Re: [wpkops] Fwd: [T17Q11] Attribute certificate path
Hi Erik,

On 09/23/2013 08:50 AM, Erik Andersen wrote:
> Hi Folks,
>
> How did that talk about changing the ASN.1 come into the discussion? There is no plan whatsoever to change old ASN.1 in the edition we are about to publish.
>
> I just noticed that the English text talks about certificate path instead of certification path, which is the term normally used. I just proposed to adjust the English text to be in accordance with the ASN.1 and in accordance with the text in other parts of X.509.
>
> How such a simple question could result in such confused discussion is beyond my imagination.

I guess that's because we've been here before with ASN.1 modules;-) I don't recall if that was an x.509/IETF screw-up or a purely IETF one, but I think we have had cases where editorial changes to ASN.1 modules were proposed that would have broken stuff. And of course, it wasn't clear at that point that you're only planning on making editorial changes for now.

S.

> Kind regards,
>
> Erik
>
> -----Original message-----
> From: Sean Turner [mailto:turn...@ieca.com]
> Sent: 22 September 2013 18:32
> To: t...@yaanatech.com
> Cc: wpkops@ietf.org; Erik Andersen
> Subject: Re: [wpkops] Fwd: [T17Q11] Attribute certificate path
>
> That ASN.1 has been in X.509 since what 1997. I wouldn't change it even if somebody did ask because it's been in there for so long and it doesn't seem to have caused any interoperability issues. I could see adding some text that explains it's incorrectly named but because it's been in there for so long that erring on the side of caution and not changing it seems the prudent thing to do.
>
> spt
>
> On 9/21/13 8:42 AM, Tony Rutkowski wrote:
>> does anyone have any druthers here for Erik who is trying to update the old X.509 spec?
>>
>> --tony
>>
>> -------- Original Message --------
>> Subject: [T17Q11] Attribute certificate path
>> Date: Sat, 21 Sep 2013 14:10:20 +0200
>> From: Erik Andersen e...@x500.eu
>> To: t13sg17...@lists.itu.int
>>
>> Hi Folks,
>>
>> I noticed that 12.2 of X.509 talks about attribute certificate path. However, the associated ASN.1 is a data type called AttributeCertificationPath. As we for public-key certificates talk about certification path, it seems reasonable to use the term attribute certification path rather than attribute certificate path.
>>
>> I also noticed that the ASN.1 indicates that the path is bottom up rather than top down:
>>
>> AttributeCertificationPath ::= SEQUENCE {
>>   attributeCertificate AttributeCertificate,
>>   acPath               SEQUENCE OF ACPathData OPTIONAL,
>>   ... }
>>
>> Please come back with comments.
>>
>> Erik

___
wpkops mailing list
wpkops@ietf.org
https://www.ietf.org/mailman/listinfo/wpkops
Re: [wpkops] Fwd: [T17Q11] Attribute certificate path
Not sure what the question is really, but I absolutely do wonder why anyone would consider it a good plan to change specs like x.509 apparently without there being any implementers who want those changes.

Luckily, rfc 5280 has all you need anyway so it's not that important any more if x.509 changes.

S

On 09/21/2013 01:42 PM, Tony Rutkowski wrote:
> does anyone have any druthers here for Erik who is trying to update the old X.509 spec?
>
> --tony
>
> -------- Original Message --------
> Subject: [T17Q11] Attribute certificate path
> Date: Sat, 21 Sep 2013 14:10:20 +0200
> From: Erik Andersen e...@x500.eu
> To: t13sg17...@lists.itu.int
>
> Hi Folks,
>
> I noticed that 12.2 of X.509 talks about attribute certificate path. However, the associated ASN.1 is a data type called AttributeCertificationPath. As we for public-key certificates talk about certification path, it seems reasonable to use the term attribute certification path rather than attribute certificate path.
>
> I also noticed that the ASN.1 indicates that the path is bottom up rather than top down:
>
> AttributeCertificationPath ::= SEQUENCE {
>   attributeCertificate AttributeCertificate,
>   acPath               SEQUENCE OF ACPathData OPTIONAL,
>   ... }
>
> Please come back with comments.
>
> Erik
Re: [wpkops] Fwd: [T17Q11] Attribute certificate path
On 21/09/2013 13:48, Stephen Farrell wrote:
> Not sure what the question is really, but I absolutely do wonder why anyone would consider it a good plan to change specs like x.509 apparently without there being any implementers who want those changes.
>
> Luckily, rfc 5280 has all you need anyway so it's not that important any more if x.509 changes.

Yes for PKCs, but it does not address Erik's point which is about ACs

David

> S
>
> On 09/21/2013 01:42 PM, Tony Rutkowski wrote:
>> does anyone have any druthers here for Erik who is trying to update the old X.509 spec?
>>
>> --tony
>>
>> -------- Original Message --------
>> Subject: [T17Q11] Attribute certificate path
>> Date: Sat, 21 Sep 2013 14:10:20 +0200
>> From: Erik Andersen e...@x500.eu
>> To: t13sg17...@lists.itu.int
>>
>> Hi Folks,
>>
>> I noticed that 12.2 of X.509 talks about attribute certificate path. However, the associated ASN.1 is a data type called AttributeCertificationPath. As we for public-key certificates talk about certification path, it seems reasonable to use the term attribute certification path rather than attribute certificate path.
>>
>> I also noticed that the ASN.1 indicates that the path is bottom up rather than top down:
>>
>> AttributeCertificationPath ::= SEQUENCE {
>>   attributeCertificate AttributeCertificate,
>>   acPath               SEQUENCE OF ACPathData OPTIONAL,
>>   ... }
>>
>> Please come back with comments.
>>
>> Erik
Re: [wpkops] Fwd: [T17Q11] Attribute certificate path
Hiya David,

On 09/21/2013 04:32 PM, David Chadwick wrote:
> On 21/09/2013 13:48, Stephen Farrell wrote:
>> Not sure what the question is really, but I absolutely do wonder why anyone would consider it a good plan to change specs like x.509 apparently without there being any implementers who want those changes.
>>
>> Luckily, rfc 5280 has all you need anyway so it's not that important any more if x.509 changes.
>
> Yes for PKCs, but it does not address Erik's point which is about ACs

He asked about ACs, I asked about motivation. Mine is a real question btw, I really don't get why it's useful to keep messing with x.509, nor why folks want to do that when no implementers afaik want them to. If you know the answer, I'd love to hear it.

Also, Tim just sent a mail looking for editors in this wg. Doing that would seem to me to be far more beneficial to all interested in PKI.

As for ACs, rfc 5755 does the job there, but is afaik almost ubiquitously ignored. In the 20 or so years since I started working with attribute certs (*) every single proposed use-case turned out to have a better non-AC approach. But maybe I've just been (un)lucky;-)

Cheers,
S.

(*) They were called PACs back then, based on ETSI TR/46. The x.509 flavour ACs were added some time later.

> David
>
>> S
>>
>> On 09/21/2013 01:42 PM, Tony Rutkowski wrote:
>>> does anyone have any druthers here for Erik who is trying to update the old X.509 spec?
>>>
>>> --tony
>>>
>>> -------- Original Message --------
>>> Subject: [T17Q11] Attribute certificate path
>>> Date: Sat, 21 Sep 2013 14:10:20 +0200
>>> From: Erik Andersen e...@x500.eu
>>> To: t13sg17...@lists.itu.int
>>>
>>> Hi Folks,
>>>
>>> I noticed that 12.2 of X.509 talks about attribute certificate path. However, the associated ASN.1 is a data type called AttributeCertificationPath. As we for public-key certificates talk about certification path, it seems reasonable to use the term attribute certification path rather than attribute certificate path.
>>>
>>> I also noticed that the ASN.1 indicates that the path is bottom up rather than top down:
>>>
>>> AttributeCertificationPath ::= SEQUENCE {
>>>   attributeCertificate AttributeCertificate,
>>>   acPath               SEQUENCE OF ACPathData OPTIONAL,
>>>   ... }
>>>
>>> Please come back with comments.
>>>
>>> Erik
Re: [wpkops] Fwd: [T17Q11] Attribute certificate path
Hi Stephen

you are an AD for the IETF so this is your constituency. Clearly one would expect you to know what folks who attend IETF meetings want. But Erik is the editor for X.509 so his constituency is somewhat different to yours, so he is best placed to answer the motivation question.

I can tell you that ACs are not ubiquitously ignored. We still have over a thousand downloads per year of our PERMIS opensource infrastructure, with new people enrolling each month. (I have recently compiled a list of the top 20 IP addresses of those requesting the software, and you might be surprised at the answer).

FYI I have already offered to help Tim (yesterday)

regards

David

On 21/09/2013 17:07, Stephen Farrell wrote:
> Hiya David,
>
> On 09/21/2013 04:32 PM, David Chadwick wrote:
>> On 21/09/2013 13:48, Stephen Farrell wrote:
>>> Not sure what the question is really, but I absolutely do wonder why anyone would consider it a good plan to change specs like x.509 apparently without there being any implementers who want those changes.
>>>
>>> Luckily, rfc 5280 has all you need anyway so it's not that important any more if x.509 changes.
>>
>> Yes for PKCs, but it does not address Erik's point which is about ACs
>
> He asked about ACs, I asked about motivation. Mine is a real question btw, I really don't get why it's useful to keep messing with x.509, nor why folks want to do that when no implementers afaik want them to. If you know the answer, I'd love to hear it.
>
> Also, Tim just sent a mail looking for editors in this wg. Doing that would seem to me to be far more beneficial to all interested in PKI.
>
> As for ACs, rfc 5755 does the job there, but is afaik almost ubiquitously ignored. In the 20 or so years since I started working with attribute certs (*) every single proposed use-case turned out to have a better non-AC approach. But maybe I've just been (un)lucky;-)
>
> Cheers,
> S.
>
> (*) They were called PACs back then, based on ETSI TR/46. The x.509 flavour ACs were added some time later.
>
>> David
>>
>>> S
>>>
>>> On 09/21/2013 01:42 PM, Tony Rutkowski wrote:
>>>> does anyone have any druthers here for Erik who is trying to update the old X.509 spec?
>>>>
>>>> --tony
>>>>
>>>> -------- Original Message --------
>>>> Subject: [T17Q11] Attribute certificate path
>>>> Date: Sat, 21 Sep 2013 14:10:20 +0200
>>>> From: Erik Andersen e...@x500.eu
>>>> To: t13sg17...@lists.itu.int
>>>>
>>>> Hi Folks,
>>>>
>>>> I noticed that 12.2 of X.509 talks about attribute certificate path. However, the associated ASN.1 is a data type called AttributeCertificationPath. As we for public-key certificates talk about certification path, it seems reasonable to use the term attribute certification path rather than attribute certificate path.
>>>>
>>>> I also noticed that the ASN.1 indicates that the path is bottom up rather than top down:
>>>>
>>>> AttributeCertificationPath ::= SEQUENCE {
>>>>   attributeCertificate AttributeCertificate,
>>>>   acPath               SEQUENCE OF ACPathData OPTIONAL,
>>>>   ... }
>>>>
>>>> Please come back with comments.
>>>>
>>>> Erik
Re: [wpkops] Fwd: [T17Q11] Attribute certificate path
Hi all,

This is a key question that many people (and national administrations) are asking.

For many years now, it was apparent that only the late John Larmouth, Erik, and David ever attended a meeting. There is essentially no X.509 related email on any ITU-T list except for Erik, David and an occasional other party. There are no document inputs to the meetings except for Erik's own material and maybe David's - which Erik as rapporteur approves. The ITU itself is now apparently supporting Erik doing this work.

So exactly who is the constituency here?

--tony

On 9/21/2013 2:03 PM, Stephen Farrell wrote:
> On 09/21/2013 06:46 PM, David Chadwick wrote:
>> Hi Stephen
>>
>> you are an AD for the IETF so this is your constituency. Clearly one would expect you to know what folks who attend IETF meetings want. But Erik is the editor for X.509 so his constituency is somewhat different to yours, so he is best placed to answer the motivation question.
>
> I'd really like to know that answer.