Hi Rob, WG, I can see how this can help to make the behaviour of RPs consistent. If this is left as local policy then differences can occur w.r.t. RPs using reconsidered, or not and it's unpredictable for CAs to understand how RPs would behave.
I am not sure that I got your and Russ's point entirely correct, but are you suggesting that we update section 4.8.10 (IP resources extension) in RFC6487 (Resource Certificate Profile) so that it doesn't use the normal RFC3779 critical extension with its corresponding OID, but uses essentially the same resource extension with a different OID to indicate that validation should be done differently? If this is not what you meant some more precise pointers to which OID in which RFC and section need updating would be appreciated :) Other than that I can prepare some text and slide ware to discuss this further, here and Thursday morning. Thanks, Tim > On 19 Jul 2016, at 13:18, Rob Austein <[email protected]> wrote: > > Reminding the WG of an old issue I raised years ago for validation > reconsidered which, as far as I know, has not yet been addressed. > > If we change the validation algorithm, we really should also change > the object identifiers used in the X.509v3 extensions used to convey > the resources. > > The reason for this is simple: the RFC 3779 validation algorithm has > shipped, long since. My implementation has been part of OpenSSL for > the last decade, and while it's not enabled by default on all > platforms, it is on some, and is available as a configuration option > on others. It is far too late to change this, that ship has sailed. > > So if we're talking about changing the validation algorithm now, we > need to label the algorithm we're using, so that validation code knows > which algorithm it's supposed to follow. Otherwise, we'll get > different validation results at different sites depending on which > algorithm they're using this week, different routing decisions as a > consequence, dogs and cats living together, mass hysteria. > > The solution to this is simple: change the extension OIDs. X.509's > "critical extension" mechanism will take care of the rest. > > This will require some kind of phase-in/phase-out process during which > the new OIDs appear and the old OIDs vanish, and will require RP code > to implement the new OIDs, but these are trivial issues given that the > RP behavior has to change in any case, that being the point of the > entire validation reconsidered exercise. > > Yes, this will be a bit painful, but I view it as in essence exposing > a problem that already exists, rather than sweeping it under the rug. > > Sorry for reminding the WG of this yet again at what some may consider > a late date, but I have raised this issue before, I just haven't > (re)raised it in the last few months. > > _______________________________________________ > sidr mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/sidr _______________________________________________ sidr mailing list [email protected] https://www.ietf.org/mailman/listinfo/sidr
