Unfortunately, the concerns have not been addressed. I pointed out in a
message on April 26 that the text still incorrectly refers to the
malicious CA issuing the bogus EE certificate as two CAs, and my message
was ignored.
Bryan Ford sent a message on May 19 agreeing that the current text
As others have pointed out, the
description below is fundamentally flawed, and as a result the
conclusion is flawed as well. See comments in-line below.
On 03/14/2016 10:39 AM, Stephen Kent wrote:
Below is the text I plan to insert as a
Kent's text, not on DKG's description of
the attack.
On 03/15/2016 11:04 AM, Rob Stradling wrote:
On 15/03/16 14:57, David A. Cooper wrote:
If there is an attack here, it seems that
it would be as follows. Upon
On 03/17/2016 11:13 AM, Stephen Kent wrote:
David,
your assertion that X.509
I have never believed that "the X.500
directory tree is the basis for all names in certs.," and you know
that! Nor does that have anything to do with what I said in my
previous email.
There's no reason for you to rebut my analysis. What is needed is
Steve was describing in his text.
If Steve would just describe DKG's attack instead of trying to use this
as a forum for advancing his personal beliefs about X.509, then we
wouldn't have to deal with these metaphysical arguments.
On 03/30/2016 12:09 PM, Watson Ladd wrote:
On Wed, Mar 30, 20
.
On 03/30/2016 01:15 PM, Ben Laurie wrote:
On 30 March 2016 at 17:02, David A. Cooper <david.coo...@nist.gov>
wrote:
So, your contention is that PKIX diverged from
On 03/24/2016 11:09 AM, Stephen Kent wrote:
David,
No text in 5280 requires name uniqueness across all CAs.
Untrue, as I'll demonstrate below.
It does
require uniqueness
on a per-CA basis (Section 4.1.2.6 of 5280).
So, your contention is that PKIX
diverged from X.509 by removing the requirement for names to be
unambiguous, and did nothing to address the vulnerability created
by this divergence other than noting the vulnerability in the
Security Considerations sections of
On 03/31/2016 11:30 AM, Ben Laurie wrote:
On 31 March 2016 at 16:15, David A. Cooper <david.coo...@nist.gov> wrote:
I also disagree that you've pointed out
Is it necessary for me to point out
that this draft has not fixed the problems from the previous
drafts? Isn't this supposed to be a working
group document? Why does the document still talk about two
different CAs that have the same name and same key, and that
to refer to the attack as involving two
CAs with the same name and key.
On May 19, Bryan Ford sent a message saying:
I agree with David Cooper that describing this as “two CAs”
is rather strange given the assumption that they have “the
same Subject
The editor of this document is again
making it clear that he intends to ignore input from the working
group if what the working group wants for the document is
different from what he wants.
The so-called analogies below have nothing at all to do with the
Section 3.4 of draft-ietf-trans-threat-analysis is supposed to
describe the attack presented by DKG in
https://www.ietf.org/mail-archive/web/trans/current/msg01984.html.
However, the text that is currently in the document does not
accurately describe the attack, contains
On 04/16/2018 05:01 PM, Paul Wouters wrote:
Hi,
This starts a 3 week WGLC for draft-ietf-trans-threat-analysis
Previously, there were some contentious issues regarding the dual
CA
attack that dkg came up with. The current
k all certificates for syntactic
errors, regardless of how they came into its possession, even
certificates that are received from the Subject in a secure manner for
the purpose of creating a reference list of non-bogus certificates.
On 05/07/2018 03:56 PM, Andrew Ayer wrote:
On Fri, 4 May 2018 14:
Subject: Re: [Trans] WGLC started for draft-ietf-trans-threat-analysis
Date: Mon, 7 May 2018 16:48:44 -0400
From: David A.
I have been unable to find anywhere in
my comments where I suggested that syntactic mis-issuance should
not be discussed in the document. The "responses" you provided
have nothing to do with my comments.
On 05/09/2018 08:49 AM, Stephen Kent wrote:
I can't speak for Steve, but I can
provide an example of a syntax error I encountered as a result of
"quirks of CA certificate-issuing software."
Many years ago when I was tasked to check whether certificates
being issued by a CA were being issued in
On 08/04/2018 01:28 PM, Salz, Rich wrote:
You don't get an infinite number of chances to object. You get the WGLC time
period.
There was one open issue, it seems to have been addressed. You don't get to
come back with more issues.
Please see the message below from the WG chairs.
On
On 08/03/2018 09:40 PM, Paul Wouters wrote:
The issues that seem to need consensus can be seen in this message:
https://www.ietf.org/mail-archive/web/trans/current/msg03163.html
David, can you tell us which issues you raised in your
r, I just wanted to
raise a potential issue with limiting Certificate Transparency to only
using signature schemes approved for use with TLS.
Thanks,
David Cooper
___
Trans mailing list
Trans@ietf.org
https://www.ietf.org/mailman/listinfo/trans