Re: [Anima] representing ACP info in X.509 certs
Toerless Eckert <tte@cs.fau.de> Sat, 27 June 2020 14:19 UTC
Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FA003A093C for <anima@ietfa.amsl.com>; Sat, 27 Jun 2020 07:19:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.36
X-Spam-Level:
X-Spam-Status: No, score=-0.36 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_ABOUTYOU=0.5, HEADER_FROM_DIFFERENT_DOMAINS=0.249, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, T_FILL_THIS_FORM_SHORT=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jwTtbnu_PBwt for <anima@ietfa.amsl.com>; Sat, 27 Jun 2020 07:19:18 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:40]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D230E3A093D for <anima@ietf.org>; Sat, 27 Jun 2020 07:19:17 -0700 (PDT)
Received: from faui48f.informatik.uni-erlangen.de (faui48f.informatik.uni-erlangen.de [131.188.34.52]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id 6E731548011; Sat, 27 Jun 2020 16:19:11 +0200 (CEST)
Received: by faui48f.informatik.uni-erlangen.de (Postfix, from userid 10463) id 64E2E440043; Sat, 27 Jun 2020 16:19:11 +0200 (CEST)
Date: Sat, 27 Jun 2020 16:19:11 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: Stephen Kent <stkent=40verizon.net@dmarc.ietf.org>
Cc: Brian E Carpenter <brian.e.carpenter@gmail.com>, "Owen Friel (ofriel)" <ofriel@cisco.com>, Eric Rescorla <ekr@rtfm.com>, rfcSELF+fd89b714F3db00000200000064000000+area51.research@acp.example.com, Anima WG <anima@ietf.org>
Message-ID: <20200627141911.GA49753@faui48f.informatik.uni-erlangen.de>
References: <ece7aed3-ede3-5546-4586-1d98d3f71183.ref@verizon.net> <ece7aed3-ede3-5546-4586-1d98d3f71183@verizon.net> <CABcZeBMncZSQOfYsoVS-ZZoSbqZGOg+vQ41OdzAejrRfVozhyQ@mail.gmail.com> <MN2PR11MB3901DD5D6176FEEA43EB9D72DB940@MN2PR11MB3901.namprd11.prod.outlook.com> <6981a76f-76f1-e9b2-319d-473c7a4bc847@verizon.net> <6c4e402f-cce6-daff-aa16-6159340f0802@gmail.com> <9c09debe-3463-a574-46cf-cee86a2c68af@verizon.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <9c09debe-3463-a574-46cf-cee86a2c68af@verizon.net>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/3gLkAgihfILhVoK8247lIFKA2bI>
Subject: Re: [Anima] representing ACP info in X.509 certs
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 27 Jun 2020 14:19:20 -0000
Dear Stephen, Thank you very much for your thoughts, but i do not think we can move the discussion ahead when it stops with non-technical opinion dropping statements like "lets not play games" (you) or "i do not think this is the right thing to do" (Ben/Russ). Could you please explain your assertion with technical arguments ? More inline On Tue, Jun 23, 2020 at 07:52:25PM -0400, Stephen Kent wrote: > Brian, > > Common sense argues against putting something other than an e-mail address in the rfc822namem attribute. > > > > I expect ADs to use common sense, as well as careful reading of prior RFCs, when making decisions. > > Indeed, but that cuts both ways, since running code is our goal. No parser is in a position to say that rfcSELF+fd89b714F3db00000200000064000000+area51.research@acp.example.com isn't an email address. > > If we were only AIs that would be a suitable reply ;-). I can only guess what this mean. You don't like the look of it as a human ? I for once have been confused a lot by solutions where some data only have a well-defined binary representation for "AI" ? to handle but none for humans. In result, those solutions all are IMHO hard to troubleshoot, because every CLI/GUI software came up with its own representation. For information which naturally represents the domain, name and role attributes of an entity, there is IMHO no better human recognizable standardized representation in a single string than using the local-part@domain format. ACP nodes in the acp.example.com domain only have one name, which is their registrar assigned IPv6 address, therefore fd89b714F3db00000200000064000000@acp.example.com really is the most human readible representation of that identification i can think of. rfcSELF+fd89b714F3db00000200000064000000@acp.example.com The rfcSELF is just a prefix to allow isolation of namespaces in the local part. Think of staff.john.smith@example.com vs. contractor.john.smith@example.com Likewise the +area51.research is just like a department name, john.smith.research.area51@example.com A lot more legible than what poor network operators would normally see IMHO. > But, we're not- we all know that the proposed IDs are NOT rfc822 addresses, > so let's not play games. This is not meant to be playing games. These are syntactically perfect rfc822Names/ email-addresses and semantically they can be perfect electronic mail boxes. Remember that as the draft explains also in section 6.1.2, there is good amount of prior examples where local-part@domain is used as just identifiers without using any email boxes in the process. For example inter-domain access authentication, eduroam or the like. [ Then again, IMHO IETF is also supposed to develop new technologies, so i am not even sure why i always end up having to argue that solutions are better because they don't do something fundamentally new.] > The simple answer is that when, in the past, developers have chosen to abuse > the semantics of subject name fields in certs, the result shave been VERY > long lasting, and embarrassing. Long ago, Netscape chose to shove a DNS name > into the DN common name filed because it was an easy fix for their problem. > As a result, we still have browsers and CAs that misuse that field. At least > that egregious behavior was not the result of an IETF WG. Let's not screw > this up in the name of expediency! I have also not seen a reply from you to Michael Richardsons question about that statement. I am not aware of the history, so i can not comment, but i am curious about your reply. Nevertheless, i do not think your example has any relevance here, because we are not choosing a potentially wrong encoding for an existing piece of information, but we are arguing that our strgins are are perrfectly syntactic and semantic correct electronic email addresses and therefore deserve to use the standard encoding for electronic email addresses. Cheers Toerless > > Steve > > _______________________________________________ > Anima mailing list > Anima@ietf.org > https://www.ietf.org/mailman/listinfo/anima -- --- tte@cs.fau.de
- [Anima] representing ACP info in X.509 certs Stephen Kent
- Re: [Anima] representing ACP info in X.509 certs Eric Rescorla
- Re: [Anima] representing ACP info in X.509 certs Michael Richardson
- Re: [Anima] representing ACP info in X.509 certs Eric Rescorla
- Re: [Anima] representing ACP info in X.509 certs Owen Friel (ofriel)
- Re: [Anima] representing ACP info in X.509 certs Stephen Kent
- Re: [Anima] representing ACP info in X.509 certs Brian E Carpenter
- Re: [Anima] representing ACP info in X.509 certs Stephen Kent
- Re: [Anima] representing ACP info in X.509 certs Michael Richardson
- Re: [Anima] representing ACP info in X.509 certs Eliot Lear
- Re: [Anima] representing ACP info in X.509 certs Toerless Eckert
- Re: [Anima] representing ACP info in X.509 certs Eliot Lear
- Re: [Anima] representing ACP info in X.509 certs Toerless Eckert
- Re: [Anima] representing ACP info in X.509 certs Eric Rescorla
- Re: [Anima] representing ACP info in X.509 certs Toerless Eckert
- Re: [Anima] representing ACP info in X.509 certs Stephen Kent
- Re: [Anima] representing ACP info in X.509 certs Toerless Eckert