Warranty%20Certificate%20Extension%20draft-ietf-pkix-warranty-extn-01

1
Warranty Certificate Extensiondraft-ietf-pkix-wa
rranty-extn-01

• 55th IETF Meeting
• November 2002

2
Purpose and use

• Warranty certificate extension is non-critical
• Warranty extension explicitly offers immediate
  evidence of CA warranty, thereby
• Enhances confidence to encourage use of
  certificates
• Automates this aspect of risk management for RP
• Provides information on the warranty provided
• Offers either
• Base warranty, or
• Explicit statement that there is no warranty
  (NULL),
• Optionally offers extended warranty

3
Format Syntax

• ASN.1 id-pe-warrantyData with OID
• Choice NULL or information on base warranty
• Non-null warranty MUST include base warranty
  information
• Non-null warranty may include extended warranty
• Warranty period before/after parameters
• Warranty value using ISO 4217 currency
  identifiers
• amount / (10 amtExp10)

4
Warranty Type

• Aggregated (0) claims are fulfilled until a
  ceiling value is reached after that, no further
  claims are fulfilled.
• Per-transaction (1) a ceiling value is imposed
  on each claim, but each transaction is considered
  independently.

5
Optional qualifiers

• WarrantyData
• Extended WarrantyInfo OPTIONAL
• Extended warranty information, with period, value
  and type
• WarrantyData
• tcURL TermsAndConditionsURL OPTIONAL
• Terms and conditions pointer to CP or specific
  TC about warranty
• The pointer is always a URL
• URL MUST be a non-relative URL
• MUST follow the URL syntax and encoding rules
  specified in RFC 1738

6
Benefits

• Relying Party
• Evidence of a warranty will give the relying
  party confidence that compensation is possible
• Risk may be reduced by the presence of a warranty
  extension with an explicit warranty stated
• Risk may be reduced by the presence of a warranty
  extension with NULL
• Supports automated risk decisions
• Explicit warranty if harmed by incorrect
  certificate
• Specified maximum
• Specified validity period
• Subscriber
• Potential for greater acceptance of certificate
• CA
• Potential to increase certificate acceptance in
  ecommerce-related applications

7
Issues

• Should the extension be called a disclaimer of
  liability instead of a warranty, since the CA
  is providing warranty only up to a certain point,
  above which it does not offer a warranty Is
  this a disclaimer of liability? (half-full vs.
  half-empty)
• Should tcURL be mandatory? If absent in the
  extension, then this could imply trust in the CA
  The RP trusts the CA - and then, may not need a
  warranty. If the RP does not trust the CA, then
  the RP needs to know the TC - therefore tcURL
  must be present. OTOH if tcURL is optional, then
  trust in the extension itself is implied This
  may be sufficient for the RP, or the RP may go to
  the TC.

8
Path forward

• Revise 01 and issue 02, addressing comments
  received
• E.g., clarify text re warranty vs. liability
• Issues arising to be resolved via pkix list