Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid-04

Roman Danyliw <rdd@cert.org> Fri, 20 August 2021 19:22 UTC

From: Roman Danyliw <rdd@cert.org>
To: Brian Sipos <brian.sipos+ietf@gmail.com>, "Salz, Rich" <rsalz@akamai.com>
CC: Ryan Sleevi <ryan-ietf@sleevi.com>, Brian Sipos <BSipos@rkf-eng.com>, "acme@ietf.org" <acme@ietf.org>
Date: Fri, 20 Aug 2021 19:22:29 +0000
Message-ID: <BN1P110MB09395222BFDE0036738C2FD6DCC19@BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM>
In-Reply-To: <CAM1+-ggHiwhPKn0J1o2fmAwzPKHVdd3T_An-g0HxbL9rGNCFiA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/DVhKEd2kXO50tA2UZxSNafV7etw>
List-Id: Automated Certificate Management Environment <acme.ietf.org>

Hi Brian!

Per the other affected document, draft-ietf-dtn-tcpclv4, while it is in the RFC editor queue, it isn’t published.  Therefore, it could be pulled back to reconcile with this new approach.

Regards,
Roman

From: Brian Sipos <brian.sipos+ietf@gmail.com>
Sent: Friday, August 20, 2021 3:11 PM
To: Salz, Rich <rsalz@akamai.com>
Cc: Roman Danyliw <rdd@cert.org>; Ryan Sleevi <ryan-ietf@sleevi.com>; Brian Sipos <BSipos@rkf-eng.com>; acme@ietf.org
Subject: Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid-04

Rich, I see your point. I had made my own assumptions that tools would validate that the SAN URI contained a valid URI and nothing more. But because RFC 5280 requires more about the authority part, some tools/libraries are free to throw out URIs that have some other (RFC-invalid) authority part.

Unfortunately, the document this most affects is already in the editor queue. But I think the new otherName type-id OID will be needed to avoid potential tooling compatibility issues. My plan is to propose adding a new otherName OID for any DTN Endpoint ID (as a URI) and then use that for DTN Node IDs as a subset of EIDs. The logic is almost identical to current SAN URI except for those DNS/IP related restrictions on SAN URI content being replaced by DTN scheme restrictions.

On Sun, Aug 15, 2021 at 11:11 AM Salz, Rich <rsalz@akamai.com> wrote:

  * Does it seem like it's at all reasonable, from the perspective of the security area and focus on PKIX (documents and tools), for an application profile like this to say to conform to "... RFC 5280 with the exception of the FQDN/IP-address restriction on URI authority part"? It's not exactly an update to RFC 5280, but I don't know how valid or typical it is for one RFC to relax requirements from a normative reference.

How would that work?  Let's take an application using OpenSSL.  It currently calls d2i_X509() to parse the DER into internal format. It does various cert checks along the way. Would you add a new API (because you can't change the calling sequence; it breaks all existing applications), and then pass that flag down through all the call stack?
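The disagreement in this thread turns on one RFC 5280 (section 4.2.1.6) rule for a uniformResourceIdentifier SAN: the URI must be absolute, must carry a scheme and a scheme-specific-part, and if it has an authority the host must be a fully qualified domain name or an IP address. The Python below is an added illustration, not code from the draft, from OpenSSL, or from anyone on this thread. It applies that rule to a few constructed URIs (so a DTN node ID such as dtn://node1/ is rejected exactly as Rich describes, while an authority-less EID passes) and contrasts it with a stand-in check of the kind Brian proposes for a DTN Endpoint ID otherName. The FQDN heuristic (at least two dotted labels) and the DTN scheme set are assumptions; the draft's actual otherName rules are not in this thread.

```python
"""Compare RFC 5280 SAN-URI validation with a stand-in DTN-EID otherName check.

Added example (not the draft's or OpenSSL's code). A real validator would see
these strings after DER-decoding the subjectAltName extension; here they are
constructed inline so the script runs offline.
"""
import ipaddress
import re
from typing import Tuple
from urllib.parse import urlsplit

# One DNS label: letters, digits, hyphens, no leading/trailing hyphen, <= 63 chars.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Assumption: the URI schemes a DTN Endpoint ID otherName would accept.
DTN_EID_SCHEMES = ("dtn", "ipn")


def is_ip_literal(host: str) -> bool:
    """True for a textual IPv4 or IPv6 address (brackets already stripped)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_fqdn(host: str) -> bool:
    """Heuristic FQDN test (assumption): two or more valid dotted labels.

    RFC 5280 does not spell out how to judge 'fully qualified'; treating a
    single-label host such as 'node1' as not qualified is what makes a
    dtn://node1/ SAN fail the check below.
    """
    host = host.rstrip(".")
    labels = host.split(".")
    if len(labels) < 2 or len(host) > 253:
        return False
    return all(_LABEL.match(label) for label in labels)


def check_uri_san(uri: str) -> Tuple[bool, str]:
    """Apply the RFC 5280 4.2.1.6 rules for a uniformResourceIdentifier SAN."""
    parts = urlsplit(uri)
    if not parts.scheme:
        return False, "relative URI: no scheme"
    if not (parts.netloc or parts.path or parts.query or parts.fragment):
        return False, "no scheme-specific-part"
    if parts.netloc:
        host = parts.hostname or ""
        if not (is_ip_literal(host) or is_fqdn(host)):
            return False, "authority host %r is neither an FQDN nor an IP address" % host
    return True, "accepted"


def check_dtn_eid_othername(uri: str) -> Tuple[bool, str]:
    """Stand-in for a DTN Endpoint ID otherName rule set (assumption).

    Keeps the absolute-URI requirement but swaps the FQDN/IP restriction on the
    authority for a scheme restriction, which is the shape of change Brian
    describes. The draft's real rules are not on this page.
    """
    parts = urlsplit(uri)
    if not parts.scheme:
        return False, "relative URI: no scheme"
    if parts.scheme not in DTN_EID_SCHEMES:
        return False, "scheme %r is not a DTN EID scheme" % parts.scheme
    if not (parts.netloc or parts.path):
        return False, "no scheme-specific-part"
    return True, "accepted"


def triage(uris):
    """Map each URI to (accepted as SAN URI, accepted as DTN EID otherName)."""
    return {u: (check_uri_san(u)[0], check_dtn_eid_othername(u)[0]) for u in uris}


if __name__ == "__main__":
    # Constructed sample SAN values.
    samples = [
        "https://www.example.com/",   # classic SAN URI: FQDN authority
        "https://192.0.2.10/",        # IP-address authority
        "dtn://node1/",               # DTN node ID: single-label authority
        "ipn:1.0",                    # DTN EID with no authority at all
        "node1/svc",                  # relative URI
    ]
    for uri, (san_ok, on_ok) in triage(samples).items():
        print("%-28s SAN-URI=%-5s DTN-otherName=%s  (%s)"
              % (uri, san_ok, on_ok, check_uri_san(uri)[1]))
```

The point the table of results makes: the authority-less ipn: form is fine under either rule, but the dtn:// form fails as a SAN URI purely because of the host restriction, so a validator that enforces RFC 5280 literally, as Rich's OpenSSL example would, has no flag to relax; carrying the EID in an otherName with its own type-id sidesteps that rule instead of asking every tool to make an exception.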