IETF Logo Mail Archive

Re: [Anima] Russ: Re: rfc822Name use in Autonomic Control Plane document

Brian E Carpenter <brian.e.carpenter@gmail.com> Sat, 27 June 2020 20:47 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 156E83A0796 for <anima@ietfa.amsl.com>; Sat, 27 Jun 2020 13:47:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OkngUwIm21J7 for <anima@ietfa.amsl.com>; Sat, 27 Jun 2020 13:47:52 -0700 (PDT)
Received: from mail-pf1-x432.google.com (mail-pf1-x432.google.com [IPv6:2607:f8b0:4864:20::432]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 465073A077A for <anima@ietf.org>; Sat, 27 Jun 2020 13:47:52 -0700 (PDT)
Received: by mail-pf1-x432.google.com with SMTP id u5so6185274pfn.7 for <anima@ietf.org>; Sat, 27 Jun 2020 13:47:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:organization:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=gOHzTXBObxEUejNLxFcLAaBE3l3VjdTyDIs1psxe1t0=; b=splLLne/39dOOIZqCIjalQKKjoU8ae1l3k7ZBNkCMG2/U8qM/pUx9THDwuze9Vv4EJ rxsSTaEGFEJsp1REmNmvUSKt612G+2knM4o4shFVXX5wdFUiYaRpbn3BuJOycpLQ3Uh/ DX7bU3rSBY634xQhiL9jnnPZdLDhP/SoZOEsXrJykiSz6hAvDbBvkfySWU9GlYB5IcXJ oOPownarztS1+jycC1cgZpTZBGg1bePhL1M2R1htqCPWRc275bpWb044nrKR3daGiNDN iofVIePFEuikJWoSGL/n2Hb9AYBxw+TmQ+Tc7N8KpP1CCzrvhkkjCVP4XufGs6YRxas9 XEFg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:organization :message-id:date:user-agent:mime-version:in-reply-to :content-language:content-transfer-encoding; bh=gOHzTXBObxEUejNLxFcLAaBE3l3VjdTyDIs1psxe1t0=; b=SyTS6Q+63Vl4LBZCaDz5l9YdMYMdLZPwCnyflbpePRfQg5ybfAi0Di0F1+KbbTQ+na 98Oy3Xb94D4d5vYwDkr9hE17Z1+GePQ8gB6otQqo6mLyOw8mgXKvIGYM8y5EdsuDmeP5 hJ5OPL+taHBngEUp99xUaWjT3c5sZo0c+1hWNgNNJSzFERr9i5SlRQ3YX3/jG+n75UEG 9L7kllWV159vVd5NTucOM8AmZ+yjvOwlh/tELRwY8kKUyDB/bw4ADDmHaPWGx2K3C5YM H2N3tu0Ch5x1QZF5ayByUMUSth7i5zwIpDdRGV9x+vxS7HFwkY815aeKQqxUlQNrQR+H 1/7Q==
X-Gm-Message-State: AOAM531qjAds0MW2MVAap1Q22mXdgTJ1pshXe9IOUurMYdUtbupJcfPY yDQtNnDv6Frd8zRubg4YFHAYx55o9p8=
X-Google-Smtp-Source: ABdhPJyrfi9Iau9XNgzw5arZXyarsY2Sb3fTk5RYU98xpBGSfZZa5L9v0DVCn6cNTfAM+Ael02GDBA==
X-Received: by 2002:a63:dd42:: with SMTP id g2mr4774672pgj.442.1593290871341; Sat, 27 Jun 2020 13:47:51 -0700 (PDT)
Received: from [192.168.178.20] (203.90.69.111.dynamic.snap.net.nz. [111.69.90.203]) by smtp.gmail.com with ESMTPSA id u13sm7396551pjy.40.2020.06.27.13.47.48 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sat, 27 Jun 2020 13:47:50 -0700 (PDT)
To: Russ Housley <housley@vigilsec.com>, Toerless Eckert <tte@cs.fau.de>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, Ben Kaduk <kaduk@mit.edu>, anima@ietf.org
References: <11428.1592266833@localhost> <a0face89-da68-f75d-4a57-4deb9d0f244d@gmail.com> <20200617024412.GA11992@kduck.mit.edu> <9584c5cd-c68d-ddc3-0704-da672842e359@gmail.com> <FB6127DD-A111-4E40-A095-5E3C03AA6660@vigilsec.com> <9406.1592756905@localhost> <3A92516D-B980-4231-9059-EF7234BA8610@vigilsec.com> <20200627054056.GA35664@faui48f.informatik.uni-erlangen.de> <FF181E1F-2B93-47BB-AB45-7F66D880108B@vigilsec.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
Message-ID: <0bec7478-2661-71fe-2263-d0f5d3e75ba9@gmail.com>
Date: Sun, 28 Jun 2020 08:47:46 +1200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <FF181E1F-2B93-47BB-AB45-7F66D880108B@vigilsec.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/6SKsBldXudOgJRLkrr6_0l7LP9E>
Subject: Re: [Anima] Russ: Re: rfc822Name use in Autonomic Control Plane document
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 27 Jun 2020 20:47:54 -0000

On 28-Jun-20 03:52, Russ Housley wrote:
> Toerless:
> 
> I think Brian actually made my point.  While the filed contains an email address, using it as such would result in a delivery failure.  The private key holder cannot be reached by this address.

I don't see a requirement in RFC5280 that the email address in an rfc822name must be reachable, or that it must belong to the private key holder.

   Brian

> 
> Russ
> 
> 
>> On Jun 27, 2020, at 1:40 AM, Toerless Eckert <tte@cs.fau.de> wrote:
>>
>> Russ,
>>
>> Top posting re. your ACP vs. ACME question.
>>
>> ACP rfc822name are meant to be under control of the ACP network operations.
>> aka: the ACP registrars could be controlling rfcSELF*@example.com mailboxes using
>> ACME S/MIME to get rfcSELF*@example.com certificates or IMHO easier control
>> the acp.example.com MTA.  Just no need/benefit to do this now IMHO:
>>
>> An ACP is a private network which is ideally isolated from other
>> ACP networks by use of private TA. Using the ACME rfc822name scheme would
>> IMHO create a lot of attack components (all the MTA in the mail path
>> and domain names) if used acros the Internet - without benefits for
>> ACP. Of course, if it was all a private ACME setup within an enterprise,
>> and using mailboxes and ACME is a popular choice - sure, why not.
>> But for private CA setups there are existing IMO easier options
>> (private CA VMs using EST or the like).
>>
>> IMHO public ACME CAwith S/MIME authenitcation could  make sense 
>> in the future to enable authentication across different ACP domains.
>>
>> Any network has links into other domains and today they are usually
>> unauthenticated, that could be solved IMHO fairly easily.
>>
>> "private" CA of ACP domain , lets call it acpCA signs all ACP certs.
>> Its own cert is not self-signed, but signed by ACME CA via S/MIME,
>> maybe email is rfcSELF@example.com (no ACP IPv6 address in it)
>>
>> Now the ACP nodes actually use acpCA PLUS ACMA CA's as TA.
>> After IKEv2 authenticates neigbor the followup ACP domain membership
>> step checks if the TA of the peer is acpCA. If yes, then peer
>> becomes ACP member, otherwise we have an authenticated signalling
>> channel to an interdomain / different CA peer. And that of course
>> would enable better/secure auto-configuration of such interdomain
>> links.
>>
>> This gives me good mix of security: Its still only relying on
>> well controlled private TA to get into ACP, but also doubles
>> at less secure but best available "Internet/Interdomain"
>> authentication.
>>
>> Cheers
>>    Toerless
>>
>> On Sun, Jun 21, 2020 at 12:36:06PM -0400, Russ Housley wrote:
>>>> On Jun 21, 2020, at 12:28 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
>>>>
>>>>
>>>> Russ Housley <housley@vigilsec.com> wrote:
>>>>> One cannot send email to the character string in this specification, so
>>>>> it should not be carried in the rfc822name.
>>>>
>>>> You can send email to that character string if you configure the MX.
>>>> It was designed specifically to accomodate that.
>>>>
>>>> I objected at the time: I thought it was a stupid feature, that no sensible IKEv2 daemon
>>>> was going to have to send/receive email.
>>>>
>>>> But, Toerless was paranoid that if we did anything at all out of the
>>>> ordinary, that the corporate CA people, in order to protect their fiefdom,
>>>> would freak out and throw some huge roadblock in the way of deploying the ACP.
>>>>
>>>> And, now have an ACME method past WGLC that does certificate validation by
>>>> SMTP.
>>>
>>> Looking at the email certificate enrollment work in the ACME WG (draft-ietf-acme-email-smime-08), I have a hard time seeing how the device that knows the private key could participate in such a protocol.  How do you see it working?
>>>
>>> Russ
>>>
>>
>>
>>
>>> _______________________________________________
>>> Anima mailing list
>>> Anima@ietf.org
>>> https://www.ietf.org/mailman/listinfo/anima
>>
>>
>> -- 
>> ---
>> tte@cs.fau.de
> 
> _______________________________________________
> Anima mailing list
> Anima@ietf.org
> https://www.ietf.org/mailman/listinfo/anima
>

v2.23.0 | Report a Bug | By Email