IETF Logo Mail Archive

Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid-04

Brian Sipos <brian.sipos+ietf@gmail.com> Fri, 20 August 2021 21:08 UTC

Return-Path: <brian.sipos@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FD9D3A0C92 for <acme@ietfa.amsl.com>; Fri, 20 Aug 2021 14:08:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7njvzwmi1hRT for <acme@ietfa.amsl.com>; Fri, 20 Aug 2021 14:08:00 -0700 (PDT)
Received: from mail-il1-x12a.google.com (mail-il1-x12a.google.com [IPv6:2607:f8b0:4864:20::12a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0DE6D3A0C7F for <acme@ietf.org>; Fri, 20 Aug 2021 14:08:00 -0700 (PDT)
Received: by mail-il1-x12a.google.com with SMTP id f15so10807068ilk.4 for <acme@ietf.org>; Fri, 20 Aug 2021 14:07:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=0FpsZmSz9trRz2g+oz3ZzZVl+pjBs+vozCln0VMTCxY=; b=EkrjGud3bABJ/4i/sJPHzSKsSebLi2xaEefH+fuegrKe1FFsSVT7qNqJV2pOJ7+tWI FVmnvMkr7Kg7zw/SIGjhmcNmNz3GDF+1HJmCNbbaQaqRtPm/iTqG6aHN3Um+HCb0rYrv THAt6e8NPirizFO2SwFGJnrukGPZXdgLRgngfNdd+gHE8xjegDIh4wb6QQy79eVcs1tc SH5VLMV43GLlBgTzhDESP1NOPT9vkTKdqTqZwOylg5DxLodP3qRUdxaEbUe2EgScfMBW swxuWUp5eB3YuAp9HjaejwPvavhERPjUHJqGS5uUhrifG5rtJrfuPq3OSvmp6EIYOrSI 7Vyg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=0FpsZmSz9trRz2g+oz3ZzZVl+pjBs+vozCln0VMTCxY=; b=QYmRGRvv87TFNzoT+767CHPgGRunW5kSwV+fVTTquN2y3jXCQi9VM6QNLYjtOV2rSC jCWcYcP/s8lBpP96XwSBCXE16sQ6qVhSZcRM/vfJ8M+RVawZCsAkkUNDlSxC3ON7846U hpZqxzGcj2Jw7EWaC0XTnrIwKe/6g7WA3+1dAU5leYM9tl9NZTnUprS0MVigjTfmDE6c WtdjMqCIlBrZuF7t3uGMmeuNThiYLlyTxM4w3lwDbSt0D37oPwFkzusr3eN6g4/ghQLI vFF0YHQTil52vCOkfP/IgCR0LxHidtq72eMXnD/oiIUsEDWiePNuI+E7AbSnhGchdo3L kLmw==
X-Gm-Message-State: AOAM531lLp7EdaB5JhzmcncbVbfKUCjOn5JqswnMRB8I7GsoxHcqPa/e MFzgXGXPx3bEzUBrAo7l8qb8MnDQtXxUKJFYGQM=
X-Google-Smtp-Source: ABdhPJx4Mh4ZlAndSRAlVZBRsgw/EenJw1qHJgR9kpHfgiFi4ztekTl6d+A0u8hBKg6yNzmY0hYCtiAEYblVoQCgnbw=
X-Received: by 2002:a92:c90a:: with SMTP id t10mr15755458ilp.188.1629493677855; Fri, 20 Aug 2021 14:07:57 -0700 (PDT)
MIME-Version: 1.0
References: <4ddbcc0b9ba6e2942fd1d95c412e41e6988b8a59.camel@rkf-eng.com> <PH2P110MB0936035312E5FE600262D9DDDCFA9@PH2P110MB0936.NAMP110.PROD.OUTLOOK.COM> <CAErg=HE4VN9kbhO_Ez06GGtF7QEXe1zDSM=75n8YnK4aKKPz5g@mail.gmail.com> <BN1P110MB09390636D5A3778ED836CF1FDCFA9@BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM> <CC82C5CA-96A5-48AD-957F-7F13C4E2DCFD@akamai.com> <CAM1+-giYmrscQW28uHH5Oqv6AiUmO-qW+uOtm9Se8g5OofA6Rw@mail.gmail.com> <B2058833-D904-4436-962B-A8ECB4A8BD42@akamai.com> <CAM1+-ggHiwhPKn0J1o2fmAwzPKHVdd3T_An-g0HxbL9rGNCFiA@mail.gmail.com> <122E89B1-9746-4909-B1BA-C0C92AD852D0@vigilsec.com>
In-Reply-To: <122E89B1-9746-4909-B1BA-C0C92AD852D0@vigilsec.com>
From: Brian Sipos <brian.sipos+ietf@gmail.com>
Date: Fri, 20 Aug 2021 17:07:44 -0400
Message-ID: <CAM1+-ggH4ddz9sKmZmxtMb7hHuKB_-x14Tp2Onx1PxkEaX4U+Q@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>, Zaheduzzaman Sarker <Zaheduzzaman.Sarker@ericsson.com>
Cc: Brian Sipos <BSipos@rkf-eng.com>, Rich Salz <rsalz@akamai.com>, "Roman D. Danyliw" <rdd@cert.org>, Ryan Sleevi <ryan-ietf@sleevi.com>, IETF ACME <acme@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d5184f05ca040f89"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/fNl85dK_o6qt2owcqBg3a7TCwzs>
Subject: Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid-04
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Aug 2021 21:08:05 -0000

Not yet. The document's original AD was Magnus Westerlund, but the new DTN
documents were handed off to new AD Zaheduzzaman Sarker (included on this
message) earlier this year.
My feeling of the DTN WG perspective regarding the PKIX details is: "figure
out the right way to do it," because there is no well established PKI in
that domain that would need to retain compatibility.

For Zahed, the original ACME review which drove this discussion was <
https://mailarchive.ietf.org/arch/msg/acme/7HaJSiLnZ21zppL8p6MMIr6JEaI/>. I
have been posting summaries of this discussion in the DTN mailing list
also, starting at <
https://mailarchive.ietf.org/arch/msg/dtn/xNp_9mFjTadDivhoKZA35B5MNUk/>.

On Fri, Aug 20, 2021 at 3:44 PM Russ Housley <housley@vigilsec.com> wrote:

> Brian:
>
> Is the AD that sponsored that document part of this discussion?  If not, I
> suggest that we loop them in.
>
> Russ
>
> On Aug 20, 2021, at 3:10 PM, Brian Sipos <brian.sipos+ietf@gmail.com>
> wrote:
>
> Rich, I see your point. I had made my own assumptions that tools would
> validate that the SAN URI contained a valid URI and nothing more. But
> because the RFC 5280 requires more about the authority part some
> tools/libraries are free to throw out URIs that have some other
> (RFC-invalid) authority part.
>
> Unfortunately, the document this most affects is already in the editor
> queue. But I think the new otherName type-id OID will be needed to avoid
> potential tooling compatibility issues. My plan is to propose adding a new
> otherName OID for any DTN Endpoint ID (as a URI) and then use that for DTN
> Node IDs as a subset of EIDs. The logic is almost identical to current SAN
> URI except for those DNS/IP related restrictions on SAN URI content being
> replaced by DTN scheme restrictions.
>
> On Sun, Aug 15, 2021 at 11:11 AM Salz, Rich <rsalz@akamai.com> wrote:
>
>>
>>    - Does it seems like it's at all reasonable, from the perspective of
>>    the security area and focus on PKIX (documents and tools), for an
>>    application profile like this to say to conform to "... RFC 5280 with the
>>    exception of the FQDN/IP-address restriction on URI authority part". It's
>>    not exactly an update to RFC 5280 but I don't know how valid or typical it
>>    is for one RFC to relax requirements from a normative reference.
>>
>>
>>
>> How would that work?  Let’s take an application using OpenSSL.  It
>> currently calls d2i_X509() to parse the DER into internal format. It does
>> various cert checks along the way. Would you add a new API (because you
>> can’t change the calling sequence it breaks all existing applications), and
>> then pass that flag down through all the call stack?
>>
>>
>>
>

v2.23.0 | Report a Bug | By Email