Dear WG,
RFC6486 has this to say about the validity times of EE certificates in
manifests:
http://tools.ietf.org/html/rfc6486#section-5.1
In the case of a "one-time-use" EE certificate, the validity
times of the EE certificate MUST exactly match the thisUpdate
and nextUpdate times of the manifest.
In the case of a "sequential-use" EE certificate, the validity
times of the EE certificate MUST encompass the time interval
from thisUpdate to nextUpdate.
This causes some issues for our RP software, and I believe it would be better
to remove the difference between one-time-use and sequential-use here, and go
with something like this instead:
The validity times of the EE certificate MUST encompass the time
interval from thisUpdate to nextUpdate.
Reasons:
1) RPs cannot distinguish between one-time-use and sequential-use
RPs don't know which case they are dealing with, and guessing is error-prone.
So, in our case we are checking for a condition we don't know how to handle,
and in the end we just warn about it. I am happy to remove this confusing
warning, but then what's the point of limiting this in the RFC?
2) Stale vs expired manifests
See sections 6.3 and 6.4.
If a manifest EE certificate is expired, then the manifest is invalid. However,
if the EE certificate is still valid, but it's past the "nextUpdate" time, then
it should be considered "stale". The restriction in 5.1 prevents manifests
with one-time-use EE certificates from ever having this stale state. Yet, this is
something a CA may well want to use, e.g.:
- issue the EE certificate with a validity time of 1 week
- set a nextUpdate time of 1 day
The idea being that under normal circumstances a new manifest would be issued
within 24 hours (or less), and RPs should use the *latest* manifest available
to them, but… in case the RP can't reach the repository, or there is an outage,
stale manifests could be used for some time (per local policy of RPs).
We currently allow users to accept stale manifests for X days (default = 0
days). To circumvent the issue that one-time-use EE certs would be invalid as
soon as they go stale, we also accept expired manifests for the same period. I
think this is wrong (e.g. CAs will no longer mention the EE cert on the CRL if
it's expired), and again I am more than happy to remove this hack.
In short: I think CAs should have the freedom to choose longer validity times
for one-time-use EE certificates. As far as I know *all* implementations use
one-time-use anyway, so if this is not permitted, then the difference between
6.3 and 6.4 becomes moot in practice.
Cheers
Tim
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
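As an added illustration (not code from the mail, from the RP software it mentions, or from any RPKI implementation), the Python below models the two readings of RFC 6486 section 5.1 and the current/stale/expired distinction the mail argues about, including the local "accept stale for X days" knob and the "also accept expired for the same period" workaround the mail describes. The `ManifestTimes` record, the one-week EE / one-day nextUpdate scenario and the `accept_stale_for` / `accept_expired_for` parameters are constructed assumptions; real RP code would take the four times from the parsed EE certificate and manifest and would still have to do signature, hash and CRL checks that are left out here.

```python
"""Toy model of RFC 6486 manifest validity-window handling (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class ManifestTimes:
    """The four times involved in the RFC 6486 5.1 check (constructed input)."""
    ee_not_before: datetime   # EE certificate notBefore
    ee_not_after: datetime    # EE certificate notAfter
    this_update: datetime     # manifest thisUpdate
    next_update: datetime     # manifest nextUpdate


def ee_matches_exactly(m: ManifestTimes) -> bool:
    """'One-time-use' reading of 5.1: EE validity == [thisUpdate, nextUpdate]."""
    return m.ee_not_before == m.this_update and m.ee_not_after == m.next_update


def ee_encompasses_manifest(m: ManifestTimes) -> bool:
    """'Sequential-use' reading of 5.1, i.e. the single rule the mail proposes."""
    return m.ee_not_before <= m.this_update and m.next_update <= m.ee_not_after


def classify(m: ManifestTimes, now: datetime,
             accept_stale_for: timedelta = timedelta(0),
             accept_expired_for: timedelta = timedelta(0)) -> str:
    """Classify a manifest at time `now` under local policy.

    Returns one of: invalid, not-yet-valid, expired, expired-accepted,
    stale, stale-accepted, current.  `accept_stale_for` is the "accept
    stale manifests for X days" policy; `accept_expired_for` models the
    workaround of also tolerating an expired EE certificate for X days.
    """
    if not ee_encompasses_manifest(m):
        return "invalid"            # EE window does not cover the manifest window
    if now < m.this_update:
        return "not-yet-valid"
    if now > m.ee_not_after:        # EE certificate expired -> manifest invalid
        if now - m.ee_not_after <= accept_expired_for:
            return "expired-accepted"   # the hack the mail wants to drop
        return "expired"
    if now > m.next_update:         # EE still valid, past nextUpdate -> stale
        if now - m.next_update <= accept_stale_for:
            return "stale-accepted"
        return "stale"
    return "current"


def long_lived_ee(t0: datetime) -> ManifestTimes:
    """The CA behaviour the mail wants to allow: 1-week EE, 1-day nextUpdate."""
    return ManifestTimes(t0, t0 + timedelta(days=7), t0, t0 + timedelta(days=1))


def one_time_use_ee(t0: datetime) -> ManifestTimes:
    """Strict one-time-use EE: validity exactly equals the manifest window."""
    return ManifestTimes(t0, t0 + timedelta(days=1), t0, t0 + timedelta(days=1))


if __name__ == "__main__":
    t0 = datetime(2013, 1, 1, tzinfo=UTC)          # constructed issuance time
    outage = t0 + timedelta(days=2)                # RP could not fetch for 2 days
    for label, m in (("long-lived EE", long_lived_ee(t0)),
                     ("one-time-use EE", one_time_use_ee(t0))):
        print(label, "exact-match:", ee_matches_exactly(m),
              "encompasses:", ee_encompasses_manifest(m))
        print("  default policy:      ", classify(m, outage))
        print("  accept stale 3 days: ",
              classify(m, outage, accept_stale_for=timedelta(days=3)))
```

Running it shows the asymmetry the mail describes: during a two-day outage the long-lived EE manifest is merely "stale" (and "stale-accepted" under a three-day local policy), while the one-time-use manifest is "expired" no matter what the stale policy says, because its EE certificate expired at the same instant nextUpdate passed; only the `accept_expired_for` workaround makes it usable again.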