Re: [Anima] representing ACP info in X.509 certs

Eric Rescorla <> Sun, 21 June 2020 17:36 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C015C3A0788 for <>; Sun, 21 Jun 2020 10:36:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id vwDtIfCCxF_s for <>; Sun, 21 Jun 2020 10:36:03 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3E7913A077D for <>; Sun, 21 Jun 2020 10:36:03 -0700 (PDT)
Received: by with SMTP id n23so16731195ljh.7 for <>; Sun, 21 Jun 2020 10:36:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=OAH8k1WPV3b51R8f/uTHnmfk/MC1WyQF9kQeKHlWVXE=; b=E5SaV2ik1BZKw8yMmDSN3dsJygKjOiJ98dPEIDGuAz+7s3mivKA1dklXz1qDb3uilt nI0E8QQwOzbw0ZmvosIYMqvkTY9Lo9EutM3b29YxibFto+3Q8bAbBaGCuFWL+74WN7VR 00ZX3BJtW3bhy4d/Ok+S4YRfpAfSFXxDwsNKUIWw5AuBnGVmU/ilE48z/CVKDTxP78Sh Yy699iqyV4vin9Jrcx2IQbhmGU61XJaeLg2sxcMF8ZsHuPogUUJVZ5LH/onfxh1esVDF Cw51qUC7tZw80RFPESV1IQYxhtWrVXgZ1rCrRnwO6wAZHtu/sn5f9bDwJeQrsIxGbCnt kRYg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=OAH8k1WPV3b51R8f/uTHnmfk/MC1WyQF9kQeKHlWVXE=; b=merfTRCqDXEDmY3WA+KRlhie9hFysU786X9/VywwbNe0lgaIHlfIM2YHkrss/ZWvAM jj6Sl1W2bL2tFZ7RV1fh+7DI3RJTtbnNISQ0QZ7WKNfSQTw2S++KBQ6fckq5vWqHnq+x lAtvy7SlKhAB8TCrPk3/bG4g0cWnrhBClPkdXtjLFRz4uAIsVR7+z6MKoee9MVMrRZVP KU4KUvE2bYsC7u614WSCE7Ir3L3Gl34ZX5TBgdZXq9cOzomXdvyYfNNfIOG38Hv3MPyc 7Qz4/cYLmqoo4tl2LhvaP9cUXUBjSQ11+KFkDGkrwtgulnVvRMMJ+TbTIsal1wHC2wv8 DoQQ==
X-Gm-Message-State: AOAM530MC1yCkstYdWd/dJPlTapqvvi1ojOh0DjNX1vO6TKH44SksFoQ hoZhmirRyhyh5ftX0uI2IZ+TBr/PdsdbXedcjHcrKQ==
X-Google-Smtp-Source: ABdhPJzFk1L7mS+Ix+u+PRdFjslpdhyUClv1zRAKpaVLiLSvcOL8l9gYx4MklqMyPWhVMGfIQpIskhnvE8yH5HUIcAw=
X-Received: by 2002:a05:651c:1044:: with SMTP id x4mr6240698ljm.409.1592760961253; Sun, 21 Jun 2020 10:36:01 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <4280.1592755750@localhost>
In-Reply-To: <4280.1592755750@localhost>
From: Eric Rescorla <>
Date: Sun, 21 Jun 2020 10:35:25 -0700
Message-ID: <>
To: Michael Richardson <>
Cc: Stephen Kent <>, Anima WG <>
Content-Type: multipart/alternative; boundary="0000000000004ed69705a89b8fcc"
Archived-At: <>
Subject: Re: [Anima] representing ACP info in X.509 certs
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 21 Jun 2020 17:36:06 -0000

> Eric Rescorla <> wrote:
>     > One thing that's not clear to me: is the expectation that you will
>     > using a public CA or that you will be using an enterprise-level one?
> There are different many use cases, and it is precisely because we can't
> prescriptive about the operation of the CA involved that the WG
> on a solution that we know can be deployed today.
> I wasn't happy with the result, but I realized that I could live with the
> compromise result.  The WG did consider all the points that you have

Well, strictly speaking, I believe it was others who raised the points;
however, I do concur with them. In any cases, as Ben notes, this decision
cannot be made by this WG alone.

> 1) a private-CA internal to the ACP Registar.
> 2) an enterprise private-CA external to the ACP Registrar, which is
>    in another system, such as ActiveDirectory

I am not particularly expert on private CAs, though I see that
Sean made some notes on what could be done with that software.

> 3) when we started this work, it was possible to have (a) and (b) with
>    anchors toward public CAs

> 5) a small (or growing) enterprise entity that uses ACME to a public CA.
>    The is no "group" policy to deploy a private CA, and there is a strong
>    desire that the devices that are enrolled do not train users to think
>    security exceptions are "normal".
>    Obviously, the DN presented to a browser is not a rfc822Name,
>    but would have to be an dnsName.  The ACP rfc822Name
>    may not be the only SAN in the certificate, but it is one that
>    draft-ietf-acme-email-smime-08 allow the Registrar to validate.

I'm assuming that by "public CA" we are talking about a CA which
issues certificates which are acceptable to browsers or other generic
clients. On that topic, I would make a few points:

1. It is not impossible to get CAs to issue certificates with custom
extensions. For instance, DigiCert issues certificates with the
Delegated Credentials extension:

It's of course possible that otherName would be different.

2. I believe the Mozilla Root Store Policy [0] would require a CA to
revoke certificates used as described in this specification. See
Section 6.2 (S/MIME Certificates) [1]:

   For any certificate in a hierarchy capable of being used for
   S/MIME, CAs MUST revoke certificates upon the occurrence of any of
   the following events:


   3. the CA obtains reasonable evidence that the certificate has been
   used for a purpose outside of that indicated in the certificate or
   in the CA's subscriber agreement;

I imagine that other root programs have similar restrictions.
Of course this wouldn't preclude a CA that wasn't subject to these
restrictions issuing ACP certificates.


[1] There are a number of other clauses which I believe would also apply,
but I believe this is the most on-point.