IETF Logo Mail Archive

Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid-04

Brian Sipos <brian.sipos+ietf@gmail.com> Sat, 14 August 2021 22:35 UTC

Return-Path: <brian.sipos@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE0EA3A30B1 for <acme@ietfa.amsl.com>; Sat, 14 Aug 2021 15:35:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9UrQqAFwolH3 for <acme@ietfa.amsl.com>; Sat, 14 Aug 2021 15:35:48 -0700 (PDT)
Received: from mail-il1-x12f.google.com (mail-il1-x12f.google.com [IPv6:2607:f8b0:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 934B33A30A4 for <acme@ietf.org>; Sat, 14 Aug 2021 15:35:48 -0700 (PDT)
Received: by mail-il1-x12f.google.com with SMTP id y3so14688709ilm.6 for <acme@ietf.org>; Sat, 14 Aug 2021 15:35:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=PCxtNPn/Nmdl4PDjzzvOwG1/q3uBJZz+VyBfEVZls0Y=; b=Y/jTul+WcuGVqgLwQBekwPrm2D/evzVYXEIqWTCzaM49h7JhXwelJ9A2jIBPmGcXSK D8z5oh0s//WruayE9A00+lAXI7KzSe6xYrjVs4I/5udTNQc+TGjYeGX1LyTilNsM+lVO uo4maXeVvzOhjIhNdx+v400hVwZKpM+nAtUWgAL/Nt609RfZvxo7YDjTC3kydfiSMBxl egrBiVvFq5FPEYLZaa4tjSzWTTKTHQnxaDWQY9koV/9tD/oEH8LR4MH/cPDYtThnNoCH 2c0c2AQa9Eo75CkTieAMaJKKmuTwqmmjiVhd3yzNRTzcqS5G/Ao9oP7ZGuzO3RlB+yIT tu8A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=PCxtNPn/Nmdl4PDjzzvOwG1/q3uBJZz+VyBfEVZls0Y=; b=biWS5tyq04KMJNToR4dqTZgYh5hGqZovcjnSjyXjuTe/06EGAKUuPlbMfjo0AffVjv f7GPh8tc+IELP+y/Kc+WTk0HLyzHYeZkozNmdhWnW9n8R9hy48XmwfO9ut4BEkSWI71T QH7RR57aur0yeeTtFBDWsYDWn0u74T98+VpvT3NvgfGFwJ0bGP/XgFzXVvKBwFLUkKRa QS670x8VLV30loPRLt1UU/+P5sRbR6AU+599aT2G75DT5RVCBodVbdNfgWaxprYOwYJz 8snBD+lCAJ7Ci1MB6hvu6fMTBNkfre78px2ntLHxqRmEk7XVGFSxTj37aem73lw3gnTD TEkw==
X-Gm-Message-State: AOAM532O58xbbaRqJWlIGmonUxKuwRRcCitrhqQzXaru3npUa6WSy4OR D7taROggJluVjsiIncSgXjsDhXcQ/Lmo4BJlqpM=
X-Google-Smtp-Source: ABdhPJxFrLgXgPsydFdEfoFZsViePabLMkPNgEog4cYc7Deu5y1abvl8d3EOMcOsR8dksXM/z+ce45PbnbE96QWn1mM=
X-Received: by 2002:a92:6a0f:: with SMTP id f15mr6388273ilc.195.1628980546792; Sat, 14 Aug 2021 15:35:46 -0700 (PDT)
MIME-Version: 1.0
References: <4ddbcc0b9ba6e2942fd1d95c412e41e6988b8a59.camel@rkf-eng.com> <PH2P110MB0936035312E5FE600262D9DDDCFA9@PH2P110MB0936.NAMP110.PROD.OUTLOOK.COM> <CAErg=HE4VN9kbhO_Ez06GGtF7QEXe1zDSM=75n8YnK4aKKPz5g@mail.gmail.com> <BN1P110MB09390636D5A3778ED836CF1FDCFA9@BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM> <CC82C5CA-96A5-48AD-957F-7F13C4E2DCFD@akamai.com>
In-Reply-To: <CC82C5CA-96A5-48AD-957F-7F13C4E2DCFD@akamai.com>
From: Brian Sipos <brian.sipos+ietf@gmail.com>
Date: Sat, 14 Aug 2021 18:35:36 -0400
Message-ID: <CAM1+-giYmrscQW28uHH5Oqv6AiUmO-qW+uOtm9Se8g5OofA6Rw@mail.gmail.com>
To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>
Cc: Roman Danyliw <rdd@cert.org>, Ryan Sleevi <ryan-ietf@sleevi.com>, Brian Sipos <BSipos@rkf-eng.com>, "acme@ietf.org" <acme@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d6721a05c98c967b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/9D2Tp32Iaf6C4UIty9l6RZZm-ds>
Subject: Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid-04
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Aug 2021 22:35:55 -0000

All,
I understand more fully now that the RFC5280 definition for
uniformResourceIdentifier has a more specific purpose than as a general URI
container, and that existing tools likely have additional assumptions baked
in about what services the URIs are to be used for. I was really hoping
that the use of the SAN URI in TCPCLv4 would allow reuse of existing
structure and avoid new OID allocation, but it appears that was over
optimistic.

Does it seems like it's at all reasonable, from the perspective of the
security area and focus on PKIX (documents and tools), for an application
profile like this to say to conform to "... RFC 5280 with the exception of
the FQDN/IP-address restriction on URI authority part". It's not exactly an
update to RFC 5280 but I don't know how valid or typical it is for one RFC
to relax requirements from a normative reference.

On the other hand, I see no reason why a new otherName OID allocation under
the "SMI Security for PKIX Other Name Forms" IANA sub-registry [2] could
not be used with the same value (a Node ID URI) and value encoding
(IA5String). The PKIX profile for DTN is new and I doubt it has much
deployment yet within DTNs. But now's the time to settle this out; the
TCPCLv4 doc defining the profile is still in the RFC editor's queue.

RE Russ' comment about "dtn" scheme-specific-part structure: unfortunately
the naming portion of BPv7 is more informational than normative at this
point. These URI schemes have been in use for many years across several
implementations; I believe that they are in wide use in DTNs and there
would be little support to change the SSP structure. The interaction of the
URI structure with "other domain" tools like this just was not foreseen.

[2]
https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#smi-numbers-1.3.6.1.5.5.7.8

On Sat, Aug 14, 2021 at 11:08 AM Salz, Rich <rsalz=
40akamai.com@dmarc.ietf.org> wrote:

> I completely agree with Ryan.
>
>
>
>    - Do not touch 5280 as there will be too many competing interests to
>    improve it and interop will be broken or the bis version will be ignored.
>    (Years ago I wanted to re-open PKIX and I learned what a bad idea that is,
>    and I became ACME co-chair instead.)
>    - There are extension points within 5280 that can be used, at the loss
>    of built-in nameConstraints support. That doesn’t seem like a big loss,
>    especially as the semantics for DTN are not clear.
>    - Do not use the 5280 structures without saying this is PKIX, as that
>    will need to great confusion among open source implementors and their users.
>
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>

v2.23.0 | Report a Bug | By Email