Re: [wpkops] Fwd: [T17Q11] Attribute certificate path

2013-09-23 Thread Stephen Farrell

Hi Erik,

On 09/23/2013 08:50 AM, Erik Andersen wrote:
 Hi Folks,
 
 How did that talk about changing the ASN.1 come into the discussion? There
 is no plan whatsoever to change old ASN.1 in the edition we are about to
 publish. I just noticed that the English text talks about certificate path
 instead of certification path, which is the term normally used. I just
 proposed to adjust the English text to be in accordance with the ASN.1 and in
 accordance with the text in other parts of X.509. How such a simple question
 could result in such a confused discussion is beyond my imagination.

I guess that's because we've been here before with ASN.1 modules;-)
I don't recall if that was an x.509/IETF screw-up or a purely IETF
one, but I think we have had cases where editorial changes to
ASN.1 modules were proposed that would have broken stuff. And of
course, it wasn't clear at that point that you're only planning
on making editorial changes for now.

S.

 
 Kind regards,
 
 Erik
 
 -Original Message-
 From: Sean Turner [mailto:turn...@ieca.com] 
 Sent: 22 September 2013 18:32
 To: t...@yaanatech.com
 Cc: wpkops@ietf.org; Erik Andersen
 Subject: Re: [wpkops] Fwd: [T17Q11] Attribute certificate path
 
 That ASN.1 has been in X.509 since, what, 1997.  I wouldn't change it even if
 somebody did ask because it's been in there for so long and it doesn't
 seem to have caused any interoperability issues.  I could see adding some
 text that explains it's incorrectly named but because it's been in there for
 so long that erring on the side of caution and not changing it seems the
 prudent thing to do.
 
 spt
 
 On 9/21/13 8:42 AM, Tony Rutkowski wrote:
 does anyone have any druthers here for Erik who is trying to update
 the old X.509 spec?

 --tony


  Original Message 
 Subject: [T17Q11] Attribute certificate path
 Date: Sat, 21 Sep 2013 14:10:20 +0200
 From: Erik Andersen e...@x500.eu
 To: t13sg17...@lists.itu.int



 Hi Folks,

 I noticed that 12.2 of X.509 talks about attribute certificate path.
 However, the associated ASN.1 data type is called
 AttributeCertificationPath. As we for public-key certificates talk
 about certification path, it seems reasonable to use the term
 attribute certification path rather than attribute certificate path.

 I also noticed that the ASN.1 indicates that the path is bottom up
 rather than top down:

 AttributeCertificationPath ::= SEQUENCE {
   attributeCertificate  AttributeCertificate,
   acPath                SEQUENCE OF ACPathData OPTIONAL,
   ... }

 Please come back with comments.

 Erik





 ___
 wpkops mailing list
 wpkops@ietf.org
 https://www.ietf.org/mailman/listinfo/wpkops

 


Re: [wpkops] Fwd: [T17Q11] Attribute certificate path

2013-09-21 Thread Stephen Farrell

Not sure what the question is really, but I absolutely
do wonder why anyone would consider it a good plan to
change specs like x.509 apparently without there being
any implementers who want those changes.

Luckily, rfc 5280 has all you need anyway so it's not
that important any more if x.509 changes.

S

On 09/21/2013 01:42 PM, Tony Rutkowski wrote:
 does anyone have any druthers here for
 Erik who is trying to update the old
 X.509 spec?
 
 --tony
 
 
  Original Message 
 Subject: [T17Q11] Attribute certificate path
 Date: Sat, 21 Sep 2013 14:10:20 +0200
 From: Erik Andersen e...@x500.eu
 To: t13sg17...@lists.itu.int
 
 
 
 Hi Folks,
 
 I noticed that 12.2 of X.509 talks about attribute certificate path.
 However, the associated ASN.1 data type is called
 AttributeCertificationPath. As we for public-key certificates talk about
 certification path, it seems reasonable to use the term attribute
 certification path rather than attribute certificate path.
 
 I also noticed that the ASN.1 indicates that the path is bottom up
 rather than top down:
 
 AttributeCertificationPath ::= SEQUENCE {
   attributeCertificate  AttributeCertificate,
   acPath                SEQUENCE OF ACPathData OPTIONAL,
   ... }
 
 Please come back with comments.
 
 Erik
 
 
 
 
 
 


Re: [wpkops] Fwd: [T17Q11] Attribute certificate path

2013-09-21 Thread David Chadwick



On 21/09/2013 13:48, Stephen Farrell wrote:


Not sure what the question is really, but I absolutely
do wonder why anyone would consider it a good plan to
change specs like x.509 apparently without there being
any implementers who want those changes.

Luckily, rfc 5280 has all you need anyway so it's not
that important any more if x.509 changes.


Yes for PKCs, but it does not address Erik's point which is about ACs

David


S

On 09/21/2013 01:42 PM, Tony Rutkowski wrote:

does anyone have any druthers here for
Erik who is trying to update the old
X.509 spec?

--tony


 Original Message 
Subject: [T17Q11] Attribute certificate path
Date: Sat, 21 Sep 2013 14:10:20 +0200
From: Erik Andersen e...@x500.eu
To: t13sg17...@lists.itu.int



Hi Folks,

I noticed that 12.2 of X.509 talks about attribute certificate path.
However, the associated ASN.1 data type is called
AttributeCertificationPath. As we for public-key certificates talk about
certification path, it seems reasonable to use the term attribute
certification path rather than attribute certificate path.

I also noticed that the ASN.1 indicates that the path is bottom up
rather than top down:

AttributeCertificationPath ::= SEQUENCE {
  attributeCertificate  AttributeCertificate,
  acPath                SEQUENCE OF ACPathData OPTIONAL,
  ... }

Please come back with comments.

Erik








Re: [wpkops] Fwd: [T17Q11] Attribute certificate path

2013-09-21 Thread Stephen Farrell

Hiya David,

On 09/21/2013 04:32 PM, David Chadwick wrote:
 
 
 On 21/09/2013 13:48, Stephen Farrell wrote:

 Not sure what the question is really, but I absolutely
 do wonder why anyone would consider it a good plan to
 change specs like x.509 apparently without there being
 any implementers who want those changes.

 Luckily, rfc 5280 has all you need anyway so it's not
 that important any more if x.509 changes.
 
 Yes for PKCs, but it does not address Erik's point which is about ACs

He asked about ACs, I asked about motivation. Mine is
a real question btw, I really don't get why it's useful
to keep messing with x.509, nor why folks want to do
that when no implementers afaik want them to. If you
know the answer, I'd love to hear it.

Also, Tim just sent a mail looking for editors in this
wg. Doing that would seem to me to be far more beneficial
to all interested in PKI.

As for ACs, rfc 5755 does the job there, but is afaik
almost ubiquitously ignored. In the 20 or so years
since I started working with attribute certs (*) every
single proposed use-case turned out to have a better
non-AC approach. But maybe I've just been (un)lucky;-)

Cheers,
S.

(*) They were called PACs back then, based on ETSI TR/46.
The x.509 flavour ACs were added some time later.

 
 David

 S

 On 09/21/2013 01:42 PM, Tony Rutkowski wrote:
 does anyone have any druthers here for
 Erik who is trying to update the old
 X.509 spec?

 --tony


  Original Message 
 Subject: [T17Q11] Attribute certificate path
 Date: Sat, 21 Sep 2013 14:10:20 +0200
 From: Erik Andersen e...@x500.eu
 To: t13sg17...@lists.itu.int



 Hi Folks,

 I noticed that 12.2 of X.509 talks about attribute certificate path.
 However, the associated ASN.1 data type is called
 AttributeCertificationPath. As we for public-key certificates talk about
 certification path, it seems reasonable to use the term attribute
 certification path rather than attribute certificate path.

 I also noticed that the ASN.1 indicates that the path is bottom up
 rather than top down:

 AttributeCertificationPath ::= SEQUENCE {
   attributeCertificate  AttributeCertificate,
   acPath                SEQUENCE OF ACPathData OPTIONAL,
   ... }

 Please come back with comments.

 Erik








Re: [wpkops] Fwd: [T17Q11] Attribute certificate path

2013-09-21 Thread David Chadwick

Hi Stephen

you are an AD for the IETF so this is your constituency. Clearly one 
would expect you to know what folks who attend IETF meetings want.


But Erik is the editor for X.509 so his constituency is somewhat 
different to yours, so he is best placed to answer the motivation question.


I can tell you that ACs are not ubiquitously ignored. We still have over 
a thousand downloads per year of our PERMIS open source infrastructure, 
with new people enrolling each month. (I have recently compiled a list 
of the top 20 IP addresses of those requesting the software, and you 
might be surprised at the answer).


FYI I have already offered to help Tim (yesterday)

regards

David

On 21/09/2013 17:07, Stephen Farrell wrote:


Hiya David,

On 09/21/2013 04:32 PM, David Chadwick wrote:



On 21/09/2013 13:48, Stephen Farrell wrote:


Not sure what the question is really, but I absolutely
do wonder why anyone would consider it a good plan to
change specs like x.509 apparently without there being
any implementers who want those changes.

Luckily, rfc 5280 has all you need anyway so it's not
that important any more if x.509 changes.


Yes for PKCs, but it does not address Erik's point which is about ACs


He asked about ACs, I asked about motivation. Mine is
a real question btw, I really don't get why it's useful
to keep messing with x.509, nor why folks want to do
that when no implementers afaik want them to. If you
know the answer, I'd love to hear it.

Also, Tim just sent a mail looking for editors in this
wg. Doing that would seem to me to be far more beneficial
to all interested in PKI.

As for ACs, rfc 5755 does the job there, but is afaik
almost ubiquitously ignored. In the 20 or so years
since I started working with attribute certs (*) every
single proposed use-case turned out to have a better
non-AC approach. But maybe I've just been (un)lucky;-)

Cheers,
S.

(*) They were called PACs back then, based on ETSI TR/46.
The x.509 flavour ACs were added some time later.



David


S

On 09/21/2013 01:42 PM, Tony Rutkowski wrote:

does anyone have any druthers here for
Erik who is trying to update the old
X.509 spec?

--tony


 Original Message 
Subject: [T17Q11] Attribute certificate path
Date: Sat, 21 Sep 2013 14:10:20 +0200
From: Erik Andersen e...@x500.eu
To: t13sg17...@lists.itu.int



Hi Folks,

I noticed that 12.2 of X.509 talks about attribute certificate path.
However, the associated ASN.1 data type is called
AttributeCertificationPath. As we for public-key certificates talk about
certification path, it seems reasonable to use the term attribute
certification path rather than attribute certificate path.

I also noticed that the ASN.1 indicates that the path is bottom up
rather than top down:

AttributeCertificationPath ::= SEQUENCE {
  attributeCertificate  AttributeCertificate,
  acPath                SEQUENCE OF ACPathData OPTIONAL,
  ... }

Please come back with comments.

Erik








Re: [wpkops] Fwd: [T17Q11] Attribute certificate path

2013-09-21 Thread Tony Rutkowski

Hi all,

This is a key question that many people
(and national administrations) are asking.

For many years now, it was apparent that only
the late John Larmouth, Erik, and David ever
attended a meeting.  There is essentially no
X.509 related email on any ITU-T list except
for Erik, David and an occasional other
party.  There are no document inputs to the
meetings except for Erik's own material and
maybe David's - which Erik as rapporteur approves.
The ITU itself is now apparently supporting Erik
doing this work.

So exactly who is the constituency here?

--tony

On 9/21/2013 2:03 PM, Stephen Farrell wrote:

On 09/21/2013 06:46 PM, David Chadwick wrote:

Hi Stephen

you are an AD for the IETF so this is your constituency. Clearly one
would expect you to know what folks who attend IETF meetings want.

But Erik is the editor for X.509 so his constituency is somewhat
different to yours, so he is best placed to answer the motivation question.

I'd really like to know that answer.



