Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid-04
Ryan Sleevi <ryan-ietf@sleevi.com> Sun, 15 August 2021 03:45 UTC
Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB3823A0A73 for <acme@ietfa.amsl.com>; Sat, 14 Aug 2021 20:45:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.645
X-Spam-Level:
X-Spam-Status: No, score=-1.645 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1qicHsKJlZDt for <acme@ietfa.amsl.com>; Sat, 14 Aug 2021 20:45:54 -0700 (PDT)
Received: from mail-pj1-f43.google.com (mail-pj1-f43.google.com [209.85.216.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 833453A0A70 for <acme@ietf.org>; Sat, 14 Aug 2021 20:45:54 -0700 (PDT)
Received: by mail-pj1-f43.google.com with SMTP id qe12-20020a17090b4f8c00b00179321cbae7so11455863pjb.2 for <acme@ietf.org>; Sat, 14 Aug 2021 20:45:54 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Grx8MWgo5CpPlyP3Y0Lw8+Dpc9ZBQOTFFXbH/NG1wyc=; b=my3iDzhBjbV0whxtllGodHMyNTelRiQa2kurUrz4M9f9RFpSwvIduH7SodiS3zezPz kr65MhRDpLPR8unJuAPz6XvnhNHuY61FcZWfML87ssXbpJ4ZptjmgNORSu279WsJLn/U aTwVG1oqy8evrS82iv0niYNfBOsJe/Wip7KhpIMyRNdusGZUIBeuproRKov5ZhitzTNA uK8GbLp4K/Yg2DdBftkJ6iwU7rZELZI0fcyc/WI061PdtwI03gyQNXRv+aAaURq8Qcze nVqaXV4cZ/3J5TlCKXHufxeaGrGLGjPiNcLSYE7317f1WSyAbhxBtg8rqXd5+jOZhqtX SH6g==
X-Gm-Message-State: AOAM532qfF6rrlBaXN5YztkqHmoJRquEZmeLNdypSMeL6VAH2nXLlbsz Qj4OK9CSKAFqozXyWNiQH0gFK7Udtl0=
X-Google-Smtp-Source: ABdhPJzkX5dAvQiczGYzwj/Wqsf4W/Imfz6LUhSofTrD0S3hL/ntmwzyNvj0qsbxCUGkfXDKCotZUA==
X-Received: by 2002:aa7:838a:0:b029:3b7:31a5:649c with SMTP id u10-20020aa7838a0000b02903b731a5649cmr9596731pfm.44.1628999153766; Sat, 14 Aug 2021 20:45:53 -0700 (PDT)
Received: from mail-pl1-f175.google.com (mail-pl1-f175.google.com. [209.85.214.175]) by smtp.gmail.com with ESMTPSA id 141sm7013422pfv.15.2021.08.14.20.45.53 for <acme@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 14 Aug 2021 20:45:53 -0700 (PDT)
Received: by mail-pl1-f175.google.com with SMTP id c17so11606991plz.2 for <acme@ietf.org>; Sat, 14 Aug 2021 20:45:53 -0700 (PDT)
X-Received: by 2002:a17:90a:9205:: with SMTP id m5mr10223606pjo.172.1628999153005; Sat, 14 Aug 2021 20:45:53 -0700 (PDT)
MIME-Version: 1.0
References: <4ddbcc0b9ba6e2942fd1d95c412e41e6988b8a59.camel@rkf-eng.com> <PH2P110MB0936035312E5FE600262D9DDDCFA9@PH2P110MB0936.NAMP110.PROD.OUTLOOK.COM> <CAErg=HE4VN9kbhO_Ez06GGtF7QEXe1zDSM=75n8YnK4aKKPz5g@mail.gmail.com> <BN1P110MB09390636D5A3778ED836CF1FDCFA9@BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM> <CC82C5CA-96A5-48AD-957F-7F13C4E2DCFD@akamai.com> <CAM1+-ghAC4WGqN5hyneZgXpbNNy9uWU1vkN+X-YAqY5+ZAEf7w@mail.gmail.com>
In-Reply-To: <CAM1+-ghAC4WGqN5hyneZgXpbNNy9uWU1vkN+X-YAqY5+ZAEf7w@mail.gmail.com>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Sat, 14 Aug 2021 23:45:42 -0400
X-Gmail-Original-Message-ID: <CAErg=HE53J1WhnO8m8s4M8ei4KcdQqD7b_9CC_TM8Us=OORoBw@mail.gmail.com>
Message-ID: <CAErg=HE53J1WhnO8m8s4M8ei4KcdQqD7b_9CC_TM8Us=OORoBw@mail.gmail.com>
To: Brian Sipos <brian.sipos@gmail.com>
Cc: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>, Roman Danyliw <rdd@cert.org>, Ryan Sleevi <ryan-ietf@sleevi.com>, Brian Sipos <BSipos@rkf-eng.com>, "acme@ietf.org" <acme@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000dab98c05c990ebd9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/eNlorrzTO_Xmg7eyC83-fZv_TFk>
Subject: Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid-04
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Aug 2021 03:46:00 -0000
On Sat, Aug 14, 2021 at 6:18 PM Brian Sipos <brian.sipos@gmail.com> wrote: > Does it seems like it's at all reasonable, from the perspective of the > security area and focus on PKIX (documents and tools), for an application > profile like this to say to conform to "... RFC 5280 with the exception of > the FQDN/IP-address restriction on URI authority part". It's not exactly an > update to RFC 5280 but I don't know how valid or typical it is for one RFC > to relax requirements from a normative reference. > I think that would be specifically ill-advised, and most likely harm interoperability. The reality is implementations by and large don't offer the flexibility being described here, and would see it as a security issue to do so (given how constraints work with URIs), so the net effect is to encourage implementers of this spec to "fork" RFC 5280, and, by nature, fork the libraries or implementations due to a respectable unwillingness of upstream to accept such relaxations. So no, it's atypical, and not at all recommended. Given that URI SANs / nameConstraints are already a security and interoperability disaster [1] [2], avoiding building on them is absolutely the way to go, even if the URI itself was conforming. [1] https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf [2] https://datatracker.ietf.org/doc/html/draft-ruby-url-problem-01 > On the other hand, I see no reason why a new otherName OID allocation > under the "SMI Security for PKIX Other Name Forms" IANA sub-registry [2] > could not be used with the same value (a Node ID URI) and value encoding > (IA5String). The PKIX profile for DTN is new and I doubt it has much > deployment yet within DTNs. But now's the time to settle this out; the > TCPCLv4 doc defining the profile is still in the RFC editor's queue. > Yes. This is a 'happy path' that supports interop with a number of existing libraries and tools.
- [Acme] AD Review of draft-ietf-acme-dtnnodeid-04 Roman Danyliw
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Brian Sipos
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Roman Danyliw
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Ryan Sleevi
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Roman Danyliw
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Salz, Rich
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Russ Housley
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Brian Sipos
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Ryan Sleevi
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Salz, Rich
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Brian Sipos
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Roman Danyliw
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Russ Housley
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Brian Sipos
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Roman Danyliw