Sorry for being late to the show. Email and health problems then catch up times...

I agree.


On 07/21/2016 07:39 AM, Julien Laganier wrote:
(trimming the whole IESG from the thread for now)

HIP WG folks:

Unless someone objects or has a better proposal, I intend to implement
the following proposal to resolve Stephen's DISCUSS.

OLD:

    If the certificate in the parameter is not accepted, the registrar
    MUST reject the corresponding registrations with Failure Type [IANA
    TBD] (Invalid certificate).

NEW:

    If the certificate in the parameter is not accepted, the registrar
    MUST reject the corresponding registrations with the appropriate
    Failure Type:
    [IANA TBD] (Bad certificate): The certificate is corrupt, contains
    invalid signatures, etc.
    [IANA TBD] (Unsupported certificate): The certificate is of an
    unsupported type.
    [IANA TBD] (Certificate expired): The certificate is no longer valid.
    [IANA TBD] (Certificate other): The certificate could not be
    validated for some unspecified reason.
    [IANA TBD] (Unknown CA): The issuing CA certificate could not be
    located or is not trusted.

Thanks,

--julien


On Thu, Jul 21, 2016 at 7:35 AM, Julien Laganier <[email protected]> wrote:
Thanks, Stephen.

The HIP WG was CC'd on these emails, so participants have seen the
proposal; I will seek their feedback in a separate note.

Best,

--julien

On Thu, Jul 21, 2016 at 4:22 AM, Stephen Farrell
<[email protected]> wrote:
Hiya,

That'd be fine for clearing my discuss.

I'd encourage you to also get feedback from the WG though, as I
don't think I've ever seen a list of cert handling errors that
was correct first time around :-)

Cheers,
S.



On 20/07/16 16:11, Julien Laganier wrote:
Hi Stephen,

Thanks for reviewing the document.

I think there would be value in making the cause of certificate error
explicit. Would the following change be acceptable?

OLD:

    If the certificate in the parameter is not accepted, the registrar
    MUST reject the corresponding registrations with Failure Type [IANA
    TBD] (Invalid certificate).

NEW:

    If the certificate in the parameter is not accepted, the registrar
    MUST reject the corresponding registrations with the appropriate
    Failure Type:
    [IANA TBD] (Bad certificate): The certificate is corrupt, contains
    invalid signatures, etc.
    [IANA TBD] (Unsupported certificate): The certificate is of an
    unsupported type.
    [IANA TBD] (Certificate expired): The certificate is no longer valid.
    [IANA TBD] (Certificate other): The certificate could not be
    validated for some unspecified reason.
    [IANA TBD] (Unknown CA): The issuing CA certificate could not be
    located or is not trusted.

Please let us know.

Best,

--julien




On Tue, Jul 5, 2016 at 7:01 AM, Stephen Farrell
<[email protected]> wrote:
Stephen Farrell has entered the following ballot position for
draft-ietf-hip-rfc5203-bis-10: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-hip-rfc5203-bis/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------


3.3 - This fails to distinguish between an invalid
certificate (e.g. bad signature, unknown signer) and one
that is valid, but is not acceptable for this purpose.  I
don't get why that is ok for HIP, can you explain?  If it
is ok, I think you need to say so. If it is not ok (as I'd
suspect) then you appear to need to change text or one more
new error code.


----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------


Section 7 - I'm fine that this doesn't repeat stuff
from 5203, but a sentence saying to go look there too
would maybe be good. (I'm not sure if that would fix
Alexey's discuss or not. If not, then ignore me and
just talk to him about his discuss.)


_______________________________________________
Hipsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/hipsec


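As an added illustration of the NEW text proposed in this thread (this is example code, not part of the draft or of any HIP implementation), the following registrar-side check maps each way a CERT parameter can fail validation onto one of the five proposed Failure Types. Everything in it is constructed: the toy certificate record, the HMAC stand-in for an X.509 signature, the trust store, the single supported certificate type, and the numeric Failure Type codes, which are placeholders for the draft's [IANA TBD] values. The order of the checks is also an assumption: the issuer must be known before a signature can be verified, so "Unknown CA" is reported ahead of "Bad certificate", and "Certificate other" is used as the catch-all for a certificate that verifies but is not yet valid or does not name the registering host, one possible reading of that category that the draft text does not prescribe.

```python
"""Registrar-side certificate check mapping outcomes to the proposed
HIP registration Failure Types.  Constructed example; not draft text."""
import hashlib
import hmac
import time
from dataclasses import dataclass
from enum import IntEnum


class FailureType(IntEnum):
    # Placeholder codes: the draft leaves the real values as [IANA TBD].
    BAD_CERTIFICATE = 9001
    UNSUPPORTED_CERTIFICATE = 9002
    CERTIFICATE_EXPIRED = 9003
    CERTIFICATE_OTHER = 9004
    UNKNOWN_CA = 9005


# Assumption for this example: the registrar understands one CERT type only.
SUPPORTED_CERT_TYPES = {"X.509v3"}


@dataclass(frozen=True)
class ToyCert:
    subject: str
    issuer: str
    cert_type: str
    not_before: int      # Unix seconds
    not_after: int       # Unix seconds
    tbs: bytes           # "to-be-signed" bytes (toy stand-in for the X.509 TBS)
    signature: bytes     # HMAC-SHA256 over tbs with the issuer's key (toy, not X.509)


def toy_sign(issuer_key: bytes, tbs: bytes) -> bytes:
    """Toy 'signature': an HMAC keyed with the issuer's secret."""
    return hmac.new(issuer_key, tbs, hashlib.sha256).digest()


def classify_certificate(cert, trust_store, now=None, expected_subject=None):
    """Return None if the certificate is accepted, else the Failure Type to send.

    trust_store maps issuer name -> issuer key (constructed trust anchors).
    Checks are ordered so each depends only on checks that already passed.
    """
    now = int(time.time()) if now is None else now
    # 1. Structural sanity: missing TBS bytes or signature means a corrupt cert.
    if cert is None or not cert.tbs or not cert.signature:
        return FailureType.BAD_CERTIFICATE
    # 2. A type the registrar cannot parse is reported as unsupported.
    if cert.cert_type not in SUPPORTED_CERT_TYPES:
        return FailureType.UNSUPPORTED_CERTIFICATE
    # 3. Without a trusted issuer key the signature cannot be checked at all.
    issuer_key = trust_store.get(cert.issuer)
    if issuer_key is None:
        return FailureType.UNKNOWN_CA
    # 4. Signature check with the issuer's key, constant-time comparison.
    if not hmac.compare_digest(toy_sign(issuer_key, cert.tbs), cert.signature):
        return FailureType.BAD_CERTIFICATE
    # 5. Validity period.
    if now > cert.not_after:
        return FailureType.CERTIFICATE_EXPIRED
    # 6. Catch-all: verifies, but not yet valid or not issued to the requester.
    if now < cert.not_before:
        return FailureType.CERTIFICATE_OTHER
    if expected_subject is not None and cert.subject != expected_subject:
        return FailureType.CERTIFICATE_OTHER
    return None


def demo():
    """Constructed inputs exercising every branch; returns {label: outcome}."""
    ca_key = b"constructed-ca-key"
    trust_store = {"CN=Example HIP CA": ca_key}
    now = 1_700_000_000  # fixed clock so results are reproducible

    def mk(subject="requester-hit", issuer="CN=Example HIP CA", cert_type="X.509v3",
           not_before=now - 3600, not_after=now + 3600, key=ca_key, tbs=b"tbs-bytes"):
        return ToyCert(subject, issuer, cert_type, not_before, not_after,
                       tbs, toy_sign(key, tbs))

    cases = {
        "good": mk(),
        "corrupt": ToyCert("x", "CN=Example HIP CA", "X.509v3", 0, 0, b"", b""),
        "unsupported": mk(cert_type="SPKI"),
        "unknown_ca": mk(issuer="CN=Unknown CA"),
        "bad_signature": mk(key=b"wrong-key"),
        "expired": mk(not_after=now - 1),
        "not_yet_valid": mk(not_before=now + 60),
        "wrong_subject": mk(subject="someone-else"),
    }
    return {name: classify_certificate(c, trust_store, now=now,
                                       expected_subject="requester-hit")
            for name, c in cases.items()}


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:14s} -> {'accepted' if outcome is None else outcome.name}")
```

The point of fixing the check order is that the registrar reports the first reason it cannot proceed, so a peer presenting a certificate from an unknown issuer learns only that, not whether the signature would have verified; the registrar should also log the specific outcome locally, since the Failure Type alone is coarse by design.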