IETF Logo Mail Archive

Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid-04

Russ Housley <housley@vigilsec.com> Fri, 20 August 2021 19:44 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D64B3A2918 for <acme@ietfa.amsl.com>; Fri, 20 Aug 2021 12:44:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O4zEEqOfkSpI for <acme@ietfa.amsl.com>; Fri, 20 Aug 2021 12:44:48 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 43E7C3A290D for <acme@ietf.org>; Fri, 20 Aug 2021 12:44:48 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id B98B5300C73 for <acme@ietf.org>; Fri, 20 Aug 2021 15:44:47 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id SZ0yh2GlpHMk for <acme@ietf.org>; Fri, 20 Aug 2021 15:44:44 -0400 (EDT)
Received: from [172.20.3.158] (unknown [96.75.198.17]) by mail.smeinc.net (Postfix) with ESMTPSA id BC27D300AF8; Fri, 20 Aug 2021 15:44:43 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <122E89B1-9746-4909-B1BA-C0C92AD852D0@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_0F6DA8CA-ADC1-4C9C-A752-83FACDEC1D66"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
Date: Fri, 20 Aug 2021 15:44:42 -0400
In-Reply-To: <CAM1+-ggHiwhPKn0J1o2fmAwzPKHVdd3T_An-g0HxbL9rGNCFiA@mail.gmail.com>
Cc: Rich Salz <rsalz@akamai.com>, "Roman D. Danyliw" <rdd@cert.org>, Ryan Sleevi <ryan-ietf@sleevi.com>, IETF ACME <acme@ietf.org>
To: Brian Sipos <brian.sipos+ietf@gmail.com>, Brian Sipos <BSipos@rkf-eng.com>
References: <4ddbcc0b9ba6e2942fd1d95c412e41e6988b8a59.camel@rkf-eng.com> <PH2P110MB0936035312E5FE600262D9DDDCFA9@PH2P110MB0936.NAMP110.PROD.OUTLOOK.COM> <CAErg=HE4VN9kbhO_Ez06GGtF7QEXe1zDSM=75n8YnK4aKKPz5g@mail.gmail.com> <BN1P110MB09390636D5A3778ED836CF1FDCFA9@BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM> <CC82C5CA-96A5-48AD-957F-7F13C4E2DCFD@akamai.com> <CAM1+-giYmrscQW28uHH5Oqv6AiUmO-qW+uOtm9Se8g5OofA6Rw@mail.gmail.com> <B2058833-D904-4436-962B-A8ECB4A8BD42@akamai.com> <CAM1+-ggHiwhPKn0J1o2fmAwzPKHVdd3T_An-g0HxbL9rGNCFiA@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.104.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/QPcyKrUQwCpTVQhum9Fb06wRUhE>
Subject: Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid-04
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Aug 2021 19:44:54 -0000

Brian:

Is the AD that sponsored that document part of this discussion?  If not, I suggest that we loop them in.

Russ

> On Aug 20, 2021, at 3:10 PM, Brian Sipos <brian.sipos+ietf@gmail.com> wrote:
> 
> Rich, I see your point. I had made my own assumptions that tools would validate that the SAN URI contained a valid URI and nothing more. But because the RFC 5280 requires more about the authority part some tools/libraries are free to throw out URIs that have some other (RFC-invalid) authority part.
> 
> Unfortunately, the document this most affects is already in the editor queue. But I think the new otherName type-id OID will be needed to avoid potential tooling compatibility issues. My plan is to propose adding a new otherName OID for any DTN Endpoint ID (as a URI) and then use that for DTN Node IDs as a subset of EIDs. The logic is almost identical to current SAN URI except for those DNS/IP related restrictions on SAN URI content being replaced by DTN scheme restrictions.
> 
> On Sun, Aug 15, 2021 at 11:11 AM Salz, Rich <rsalz@akamai.com <mailto:rsalz@akamai.com>> wrote:
> Does it seems like it's at all reasonable, from the perspective of the security area and focus on PKIX (documents and tools), for an application profile like this to say to conform to "... RFC 5280 with the exception of the FQDN/IP-address restriction on URI authority part". It's not exactly an update to RFC 5280 but I don't know how valid or typical it is for one RFC to relax requirements from a normative reference.
>  
> 
> How would that work?  Let’s take an application using OpenSSL.  It currently calls d2i_X509() to parse the DER into internal format. It does various cert checks along the way. Would you add a new API (because you can’t change the calling sequence it breaks all existing applications), and then pass that flag down through all the call stack?
> 
>

v2.23.0 | Report a Bug | By Email