Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid-04
Brian Sipos <brian.sipos+ietf@gmail.com> Sat, 14 August 2021 22:35 UTC
Return-Path: <brian.sipos@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE0EA3A30B1 for <acme@ietfa.amsl.com>; Sat, 14 Aug 2021 15:35:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9UrQqAFwolH3 for <acme@ietfa.amsl.com>; Sat, 14 Aug 2021 15:35:48 -0700 (PDT)
Received: from mail-il1-x12f.google.com (mail-il1-x12f.google.com [IPv6:2607:f8b0:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 934B33A30A4 for <acme@ietf.org>; Sat, 14 Aug 2021 15:35:48 -0700 (PDT)
Received: by mail-il1-x12f.google.com with SMTP id y3so14688709ilm.6 for <acme@ietf.org>; Sat, 14 Aug 2021 15:35:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=PCxtNPn/Nmdl4PDjzzvOwG1/q3uBJZz+VyBfEVZls0Y=; b=Y/jTul+WcuGVqgLwQBekwPrm2D/evzVYXEIqWTCzaM49h7JhXwelJ9A2jIBPmGcXSK D8z5oh0s//WruayE9A00+lAXI7KzSe6xYrjVs4I/5udTNQc+TGjYeGX1LyTilNsM+lVO uo4maXeVvzOhjIhNdx+v400hVwZKpM+nAtUWgAL/Nt609RfZvxo7YDjTC3kydfiSMBxl egrBiVvFq5FPEYLZaa4tjSzWTTKTHQnxaDWQY9koV/9tD/oEH8LR4MH/cPDYtThnNoCH 2c0c2AQa9Eo75CkTieAMaJKKmuTwqmmjiVhd3yzNRTzcqS5G/Ao9oP7ZGuzO3RlB+yIT tu8A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=PCxtNPn/Nmdl4PDjzzvOwG1/q3uBJZz+VyBfEVZls0Y=; b=biWS5tyq04KMJNToR4dqTZgYh5hGqZovcjnSjyXjuTe/06EGAKUuPlbMfjo0AffVjv f7GPh8tc+IELP+y/Kc+WTk0HLyzHYeZkozNmdhWnW9n8R9hy48XmwfO9ut4BEkSWI71T QH7RR57aur0yeeTtFBDWsYDWn0u74T98+VpvT3NvgfGFwJ0bGP/XgFzXVvKBwFLUkKRa QS670x8VLV30loPRLt1UU/+P5sRbR6AU+599aT2G75DT5RVCBodVbdNfgWaxprYOwYJz 8snBD+lCAJ7Ci1MB6hvu6fMTBNkfre78px2ntLHxqRmEk7XVGFSxTj37aem73lw3gnTD TEkw==
X-Gm-Message-State: AOAM532O58xbbaRqJWlIGmonUxKuwRRcCitrhqQzXaru3npUa6WSy4OR D7taROggJluVjsiIncSgXjsDhXcQ/Lmo4BJlqpM=
X-Google-Smtp-Source: ABdhPJxFrLgXgPsydFdEfoFZsViePabLMkPNgEog4cYc7Deu5y1abvl8d3EOMcOsR8dksXM/z+ce45PbnbE96QWn1mM=
X-Received: by 2002:a92:6a0f:: with SMTP id f15mr6388273ilc.195.1628980546792; Sat, 14 Aug 2021 15:35:46 -0700 (PDT)
MIME-Version: 1.0
References: <4ddbcc0b9ba6e2942fd1d95c412e41e6988b8a59.camel@rkf-eng.com> <PH2P110MB0936035312E5FE600262D9DDDCFA9@PH2P110MB0936.NAMP110.PROD.OUTLOOK.COM> <CAErg=HE4VN9kbhO_Ez06GGtF7QEXe1zDSM=75n8YnK4aKKPz5g@mail.gmail.com> <BN1P110MB09390636D5A3778ED836CF1FDCFA9@BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM> <CC82C5CA-96A5-48AD-957F-7F13C4E2DCFD@akamai.com>
In-Reply-To: <CC82C5CA-96A5-48AD-957F-7F13C4E2DCFD@akamai.com>
From: Brian Sipos <brian.sipos+ietf@gmail.com>
Date: Sat, 14 Aug 2021 18:35:36 -0400
Message-ID: <CAM1+-giYmrscQW28uHH5Oqv6AiUmO-qW+uOtm9Se8g5OofA6Rw@mail.gmail.com>
To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>
Cc: Roman Danyliw <rdd@cert.org>, Ryan Sleevi <ryan-ietf@sleevi.com>, Brian Sipos <BSipos@rkf-eng.com>, "acme@ietf.org" <acme@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d6721a05c98c967b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/9D2Tp32Iaf6C4UIty9l6RZZm-ds>
Subject: Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid-04
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Aug 2021 22:35:55 -0000
All, I understand more fully now that the RFC5280 definition for uniformResourceIdentifier has a more specific purpose than as a general URI container, and that existing tools likely have additional assumptions baked in about what services the URIs are to be used for. I was really hoping that the use of the SAN URI in TCPCLv4 would allow reuse of existing structure and avoid new OID allocation, but it appears that was over optimistic. Does it seems like it's at all reasonable, from the perspective of the security area and focus on PKIX (documents and tools), for an application profile like this to say to conform to "... RFC 5280 with the exception of the FQDN/IP-address restriction on URI authority part". It's not exactly an update to RFC 5280 but I don't know how valid or typical it is for one RFC to relax requirements from a normative reference. On the other hand, I see no reason why a new otherName OID allocation under the "SMI Security for PKIX Other Name Forms" IANA sub-registry [2] could not be used with the same value (a Node ID URI) and value encoding (IA5String). The PKIX profile for DTN is new and I doubt it has much deployment yet within DTNs. But now's the time to settle this out; the TCPCLv4 doc defining the profile is still in the RFC editor's queue. RE Russ' comment about "dtn" scheme-specific-part structure: unfortunately the naming portion of BPv7 is more informational than normative at this point. These URI schemes have been in use for many years across several implementations; I believe that they are in wide use in DTNs and there would be little support to change the SSP structure. The interaction of the URI structure with "other domain" tools like this just was not foreseen. [2] https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#smi-numbers-1.3.6.1.5.5.7.8 On Sat, Aug 14, 2021 at 11:08 AM Salz, Rich <rsalz= 40akamai.com@dmarc.ietf.org> wrote: > I completely agree with Ryan. > > > > - Do not touch 5280 as there will be too many competing interests to > improve it and interop will be broken or the bis version will be ignored. > (Years ago I wanted to re-open PKIX and I learned what a bad idea that is, > and I became ACME co-chair instead.) > - There are extension points within 5280 that can be used, at the loss > of built-in nameConstraints support. That doesn’t seem like a big loss, > especially as the semantics for DTN are not clear. > - Do not use the 5280 structures without saying this is PKIX, as that > will need to great confusion among open source implementors and their users. > > > _______________________________________________ > Acme mailing list > Acme@ietf.org > https://www.ietf.org/mailman/listinfo/acme >
- [Acme] AD Review of draft-ietf-acme-dtnnodeid-04 Roman Danyliw
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Brian Sipos
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Roman Danyliw
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Ryan Sleevi
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Roman Danyliw
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Salz, Rich
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Russ Housley
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Brian Sipos
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Ryan Sleevi
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Salz, Rich
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Brian Sipos
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Roman Danyliw
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Russ Housley
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Brian Sipos
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Roman Danyliw