Re: [Anima] Russ: Re: rfc822Name use in Autonomic Control Plane document

[Russ Housley <housley@vigilsec.com>]

> On Jun 27, 2020, at 6:46 PM, Toerless Eckert <tte@cs.fau.de> wrote:
> 
> On Sat, Jun 27, 2020 at 11:52:20AM -0400, Russ Housley wrote:
>> Toerless:
>> 
>> I think Brian actually made my point.  While the filed contains an email address, using it as such would result in a delivery failure.  The private key holder cannot be reached by this address.
> 
> Russ, i said:
> 
>> First of all, you can if you want to,
>  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> Aka: Yes, if an ACP admin thinks ACME style challenge/reply
> email authentication mechanism is useful, then he can of course
> set up those email addresses accordingly. I did reply to that
> point exhaustively in my reply about the ACME email mechanism.
> 
> Why do you ignore that answer ?

You and Michael have said that MX records could be set up, but Brian says that will lead to delivery failures.  And then Ben pointed out that a single mailbox rfcSELF@<domain> is used for all ACP identities in the domain.  That has not been resolved.

> 
>> and secondly, i contest that it is a requirement to be able
>> to do that if the recipient doesn't need to support it.
>  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
>> Think about noreply@bad-corporation.com.
>> You do want to make sure though that you are in control of
>> the electronic mail address though, and that is given for ACP
>> addresses.
> 
> Where in rfc5280 or any other generic RFC about certificates does
> it say you MUST have a mailbox that is reachable ? Where does it
> say that all certificiates with rfc822Name must be email boxes
> that support ACME email style challenge-reply about the email address ?
> I think this is a non-existing requirement against email addresses.
> 
> Of course, noreply@bad-corporation.com can have a certificate with
> that rfc822Name. It just can't use the ACME mechanism to be
> generated. But the signed mails sent from that address can be
> authenticated.
> 
> Or there are never emails, because the email address just serves
> as identifier of an entity such as in wifi roaming identification
> and authentication. In that case you are not authenticating
> e.g.: password ownership for the email address via actual emails
> but via AAA protocols against a DNS domain known AAA server
> for the domain part of the email address.
> 
> If you want to write a standards track RFC that all email addresses
> used in any X.509v3 certificate MUST support an ACME style 
> challenge/reply email, then please do that, and seee if you get
> thast through. If would invalidate a lot of solutions like
> those wifi roaming ones. It WOULD NOT invalidate the ACP
> solution, because as said (no several times) the ACP solution
> can perfectly be set up to support this. It just does not
> need to.

I have explained reasoning in a note yesterday in response to Brian, and it had nothing to do with ACME.

Russ