Reminding the WG of an old issue I raised years ago for validation reconsidered which, as far as I know, has not yet been addressed.
If we change the validation algorithm, we really should also change the object identifiers used in the X.509v3 extensions used to convey the resources. The reason for this is simple: the RFC 3779 validation algorithm has shipped, long since. My implementation has been part of OpenSSL for the last decade, and while it's not enabled by default on all platforms, it is on some, and is available as a configuration option on others. It is far too late to change this, that ship has sailed. So if we're talking about changing the validation algorithm now, we need to label the algorithm we're using, so that validation code knows which algorithm it's supposed to follow. Otherwise, we'll get different validation results at different sites depending on which algorithm they're using this week, different routing decisions as a consequence, dogs and cats living together, mass hysteria. The solution to this is simple: change the extension OIDs. X.509's "critical extension" mechanism will take care of the rest. This will require some kind of phase-in/phase-out process during which the new OIDs appear and the old OIDs vanish, and will require RP code to implement the new OIDs, but these are trivial issues given that the RP behavior has to change in any case, that being the point of the entire validation reconsidered exercise. Yes, this will be a bit painful, but I view it as in essence exposing a problem that already exists, rather than sweeping it under the rug. Sorry for reminding the WG of this yet again at what some may consider a late date, but I have raised this issue before, I just haven't (re)raised it in the last few months. _______________________________________________ sidr mailing list [email protected] https://www.ietf.org/mailman/listinfo/sidr
