Re: [Anima] Russ: Re: rfc822Name use in Autonomic Control Plane document

Russ Housley <> Sun, 28 June 2020 14:32 UTC

From: Russ Housley <>
Date: Sun, 28 Jun 2020 10:32:37 -0400
Cc: Michael Richardson <>,, Ben Kaduk <>
To: Toerless Eckert <>

> On Jun 27, 2020, at 6:46 PM, Toerless Eckert <> wrote:
> On Sat, Jun 27, 2020 at 11:52:20AM -0400, Russ Housley wrote:
>> Toerless:
>> I think Brian actually made my point.  While the field contains an email address, using it as such would result in a delivery failure.  The private key holder cannot be reached by this address.
> Russ, I said:
>> First of all, you can if you want to,
>  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Aka: Yes, if an ACP admin thinks ACME style challenge/reply
> email authentication mechanism is useful, then he can of course
> set up those email addresses accordingly. I did reply to that
> point exhaustively in my reply about the ACME email mechanism.
> Why do you ignore that answer ?

You and Michael have said that MX records could be set up, but Brian says that will lead to delivery failures.  And then Ben pointed out that a single mailbox rfcSELF@<domain> is used for all ACP identities in the domain.  That has not been resolved.

>> and secondly, I contest that it is a requirement to be able
>> to do that if the recipient doesn't need to support it.
>  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> Think about
>> You do want to make sure though that you are in control of
>> the electronic mail address though, and that is given for ACP
>> addresses.
> Where in rfc5280 or any other generic RFC about certificates does
> it say you MUST have a mailbox that is reachable ? Where does it
> say that all certificates with rfc822Name must be email boxes
> that support ACME email style challenge-reply about the email address ?
> I think this is a non-existing requirement against email addresses.
> Of course, can have a certificate with
> that rfc822Name. It just can't use the ACME mechanism to be
> generated. But the signed mails sent from that address can be
> authenticated.
> Or there are never emails, because the email address just serves
> as identifier of an entity such as in wifi roaming identification
> and authentication. In that case you are not authenticating
> e.g.: password ownership for the email address via actual emails
> but via AAA protocols against a DNS domain known AAA server
> for the domain part of the email address.
> If you want to write a standards track RFC that all email addresses
> used in any X.509v3 certificate MUST support an ACME style 
> challenge/reply email, then please do that, and see if you get
> that through. It would invalidate a lot of solutions like
> those wifi roaming ones. It WOULD NOT invalidate the ACP
> solution, because as said (now several times) the ACP solution
> can perfectly be set up to support this. It just does not
> need to.

I have explained my reasoning in a note yesterday in response to Brian, and it had nothing to do with ACME.