Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid-04
Russ Housley <housley@vigilsec.com> Sat, 14 August 2021 21:10 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A4B93A2927 for <acme@ietfa.amsl.com>; Sat, 14 Aug 2021 14:10:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dufWYjGxjnJN for <acme@ietfa.amsl.com>; Sat, 14 Aug 2021 14:09:59 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D2303A2922 for <acme@ietf.org>; Sat, 14 Aug 2021 14:09:59 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id DE7FE300C19 for <acme@ietf.org>; Sat, 14 Aug 2021 17:09:58 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id MFWFcmTwpVfJ for <acme@ietf.org>; Sat, 14 Aug 2021 17:09:55 -0400 (EDT)
Received: from a860b60074bd.fios-router.home (pool-141-156-161-153.washdc.fios.verizon.net [141.156.161.153]) by mail.smeinc.net (Postfix) with ESMTPSA id AFEEC300AEC; Sat, 14 Aug 2021 17:09:54 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <F8252344-FA03-496B-AC88-8335391AB176@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_C5C68C91-ADFC-45D4-8E95-36421BC5B984"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
Date: Sat, 14 Aug 2021 17:09:53 -0400
In-Reply-To: <BN1P110MB09390636D5A3778ED836CF1FDCFA9@BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM>
Cc: Ryan Sleevi <ryan-ietf@sleevi.com>, Brian Sipos <BSipos@rkf-eng.com>, IETF ACME <acme@ietf.org>
To: "Roman D. Danyliw" <rdd@cert.org>
References: <4ddbcc0b9ba6e2942fd1d95c412e41e6988b8a59.camel@rkf-eng.com> <PH2P110MB0936035312E5FE600262D9DDDCFA9@PH2P110MB0936.NAMP110.PROD.OUTLOOK.COM> <CAErg=HE4VN9kbhO_Ez06GGtF7QEXe1zDSM=75n8YnK4aKKPz5g@mail.gmail.com> <BN1P110MB09390636D5A3778ED836CF1FDCFA9@BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM>
X-Mailer: Apple Mail (2.3445.104.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/TjaCOQOYyXh3kJ1oaBcDpAsCeWc>
Subject: Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid-04
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Aug 2021 21:10:06 -0000
Roman: I think that DTN would conform with RFC 5280 and with RFC 3986 if it used one slash instead of two slashes. Is that a smaller revision than other that have been discussed? Russ > On Aug 13, 2021, at 6:59 PM, Roman Danyliw <rdd@cert.org> wrote: > > Hi Ryan! > > > From: Ryan Sleevi <ryan-ietf@sleevi.com <mailto:ryan-ietf@sleevi.com>> > Sent: Friday, August 13, 2021 4:26 PM > To: Roman Danyliw <rdd@cert.org <mailto:rdd@cert.org>> > Cc: Brian Sipos <BSipos@rkf-eng.com <mailto:BSipos@rkf-eng.com>>; acme@ietf.org <mailto:acme@ietf.org> > Subject: Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid-04 > > > > On Fri, Aug 13, 2021 at 4:04 PM Roman Danyliw <rdd@cert.org <mailto:rdd@cert.org>> wrote: > I think the current options might be: > > (1) Roughly what you said above + Make it clear that this document is NOT using the RFC5280 profile and simply reusing the data structures (but not the validation logic). Related to this, and excuse my ignorance about DTN, would it be possible to constrain these non-RFC5280-conforming certificates from appear on the internet with some normative phrasing. Technically, RFC5280 is the _Internet_ PKIX profile. This document goes to great pains to separate the internet portion of the ACME protocol exchange and the validation happening over DTN (which might be considered a "limited domain" as framed by RFC8799). > > (2) Revise RFC5280. I'm loath to pursue this path unless we really need to. > > I suspect that either of these options would be a quick way to doom interoperability. That is, for better or worse, RFC 5280 is _the_ profile of X.509 that is commonly targeted by libraries and implementations. Attempting to diverge here, or special-case exceptions, generally means that implementing an interoperable and spec-compliant implementation are increasingly unlikely, given the extant complexity inherent in X.509 and RFC 5280 to begin with (e.g. as so many implementations overlook RFC 4158 to their own peril - and to the harm of interop) > > To that end, is > > (3) Express the DTN ID as an otherName within the SAN, rather than a (non-conforming) URI > > Not an option? The downside here is the obvious loss of nameConstraints processing (RFC 5280 does not define even a processing algorithm for otherName nameConstraints, which makes sense, given the complexities there vis-a-vis multiple distinct otherNames vs multiple otherNames that make up a single logical name), but if that's an acceptable trade-off, that likely represents the most interoperable path forward. > > That's not to say otherName is readily supported "out of the box", although it is in some (e.g. most famously, Active Directory's use of the otherName for the userPrincipalName), but it fits within the "no special cases" goal of promoting interoperability, and lets one build/extend existing RFC 5280 implementations. Here, the lack of nameConstraints processing is a benefit, rather than a limitation - it makes processing and extracting such fields something relatively simple you can build on post-validation, if your library is not extensible or not receptive towards exposing library-level API support specific for DTN node IDs. > > [Roman] Thanks for proposing another option. I’d be interested to hear if this would be viable. If I’m not mistaken, in addition to changing to otherName here, Section 4.4.1 of draft-ietf-dtn-tcpclv4 would also require revision. > > Regards, > Roman > _______________________________________________ > Acme mailing list > Acme@ietf.org <mailto:Acme@ietf.org> > https://www.ietf.org/mailman/listinfo/acme <https://www.ietf.org/mailman/listinfo/acme>
- [Acme] AD Review of draft-ietf-acme-dtnnodeid-04 Roman Danyliw
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Brian Sipos
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Roman Danyliw
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Ryan Sleevi
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Roman Danyliw
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Salz, Rich
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Russ Housley
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Brian Sipos
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Ryan Sleevi
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Salz, Rich
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Brian Sipos
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Roman Danyliw
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Russ Housley
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Brian Sipos
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Roman Danyliw