IETF Logo Mail Archive

Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid-04

Roman Danyliw <rdd@cert.org> Fri, 13 August 2021 22:59 UTC

Return-Path: <rdd@cert.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D47763A29A8 for <acme@ietfa.amsl.com>; Fri, 13 Aug 2021 15:59:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=seicmu.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vp2oAepu5p74 for <acme@ietfa.amsl.com>; Fri, 13 Aug 2021 15:59:25 -0700 (PDT)
Received: from USG02-BN3-obe.outbound.protection.office365.us (mail-bn3usg02on0129.outbound.protection.office365.us [23.103.208.129]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 792C73A29A6 for <acme@ietf.org>; Fri, 13 Aug 2021 15:59:25 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=jiPJvQLUqNozCNfqL9v1AY9sHVo1ZMe2opsdglJk/P24GVCH+LcjpVuRLGQ6Crr47mkhgvLcHqSdT4D4qw43jlOhlqmlIDS6UNmVgkGtN43GSU78fns5RO3MnTKZfpFuk/OkbjfL4JWFdWhSvir93iBVHVpputZ9izfOKrPxQ768JLOwYB2SZl0TZbqDhu4JuyeRLCHpU0HaIHQ6MwPOGfyW+hhKreiWZdrBZDYY5wSOts8pGzG82xxnKn8GfZWInhdKfbHoC3LdWm7LEY3EKGQ3xypTsxFSB81MohnazJPj1WuqUByPlSvy8b8eM3zABgkj2OSvzrlnQTNqGbdNHg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=2U6djxba2QhrYSpOUl8w+446ad0yVwu17Quwfz8sp70=; b=qnxFpBUiv9r3Jr5VhymfTmGOuwgBimVXK2uyl/eYnNbkfANz5ZzYlPbsvfAIJbYI8ZTg6E+zUKoEkPr4YvnYiVo731aWELH99YMXav/E0BwV0vn2KSnRj0MHG44o/BBq68b1tl+dyLeiHsOruq32ChrRLyzCgtlyuduTkZPuOC2hOtjMkiWYTZHSXKg3kHGpEkBZS9jOInLEn+FcwCcsa6GC72a2ghXHyuolO8epcsIqyQMBNQ7s6dp8VBDejsC2seB5UmCiqkTv5uLNjxJNuzkGruNIifctosLtbmRLbwunS0CyJcy7RjYaYwdapMuw3u5D2VczbWkOwlUsTOjvEA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=seicmu.onmicrosoft.com; s=selector1-seicmu-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=2U6djxba2QhrYSpOUl8w+446ad0yVwu17Quwfz8sp70=; b=W2XKzphwQsNispeNS4WOdhO5a3wL5zKuRRBAdPe/Hyvy2VUprXHe1RFtlNLnEavmYByTiP3iXBNMCX+9szTkTdAYcZee0he9ifIScaTKJF00AlcgU8QKs5e3GnioGkNXJMcceRN/mm49ny2+74H6sdotOebzZy7ha+CnwwiEQh0=
Received: from BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:134::12) by BN1P110MB0705.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:134::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4415.17; Fri, 13 Aug 2021 22:59:20 +0000
Received: from BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM ([fe80::93b:40b5:d4b6:9650]) by BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM ([fe80::93b:40b5:d4b6:9650%5]) with mapi id 15.20.4415.019; Fri, 13 Aug 2021 22:59:20 +0000
From: Roman Danyliw <rdd@cert.org>
To: Ryan Sleevi <ryan-ietf@sleevi.com>
CC: Brian Sipos <BSipos@rkf-eng.com>, "acme@ietf.org" <acme@ietf.org>
Thread-Topic: [Acme] AD Review of draft-ietf-acme-dtnnodeid-04
Thread-Index: AQHXgywiHJXaHUJs5USqsUtyrE1MwatajavAgBdutYCAACmeYA==
Date: Fri, 13 Aug 2021 22:59:20 +0000
Message-ID: <BN1P110MB09390636D5A3778ED836CF1FDCFA9@BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM>
References: <4ddbcc0b9ba6e2942fd1d95c412e41e6988b8a59.camel@rkf-eng.com> <PH2P110MB0936035312E5FE600262D9DDDCFA9@PH2P110MB0936.NAMP110.PROD.OUTLOOK.COM> <CAErg=HE4VN9kbhO_Ez06GGtF7QEXe1zDSM=75n8YnK4aKKPz5g@mail.gmail.com>
In-Reply-To: <CAErg=HE4VN9kbhO_Ez06GGtF7QEXe1zDSM=75n8YnK4aKKPz5g@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: sleevi.com; dkim=none (message not signed) header.d=none;sleevi.com; dmarc=none action=none header.from=cert.org;
x-originating-ip: [128.237.16.4]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: eb904315-0137-4614-165b-08d95eadfc54
x-ms-traffictypediagnostic: BN1P110MB0705:
x-microsoft-antispam-prvs: <BN1P110MB07059D34B69E02D2995747FADCFA9@BN1P110MB0705.NAMP110.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: vmWKxil5f1SnuV7RrYde88f8G0cETvFgVuUkCYxJnFQEtiW+1f807fLBlIG2VSMmNu0RY//EgGbfvOF5PjK3Y+Ko/yc1vksGv7rFmrv/Kmv8puoUBGpDjd3HGGciWBXOR2lZsuCJKPMwAmzle80fsblEvCZ6v0qBSrDowJed3lKKmYS8hSnHC8RaKDaBVHC1I6wd8qR3PMHVIKacZAQb8VLvuVodgFy9KSlngFZ68sATs+7pnOZb+DT6Aak+VM/XlpLH/B3AYCG/xlWRk2HnRX0wQDJUfNSc4ePUU4IOwrUDQjRHCiPSyfjo0BH1JyGdbP3clOfQKf7iRU4NITJhSGaymBcgfBZJF8ZMAdq1BDoUn17HbKMpdh+p6XSc1sRvSQJNtjU3MuI9vSbVdWh+476ZFiq3NqzFsC/ffH5LueizcMmkLHVTkNNlbNflkz7LQ2It6yk2MNzeDWAD2xbRNZ8/FeF0I500dIOUm5LiEZk0BBsAbu1ud+fO9UBZGPRAw6o20lChANNfARqLqdpOGliZnOezD3T7pL8yIL5hVCpqwZV7ZZkdYylvnZY1vR1YPkzGxjPHfat0GJhEUu5Ub9La4Rs2mbQyswJk1M0dxdShW1dJYmBVDw1CgInAl7t0YgV5ADLwKXpDezyE8ilj9w+fUs1GAopOAvIStkH3Y+B4oIhO1Qk5E8dsaeBAyxXTuExlqGyjq8KJa/BIRHXmaw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(346002)(366004)(2906002)(55016002)(9686003)(8676002)(4326008)(8936002)(186003)(53546011)(26005)(6506007)(6916009)(64756008)(66476007)(66556008)(66446008)(52536014)(5660300002)(7696005)(508600001)(86362001)(38100700002)(122000001)(66946007)(71200400001)(83380400001)(76116006)(33656002)(38070700005)(54906003)(66574015); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: RiQHNK5MQ20h7BST+NqxfOSetiS1EEndaYO19KUJduUdP4BdFKROYjezNRJgGrNZZrR4/RpOSfn3RqMJSuE9VjKVmb7jZP5eUJASXAVJA3x9Fbvsb1w5pMkTPlj5zvdABFxyeLG6tVi75uY96BYaPM6aEUQG08DicA67ZxXue968BaHRxgRVG9gR9UxkM6YAJvFIXqulSMIKlWG0B+mzxLMqXMY8nsvheUa5CCjZNxHXhH3PJKRrj5Wp9MVHRQp+5XhmkdFFRnHikyk2W2/HOJsM1TsxNBJXwqP50/EGeN8vBqs0nAqpnBe1MH75AKjgZtoPray7XDNP3zHFkAvGkza9B53OtsnjnKRF1YPwGWZa92NYP7zEjJkaI7JGqJ4MhtHW3Zzu+2cohCvU5cqcU92R3aXud0QPnqZu9Pzg9Og1ZpN/8oTFjaMuoH1OUh4x/F7AzsoNT0DpdDLIuR8QC5gmppLkDUIDdl9QvsIplfvRfQGHZgImycQ9qy9Jkd3mJyLNJWoZQ+M4V8+OLLQcXiKHT1ytiaFBZwDHREgBk53iP5RJHlVwi7n4vhSO0SohuSn7Vmq/2EA/cOyLC+zcIprZSHZ54oeegByXeQl1IWH2m6d4/vyeXsuO4rUbB9prVPfm9+g8Qx/062ubrpnbUj5yA87D+oPYbJ9UXD4TepYidqb8tk6PMFXgGOjFm0x3Lk97Ju1DmvoehNeNH6dGXMv8lz0zCP2QyZ2neRojWAZhrH8TrrVPRhi4cP0bqX6JrL9cfTXslUHk5j0VOBto60HefbzmSaYu4FlR6Qs5d43QsTkrt5IoEb1acxvryL4yMhMRMBWcoVYVDzvCnoB5hBj7uF44pjTRHm9TlqUjtF2s0xpOxsgtvnywUoQEZYC0HLrx+BCdJFEd+7s2q5dfOM3MFAdk88wqgUIDrksEVpKpylu6YY4clUAWE0D1UMDZgNaen5RocyKmHnQWQqE436ELmqDC5nGMk0jELRtclpO2UtODO8yIMRX7T3BKVfUl+iiJTZlqgsp9U3lKK4cYalFfP8mWfS7KiucY5H2Hc1e+P+/2reR6ufMMEdsgWPuSABNeofSPAVrHj4X60ZZG/GQZj+w5TYf7leAk8y4Erfo9mhKAXLrA8k0oKHV1AG2mQrz/EFoTIq6fSILnxAYCYOPLKYI08RfX0QOcTkSZ9yFnzSoY7KZ5YRXBvbhWMl1imXwKCmCDegCh03Ba3vuf1mM4vsgNrS3dHY57ScnEB14=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_BN1P110MB09390636D5A3778ED836CF1FDCFA9BN1P110MB0939NAMP_"
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: eb904315-0137-4614-165b-08d95eadfc54
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Aug 2021 22:59:20.5118 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN1P110MB0705
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/LheKT20dkvBtMbq6OhXzxYAcznM>
Subject: Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid-04
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Aug 2021 22:59:32 -0000

Hi Ryan!


From: Ryan Sleevi <ryan-ietf@sleevi.com>
Sent: Friday, August 13, 2021 4:26 PM
To: Roman Danyliw <rdd@cert.org>
Cc: Brian Sipos <BSipos@rkf-eng.com>; acme@ietf.org
Subject: Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid-04



On Fri, Aug 13, 2021 at 4:04 PM Roman Danyliw <rdd@cert.org<mailto:rdd@cert.org>> wrote:
I think the current options might be:

(1) Roughly what you said above + Make it clear that this document is NOT using the RFC5280 profile and simply reusing the data structures (but not the validation logic).  Related to this, and excuse my ignorance about DTN, would it be possible to constrain these non-RFC5280-conforming certificates from appear on the internet with some normative phrasing.  Technically, RFC5280 is the _Internet_ PKIX profile.  This document goes to great pains to separate the internet portion of the ACME protocol exchange and the validation happening over DTN (which might be considered a "limited domain" as framed by RFC8799).

(2) Revise RFC5280.  I'm loath to pursue this path unless we really need to.

I suspect that either of these options would be a quick way to doom interoperability. That is, for better or worse, RFC 5280 is _the_ profile of X.509 that is commonly targeted by libraries and implementations. Attempting to diverge here, or special-case exceptions, generally means that implementing an interoperable and spec-compliant implementation are increasingly unlikely, given the extant complexity inherent in X.509 and RFC 5280 to begin with (e.g. as so many implementations overlook RFC 4158 to their own peril - and to the harm of interop)

To that end, is

(3) Express the DTN ID as an otherName within the SAN, rather than a (non-conforming) URI

Not an option? The downside here is the obvious loss of nameConstraints processing (RFC 5280 does not define even a processing algorithm for otherName nameConstraints, which makes sense, given the complexities there vis-a-vis multiple distinct otherNames vs multiple otherNames that make up a single logical name), but if that's an acceptable trade-off, that likely represents the most interoperable path forward.

That's not to say otherName is readily supported "out of the box", although it is in some (e.g. most famously, Active Directory's use of the otherName for the userPrincipalName), but it fits within the "no special cases" goal of promoting interoperability, and lets one build/extend existing RFC 5280 implementations. Here, the lack of nameConstraints processing is a benefit, rather than a limitation - it makes processing and extracting such fields something relatively simple you can build on post-validation, if your library is not extensible or not receptive towards exposing library-level API support specific for DTN node IDs.

[Roman] Thanks for proposing another option.  I’d be interested to hear if this would be viable.  If I’m not mistaken, in addition to changing to otherName here, Section 4.4.1 of draft-ietf-dtn-tcpclv4 would also require revision.

Regards,
Roman

v2.23.0 | Report a Bug | By Email