IETF Logo Mail Archive

Re: [Acme] Practical concerns of draft-ietf-acme-ari

Michael Richardson <mcr+ietf@sandelman.ca> Sat, 29 July 2023 19:58 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A142DC15155E for <acme@ietfa.amsl.com>; Sat, 29 Jul 2023 12:58:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NgtuKiklG0CN for <acme@ietfa.amsl.com>; Sat, 29 Jul 2023 12:58:17 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E2730C14CEFD for <acme@ietf.org>; Sat, 29 Jul 2023 12:58:16 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id BBAAE3899B for <acme@ietf.org>; Sat, 29 Jul 2023 15:58:14 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id WpI3L9fXzc5y for <acme@ietf.org>; Sat, 29 Jul 2023 15:58:13 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 13A813899A for <acme@ietf.org>; Sat, 29 Jul 2023 15:58:13 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sandelman.ca; s=mail; t=1690660693; bh=PqEiH1qqXpLfFKJDIFJbuLY+ZAR/stCGO3276cFM6BM=; h=From:To:Subject:In-Reply-To:References:Date:From; b=VFLr0NyUA4Fy2FS7SjytbAkI61u1lP/FeK75I5WCsOW/SlSft77kBFTnUK/L1xylz t9RWhK5+KIJHtx+5/o5ijIMV84LnW9vvCsBZTfWi+Stlskb9QZYDkY43foapaqIJWa ToHNdM2DMTp+VzlrOivx+E15iDGS0Mrb03SdgwJMgXmnJemp3JEEAKu7lZQO0p3sk9 UY8miTnSYIkIuVi0CgNvmix6+Ib4aOwfBM0zFDniEpM3Z2Rbxf2vN8LPi+JWjRvIwK IidHDU/Yw6hVr2yR4rpBEmxHdoC/6m1XIKxnY8CF/1BKlem2mG2uXOirP8y/+WzdT4 cW/tVNlxgRuUA==
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 6A34B143A for <acme@ietf.org>; Sat, 29 Jul 2023 13:32:41 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "acme@ietf.org" <acme@ietf.org>
In-Reply-To: <MW4PR17MB472910A4D0B37F0F4681A32AAA06A@MW4PR17MB4729.namprd17.prod.outlook.com>
References: <CAMML1Ajb8CHbPNqWK+afF0hJADxfxLXMG5Xoc9WL5tEUtwX+Xw@mail.gmail.com> <SN7PR14MB64921275EDE8DA4533381DCA832FA@SN7PR14MB6492.namprd14.prod.outlook.com> <CAEmnErdnGB3Jd-_GjsU0CpWOckwSHVVAyjzoxuFUp931+7pPVg@mail.gmail.com> <ZLjRGQaK8JS3kihW@LK-Perkele-VII2.locald> <CAGgd1OdbympHkmJkGBPvm2y+rGjNATPJoSrdG6MmxRQwXa8bUw@mail.gmail.com> <ZLlAKmRZdb8f8vdI@LK-Perkele-VII2.locald> <CAEmnErfJnmTvJX4M_Osji8LpSeD7jF6qMx29peMN6K0gN7WBUA@mail.gmail.com> <MW4PR17MB4729497927B40D3B9295A849AA00A@MW4PR17MB4729.namprd17.prod.outlook.com> <ZMFx4DmNpctPjoDZ@LK-Perkele-VII2.locald> <MW4PR17MB472910A4D0B37F0F4681A32AAA06A@MW4PR17MB4729.namprd17.prod.outlook.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 27.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Sat, 29 Jul 2023 13:32:41 -0400
Message-ID: <3299.1690651961@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/gbGc9TGn-LzMEyJA-BwZe7zvrvY>
Subject: Re: [Acme] Practical concerns of draft-ietf-acme-ari
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Jul 2023 19:58:22 -0000

Rob Stradling <rob=40sectigo.com@dmarc.ietf.org> wrote:
    >> > Is it required that a CA's Subject DN must be globally unique?  No.
    >> 
    >> RFC 5280, section 4.1.2.2: "It [the serial number] MUST be unique for
    >> each certificate issued by a given CA (i.e., the issuer name and
    >> serial number identify a unique certificate)."

    > Ah, so a CA's Subject DN does have to be globally unique then!  So if

No, it does not. It does not even need to be unique within the CA.
And if you think about it, if someone wants a new certificate before the old
one expires, one needs exactly that.  IssuerDN+(certificate)SerialNumber is
unique, nothing else.

This is why have have the certificate transparency situation, and

https://www.csoonline.com/article/548734/hacking-the-real-security-issue-behind-the-comodo-hack.html
https://nakedsecurity.sophos.com/2011/03/24/fraudulent-certificates-issued-by-comodo-is-it-time-to-rethink-who-we-trust/
And why we now have the CAA RR in DNS.


-- 
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

v2.23.0 | Report a Bug | By Email