Presentation is loading. Please wait.

Presentation is loading. Please wait.

SonOf3039 Status Russ Housley Security Area Director.

Published byKelly Bryant Modified over 9 years ago

Similar presentations

Presentation on theme: "SonOf3039 Status Russ Housley Security Area Director."— Presentation transcript:

1 SonOf3039 Status Russ Housley Security Area Director

2 History 21-Jan-04PKIX WG Last Call closed 21-Jan-04PKIX Chair sent document to IESG 26-Jan-04AD Evaluation complete 26-Jan-04Denis Pinkas posts 38 comments 26-Jan-04IETF Last Call begins 31-Jan-04Responses to 38 comments posted to PKIX mail list 2-Feb-04PKIX Chair confirms to AD that the rough consensus is maintained 9-Feb-04IETF Last Call ends 11-Feb-04Updated document posted 19-Feb-04IESG approved document 23-Feb-04Denis Pinkas declares that some comments were not resolved

3 Proposed Changes Denis Pinkas will be “happy” if five changes are made None of the changes impact MUST or SHOULD statements  No MUST or SHOULD statements are added  No existing MUST statements are changed  Editorial change to existing SHOULD statement Next slides provide details

4 Change 1 Change section 2.2, Statement of Purpose, 3rd paragraph OLD TEXT: "This profile defines two complementary ways to include this information:" NEW TEXT: "This profile defines two ways to include this information:"

5 Change 2 Move the following paragraphs of section 3.2.6, Qualified Certificate Statements “A statement suitable for inclusion in this extension MAY be a statement by the issuer that the certificate is issued as a Qualified Certificate in accordance with a particular legal system (as discussed in Section 2.2).” and “Other statements suitable for inclusion in this extension MAY be statements related to the applicable legal jurisdiction within which the certificate is issued. As an example this MAY include a maximum reliance limit for the certificate indicating restrictions on CA's liability.” Place them after the ASN.1 declarations in the same section

6 Change 3 Change text in section 3.2.3, certificate policies, 3rd paragraph: OLD TEXT: The certificate policies extension MUST include all policy information needed for certification path validation. If policy information is included in the QCStatements extension (see 3.2.6), then this information SHOULD also be defined by indicated policies. NEW TEXT: The certificate policies extension MUST include all policy information needed for certification path validation. If policy related statements are included in the QCStatements extension (see 3.2.6), then these statements SHOULD also be contained in the identified policies.

7 Change 4 Change section 3.1.2, subject, 1st paragraph following the list of attributes: OLD TEXT: Other attributes MAY also be present; however, the use of other attributes MUST NOT be necessary to distinguish one subject name from another subject name. That is, the attributes listed above are sufficient to ensure unique subject names. NEW TEXT: Other attributes MAY also be present; however, the use of other attributes MUST NOT be necessary to distinguish one subject from another subject. That is, the attributes listed above are sufficient to uniquely identify the subject.

8 Change 5 Replace paragraph in the Security Considerations section: OLD TEXT: Combining the nonRepudiation bit in the keyUsage certificate extension with other keyUsage bits may have security implications depending on the context in which the certificate is to be used. Applications validating electronic signatures based on such certificates should determine whether the present key usage combination is appropriate for their use. Replacement text on next slide …

9 Change 5 NEW TEXT: Combining the nonRepudiation bit in the keyUsage certificate extension with other keyUsage bits may have security implications depending on the certificate policy and the context in which the certificate is to be used. If the subject's environment can be fully controlled and trusted, then there are no specific security implications. For example, in cases where the subject is fully confident about exactly which data is signed or cases where the subject is fully confident about the security characteristics of the authentication protocol being used. If the subject's environment is not fully controlled or not fully trusted, then unintentional signing of commitments are possible. Examples include the use of badly formed authentication exchanges and the use of a rogue software component. If untrusted environments are used by a subject, these security implications can be limited through use of the following measures: - To not combine nonRepudiation key usage setting in certificates with any other key usage setting and to use the corresponding private key only with this certificate. - To limit the use of private keys associated with certificates that have the nonRepudiation key usage bit set, to environments which are considered adequately controlled and trustworthy.

10 Way Forward Two choices  Tell Denis Pinkas that his comments are too late  Accept the changes, which requires a seven step process

11 The Seven Steps 1 - The authors post the list of changes that they will be requested to the working group mail list. 2 - Give a clear deadline for comments in the message. I suggest one week. 3 - Address comments from the working group mail list immediately. 4 - At the end of the comment period, summarize the changes that the RFC Editor will be asked to make during AUTH48. 5 - The Working group chairs confirm that the changes do not break rough consensus. 6 - The Area Directors will handle IESG review of the changes, if needed. 7 - The Area Directors will submit the changes to the RFC Editor, avoiding the need for them to seek my approval for the changes.

12 Straw Poll Choice 1: Tell Denis Pinkas that his comments are too late Choice 2: Use the seven steps to determine if there is consensus to adopt the five changes

Download ppt "SonOf3039 Status Russ Housley Security Area Director."

Similar presentations

Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E IEPG March 2000 APNIC Certificate Authority Status Report.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E IEPG March 2000 APNIC Certificate Authority Status Report.
Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft or RFC and any statement made.

Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft or RFC and any statement made.
RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010.

RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010.
21-05-0215-03-00001 IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN:21-05-0215-04 Title: IEEE 802.21 Down Selection Process Date Submitted: January 18, 2005.

IEEE MEDIA INDEPENDENT HANDOVER DCN: Title: IEEE Down Selection Process Date Submitted: January 18, 2005.
Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.

Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.

Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.
SMUCSE 5349/7349 Public-Key Infrastructure (PKI).

SMUCSE 5349/7349 Public-Key Infrastructure (PKI).
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.

Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.
Long-term Archive Service Requirements draft-ietf-ltans-reqs-00.txt.

Long-term Archive Service Requirements draft-ietf-ltans-reqs-00.txt.
9/20/2000www.cren.net1 Root Key Cutting and Ceremony at MIT 11/17/99.

9/20/2000www.cren.net1 Root Key Cutting and Ceremony at MIT 11/17/99.
Controller of Certifying Authorities Public Key Infrastructure for Digital Signatures under the IT Act, 2000 : Framework & status Mrs Debjani Nag Deputy.

Controller of Certifying Authorities Public Key Infrastructure for Digital Signatures under the IT Act, 2000 : Framework & status Mrs Debjani Nag Deputy.
Digital Signature Technologies & Applications Ed Jensen Fall 2013.

Digital Signature Technologies & Applications Ed Jensen Fall 2013.
NEA Working Group IETF meeting Nov 17, 2011 IETF 82 - NEA Meeting1.

NEA Working Group IETF meeting Nov 17, 2011 IETF 82 - NEA Meeting1.
Chapter 10: Authentication Guide to Computer Network Security.

Chapter 10: Authentication Guide to Computer Network Security.
1 Update on draft-ietf-smime-cades-02. 2 Current Status Completed last call. Under review by IESG. Comments to be incorporated: –From Pavel Smirnov (during.

1 Update on draft-ietf-smime-cades Current Status Completed last call. Under review by IESG. Comments to be incorporated: –From Pavel Smirnov (during.

Similar presentations

Ads by Google