IETF Logo Mail Archive

Re: [Anima] representing ACP info in X.509 certs

Toerless Eckert <tte@cs.fau.de> Sat, 27 June 2020 14:19 UTC

Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FA003A093C for <anima@ietfa.amsl.com>; Sat, 27 Jun 2020 07:19:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.36
X-Spam-Level:
X-Spam-Status: No, score=-0.36 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_ABOUTYOU=0.5, HEADER_FROM_DIFFERENT_DOMAINS=0.249, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, T_FILL_THIS_FORM_SHORT=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jwTtbnu_PBwt for <anima@ietfa.amsl.com>; Sat, 27 Jun 2020 07:19:18 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:40]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D230E3A093D for <anima@ietf.org>; Sat, 27 Jun 2020 07:19:17 -0700 (PDT)
Received: from faui48f.informatik.uni-erlangen.de (faui48f.informatik.uni-erlangen.de [131.188.34.52]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id 6E731548011; Sat, 27 Jun 2020 16:19:11 +0200 (CEST)
Received: by faui48f.informatik.uni-erlangen.de (Postfix, from userid 10463) id 64E2E440043; Sat, 27 Jun 2020 16:19:11 +0200 (CEST)
Date: Sat, 27 Jun 2020 16:19:11 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: Stephen Kent <stkent=40verizon.net@dmarc.ietf.org>
Cc: Brian E Carpenter <brian.e.carpenter@gmail.com>, "Owen Friel (ofriel)" <ofriel@cisco.com>, Eric Rescorla <ekr@rtfm.com>, rfcSELF+fd89b714F3db00000200000064000000+area51.research@acp.example.com, Anima WG <anima@ietf.org>
Message-ID: <20200627141911.GA49753@faui48f.informatik.uni-erlangen.de>
References: <ece7aed3-ede3-5546-4586-1d98d3f71183.ref@verizon.net> <ece7aed3-ede3-5546-4586-1d98d3f71183@verizon.net> <CABcZeBMncZSQOfYsoVS-ZZoSbqZGOg+vQ41OdzAejrRfVozhyQ@mail.gmail.com> <MN2PR11MB3901DD5D6176FEEA43EB9D72DB940@MN2PR11MB3901.namprd11.prod.outlook.com> <6981a76f-76f1-e9b2-319d-473c7a4bc847@verizon.net> <6c4e402f-cce6-daff-aa16-6159340f0802@gmail.com> <9c09debe-3463-a574-46cf-cee86a2c68af@verizon.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <9c09debe-3463-a574-46cf-cee86a2c68af@verizon.net>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/3gLkAgihfILhVoK8247lIFKA2bI>
Subject: Re: [Anima] representing ACP info in X.509 certs
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 27 Jun 2020 14:19:20 -0000

Dear Stephen,

Thank you very much for your thoughts, but i do not think we can move
the discussion ahead when it stops with non-technical opinion dropping
statements like "lets not play games" (you) or "i do not think this
is the right thing to do" (Ben/Russ).

Could you please explain your assertion with technical arguments ?

More inline

On Tue, Jun 23, 2020 at 07:52:25PM -0400, Stephen Kent wrote:
> Brian,
> > Common sense argues against putting something other than an e-mail address in the rfc822namem attribute.
> > 
> > I expect ADs to use common sense, as well as careful reading of prior RFCs, when making decisions.
> > Indeed, but that cuts both ways, since running code is our goal. No parser is in a position to say that rfcSELF+fd89b714F3db00000200000064000000+area51.research@acp.example.com isn't an email address.
> 
> If we were only AIs that would be a suitable reply ;-).

I can only guess what this mean. You don't like the look of it as a human ?

I for once have been confused a lot by solutions where some data only
have a well-defined binary representation for "AI" ? to handle but none
for humans. In result, those solutions all are IMHO hard to troubleshoot, because
every CLI/GUI software came up with its own representation. For information
which naturally represents the domain, name and role attributes of an
entity, there is IMHO no better human recognizable standardized
representation in a single string than using the local-part@domain format.

ACP nodes in the acp.example.com domain only have one name, which is
their registrar assigned IPv6 address, therefore

   fd89b714F3db00000200000064000000@acp.example.com

really is the most human readible representation of that identification i can
think of.

   rfcSELF+fd89b714F3db00000200000064000000@acp.example.com

The rfcSELF is just a prefix to allow isolation of namespaces in the
local part. Think of staff.john.smith@example.com vs. contractor.john.smith@example.com

Likewise the +area51.research is just like a department name,
john.smith.research.area51@example.com

A lot more legible than what poor network operators would normally see IMHO.

> But, we're not- we all know that the proposed IDs are NOT rfc822 addresses,
> so let's not play games.

This is not meant to be playing games. These are syntactically perfect rfc822Names/
email-addresses and semantically they can be perfect electronic mail boxes.
Remember that as the draft explains also in section 6.1.2, there is good amount
of prior examples where local-part@domain is used as just identifiers without
using any email boxes in the process. For example inter-domain access authentication,
eduroam or the like.

[ Then again, IMHO IETF is also supposed to develop new technologies,
  so i am not even sure why i always end up having to argue that solutions are
  better because they don't do something fundamentally new.]

> The simple answer is that when, in the past, developers have chosen to abuse
> the semantics of subject name fields in certs, the result shave been VERY
> long lasting, and embarrassing. Long ago, Netscape chose to shove a DNS name
> into the DN common name filed because it was an easy fix for their problem.
> As a result, we still have browsers and CAs that misuse that field. At least
> that egregious behavior was not the result of an IETF WG. Let's not screw
> this up in the name of expediency!

I have also not seen a reply from you to Michael Richardsons question about
that statement. I am not aware of the history, so i can not comment, but
i am curious about your reply.

Nevertheless, i do not think your example has any relevance here, because
we are not choosing a potentially wrong encoding for an existing 
piece of information, but we are arguing that our strgins are are perrfectly
syntactic and semantic correct electronic email addresses and therefore
deserve to use the standard encoding for electronic email addresses.

Cheers
    Toerless
> 
> Steve
> 
> _______________________________________________
> Anima mailing list
> Anima@ietf.org
> https://www.ietf.org/mailman/listinfo/anima

-- 
---
tte@cs.fau.de

v2.23.0 | Report a Bug | By Email