PKIX WG Meeting 3-20-07
Edited by Steve Kent
Chairs: Stephen Kent <kent@bbn.com> & Stefan Santesson
<stefans@microsoft.com>
The PKIX WG met once for one hour, during the 68th IETF. A total of
approximately 48 individuals participated in the meeting.
Document
Status Review - Stefan Santesson
(Microsoft)
No
new RFCs have been issued since the last meeting. SCVP, Lightweight OCSP, and
the SAN for Service Names have been reported out of the WG and are in various
stages of IESG review. RFC 3280bis is awaiting a review write up by Steve Kent.
Three CMC documents are undergoing revisions (see below) in response to IESG
feedback. The ECC algorithms I-D is stalled, pending a revision in response to
comments from Russ Housley (see below). The ECDSA and DSA with SHA-2 draft has
expired and is blocked, awaiting publication of FIPS 186-3.
PKIX WG Specifications
Certificate
Management Messages over CMS (CMC)
Jim Schaad (Soaring Hawk Consulting)
Three documents were being reviewed by the IESG, but
will need enough changes to go back for WG approval: 2797-bis-04, cmc-trans-05,
and cmc-compl-03. Several changes requested by IESG. A suggestion was made that
we drop support for PKCS #10 from a MUST, and instead make CRMF a MUST.
However, it was noted that Microsoft does use PKCS #10 as the request format
inside of CMC, so there was no resolution of this suggestion. It was suggested
that these documents provide guidance for shared secret sizes for use in POP;
Jim will make up some numbers since there are no published standards for this.
Recent changes to SP 800-56A (a NIST document) allow using an RSA key that is
marked as encryption-only, for signing a message in the context of POP.
However, this document does not grant an exemption for using such a key for
signing a revocation request, so there is still a mismatch here. (see slides.)
Subject
public key info resolution for ECC Tim Polk (NIST)
We have made no progress on ecc-pkalgs-03 since the
last meeting. Tim agreed to
reconstitute the design team to address this issue again, and hopefully develop
a solution that will be acceptable to the new IETF Chair (former SEC AD). (no
slides)
Subject
Alternative Name for Expression of Service Name: Stefan Santesson (Microsoft)
This document
(srvsan-04) is blocked on internationalization concerns, and a DISCUSS related
to the need for a more specific applicability statement re application use of
the name form. Stefan agreed to make necessary changes required by IESG to
resolve the internationalization issue. He objected to the currently requested
applicability statement, which will require further discussions to resolve. If
encoding is changed to accommodate the internationalization concerns, this will
trigger a new WG last call once this change has been made. (see slides)
Related Specifications & Liaison Presentations
Internationalized
e-mail: Stefan Santesson (Microsoft)
The e-mail
address Internationalization group (eai) is working on internationalization of
the local part (vs. the domain name part) of e-mail addresses. This raises the
question of how we accommodate these names in certificates i.e., in the subject
alternative name extension for e-mail. Stefan suggests that we track what is
happening here; Paul Hoffman notes that we have plenty of time to wait and see how
the EAI WG progresses. Russ Housley noted that there will be a presentation at
the IAB plenary on the topic of internationalization. (see slides)
Certificates in CRLs:
Stephen Kent (BBN)
Steve Kent conducted a straw poll on whether the WG
would adopt a document authored by Stefan (santesson-pkix-vccrl) as a work
item. The poll resulted in 34 replies, 11 for and 22 against adopting this
document. Some of the negative comments suggested that it would be OK for the
WG to pursue standardization of a method to address the problem raised here,
but not this specific solution approach. So, the specific proposal identified
in this document is rejected as a WG item for now. (no slides)
Framework on Key
Compromise, Key Loss & Key Rollover: Stephen Kent on behalf of Denis Pinkas
(Bull)
This is a
proposal from Denis for a new PKIX work item to create a guidance document (and
Informational RFC) for key rollover situations, both planned and unanticipated
for CAs, AAs, TSAs, etc. Some questions were raised as to the size of the
document that might result from this effort, and there was a desire to se more
details, e.g., a document outline. It also was asked whether there is an extant
or nascent ETSI document on this topic that PKIX was being asked to adopt.
Steve Kent agreed to conduct a straw poll on the list to gauge interest in
pursuing this work item, and to request a document outline and size estimate
from Denis. (see slides)
Domain Certificates in
the Session Initiation Protocol (SIP): Scott Lawrence (Pingtel)
Scott is looking for help in developing an
appropriate certificate profile for use with a TLS connection established
between two SIP proxies. In particular there is a need to be able to represent
identities that will indicate the scope of the authorization of a SIP proxy to
act on behalf of a set of SIP users, who are identified by SIP URIs. An added
complexity is that this authority may be asymmetric, i.e., OK for outbound but
not OK for inbound calls. There is also a need to be able to appropriately express
a DNS name for proxies in support of the RECORD ROUTE facility in SIP. Finally,
there is a desire to make sure that certificates issued for this
purpose not be used inappropriately for other applications. This discussion
will move to the list. (see slides)