On Tue, Sep 24, 2013 at 3:19 PM, Stephen Farrell <stephen.farrell@xxxxxxxxx> wrote:
> Phill,
> Sure, if we went back to the late 1990s that'd have been worth doing.
> On 09/24/2013 05:25 PM, Phillip Hallam-Baker wrote:
> > Looking at the extreme breach of trust by US govt re PRISM, I think it is
> > time to do something we should have done decades ago but were stopped at US
> > Govt request.
> >
> > Let's kill all support for X.400 mail.
> >
> > This is still in use, I know. But looking through the PKIX spec the schema
> > is ten pages long. I count seven pages of garbage that we could kill if we
> > abandoned support for X.400, garbage character sets no longer needed, bogus
> > time formats, etc. etc.
> >
> > Certificates do not need to be as complicated as X.509v3 made them. To work
> > with certificates issued for the Internet, an application needs to support
> > only 20% of the PKIX schema at most.
> And sure, if we re-invent rfc 5280 public key certs we can not include
> some stuff. Not that I see much benefit in re-inventing 5280 PKCs as a
> thing to do in and of itself. (And of course DANE includes hardly any
> ASN.1 nonsense if you pick the right options so we already have an
> option without that baggage.)
> But I see no benefit in messing around with rfc 5280 at this stage for
> fun. (I said the same to the ITU-T person who seems to want to do that
> with their x.509 spec the other day when the topic came up on wpkops.)
> So -1 to that kind of change unless there's a much better reason.
I wasn't thinking so much of re-opening RFC5280 as declaring them obsolete with the intention to remove them in future editions should those ever occur.
Perhaps of more immediate effect, can we revisit the issue of OCSP responders having to report 'VALID' for a non-existent certificate?
Every one of the people who objected is a US government contractor and the only party that purportedly has a difficulty with the idea that an OCSP responder should be able to provide a definitive statement is the US DoD.
As I pointed out in the wake of FLAME, this particular change would have made it easier to detect the type of attack performed on Microsoft in the FLAME malware.
Website: http://hallambaker.com/
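The OCSP point raised in the last message above, as an added example that is not part of the thread: a toy model of the two responder designs under discussion. The first responder answers from revocation data alone, so any serial number absent from the revocation list is reported as good, including serials the CA never issued; the second keeps a record of issued serials and can give a definitive answer, which also lets an operator flag status queries for serials that were never issued. The serial numbers and the `IssuerRecords` data structure are constructed for the example; the status values mirror OCSP's good/revoked/unknown vocabulary but no real responder or library is modelled.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class CertStatus(Enum):
    """Status values in the OCSP vocabulary; used here only as labels."""
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


@dataclass(frozen=True)
class IssuerRecords:
    """What the CA knows about its own serial numbers (constructed data model)."""
    issued: frozenset[int]   # every serial the CA actually signed
    revoked: frozenset[int]  # subset of issued serials that were revoked


def status_from_revocation_only(records: IssuerRecords, serial: int) -> CertStatus:
    """Responder built from the revocation list alone.

    Anything not on the list is answered 'good', so a serial the CA never
    issued (for example one attached to a forged certificate) is indistinguishable
    from a legitimately issued, unrevoked one.
    """
    return CertStatus.REVOKED if serial in records.revoked else CertStatus.GOOD


def status_definitive(records: IssuerRecords, serial: int) -> CertStatus:
    """Responder that consults the CA's record of issued serials.

    'good' is returned only for serials the CA issued and has not revoked.
    A serial with no issuance record is answered 'unknown' here; a production
    responder would pick whichever non-good status its OCSP profile permits
    (assumption for this toy model).
    """
    if serial in records.revoked:
        return CertStatus.REVOKED
    if serial in records.issued:
        return CertStatus.GOOD
    return CertStatus.UNKNOWN


def unissued_serials_queried(records: IssuerRecords, queried: list[int]) -> list[int]:
    """Detection hook: serials seen in status requests that the CA never issued.

    With a record of issued serials, these queries are a signal that someone is
    presenting a certificate the CA has no record of signing.
    """
    return sorted({s for s in queried if s not in records.issued})


# Constructed sample: three issued serials, one of them revoked, plus a serial
# (0xBAD) that appears in status queries but was never issued by this CA.
SAMPLE_RECORDS = IssuerRecords(
    issued=frozenset({1001, 1002, 1003}),
    revoked=frozenset({1002}),
)
SAMPLE_QUERIES = [1001, 1002, 0xBAD, 1003, 0xBAD]


if __name__ == "__main__":
    for serial in (1001, 1002, 0xBAD):
        print(
            f"serial {serial:#x}: revocation-only -> "
            f"{status_from_revocation_only(SAMPLE_RECORDS, serial).value}, "
            f"definitive -> {status_definitive(SAMPLE_RECORDS, serial).value}"
        )
    print("unissued serials queried:", unissued_serials_queried(SAMPLE_RECORDS, SAMPLE_QUERIES))
```

Running the block shows the divergence on the unissued serial: the revocation-only responder reports it good, the definitive responder does not, and the same issuance record lets `unissued_serials_queried` surface the anomaly for investigation.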