Re: [Acme] Practical concerns of draft-ietf-acme-ari
Rob Stradling <rob@sectigo.com> Mon, 31 July 2023 09:53 UTC
From: Rob Stradling <rob@sectigo.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, "acme@ietf.org" <acme@ietf.org>
Thread-Topic: [Acme] Practical concerns of draft-ietf-acme-ari
Thread-Index: AQHZpe7WmdkZw0IL1EGdJOScH/LOca+rVGwAgBZ6EwCAAIjpgIAAR1EAgAA9FgCAABjCgIAJP7FwgABsNwCAAnNjZYACJaCAgAKjs2I=
Date: Mon, 31 Jul 2023 09:53:40 +0000
Message-ID: <MW4PR17MB47297B3CD36DBA25DA1DE9C6AA05A@MW4PR17MB4729.namprd17.prod.outlook.com>
References: <CAMML1Ajb8CHbPNqWK+afF0hJADxfxLXMG5Xoc9WL5tEUtwX+Xw@mail.gmail.com> <SN7PR14MB64921275EDE8DA4533381DCA832FA@SN7PR14MB6492.namprd14.prod.outlook.com> <CAEmnErdnGB3Jd-_GjsU0CpWOckwSHVVAyjzoxuFUp931+7pPVg@mail.gmail.com> <ZLjRGQaK8JS3kihW@LK-Perkele-VII2.locald> <CAGgd1OdbympHkmJkGBPvm2y+rGjNATPJoSrdG6MmxRQwXa8bUw@mail.gmail.com> <ZLlAKmRZdb8f8vdI@LK-Perkele-VII2.locald> <CAEmnErfJnmTvJX4M_Osji8LpSeD7jF6qMx29peMN6K0gN7WBUA@mail.gmail.com> <MW4PR17MB4729497927B40D3B9295A849AA00A@MW4PR17MB4729.namprd17.prod.outlook.com> <ZMFx4DmNpctPjoDZ@LK-Perkele-VII2.locald> <MW4PR17MB472910A4D0B37F0F4681A32AAA06A@MW4PR17MB4729.namprd17.prod.outlook.com> <3299.1690651961@localhost>
In-Reply-To: <3299.1690651961@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/xpQblVqrpXyw1PP6RFfpjgiMrzw>
> > Ah, so a CA's Subject DN does have to be globally unique then! So if
>
> No, it does not. It does not even need to be unique within the CA.
>
> And if you think about it, if someone wants a new certificate before the old
> one expires, one needs exactly that. IssuerDN+(certificate)SerialNumber is
> unique, nothing else.

I think we're in violent agreement. The CA's Subject DN is the IssuerDN in the certs issued by that CA.

________________________________
From: Acme <acme-bounces@ietf.org> on behalf of Michael Richardson <mcr+ietf@sandelman.ca>
Sent: 29 July 2023 18:32
To: acme@ietf.org <acme@ietf.org>
Subject: Re: [Acme] Practical concerns of draft-ietf-acme-ari

Rob Stradling <rob=40sectigo.com@dmarc.ietf.org> wrote:
    >> > Is it required that a CA's Subject DN must be globally unique? No.
    >>
    >> RFC 5280, section 4.1.2.2: "It [the serial number] MUST be unique for
    >> each certificate issued by a given CA (i.e., the issuer name and
    >> serial number identify a unique certificate)."

    > Ah, so a CA's Subject DN does have to be globally unique then! So if

No, it does not. It does not even need to be unique within the CA.

And if you think about it, if someone wants a new certificate before the old
one expires, one needs exactly that. IssuerDN+(certificate)SerialNumber is
unique, nothing else.

This is why we have the certificate transparency situation, and
https://www.csoonline.com/article/548734/hacking-the-real-security-issue-behind-the-comodo-hack.html
https://nakedsecurity.sophos.com/2011/03/24/fraudulent-certificates-issued-by-comodo-is-it-time-to-rethink-who-we-trust/

And why we now have the CAA RR in DNS.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
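The uniqueness rule the two messages above agree on, shown in running code. This is an added example and not code from the thread, the ACME working group or draft-ietf-acme-ari; it assumes the third-party `cryptography` package is installed, and the CA names, hostnames and serial numbers are constructed for illustration. It builds a small PKI in which the intermediate CA's certificate is renewed before expiry (same Subject DN, same key, new serial) and one leaf reuses a serial number that the root also issued, then indexes the certificates three ways: by Subject DN (collides, as the thread says it may), by serial number alone (collides across CAs), and by issuer name plus serial number (unique, per RFC 5280 section 4.1.2.2).

```python
"""Added example: Subject DN vs. issuer-name+serial as certificate identifiers.
Not from the ACME list thread. Assumes the `cryptography` package is installed;
all names and serial numbers below are constructed for illustration."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Fixed validity window so the generated certificates are deterministic apart
# from the keys (constructed values, not taken from any real CA).
NOT_BEFORE = datetime.datetime(2023, 7, 1)


def _name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def _cert(subject, issuer, signing_key, public_key, serial, is_ca):
    """Issue a certificate; the issuer name is the signing CA's Subject DN."""
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(public_key)
        .serial_number(serial)
        .not_valid_before(NOT_BEFORE)
        .not_valid_after(NOT_BEFORE + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(signing_key, hashes.SHA256())


def build_pki():
    """Constructed PKI: root, an intermediate renewed under the same name and
    key, and two leaves. Serial 2 is deliberately used by both the root (for
    the first intermediate cert) and the intermediate (for a leaf)."""
    root_name, ca_name = _name("Example Root"), _name("Example CA")
    root_key = ec.generate_private_key(ec.SECP256R1())
    ca_key = ec.generate_private_key(ec.SECP256R1())
    leaf_a_key = ec.generate_private_key(ec.SECP256R1())
    leaf_b_key = ec.generate_private_key(ec.SECP256R1())

    root = _cert(root_name, root_name, root_key, root_key.public_key(), 1, True)
    # The intermediate's certificate is renewed before the old one expires:
    # identical Subject DN and key, only the serial number differs.
    ca_v1 = _cert(ca_name, root_name, root_key, ca_key.public_key(), 2, True)
    ca_v2 = _cert(ca_name, root_name, root_key, ca_key.public_key(), 3, True)
    leaf_a = _cert(_name("a.example.test"), ca_name, ca_key, leaf_a_key.public_key(), 2, False)
    leaf_b = _cert(_name("b.example.test"), ca_name, ca_key, leaf_b_key.public_key(), 4, False)
    return [root, ca_v1, ca_v2, leaf_a, leaf_b]


def by_subject(cert):
    return cert.subject.rfc4514_string()


def by_serial(cert):
    return cert.serial_number


def by_issuer_and_serial(cert):
    # The key RFC 5280 says is unique: issuer name + serial number.
    return (cert.issuer.rfc4514_string(), cert.serial_number)


def collisions(certs, key):
    """Return the sorted list of key values shared by more than one cert."""
    buckets = {}
    for cert in certs:
        buckets.setdefault(key(cert), []).append(cert)
    return sorted(k for k, v in buckets.items() if len(v) > 1)


if __name__ == "__main__":
    pki = build_pki()
    print("Subject DN collisions:       ", collisions(pki, by_subject))
    print("Serial-only collisions:      ", collisions(pki, by_serial))
    print("Issuer+serial collisions:    ", collisions(pki, by_issuer_and_serial))
```

Running it reports one Subject DN collision (`CN=Example CA`, the renewed intermediate), one serial-only collision (serial 2, issued by two different CAs) and no collision on issuer name plus serial, which is why a lookup that wants to name exactly one certificate has to carry both fields.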