Re: [TLS] Certificate URL extension in draft-ietf-tls-rfc4366-bis-02
At Thu, 24 Jul 2008 08:13:49 -0700,
Joe Salowey wrote:
>
> I would like to get this document ready for working group last call. I
> think there is only one major outstanding issue on the certificate URL
> extension.
>
> The issue is whether to make the hash mandatory in the client
> certificate URL extension. Without the hash it presents some
> vulnerabilities in that the certificate can be replaced. With the hash
> it will cause difficulty for clients that are issued a new certificate
> that is populated in the repository before they have a chance to
> retrieve it. It seems that on the list there was some very rough
> consensus to make the hash mandatory.
>
> In order to resolve this issue I propose that we make the hash mandatory
> for this extension. If this causes an operational problem in some
> environments then a new extension can be defined that has an optional or
> no hash.
I agree with this plan.
-Ekr
_______________________________________________
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
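
Added example, not part of the original thread or of the draft: a receiving side applying the mandatory-hash policy proposed above, where a fetched certificate is accepted only if its SHA-1 digest matches the one carried in the handshake. The wire layout follows the `CertificateURL` / `URLAndOptionalHash` structures of RFC 4366; the function names, URL and certificate bytes are constructed for illustration.

```python
import hashlib
import hmac
import struct

def parse_certificate_url(body: bytes):
    """Return (chain_type, [(url, sha1_or_None), ...]) from a CertificateURL body."""
    if len(body) < 3:
        raise ValueError("truncated header")
    chain_type, list_len = struct.unpack_from("!BH", body, 0)
    if list_len == 0 or list_len != len(body) - 3:
        raise ValueError("bad url_and_hash_list length")
    pos, entries = 3, []
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated url length")
        (url_len,) = struct.unpack_from("!H", body, pos)
        url = body[pos + 2:pos + 2 + url_len]
        pos += 2 + url_len
        if url_len == 0 or len(url) != url_len or pos >= len(body):
            raise ValueError("truncated url")
        hash_present = body[pos]
        pos += 1
        digest = None
        if hash_present == 1:
            digest = body[pos:pos + 20]          # opaque SHA1Hash[20]
            pos += 20
            if len(digest) != 20:
                raise ValueError("truncated SHA1Hash")
        elif hash_present != 0:
            raise ValueError("invalid hash_present")
        entries.append((url, digest))
    return chain_type, entries

def accept_fetched(digest, fetched: bytes) -> bool:
    """Mandatory-hash policy: a missing hash or a mismatch rejects the fetched bytes."""
    if digest is None:
        return False
    return hmac.compare_digest(hashlib.sha1(fetched).digest(), digest)

def encode_message(url: bytes, digest=None) -> bytes:
    """Build a one-entry CertificateURL body (for the constructed samples only)."""
    entry = struct.pack("!H", len(url)) + url + (b"\x01" + digest if digest else b"\x00")
    return struct.pack("!BH", 0, len(entry)) + entry

# Constructed sample data: stand-ins for DER certificates, not real ones.
ISSUED, SWAPPED = b"constructed cert A", b"constructed cert B"
URL = b"https://repo.example/client.cer"
WITH_HASH = encode_message(URL, hashlib.sha1(ISSUED).digest())
NO_HASH = encode_message(URL)
```

With the hash present, a certificate swapped in the repository fails the comparison; the same check also rejects a legitimately reissued certificate until the client sends the new digest, which is the operational cost raised in the quoted message.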