Hi Phill.  I just re-read and enjoyed your ...

     draft-hallambaker-pkixstatus-00

It contains many hints at problems in the existing revocation regime.

Here's a suggestion for structuring the next draft in order to bring it more 
closely in line with the charter.

Use the Security Considerations section to describe the failure modes of the 
current system; such things as (from your draft) ...

Revocation codes not congruent with operational lifecycle states;
No defined precedence in status results;
No defined order of severity in status values;
No defined user behavior for status values;
No status value corresponding to the "non-existent" operational state;
Clients "soft fail";
Hardcoded/Indirect mechanisms don't support the "payment declined" reason 
(maybe that's not a security issue);

Tempting though it is, we don't need to propose solutions to these problems.  
Rather, once we have agreement, we could send a liaison statement to whoever is 
responsible for maintaining the PKIX documents, asking them to consider the 
issues.

The body of the document should record how today's browsers/OSs actually 
behave.  I realize that that could be a daunting task.  But, maybe you and the 
other authors could record what you believe happens on each platform in respect 
of each of the security considerations, and send the description to 
representatives for each platform asking for confirmation/correction.

What do you think?

Thanks a lot.  All the best.  Tim.
_______________________________________________
wpkops mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/wpkops
