|
The current protocol has severe limitations.
They have been pointed during the last call at the PKIX
WG level, but the protocol
has not been modified to
address them.The end result has only been to add
text
to explain the limitations without removing these
limitations.
See section 3: "When using these structures
without any additional extension,
for which purposes the trust anchor info
shall be used to verify
certification paths needs to be locally defined;
this means that different
usages for the same or different trust anchors
placed in the same TAS
are not possible either.
One way to have different
usages for different trust anchors without
using extensions is to use a
different TAS for every different usage".
The consequences are as
follows:
All web browser providers
currently use a different model to manage trust anchors.
They are able to
associate different key usages for every leaf certificate
with any trust
anchor (all placed in the same trust anchor store). This can be done
in a single operation.
Furthermore, with the
introduction of EV SSL Certificates
(i.e. Extended Validation SSL
certificates) the Certification Policy OIDs of
leaf certificates that
fulfills the requirements of EV SL certificates
are added to the trust
anchor to which the EV SSL certificate relates.
This means that supporting the
web browser model mandates to be able to add
key usages (e.g. EKU extended
key usages) for leaf certificates
as well as Certification Policies for
leaf certificates.
This is not possible with the
proposed protocol.
As a consequence,
the current protocol is unable to accomodate the web browser
model.
Since the protocol seems to be
sufficient for another community
(but not to the Internet
community), it is proposed to place this document
on the EXPERIMENTAL track
rather than on the standards track.
Denis
Date
: 2010-01-14, 18:34:14
Sujet
: [pkix] Last Call: draft-ietf-pkix-tamp (Trust Anchor Management Protocol
(TAMP)) toProposed Standard
The IESG has received a request from the Public-Key Infrastructure
(X.509) WG (pkix) to consider the following document: - 'Trust
Anchor Management Protocol (TAMP)
' <draft-ietf-pkix-tamp-05.txt> as a Proposed
Standard This document includes a downref to draft-ietf-pkix-new-asn1,
which is under consideration by the IESG for publication as an
Informational RFC. This document updates ASN.1 modules for PKIX
specifications to conform to the 2002 version of ASN.1, but makes no
changes to the bits on the wire. The community is specifically requested to
consider whether down refs to draft-ietf-pkix-new-asn1 are appropriate in
the general case, in addition to the specific case of
draft-ietf-pkix-tamp. The IESG plans to make a decision in the next few
weeks, and solicits final comments on this action. Please send substantive
comments to the ietf@xxxxxxxx mailing
lists by 2010-01-28. Exceptionally, comments may be sent to iesg@xxxxxxxx instead. In either case, please
retain the beginning of the Subject line to allow automated
sorting. The file can be obtained via http://www.ietf.org/internet-drafts/draft-ietf-pkix-tamp-05.txtIESG
discussion can be tracked via https://datatracker.ietf.org/public/pidtracker.cgi?command=view_id&dTag=17760&rfc_flag=0_______________________________________________ pkix
mailing list pkix@xxxxxxxxhttps://www.ietf.org/mailman/listinfo/pkix
|