I have no objections to making these changes. Steve _______________________________________________ pkix mailing list pkix <at> ietf.org https://www.ietf.org/mailman/listinfo/pkix
At 9:34 PM +0200 8/31/09, Stefan Santesson wrote: >I'm OK with the change. > At 7:51 PM -0400 8/31/09, Stephen Kent wrote: >I have no objections to making these changes. > Just to be clear: both of you are fine with us changing the modules *for RFC 3281* to be different than what is in that RFC? _______________________________________________ pkix mailing list pkix <at> ietf.org https://www.ietf.org/mailman/listinfo/pkix
On a second thought I think I agree with Paul.
The OID error is unfortunate, but the ASN.1 document is not the place to
correct it.
/Stefan
On 09-08-31 9:39 PM, "Paul Hoffman" <phoffman <at> imc.org> wrote:
> At 3:10 PM -0400 8/31/09, Sean Turner wrote:
>> During the updates to RFC 3281 it was noted that the wrong OID was used for
>> id-at-clearance. We fixed this in draft-ietf-pkix-3281bis. I would like to
>> make sure we incorporate the same fix in draft-ietf-pkix-new-asn1. If we
>> don't, then we'll need to do another ID that incorporates this one change in
>> an '02 ASN.1 module. What I'm proposing is that make the following change:
>>
>> OLD:
>>
>> id-at-clearance OBJECT IDENTIFIER ::=
>> { joint-iso-ccitt(2) ds(5) module(1)
>> selected-attribute-types(5) clearance (55) }
>>
>> NEW:
>>
>> id-at-clearance OBJECT IDENTIFIER ::= {
>> joint-iso-ccitt(2) ds(5) attributeType(4) clearance (55) }
>>
>> -- Uncomment the following declaration and comment the above line if
>> -- using the id-at-clearance attribute as defined in [RFC3281]
>>
(Continue reading)
I made an update on my position, but there seems to be quite a delay in mail delivery currently :) /Stefan On 09-09-01 2:38 AM, "Paul Hoffman" <phoffman <at> imc.org> wrote: > At 9:34 PM +0200 8/31/09, Stefan Santesson wrote: >> I'm OK with the change. >> > > At 7:51 PM -0400 8/31/09, Stephen Kent wrote: >> I have no objections to making these changes. >> > > Just to be clear: both of you are fine with us changing the modules *for RFC > 3281* to be different than what is in that RFC? > > > _______________________________________________ > pkix mailing list > pkix <at> ietf.org > https://www.ietf.org/mailman/listinfo/pkix _______________________________________________ pkix mailing list pkix <at> ietf.org https://www.ietf.org/mailman/listinfo/pkix(Continue reading)
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF. Title : ESSCertIDv2 update for RFC 3161 Author(s) : S. Santesson, N. Pope Filename : draft-ietf-pkix-rfc3161-update-02.txt Pages : 10 Date : 2009-09-07 This document updates RFC 3161 [RFC3161]. It allows the use of ESSCertIDv2 defined in RFC 5035 [ESSv2] to specify the hash of a signer certificate when the hash is calculated with a function other than SHA-1 [SHA1]. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-pkix-rfc3161-update-02.txt Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft.
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF. Title : ESSCertIDv2 update for RFC 3161(Continue reading)
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF. Title : ESSCertIDv2 update for RFC 3161 Author(s) : S. Santesson, N. Pope Filename : draft-ietf-pkix-rfc3161-update-03.txt Pages : 10 Date : 2009-09-08 This document updates RFC 3161 [RFC3161]. It allows the use of ESSCertIDv2 defined in RFC 5035 [ESSv2] to specify the hash of a signer certificate when the hash is calculated with a function other than SHA-1 [SHA1]. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-pkix-rfc3161-update-03.txt Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft.
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF. Title : ESSCertIDv2 update for RFC 3161(Continue reading)
Folks, I apologize for cross-posting, but the following excerpt of my post to namedroppers might be of interest for PKIX and SMIME, the originators of RFCs 4490 and 4491, for which I have filed Errata -- in part to solicit discussion. The full message is archived at: http://ops.IETF.ORG/lists/namedroppers/namedroppers.2009/msg02525.html ----- Forwarded message ----- > From: Alfred Hönes <ah <at> TR-Sys.de> > To: dol <at> cryptocom.ru, ran <at> cryptocom.ru, igus <at> cryptocom.ru, > namedroppers <at> ops.ietf.org > Message-Id: <200909171025.MAA15356 <at> TR-Sys.de> > Subject: draft-dolmatov-dnsext-dnssec-gost-01 technical & editorial issues > Date: Thu, 17 Sep 2009 12:25:12 +0200 (MESZ) > > Folks, > > I have reviewed draft-dolmatov-dnsext-dnssec-gost-01 and found > a number of issues of varying degree of severeness. > Items (1)..(3) below are the hard stuff, the nits are in (4). > > > (1) > > First of all, I'm confused by, and strongly oppose to, the > introduction of little-endian encoding for the on-the-wire > encoding of specific elements of this proposal, as requested(Continue reading)
I *think* this came up on this list before, but I can't find a reference. Has any standards body (e.g. NIST) published guidance on servers using the same keypair for key establishment (e.g., SSL) and data signing (e.g. XML-Dsig)? aTdHvAaNnKcSe. -- Tim
_______________________________________________ pkix mailing list pkix <at> ietf.org https://www.ietf.org/mailman/listinfo/pkix
Paul Hoffman wrote: > Do you consider "don't do it" to be guidance? NIST requires that a public key be used for only one purpose in a handful of their documents. I don't believe that it fully justifies this requirement anywhere, but I could be wrong. The best reason that I have heard is that most organizations have very different escrow policies for encryption keys than for signing keys, and having one key do both would muddle the policy. To me, that's a good enough argument, and it trumps "but I only want to manage one private key". SSL/TLS using DHE key agreement would only be used the key pair for digital signature. Key encipherment or key agreement would only be needed for the DH and RSA key exchange ciphersuites. In cases where the ciphersuite is limited to DHE key exchange, would you agree one key for both uses is acceptable? -- Tim
_______________________________________________ pkix mailing list pkix <at> ietf.org https://www.ietf.org/mailman/listinfo/pkix
At 8:27 AM -0500 9/24/09, Timothy J. Miller wrote: >I *think* this came up on this list before, but I can't find a reference. Has any standards body (e.g. NIST) published guidance on servers using the same keypair for key establishment (e.g., SSL) and data signing (e.g. XML-Dsig)? Do you consider "don't do it" to be guidance? NIST requires that a public key be used for only one purpose in a handful of their documents. I don't believe that it fully justifies this requirement anywhere, but I could be wrong. The best reason that I have heard is that most organizations have very different escrow policies for encryption keys than for signing keys, and having one key do both would muddle the policy. To me, that's a good enough argument, and it trumps "but I only want to manage one private key". _______________________________________________ pkix mailing list pkix <at> ietf.org https://www.ietf.org/mailman/listinfo/pkix
RSS Feed34 | |
|---|---|
86 | |
93 | |
81 | |
226 | |
63 | |
134 | |
181 | |
96 | |
180 | |
226 | |
92 | |
111 | |
309 | |
363 | |
114 | |
83 | |
96 | |
167 | |
111 | |
81 | |
136 | |
180 | |
78 | |
114 | |
185 | |
215 | |
88 | |
2 | |
27 | |
76 | |
94 | |
73 | |
204 | |
121 | |
126 | |
32 | |
54 | |
120 | |
81 | |
15 | |
152 | |
120 | |
112 | |
18 | |
86 | |
101 | |
41 | |
105 | |
80 | |
138 | |
33 | |
127 | |
107 | |
162 | |
215 | |
39 | |
55 | |
85 | |
88 | |
11 | |
52 | |
14 | |
83 | |
128 | |
149 | |
101 | |
72 | |
101 | |
49 | |
48 | |
41 | |
61 | |
68 | |
108 | |
59 | |
97 | |
118 | |
160 | |
104 | |
184 | |
20 | |
78 | |
47 | |
32 | |
104 | |
58 | |
148 | |
56 | |
35 | |
54 | |
63 | |
77 | |
109 | |
133 | |
189 | |
206 | |
67 | |
82 | |
126 | |
14 | |
142 | |
256 | |
150 | |
217 | |
165 | |
128 | |
19 | |
121 | |
293 | |
102 | |
161 | |
87 | |
172 | |
241 | |
177 | |
284 | |
73 | |
193 | |
122 | |
48 | |
110 | |
193 | |
122 | |
325 | |
208 | |
290 | |
192 | |
184 | |
102 | |
82 | |
146 | |
272 | |
442 | |
214 | |
202 | |
239 | |
50 | |
314 | |
57 | |
192 | |
107 | |
68 | |
311 | |
288 | |
326 | |
361 | |
155 | |
432 | |
175 | |
430 | |
294 | |
277 | |
211 | |
494 | |
296 | |
277 | |
194 | |
159 | |
214 | |
113 | |
179 | |
384 | |
159 | |
244 | |
490 | |
364 | |
254 | |
296 | |
297 | |
267 | |
203 | |
126 | |
135 | |
213 | |
181 | |
389 | |
344 | |
272 | |
187 | |
214 | |
316 | |
337 | |
108 | |
155 | |
189 | |
184 | |
134 | |
124 | |
196 | |
147 | |
116 | |
89 | |
77 | |
87 | |
78 | |
62 | |
65 | |
101 | |
151 | |
28 | |
3 | |
1 | |
2 | |
9 | |
3 | |
5 | |
2 | |
2 | |
4 | |
1 | |
9 | |
3 | |
1 | |
2 | |
3 |
