Re: [Anima] representing ACP info in X.509 certs

Stephen Kent <stkent@verizon.net> Tue, 23 June 2020 23:52 UTC

To: Brian E Carpenter <brian.e.carpenter@gmail.com>, "Owen Friel (ofriel)" <ofriel@cisco.com>, Eric Rescorla <ekr@rtfm.com>
Cc: Anima WG <anima@ietf.org>, rfcSELF+fd89b714F3db00000200000064000000+area51.research@acp.example.com
References: <ece7aed3-ede3-5546-4586-1d98d3f71183.ref@verizon.net> <ece7aed3-ede3-5546-4586-1d98d3f71183@verizon.net> <CABcZeBMncZSQOfYsoVS-ZZoSbqZGOg+vQ41OdzAejrRfVozhyQ@mail.gmail.com> <MN2PR11MB3901DD5D6176FEEA43EB9D72DB940@MN2PR11MB3901.namprd11.prod.outlook.com> <6981a76f-76f1-e9b2-319d-473c7a4bc847@verizon.net> <6c4e402f-cce6-daff-aa16-6159340f0802@gmail.com>
From: Stephen Kent <stkent@verizon.net>
Message-ID: <9c09debe-3463-a574-46cf-cee86a2c68af@verizon.net>
Date: Tue, 23 Jun 2020 19:52:25 -0400
In-Reply-To: <6c4e402f-cce6-daff-aa16-6159340f0802@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/5E6hLbv3mN9747jzOKq-nycHKtM>
Subject: Re: [Anima] representing ACP info in X.509 certs

Brian,
>> Common sense argues against putting something other than an e-mail address in the rfc822name attribute.
>>
>> I expect ADs to use common sense, as well as careful reading of prior RFCs, when making decisions.
> Indeed, but that cuts both ways, since running code is our goal. No parser is in a position to say that rfcSELF+fd89b714F3db00000200000064000000+area51.research@acp.example.com isn't an email address.

If we were only AIs that would be a suitable reply ;-).

But we're not. We all know that the proposed IDs are NOT rfc822 
addresses, so let's not play games.

The simple answer is that when, in the past, developers have chosen to 
abuse the semantics of subject name fields in certs, the results have 
been VERY long lasting, and embarrassing. Long ago, Netscape chose to 
shove a DNS name into the DN common name field because it was an easy 
fix for their problem. As a result, we still have browsers and CAs that 
misuse that field. At least that egregious behavior was not the result 
of an IETF WG. Let's not screw this up in the name of expediency!

Steve
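An added illustration of the parsing point argued in the thread (example code, not from the thread or the ACP draft): a syntax-only rfc822Name check accepts the quoted string, because "+" and "." are legal in a mail local part, and only a format-aware parser can tell it apart from a real mail address. It assumes, as in the ACP draft, that the 32 hex digits encode the node's 128-bit ACP IPv6 address; the sample value is the one quoted above.

```python
import re
import ipaddress

# The rfc822Name value quoted in the thread (sample input for this example).
SAMPLE = "rfcSELF+fd89b714F3db00000200000064000000+area51.research@acp.example.com"

# Loose RFC 5322 addr-spec check: dot-atom local part "@" dot-atom domain.
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_ADDR_SPEC = re.compile(rf"^{_ATEXT}(?:\.{_ATEXT})*@{_ATEXT}(?:\.{_ATEXT})*$")


def is_syntactic_email(value: str) -> bool:
    """What a generic rfc822Name consumer can check: addr-spec syntax only.
    The ACP string passes, which is Brian's point in the thread."""
    return _ADDR_SPEC.fullmatch(value) is not None


# ACP-aware local-part pattern (assumption, following the draft's format as
# seen in the quoted value): "rfcSELF" "+" 32 hex digits ["+" rsub].
_ACP_LOCAL = re.compile(r"^rfcSELF\+([0-9A-Fa-f]{32})(?:\+([A-Za-z0-9.-]*))?$")


def parse_acp_node_name(value: str):
    """Return the ACP fields embedded in an rfc822Name, or None when the
    value is not in the ACP format (so it may be an ordinary mail address).
    A relying party must make this distinction itself; the SAN type alone
    does not, which is Steve's objection."""
    if not is_syntactic_email(value):
        return None
    local, domain = value.rsplit("@", 1)
    m = _ACP_LOCAL.match(local)
    if m is None:
        return None
    acp_hex, rsub = m.group(1), m.group(2) or ""
    # Assumption: the 32 hex digits are the node's 128-bit ACP (IPv6) address.
    acp_addr = ipaddress.IPv6Address(bytes.fromhex(acp_hex))
    return {"acp_address": str(acp_addr), "rsub": rsub, "domain": domain}


if __name__ == "__main__":
    print("looks like email:", is_syntactic_email(SAMPLE))
    print("ACP fields:", parse_acp_node_name(SAMPLE))
    print("plain address:", parse_acp_node_name("alice@example.com"))
```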