Re: [Acme] Practical concerns of draft-ietf-acme-ari
Michael Richardson <mcr+ietf@sandelman.ca> Sat, 29 July 2023 19:58 UTC
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "acme@ietf.org" <acme@ietf.org>
Date: Sat, 29 Jul 2023 13:32:41 -0400
Message-ID: <3299.1690651961@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/gbGc9TGn-LzMEyJA-BwZe7zvrvY>
Rob Stradling <rob=40sectigo.com@dmarc.ietf.org> wrote:
    >> > Is it required that a CA's Subject DN must be globally unique? No.
    >>
    >> RFC 5280, section 4.1.2.2: "It [the serial number] MUST be unique for
    >> each certificate issued by a given CA (i.e., the issuer name and
    >> serial number identify a unique certificate)."
    > Ah, so a CA's Subject DN does have to be globally unique then! So if

No, it does not. It does not even need to be unique within the CA.
And if you think about it, if someone wants a new certificate before the
old one expires, one needs exactly that.

IssuerDN+(certificate)SerialNumber is unique, nothing else.

This is why we have the certificate transparency situation, and
  https://www.csoonline.com/article/548734/hacking-the-real-security-issue-behind-the-comodo-hack.html
  https://nakedsecurity.sophos.com/2011/03/24/fraudulent-certificates-issued-by-comodo-is-it-time-to-rethink-who-we-trust/

And why we now have the CAA RR in DNS.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
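The point above (a Subject DN is reused whenever a certificate is renewed before it expires, so only issuer name plus serial number identifies a certificate) is easy to see in code. The following Go program is an added example written for this archive page, not code from the thread or from any ACME implementation: it builds a throwaway CA (the names "Example Test CA" and "www.example.test" are constructed), issues a certificate and then its renewal for the same subject, and indexes both by Subject DN and by (issuer, serial). The Subject index collapses to one entry; the (issuer, serial) index keeps both, which is why a revocation list, an ARI lookup or a CT log entry must be keyed on the latter.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// CertKey is the one identifier RFC 5280 section 4.1.2.2 guarantees unique:
// the issuer name (kept as raw DER so encoding differences never merge two
// distinct names) plus the serial number. The Subject DN is deliberately absent.
type CertKey struct {
	IssuerDER string // hex of the DER-encoded issuer Name
	Serial    string // hex of the certificate serial number
}

// KeyOf derives the (issuer, serial) key from a parsed certificate.
func KeyOf(c *x509.Certificate) CertKey {
	return CertKey{
		IssuerDER: hex.EncodeToString(c.RawIssuer),
		Serial:    c.SerialNumber.Text(16),
	}
}

// newCA creates a self-signed test CA (constructed for this example only).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issue signs a leaf certificate for subject with the given serial. The CA is
// obliged to hand out a fresh serial per certificate; nothing forces a fresh subject.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, subject pkix.Name, serial int64) (*x509.Certificate, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// RenewalExample issues a certificate and then a renewal for the same subject
// while the first is still valid, and counts the distinct entries each index holds.
func RenewalExample() (distinctSubjects, distinctKeys int, err error) {
	ca, caKey, err := newCA()
	if err != nil {
		return 0, 0, err
	}
	subject := pkix.Name{CommonName: "www.example.test"} // constructed name
	bySubject := map[string]*x509.Certificate{}
	byKey := map[CertKey]*x509.Certificate{}
	for _, serial := range []int64{1001, 1002} { // 1002 is the early renewal
		c, err := issue(ca, caKey, subject, serial)
		if err != nil {
			return 0, 0, err
		}
		if err := c.CheckSignatureFrom(ca); err != nil { // same issuer for both
			return 0, 0, err
		}
		bySubject[c.Subject.String()] = c // collides: the renewal overwrites the original
		byKey[KeyOf(c)] = c               // distinct: the serial differs
	}
	return len(bySubject), len(byKey), nil
}

func main() {
	s, k, err := RenewalExample()
	if err != nil {
		panic(err)
	}
	fmt.Printf("distinct subjects: %d, distinct (issuer, serial) keys: %d\n", s, k)
}
```

Run it with `go run .`; it reports one distinct subject and two distinct (issuer, serial) keys. The raw DER issuer is used as the key on purpose: RFC 5280 name comparison has its own rules, and comparing a rendered string such as `Issuer.String()` can merge names that differ only in encoding, which would be the wrong direction for a uniqueness check.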