Warranty Certificate Extension
draft-ietf-pkix-warranty-extn-01
55th IETF Meeting
November 2002
Purpose and use
• Warranty certificate extension is non-critical
• Warranty extension explicitly offers immediate evidence of CA warranty, thereby
  – Enhances confidence to encourage use of certificates
  – Automates this aspect of risk management for RP
• Provides information on the warranty provided:
  – Offers either:
    • Base warranty, or
    • Explicit statement that there is no warranty (NULL),
  – Optionally offers extended warranty
Format & Syntax
• ASN.1 id-pe-warrantyData with OID
• Choice: NULL or information on base warranty
• Non-null warranty MUST include base warranty information
• Non-null warranty may include extended warranty
• Warranty period – before/after parameters
• Warranty value – using ISO 4217 currency identifiers
  – amount / (10 ** amtExp10)
Warranty Type
• Aggregated (0): claims are fulfilled until a ceiling value is reached; after that, no further claims are fulfilled.
• Per-transaction (1): a ceiling value is imposed on each claim, but each transaction is considered independently.
Optional qualifiers
• WarrantyData
  – Extended WarrantyInfo OPTIONAL:
  – Extended warranty information, with period, value and type
• WarrantyData
  – tcURL TermsAndConditionsURL OPTIONAL
  – Terms and conditions pointer – to CP or specific T&C about warranty
    • The pointer is always a URL
    • URL MUST be a non-relative URL
    • MUST follow the URL syntax and encoding rules specified in RFC 1738
Benefits
• Relying Party:
  – Evidence of a warranty will give the relying party confidence that compensation is possible
  – Risk may be reduced by the presence of a warranty extension with an explicit warranty stated
  – Risk may be reduced by the presence of a warranty extension with NULL
  – Supports automated risk decisions
  – Explicit warranty if harmed by incorrect certificate:
    • Specified maximum
    • Specified validity period
• Subscriber:
  – Potential for greater acceptance of certificate
• CA:
  – Potential to increase certificate acceptance in ecommerce-related applications
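One way a relying party could automate the risk decision from the fields described on these slides, as an added example (not code from the draft or its authors). The field names, result strings and decision policy are assumptions, and the warranty data is assumed to be already decoded from the certificate.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from decimal import Decimal
from typing import Optional
from urllib.parse import urlsplit

AGGREGATED, PER_TRANSACTION = 0, 1  # warranty type values from the slides

@dataclass
class WarrantyInfo:          # hypothetical holder for already-decoded fields
    not_before: datetime     # warranty period "before/after parameters"
    not_after: datetime
    currency: str            # ISO 4217 identifier, e.g. "USD"
    amount: int
    amt_exp10: int
    wtype: int               # AGGREGATED or PER_TRANSACTION

    def value(self) -> Decimal:
        # Warranty value as given on the slides: amount / (10 ** amtExp10)
        return Decimal(self.amount) / (Decimal(10) ** self.amt_exp10)

def tc_url_ok(url: str) -> bool:
    # tcURL MUST be a non-relative URL: require both a scheme and a host.
    parts = urlsplit(url)
    return bool(parts.scheme and parts.netloc)

def assess(base: Optional[WarrantyInfo], tx_value: Decimal, currency: str,
           now: datetime, tc_url: Optional[str] = None) -> str:
    """Relying-party decision for one transaction (the policy is an assumption)."""
    if base is None:                      # NULL choice: explicit "no warranty"
        return "no-warranty"
    if tc_url is not None and not tc_url_ok(tc_url):
        return "reject-malformed"
    if not (base.not_before <= now <= base.not_after):
        return "outside-period"
    if base.currency != currency:
        return "manual-review"            # no currency conversion attempted
    if tx_value > base.value():
        return "exceeds-ceiling"
    # An aggregated ceiling may already be used up by claims the RP cannot see.
    return "covered" if base.wtype == PER_TRANSACTION else "covered-if-ceiling-remains"

if __name__ == "__main__":
    # Constructed sample: 2500000 / 10**2 = 25000 USD ceiling per transaction
    utc = timezone.utc
    w = WarrantyInfo(datetime(2002, 1, 1, tzinfo=utc), datetime(2003, 1, 1, tzinfo=utc),
                     "USD", 2500000, 2, PER_TRANSACTION)
    print(assess(w, Decimal("1000"), "USD", datetime(2002, 11, 15, tzinfo=utc)))
```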
Issues
• Should the extension be called a “disclaimer of liability” instead of a “warranty”, since the CA is providing warranty only up to a certain point, above which it does not offer a warranty
  – Is this a disclaimer of liability? (half-full vs. half-empty)
• Should tcURL be mandatory? If absent in the extension, then this could imply trust in the CA: The RP trusts the CA - and then, may not need a warranty. If the RP does not trust the CA, then the RP needs to know the T&C - therefore tcURL must be present. OTOH if tcURL is optional, then trust in the extension itself is implied
  – This may be sufficient for the RP, or the RP may go to the T&C.
Path forward
• Revise –01 and issue –02, addressing comments received
  – E.g., clarify text re warranty vs. liability
• Issues arising to be resolved via pkix list