Re: [TLS] Re: Last Call: 'TLS User Mapping Extension' toProposedStandard

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Eric:

> I can see many situations where the information in this is not
> sensitive.  In fact, in the primary use case, the use mapping
> information is not sensitive.  An enterprise PKI is used in this
> situation, and the TLS extension is used to map the subject name in
> the certificate to the host account name.

But then we're left with the performance rationale that the user has
some semi-infinite number of mappings that makes it impossible to send
all of them and too hard to figure out which one. In light of the fact
that in the original -01 proposal there wasn't even any negotiation
for which type of UME data should be sent, is there any evidence that
this is going to be an important/common case?

This requires a crystal ball.... Apparently yours is different than mine, as the negotiation that you reference above was added to resolve comments from my AD review.

We all know that there is not going to be a single name form that is useful in all situations. We also know that you cannot put every useful name form into the certificate. In fact, the appropriate value can change within the normal lifetime of a certificate, so putting it in the certificate will result in high revocation rates.

This is the reason that I believe this TLS extension will be useful in environments beyond the one that was considered by the Microsoft authors. Your perspective may differ ....

Russ


_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]