Re: [Anima] representing ACP info in X.509 certs

Eliot Lear <> Wed, 24 June 2020 10:41 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 046903A0D36 for <>; Wed, 24 Jun 2020 03:41:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -9.6
X-Spam-Status: No, score=-9.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 2ZEnznp91QHR for <>; Wed, 24 Jun 2020 03:41:13 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 1E1A83A0CFA for <>; Wed, 24 Jun 2020 03:41:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=18689; q=dns/txt; s=iport; t=1592995273; x=1594204873; h=from:message-id:mime-version:subject:date:in-reply-to:cc: to:references; bh=YKGZpPXmXNvTmBceHW117zMWzgECVkWDEL3ypCPlBig=; b=ditFgruWN2iS5ndaDWsbch5pZ5ZM7ZwrP0lQBeZMMnu3rEe9ffVsSAvz wug8tM5p5b3F7KdCWVqRQ6j4npyVm2xspJWCQFw+H0aQPgkwsNRtu6kq9 AjjkLb9rMw58Jd3Us+j9XnLkulZtiw6wYS3q0gRH/T0m8tFCGXefrgYx1 k=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos; i="5.75,275,1589241600"; d="scan'208,217"; a="27403167"
Received: from (HELO ([]) by with ESMTP/TLS/DHE-RSA-SEED-SHA; 24 Jun 2020 10:40:51 +0000
Received: from [] ([]) by (8.15.2/8.15.2) with ESMTPS id 05OAenXE028763 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 24 Jun 2020 10:40:50 GMT
From: Eliot Lear <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_E1CAF0AD-803D-4F7E-88AA-C3AA1C57DA9A"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.\))
Date: Wed, 24 Jun 2020 12:40:48 +0200
In-Reply-To: <>
Cc: Michael Richardson <>, Eric Rescorla <>, Stephen Kent <>, Anima WG <>
To: Toerless Eckert <>
References: <> <> <> <> <> <> <> <15951.1592960140@localhost> <> <>
X-Mailer: Apple Mail (2.3608.
X-Outbound-SMTP-Client:, []
Archived-At: <>
Subject: Re: [Anima] representing ACP info in X.509 certs
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 24 Jun 2020 10:41:16 -0000

> On 24 Jun 2020, at 11:39, Toerless Eckert <> wrote:
> Thanks, Eliot,
> inline
> On Wed, Jun 24, 2020 at 09:04:59AM +0200, Eliot Lear wrote:
>> With ACP it???s clear they are overloading semantics of an rfc822name,
> What is your definition of "overloading" ?
> There are all type of entities addressed with rfc822name, not only
> people, but also functions and devices have been given rfc822names as well forever.
> Ok, so the name part is somewhat strange because it's numeric.
> How about companies giving users email addresses that are serial numbers.
> Quite ccommon actuall i think. - also roles can be found in
> rfc822names. We're just doing what everybody and their dog has done
> with rfc822 names forever.
>> and from an application standpoint we don???t like that because it is possible that different subsystems may have different uncoordinated allocation methods.
> I don't think this is true

If the ACP subsystem allocates a name and the user management system allocates a name, then you have the potential of a conflict.  Again, the odds of an actual conflict are very low.

>> That is- someone may be able to nab an email address via the mail subsystem a la <>,
> The example explicitly used instead of
> to ensure that allocation of email addresses in such a specific
> subdomain was not simply possible for arbitrary users who might
> allocate email addrs under Its common practivce
> in enterprises to have all type of subdomains for specific
> functions not accessible to the standard mail system setup.
> Arguing you can get an email address is like arguing you can
> fake a domain name in such a controlled environment. And see 
> the following: it wouldn't even be good enough.

You can make an operational recommendation of course.  However, some enterprises simply do not do subdomains (I email from one such enterprise now).

>> get a cert for that address
> Not from the necessary TA.
>> , and masquerade as an AN or an AN could start sending email as a user that has such an address.
> No.
> See section 6.1.4
> |  Certificates for an ACP MUST only be given to nodes that are allowed
> |  to be members of that ACP.  Because the signing CA relies on an ACP
> |  Registrar, the CA MUST only sign certificates with ACP domain
> |  information through trusted ACP Registrars.  Any existing CA, unaware
> |  of the new ACP domain information field, can be used as long as it
> |  only allows signing requests from trusted ACP Registrars and from
> |  nodes or registrars trusted not to include ACP domain information in
> |  their certificates.

Ok, but...

> |  These requirements can be achieved by using TA private to the owner
> |  of the ACP domain or potentially through appropriate contractual
> |  agreements between the involved parties.  Public CA without such
> |  obligations and guarantees can not be used as TA for ACP domains, but
> |  they can be used to obtain certificates for TAs of ACP domain.
> Aka: The ACP trust model is built on controlled access TA and 
> specific functionality registrar, it does not matter at all which
> field the information is encoded into for the trust model described.

If the TA is itself signed by a public CA, then the CA can sign other names or for that matter issue other signing certs , and (at least by normal use of PKI) the name will validate without the TA ever having been used.  Assuming that’s not what you mean, how does the client know which TA is authorized?

>> Let???s agree that the latter is so minimal a risk as to not warrant further discussion.
> Lets agree this would only happen by explicit violation of
> mandatory document requirements by a real misguided operator. And
> under those circumstances most RFCs would not be safe.
>> It???s only the former that???s really of concern.  That can be mitigated through operational guidance, a???la ???don???t allow email addresses in your domain that begin with rfcSELF+???.
> Actually right now my personal recommendation would be to allocate that
> email address (prefix) rfcSELF{+...}@.. to the ACP admin to see if there was ever
> some unintended side effect such as email to that address
> that was generated by other software.

I like that idea.

> Btw: ANIMA and ACME folks had a side meeting last year (i think you
> where there ?!), and of course one of the ideas is to be able
> to use ACME mail signed certs in the future, but this is outside
> the scope of the document. But the recommendation
> in the doc to use an ACP domain name part that you own already
> prepares for that, so i think it should be fairly easy to use
> in the future ACME web PKI as TA just from the perspective of
> using the ACP rfc822name as the validation email mechanism. There
> may be other ACME issues to resolve though.
>> It???s not perfect.
> Thats how i started to think of initially as well coming from
> just the problem of how to overcome ossification of the ecosystem
> we have to deal with. But in the meantime i think the format
> of rfc822name is near perfect for both human consumption as well
> as for managing it - has domain-name to tie into something you
> can have authoritatively. 
>> That???s the nature of an expedient.  But it???s probably Good Enough for now.  For the eventuality that another name could be used over time, it???s probably worth getting an OID and using otherName where possible, but we shouldn???t hold this work up over a highly theoretical attack.
> I think the reason for solutions that like to reuse the
> rfc822name format of local@domain but choose new encoding
> points is so that they can reuse existing local@domain
> user identifiers but indicate a specific app. Much
> like a uri scheme of newapp:local@domain

This requires a broader discussion that need not hold up this draft.

> In the case of ACP this is not necessary, because we
> simply distinguish on the local part and/or the domain
> name. No need to support overloading of the same rfc822names
> for different uses. That is something more relevant to
> humans who like to have a single local@domain ID for 
> themselves across all apps. ACP IDs are more functional IDs.
> Cheers
>    Toerless
>> Eliot
>> _______________________________________________
>> Anima mailing list
> -- 
> ---