Still more feedback on draft-igoe-secsh-x509v3-01

To: ietf-ssh%NetBSD.org@localhost
Subject: Still more feedback on draft-igoe-secsh-x509v3-01
From: Joseph Galbraith <galb-list%vandyke.com@localhost>
Date: Wed, 31 Mar 2010 18:54:40 -0600

In section 2.  X.509 Version 3 Certificates, we have:

>    o  The self-signed certificate specifying the root authority MAY be
>       omitted.

which seems to indicate that all certificates except the self-signed
certificate at the root MUST be included.

I'm not sure that's what we want (or if that was actually what was
intended.)

I think it would be better to say:

o The chain encoded MAY be incomplete; it is usually not
  necessary to include the self-signed certificate specifying
  the root authority.

  It is NOT REQUIRED to specify any certificates other than
  the senders certificate.  If the verifier has a trust anchor
  that is not the self signed root, these other certificates may
  not be needed.  However, omitting certificates from the chain
  may make it more likely that certificate verification will fail
  because the verifier is not able to build a chain to a trusted
  anchor.

I'm worried in particular that there might be cases where the
signer doesn't have all the certificates necessary to chain
to the root easily available.  (I'm not sure if this is a
real life use case or not.)

If we do decide we want to REQUIRE all the certificates, I think
we should change the paragraph referenced to make that clear:

o The self-signed certificate specifying the root authority MEY be
  omitted.  All other certificates in the chain up to the root
  authority MUST be included.

Also, is there any correlation between certificates and OSCP
responses?  Currently, there is nothing that constrains
the OCSP responses included to have anything to do with the
certificate.

Is there a need for more than one OCSP response per issuer?
Would it make more sense to do:

        uint32    certificate-count
          string    certificate
          string    ocsp-response-from-certificate-issuer
	  [1..certificate-count]

Use a 0 length string if no OCSP response is available.

I'm not sure whether this is a good idea or if I'm just
showing my ignorance.

Thanks,

Joseph

Follow-Ups:
- RE: Still more feedback on draft-igoe-secsh-x509v3-01
  - From: Igoe, Kevin M.
- Re: Still more feedback on draft-igoe-secsh-x509v3-01
  - From: Nicolas Williams

Prev by Date: Re: More feedback on draft-igoe-secsh-x509v3-01
Next by Date: Re: Still more feedback on draft-igoe-secsh-x509v3-01
Previous by Thread: More feedback on draft-igoe-secsh-x509v3-01
Next by Thread: Re: Still more feedback on draft-igoe-secsh-x509v3-01
Indexes:

Home | Main Index | Thread Index | Old Index