Re: [Anima] representing ACP info in X.509 certs
Toerless Eckert <tte@cs.fau.de> Wed, 24 June 2020 09:39 UTC
Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 355EB3A0CEF for <anima@ietfa.amsl.com>; Wed, 24 Jun 2020 02:39:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.87
X-Spam-Level:
X-Spam-Status: No, score=-0.87 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id feyyvGaVpzsY for <anima@ietfa.amsl.com>; Wed, 24 Jun 2020 02:39:38 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:40]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BA5963A0CED for <anima@ietf.org>; Wed, 24 Jun 2020 02:39:38 -0700 (PDT)
Received: from faui48f.informatik.uni-erlangen.de (faui48f.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:52]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id 62DF854843F; Wed, 24 Jun 2020 11:39:33 +0200 (CEST)
Received: by faui48f.informatik.uni-erlangen.de (Postfix, from userid 10463) id 5BFA5440043; Wed, 24 Jun 2020 11:39:33 +0200 (CEST)
Date: Wed, 24 Jun 2020 11:39:33 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: Eliot Lear <lear=40cisco.com@dmarc.ietf.org>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, Eric Rescorla <ekr@rtfm.com>, Stephen Kent <stkent=40verizon.net@dmarc.ietf.org>, Anima WG <anima@ietf.org>
Message-ID: <20200624093933.GC47499@faui48f.informatik.uni-erlangen.de>
References: <ece7aed3-ede3-5546-4586-1d98d3f71183.ref@verizon.net> <ece7aed3-ede3-5546-4586-1d98d3f71183@verizon.net> <CABcZeBMncZSQOfYsoVS-ZZoSbqZGOg+vQ41OdzAejrRfVozhyQ@mail.gmail.com> <MN2PR11MB3901DD5D6176FEEA43EB9D72DB940@MN2PR11MB3901.namprd11.prod.outlook.com> <6981a76f-76f1-e9b2-319d-473c7a4bc847@verizon.net> <6c4e402f-cce6-daff-aa16-6159340f0802@gmail.com> <9c09debe-3463-a574-46cf-cee86a2c68af@verizon.net> <15951.1592960140@localhost> <9AF4DB48-EAB5-4BFB-8FF1-E55EF0F59140@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <9AF4DB48-EAB5-4BFB-8FF1-E55EF0F59140@cisco.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/5Uqv7Cy5hDjCFxOd72dqUDkZE50>
Subject: Re: [Anima] representing ACP info in X.509 certs
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jun 2020 09:39:41 -0000
Thanks, Eliot, inline On Wed, Jun 24, 2020 at 09:04:59AM +0200, Eliot Lear wrote: > With ACP it???s clear they are overloading semantics of an rfc822name, What is your definition of "overloading" ? There are all type of entities addressed with rfc822name, not only people, but also functions and devices have been given rfc822names as well forever. Ok, so the name part is somewhat strange because it's numeric. How about companies giving users email addresses that are serial numbers. Quite ccommon actuall i think. Prof.Dr.Acme.Example@domain.com - also roles can be found in rfc822names. We're just doing what everybody and their dog has done with rfc822 names forever. > and from an application standpoint we don???t like that because it is possible that different subsystems may have different uncoordinated allocation methods. I don't think this is true > That is- someone may be able to nab an email address via the mail subsystem a la rfcSELF+fd89b714F3db00000200000064000000+area51.research@acp.example.com <mailto:rfcSELF+fd89b714F3db00000200000064000000+area51.research@acp.example.com>, The example explicitly used acp.example.com instead of example.com to ensure that allocation of email addresses in such a specific subdomain was not simply possible for arbitrary users who might allocate email addrs under example.com. Its common practivce in enterprises to have all type of subdomains for specific functions not accessible to the standard mail system setup. Arguing you can get an email address is like arguing you can fake a domain name in such a controlled environment. And see the following: it wouldn't even be good enough. > get a cert for that address Not from the necessary TA. > , and masquerade as an AN or an AN could start sending email as a user that has such an address. No. See section 6.1.4 | Certificates for an ACP MUST only be given to nodes that are allowed | to be members of that ACP. Because the signing CA relies on an ACP | Registrar, the CA MUST only sign certificates with ACP domain | information through trusted ACP Registrars. Any existing CA, unaware | of the new ACP domain information field, can be used as long as it | only allows signing requests from trusted ACP Registrars and from | nodes or registrars trusted not to include ACP domain information in | their certificates. | These requirements can be achieved by using TA private to the owner | of the ACP domain or potentially through appropriate contractual | agreements between the involved parties. Public CA without such | obligations and guarantees can not be used as TA for ACP domains, but | they can be used to obtain certificates for TAs of ACP domain. Aka: The ACP trust model is built on controlled access TA and specific functionality registrar, it does not matter at all which field the information is encoded into for the trust model described. > Let???s agree that the latter is so minimal a risk as to not warrant further discussion. Lets agree this would only happen by explicit violation of mandatory document requirements by a real misguided operator. And under those circumstances most RFCs would not be safe. > It???s only the former that???s really of concern. That can be mitigated through operational guidance, a???la ???don???t allow email addresses in your domain that begin with rfcSELF+???. Actually right now my personal recommendation would be to allocate that email address (prefix) rfcSELF{+...}@.. to the ACP admin to see if there was ever some unintended side effect such as email to that address that was generated by other software. Btw: ANIMA and ACME folks had a side meeting last year (i think you where there ?!), and of course one of the ideas is to be able to use ACME mail signed certs in the future, but this is outside the scope of the document. But the recommendation in the doc to use an ACP domain name part that you own already prepares for that, so i think it should be fairly easy to use in the future ACME web PKI as TA just from the perspective of using the ACP rfc822name as the validation email mechanism. There may be other ACME issues to resolve though. > It???s not perfect. Thats how i started to think of initially as well coming from just the problem of how to overcome ossification of the ecosystem we have to deal with. But in the meantime i think the format of rfc822name is near perfect for both human consumption as well as for managing it - has domain-name to tie into something you can have authoritatively. > That???s the nature of an expedient. But it???s probably Good Enough for now. For the eventuality that another name could be used over time, it???s probably worth getting an OID and using otherName where possible, but we shouldn???t hold this work up over a highly theoretical attack. I think the reason for solutions that like to reuse the rfc822name format of local@domain but choose new encoding points is so that they can reuse existing local@domain user identifiers but indicate a specific app. Much like a uri scheme of newapp:local@domain In the case of ACP this is not necessary, because we simply distinguish on the local part and/or the domain name. No need to support overloading of the same rfc822names for different uses. That is something more relevant to humans who like to have a single local@domain ID for themselves across all apps. ACP IDs are more functional IDs. Cheers Toerless > Eliot > _______________________________________________ > Anima mailing list > Anima@ietf.org > https://www.ietf.org/mailman/listinfo/anima -- --- tte@cs.fau.de
- [Anima] representing ACP info in X.509 certs Stephen Kent
- Re: [Anima] representing ACP info in X.509 certs Eric Rescorla
- Re: [Anima] representing ACP info in X.509 certs Michael Richardson
- Re: [Anima] representing ACP info in X.509 certs Eric Rescorla
- Re: [Anima] representing ACP info in X.509 certs Owen Friel (ofriel)
- Re: [Anima] representing ACP info in X.509 certs Stephen Kent
- Re: [Anima] representing ACP info in X.509 certs Brian E Carpenter
- Re: [Anima] representing ACP info in X.509 certs Stephen Kent
- Re: [Anima] representing ACP info in X.509 certs Michael Richardson
- Re: [Anima] representing ACP info in X.509 certs Eliot Lear
- Re: [Anima] representing ACP info in X.509 certs Toerless Eckert
- Re: [Anima] representing ACP info in X.509 certs Eliot Lear
- Re: [Anima] representing ACP info in X.509 certs Toerless Eckert
- Re: [Anima] representing ACP info in X.509 certs Eric Rescorla
- Re: [Anima] representing ACP info in X.509 certs Toerless Eckert
- Re: [Anima] representing ACP info in X.509 certs Stephen Kent
- Re: [Anima] representing ACP info in X.509 certs Toerless Eckert