> On 18 Sep 2017, at 23:36, Ben Campbell <b...@nostrum.com> wrote: > >> >> On Sep 18, 2017, at 8:15 AM, Tim Bruijnzeels <t...@ripe.net> wrote: >> >> Hi Ben, all, >> >>> On 15 Sep 2017, at 23:20, Ben Campbell <b...@nostrum.com> wrote: >>> >>> Hi, >>> >>> See comments inline. I apologize in advance if I am just being dense, and I >>> cannot claim to be an expert on how one applies a path validation policy >>> OID in general. >>> >>> >>> Thanks! >>> >>> Ben. >>> >>>> On Sep 14, 2017, at 7:00 AM, Tim Bruijnzeels <t...@ripe.net> wrote: >>>> >>>> Hi, >>>> >>>> Sure. I also proceeded to discuss your and Terry’s points, but apparently >>>> not to the desired level of clarity. Let me try again here, and tackle >>>> both your and Terry’s discuss items since they are closely related. >>>> >>>>> Is it legal to mix certificate policies in a given cert path? The last >>>>> paragraph of section 5 implies that you can, but doesn't say so >>>>> explicitly. >>>> >>>> According to this document it is. Section 4.2.2.4 starts with the >>>> following: >>>> >>>> The following is an amended specification for path validation to be >>>> used in place of section 7.2 of [RFC6487] allowing for the validation >>>> of both certificates following the profile defined in [RFC6487], as >>>> well as certificates following the profile described above. >>>> >>>> So the intent here is to describe a single validation algorithm that can >>>> be used to validate a chain of old OIDs only (in which case it’s >>>> semantically equivalent to the current spec in RFC6487), new OIDs only (as >>>> described in the example in 4.3), or indeed a mix - but no example is >>>> given on how that works out. >>>> >>>> >>>>> If you _can_ mix policies, what happens if you do? If I read the rules in >>>>> 4.2.4.4. >>>>> correctly (and it's likely that I am not), if you run into a cert in the >>>>> chain >>>>> that does not follow this profile, it's likely to give a null VRS-IP or >>>>> VRS-AS >>>>> value, which would seem to invalidate an certificate further down the >>>>> chain >>>>> that _does_ follow this policy? >>>> >>>> >>>> The “Validated Resource Sets” (VRS-*) are always calculated, regardless of >>>> whether the old or new OIDs are used. >>> >>> This is where I am confused. The calculation of VRS is described in this >>> draft in the amendment to the path validation in section 7.2 of 6487. I >>> assumed that the amended path validation procedure only applies with the >>> “new” OID. Is that incorrect? If so, can you point to the text that states >>> that? (It’s entirely possible I missed something, or completely >>> misunderstand how the OIDs are applied. ) >> >> First paragraph of 4.2.2.4: >> >> "The following is an amended specification for path validation to be used in >> place of section 7.2 of [RFC6487] >> allowing for the validation of both certificates following the profile >> defined in [RFC6487], as well as certificates >> following the profile described above." >> >> So, yes, as far as I am concerned the intent was to have this cover both the >> old and new OIDs. Where the algorithm if applied to old OID only is >> semantically equivalent to section 7.2 of RFC6487 - or at least: it has the >> same outcome. >> > > That intent surprises me, I was under the impression the entire document was > specific to the new OIDs. This seems to be supported by this text in the > abstract: > > "The use of this updated procedure is signalled by form of a set of > alternative Object Identifiers (OIDs) indicating that the alternative version > of RFC 3779 X.509 Extensions for IP Addresses and AS Identifiers, and > certificate policy for the Resource Public Key Infrastructure ( RFC 6484) > defined in this document should be used.” > > … and in the specific case of the certificate validation policy OID, there is > this text in 4.2.1: > > "This alternative Certificate Policy is the same as the Certificate Policy > described in [ > RFC6484], except that it indicates that the validation rules described in > Section 4.2.4.4 are to be used.” > > If the rules in 4.2.4.4 are used even when that OID is not present, then I’m > confused about what the OID signals in the first place.
The OIDs are used to drive a decision in the rules described in 4.2.4.4. = Old OIDs -> reject over-claim, this has the same result as section 7.2 in RFC6487 = New OIDs -> warn on over-claim So as far as clarity goes, it might be better to either leave out the set regarding the need for the different OIDs in their respective sections, or say “This OID is used to in the decision process of the validation rules described in 4.2.4.4. >> If this needs to be more explicit I am happy to accept a suggestion - as an >> author knowing my own intentions, it’s not always trivial to see how others >> would interpret text differently. > > I’m not sure this is just a matter of clarification. The text I mention above > explicitly says the OID signals the use of the amended CP. I have to assume > that was the working group intent, and what was understood by people during > IETF LC. If that is _not_ the intent, we would need some degree of consensus > to change that text. ( I suspect that would mean going back to the WG or IETF > LC, but I will leave that to Alvaro to decide.) > It was my assumption that my intent was clear. But I will accept whatever Alvaro decides on this. > My strictly personal opinion is that it would be _really_ confusing to have > some aspects of the new CP apply even when the new OID is not used. The assumption on my part here was that RPs can decide to support this RFC-to-be and then use section 4.2.4.4 to validate old and new CP alike. The process described in 4.2.4.4 when used for old OIDs only has the same outcome as section 7.2 of RFC 6487. It’s true that “Validated Resource Sets” are not named in RFC6487, but in a tree where only old OIDs are used one will find that the Validated Resource Set for a given *valid* certificate always matches the certificate itself. Thanks Tim > > Thanks, > > Ben. _______________________________________________ sidr mailing list sidr@ietf.org https://www.ietf.org/mailman/listinfo/sidr
