Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid-04
Brian Sipos <brian.sipos+ietf@gmail.com> Fri, 20 August 2021 19:11 UTC
Return-Path: <brian.sipos@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D5AA3A2390 for <acme@ietfa.amsl.com>; Fri, 20 Aug 2021 12:11:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oQrvh6UNM3TB for <acme@ietfa.amsl.com>; Fri, 20 Aug 2021 12:11:01 -0700 (PDT)
Received: from mail-io1-xd32.google.com (mail-io1-xd32.google.com [IPv6:2607:f8b0:4864:20::d32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D7983A238C for <acme@ietf.org>; Fri, 20 Aug 2021 12:11:01 -0700 (PDT)
Received: by mail-io1-xd32.google.com with SMTP id i7so13599823iow.1 for <acme@ietf.org>; Fri, 20 Aug 2021 12:11:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=URS8jfRqfZvm64p7TkPia7p10tYF5Y5oy1yVidiJrqU=; b=NK+5B8uYd2o1URqcJWeYxG10HXMPf07eCAU95D3a5b9k5OH6+tC0eUpDT9WZsXMtdR 50CGk3gyeK9hVdHw4/MFtf8RF1RCSrAJ0hsE0M9JR1nPUUaCJWJOf/BKwTbvLLlsTjc+ INIUOV7Loaiu8U7rpor99yawQ+dWvHyipx/LRLc6dNm1HStUkaNTLTMzhdLB5nzoVdPS k6aMk00mNvvS5hHe94YGmnK213RAsi2lbldXjT8kIUlT42zL51B26rGxYbUp7A/0+zoZ FDfcxTVY1aVzjLbcFZCDw3LqPUSFHQmSiIWwueAzIHB9aYyNZngad0pQP/cQkhFm/hCJ 0m1w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=URS8jfRqfZvm64p7TkPia7p10tYF5Y5oy1yVidiJrqU=; b=VGrVeg3wvBk9XGmc0TnFad0cRLsIQIe/Haf/rrb+SgMHuWD2lnXJ13GRrlglRsVQeM jXsw38SwA0hOpwGtVfX1JD9qGOuXwDvTgxrNG8io3ATqytKdxtMM5Sq/5//egZ/U1M1v HlEYTUJOCIXfVFHeh0BKadiB03RhLq/tKfQ61a1eaFIA1coGwUyWliGfYbVyhr9A10m4 9XFoJwdVsLszxxfJV9LSS3BcCDayhTZPsEJ0zYRWcWZAduA3LhMpSGYYjiNFBE6/XaGK bdBs24N+1RweI3HYL+PENaOLlcIzVo1oljQ5zesrw8EI9IQHNyjVukzv53kEgo6HIrBa NHtg==
X-Gm-Message-State: AOAM532P4G9k8Ew0nW2Q2DCv22962WJd7I9Ns/GsEYKqzaS5zfBMhzij BMLSY9xXbr89T/yfRA1prqw8K0VAkHu5luPGln2uQKT1hKI=
X-Google-Smtp-Source: ABdhPJwBah/ICVTxDfj6o5TgBEXAiAO5OSnpH3rbPbKlZbHYiyhWCA41Co7vvJXOFGPAmuld6H5V9Fi5Xtx9sD6wqRc=
X-Received: by 2002:a02:6a24:: with SMTP id l36mr19068194jac.4.1629486659451; Fri, 20 Aug 2021 12:10:59 -0700 (PDT)
MIME-Version: 1.0
References: <4ddbcc0b9ba6e2942fd1d95c412e41e6988b8a59.camel@rkf-eng.com> <PH2P110MB0936035312E5FE600262D9DDDCFA9@PH2P110MB0936.NAMP110.PROD.OUTLOOK.COM> <CAErg=HE4VN9kbhO_Ez06GGtF7QEXe1zDSM=75n8YnK4aKKPz5g@mail.gmail.com> <BN1P110MB09390636D5A3778ED836CF1FDCFA9@BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM> <CC82C5CA-96A5-48AD-957F-7F13C4E2DCFD@akamai.com> <CAM1+-giYmrscQW28uHH5Oqv6AiUmO-qW+uOtm9Se8g5OofA6Rw@mail.gmail.com> <B2058833-D904-4436-962B-A8ECB4A8BD42@akamai.com>
In-Reply-To: <B2058833-D904-4436-962B-A8ECB4A8BD42@akamai.com>
From: Brian Sipos <brian.sipos+ietf@gmail.com>
Date: Fri, 20 Aug 2021 15:10:48 -0400
Message-ID: <CAM1+-ggHiwhPKn0J1o2fmAwzPKHVdd3T_An-g0HxbL9rGNCFiA@mail.gmail.com>
To: "Salz, Rich" <rsalz@akamai.com>
Cc: Roman Danyliw <rdd@cert.org>, Ryan Sleevi <ryan-ietf@sleevi.com>, Brian Sipos <BSipos@rkf-eng.com>, "acme@ietf.org" <acme@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000080bf2d05ca026d4e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/1hXczkjt_DFCYcqrTUqo91EK7WA>
Subject: Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid-04
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Aug 2021 19:11:07 -0000
Rich, I see your point. I had made my own assumptions that tools would validate that the SAN URI contained a valid URI and nothing more. But because the RFC 5280 requires more about the authority part some tools/libraries are free to throw out URIs that have some other (RFC-invalid) authority part. Unfortunately, the document this most affects is already in the editor queue. But I think the new otherName type-id OID will be needed to avoid potential tooling compatibility issues. My plan is to propose adding a new otherName OID for any DTN Endpoint ID (as a URI) and then use that for DTN Node IDs as a subset of EIDs. The logic is almost identical to current SAN URI except for those DNS/IP related restrictions on SAN URI content being replaced by DTN scheme restrictions. On Sun, Aug 15, 2021 at 11:11 AM Salz, Rich <rsalz@akamai.com> wrote: > > - Does it seems like it's at all reasonable, from the perspective of > the security area and focus on PKIX (documents and tools), for an > application profile like this to say to conform to "... RFC 5280 with the > exception of the FQDN/IP-address restriction on URI authority part". It's > not exactly an update to RFC 5280 but I don't know how valid or typical it > is for one RFC to relax requirements from a normative reference. > > > > How would that work? Let’s take an application using OpenSSL. It > currently calls d2i_X509() to parse the DER into internal format. It does > various cert checks along the way. Would you add a new API (because you > can’t change the calling sequence it breaks all existing applications), and > then pass that flag down through all the call stack? > > >
- [Acme] AD Review of draft-ietf-acme-dtnnodeid-04 Roman Danyliw
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Brian Sipos
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Roman Danyliw
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Ryan Sleevi
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Roman Danyliw
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Salz, Rich
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Russ Housley
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Brian Sipos
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Ryan Sleevi
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Salz, Rich
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Brian Sipos
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Roman Danyliw
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Russ Housley
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Brian Sipos
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Roman Danyliw