, let's say as an example, just exchanging directly the
>content of some requests or responses and protecting them in whatever
>appropriate way you want. This was mentioned as a possible adjustment to
>SCVP for example, or you just do it with XKMS.

I might provide, next week, a full analysis of:

- the sentences from SCVP that do not allow a lightweight protocol,
- the features from LCVP that SCVP does not support (unless extending it).

>In your text you have added (this is a standard technique of yours) a new
>concept which is 'revalidation'. Since this is optional, I don't see what
>the advantage is of having it in a lightweight protocol. In a previous message
>you did not explain what it is good for, what service is behind it etc.,
>using the argument that this is optional anyway.

Denis Pinkas | 3 May 15:41 2007

Re: Lightweight Certificate Validation Protocol (LCVP)


Peter (Sylvester),

(...)

>I have read the text, and I am waiting to at least a response to one 
>question concerning the service (send some days ago).

Your questions were:

1 - "LCVP as well as SCVP allows two different ways to identify a certificate.
Either by providing the certificate or by a reference".

It may be the right time to say that the way to provide the certificate in SCVP 
does not allow its support by thin clients.

The certificate is defined by Certificate, which means that the client must 
fully decode the whole certificate.

The change I mentioned while answering Stefan was to define the certificate 
as an OCTET STRING, which has the advantage of only requiring, for the client, 
the extraction of the public key that is within the certificate.

2 - "In the second case the server needs to access a repository to obtain
a certificate. To which degree does a server trust the repository to
deliver a valid certificate? Or, in other words, would it be equivalent
or not that the client obtains by whatever means a certificate and
provides it as input".

It is equivalent. No trust is needed. However when using electronic signatures 
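The point Denis makes above, as an added example that is not part of the original post or of any SCVP/LCVP implementation: a request that carries a decoded ASN.1 `Certificate` obliges the client to parse every field, whereas carrying the DER bytes in an OCTET STRING lets a thin client stop after locating subjectPublicKeyInfo. The certificate bytes and all function names are constructed here; the certificate is unsigned and its key is a dummy.

```python
# Added example, not from the thread or any SCVP/LCVP implementation. It contrasts
# handing a server a decoded ASN.1 Certificate (every field must be parsed) with
# handing over the DER bytes as an OCTET STRING (the thin client only locates the SPKI).
SEQ, SET, OID, INT, BITS, OCTETS, NULL, UTF8, UTCTIME = 0x30, 0x31, 0x06, 0x02, 0x03, 0x04, 0x05, 0x0C, 0x17

def der_tlv(tag: int, body: bytes) -> bytes:  # one DER TLV, definite short or long length
    n = len(body)
    ln = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([tag, n]) + body if n < 0x80 else bytes([tag, 0x80 | len(ln)]) + ln + body

def read_tlv(buf: bytes, pos: int = 0):  # -> (tag, content, position after the TLV)
    tag, first = buf[pos], buf[pos + 1]
    k = 0 if first < 0x80 else first & 0x7F                 # long-form length bytes
    n = first if k == 0 else int.from_bytes(buf[pos + 2:pos + 2 + k], "big")
    return tag, buf[pos + 2 + k:pos + 2 + k + n], pos + 2 + k + n

def children(content: bytes) -> list:  # (tag, content) pairs inside a constructed type
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val))
    return out

def build_sample_certificate() -> bytes:
    """CONSTRUCTED stand-in following the RFC 5280 Certificate field order (unsigned)."""
    alg = der_tlv(SEQ, der_tlv(OID, bytes.fromhex("2A864886F70D01010B")) + der_tlv(NULL, b""))
    name = der_tlv(SEQ, der_tlv(SET, der_tlv(SEQ, der_tlv(OID, bytes.fromhex("550403"))
                                                 + der_tlv(UTF8, b"example"))))
    validity = der_tlv(SEQ, der_tlv(UTCTIME, b"070503000000Z") * 2)
    spki = der_tlv(SEQ, der_tlv(SEQ, der_tlv(OID, bytes.fromhex("2A864886F70D010101"))
                                + der_tlv(NULL, b"")) + der_tlv(BITS, b"\x00" + b"\x42" * 32))
    tbs = der_tlv(SEQ, der_tlv(0xA0, der_tlv(INT, b"\x02")) + der_tlv(INT, b"\x01")
                  + alg + name + validity + name + spki)
    return der_tlv(SEQ, tbs + alg + der_tlv(BITS, b"\x00" * 33))

def wrap_as_octet_string(cert_der: bytes) -> bytes:  # proposed path: certificate stays opaque
    return der_tlv(OCTETS, cert_der)

def extract_spki(cert_der: bytes) -> bytes:
    """Minimal walk Certificate -> tbsCertificate -> subjectPublicKeyInfo, nothing else decoded."""
    fields = children(children(read_tlv(cert_der)[1])[0][1])
    if fields[0][0] == 0xA0:                                # optional [0] EXPLICIT version
        fields = fields[1:]
    tag, spki = fields[5]       # serial, sigAlg, issuer, validity, subject, SPKI
    return der_tlv(tag, spki)

def count_tlvs(der: bytes) -> int:  # full-decode cost: every TLV a Certificate parser walks
    tag, content, _ = read_tlv(der)
    return 1 + (sum(count_tlvs(der_tlv(t, v)) for t, v in children(content)) if tag & 0x20 else 0)
```

Compare `count_tlvs(cert)` with the handful of reads `extract_spki` performs to see the difference the OCTET STRING proposal makes for a thin client.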

Paul Hoffman | 3 May 16:22 2007

Re: Lightweight Certificate Validation Protocol (LCVP)


At 3:52 PM +0200 5/3/07, Denis Pinkas wrote:
>>If there is a large industry segment who need your differences, we
>>might consider it for WG action. Otherwise, this should be an
>>individual contribution with its own mailing list and occasional
>>pointers here to the new drafts.
>
>Maybe you could help me, by describing before "the large industry segment"
>that has already implemented or is currently implementing the whole 
>content of SCVP.

You misunderstood my message (or you are being purposely nasty; I 
hope the former). We have a standard today that is beginning to be 
implemented. You are proposing that the WG start work on a second 
standard that is like the first one with a few differences. It is 
your responsibility to show the WG why they should spend their time 
on this, given the similarity. If there is a large industry segment 
who needs your proposal, it would help the WG choose in your favor.

>If this market segment is not large but small, maybe you could indicate
>which parts of SCVP have been or are being implemented.

I know of at least two vendors who are implementing all of SCVP; they 
may or may not choose to speak up on the list.

>Thenafter, I might be able to tell you, in my opinion, what is the 
>market segment for LCVP.

If you have no idea what the market for LCVP is, please don't waste 
our time with it.

Peter Sylvester | 3 May 17:26 2007

Re: Lightweight Certificate Validation Protocol (LCVP)


> I might provide, next week, a full analysis of:
>
> - the sentences from SCVP that do not allow a lightweight protocol,
> - the features from LCVP that SCVP does not support (unless extending it).

Sounds interesting.

> I will group all these features in the analysis.

Go ahead.

> Denis
>
>> Peter
>>
>> Peter

Stevens, Frits | 4 May 10:35 2007

RE: Update request for RFC3279 and 4055


As one of the originators of this request to update RFC3279 and 4055, I
would like the discussion to move away from the attack possibilities of SHA1.

In general SHA2 is meant to be used for building more secure certificates.
It is expected that by 2010 SHA1 should not be used anymore for X.509
certificates. But, with the current RFCs it is not possible to totally move
away from SHA1.

The current standards should be updated so that it will become possible to
create X.509 certificates that do not use SHA1 anymore for any purpose.
This is the only way to also convince the "normal" users that the
certificate in question is strong enough.

--Frits Stevens 

-----Original Message-----
From: Santosh Chokhani [mailto:chokhani <at> orionsec.com]
Sent: Thursday, 29 March 2007 12:43
To: ietf-pkix <at> imc.org
Subject: RE: Update request for RFC3279 and 4055

Because of the blanket statement about the security of the hash
algorithm. It does matter that it be something akin to SHA1.

-----Original Message-----
From: Paul Hoffman [mailto:paul.hoffman <at> vpnc.org]
Sent: Wednesday, March 28, 2007 9:24 PM
To: Santosh Chokhani; ietf-pkix <at> imc.org
Subject: RE: Update request for RFC3279 and 4055