Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid-04
Ryan Sleevi <ryan-ietf@sleevi.com> Fri, 13 August 2021 20:25 UTC
Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE4963A253E for <acme@ietfa.amsl.com>; Fri, 13 Aug 2021 13:25:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.645
X-Spam-Level:
X-Spam-Status: No, score=-1.645 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O90zSqu_vvei for <acme@ietfa.amsl.com>; Fri, 13 Aug 2021 13:25:43 -0700 (PDT)
Received: from mail-pj1-f42.google.com (mail-pj1-f42.google.com [209.85.216.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A37053A253D for <acme@ietf.org>; Fri, 13 Aug 2021 13:25:43 -0700 (PDT)
Received: by mail-pj1-f42.google.com with SMTP id j12-20020a17090aeb0c00b00179530520b3so1914003pjz.0 for <acme@ietf.org>; Fri, 13 Aug 2021 13:25:43 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=N7gXKJw/q5q59Bdt8uFPXqKEeWvavN/Xc3luncGMjro=; b=iMwTHmVpzK/fm3PdG4Ypgr7f+RxEwjYBhuIuPJJmrHMdb6nIa5kBrfBxBSP4VaA2PI Nux9GdTn37ltvTABpaZX2m06Ui1/EJTmcLO4kRG/Ayi+OYzPBEfFgpEm8X8EJLDOf4pN XBHmST91uu5YpHpjSBpIyeL6Y/dbGJ+QJ13cX24jw2zdPKsbrjEkXqqyFj8duvs7c3Pb 8a8242stXQOCb+cpi6gXKo+OxqXHno8Ph7yTARwXxUcSG5VvbJ3rzsrMec3/tQs8enG1 yTNpkyn35BEHRyFzp7LD/Dg/a6Cnq0Eb+Si9u9EwLlWgOgPd5PmBW4yAsF2uOkNV+Xpe u3ww==
X-Gm-Message-State: AOAM531GtIsqOsoz9SR7xmi4dk+OapjoxvgRDRVpzNAaOND2CAKm7gnT wbPGXdesxabAXm78JGufv0e0oXPZvRQ=
X-Google-Smtp-Source: ABdhPJzQ07PBlhvZs9HDB3PGszzMGyALLm6020d91lkfG0HD00Gy818SA6BfVaAWYyhqoX/mE+as7w==
X-Received: by 2002:a17:902:eb46:b029:12d:1a3b:5721 with SMTP id i6-20020a170902eb46b029012d1a3b5721mr3347944pli.82.1628886342753; Fri, 13 Aug 2021 13:25:42 -0700 (PDT)
Received: from mail-pl1-f176.google.com (mail-pl1-f176.google.com. [209.85.214.176]) by smtp.gmail.com with ESMTPSA id s36sm4034055pgk.64.2021.08.13.13.25.42 for <acme@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 13 Aug 2021 13:25:42 -0700 (PDT)
Received: by mail-pl1-f176.google.com with SMTP id n12so12843777plf.4 for <acme@ietf.org>; Fri, 13 Aug 2021 13:25:42 -0700 (PDT)
X-Received: by 2002:a63:cd4d:: with SMTP id a13mr3847106pgj.364.1628886342338; Fri, 13 Aug 2021 13:25:42 -0700 (PDT)
MIME-Version: 1.0
References: <4ddbcc0b9ba6e2942fd1d95c412e41e6988b8a59.camel@rkf-eng.com> <PH2P110MB0936035312E5FE600262D9DDDCFA9@PH2P110MB0936.NAMP110.PROD.OUTLOOK.COM>
In-Reply-To: <PH2P110MB0936035312E5FE600262D9DDDCFA9@PH2P110MB0936.NAMP110.PROD.OUTLOOK.COM>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Fri, 13 Aug 2021 16:25:31 -0400
X-Gmail-Original-Message-ID: <CAErg=HE4VN9kbhO_Ez06GGtF7QEXe1zDSM=75n8YnK4aKKPz5g@mail.gmail.com>
Message-ID: <CAErg=HE4VN9kbhO_Ez06GGtF7QEXe1zDSM=75n8YnK4aKKPz5g@mail.gmail.com>
To: Roman Danyliw <rdd@cert.org>
Cc: Brian Sipos <BSipos@rkf-eng.com>, "acme@ietf.org" <acme@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d0910105c976a7fc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/Iwye0a81hSGAnijwkP2mQ3-Tbmw>
Subject: Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid-04
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Aug 2021 20:25:49 -0000
On Fri, Aug 13, 2021 at 4:04 PM Roman Danyliw <rdd@cert.org> wrote: > I think the current options might be: > > (1) Roughly what you said above + Make it clear that this document is NOT > using the RFC5280 profile and simply reusing the data structures (but not > the validation logic). Related to this, and excuse my ignorance about DTN, > would it be possible to constrain these non-RFC5280-conforming certificates > from appear on the internet with some normative phrasing. Technically, > RFC5280 is the _Internet_ PKIX profile. This document goes to great pains > to separate the internet portion of the ACME protocol exchange and the > validation happening over DTN (which might be considered a "limited domain" > as framed by RFC8799). > > (2) Revise RFC5280. I'm loath to pursue this path unless we really need > to. > I suspect that either of these options would be a quick way to doom interoperability. That is, for better or worse, RFC 5280 is _the_ profile of X.509 that is commonly targeted by libraries and implementations. Attempting to diverge here, or special-case exceptions, generally means that implementing an interoperable and spec-compliant implementation are increasingly unlikely, given the extant complexity inherent in X.509 and RFC 5280 to begin with (e.g. as so many implementations overlook RFC 4158 to their own peril - and to the harm of interop) To that end, is (3) Express the DTN ID as an otherName within the SAN, rather than a (non-conforming) URI Not an option? The downside here is the obvious loss of nameConstraints processing (RFC 5280 does not define even a processing algorithm for otherName nameConstraints, which makes sense, given the complexities there vis-a-vis multiple distinct otherNames vs multiple otherNames that make up a single logical name), but if that's an acceptable trade-off, that likely represents the most interoperable path forward. That's not to say otherName is readily supported "out of the box", although it is in some (e.g. most famously, Active Directory's use of the otherName for the userPrincipalName), but it fits within the "no special cases" goal of promoting interoperability, and lets one build/extend existing RFC 5280 implementations. Here, the lack of nameConstraints processing is a benefit, rather than a limitation - it makes processing and extracting such fields something relatively simple you can build on post-validation, if your library is not extensible or not receptive towards exposing library-level API support specific for DTN node IDs.
- [Acme] AD Review of draft-ietf-acme-dtnnodeid-04 Roman Danyliw
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Brian Sipos
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Roman Danyliw
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Ryan Sleevi
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Roman Danyliw
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Salz, Rich
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Russ Housley
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Brian Sipos
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Ryan Sleevi
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Salz, Rich
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Brian Sipos
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Roman Danyliw
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Russ Housley
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Brian Sipos
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Roman Danyliw