Re: [Anima] Moving forward with draft-ietf-anima-autonomic-control-plane

Eliot Lear <lear@cisco.com> Tue, 23 June 2020 12:49 UTC

From: Eliot Lear <lear@cisco.com>
Message-Id: <8C94BD38-B6D1-4473-8A92-A6DD11C7A7EC@cisco.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_1F45DA0D-9EEC-4068-AB40-188F4C76D868"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Tue, 23 Jun 2020 14:49:30 +0200
In-Reply-To: <CABcZeBPFLjX06dknejymdE9Je8PTZTXVogOB2A2b+HsNuOo1Ug@mail.gmail.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, Eric Vyncke <evyncke@cisco.com>, Stephen Kent <stkent=40verizon.net@dmarc.ietf.org>, Anima WG <anima@ietf.org>, "Michael.H.Behringer@gmail.com" <Michael.H.Behringer@gmail.com>, "tte+ietf@cs.fau.de" <tte+ietf@cs.fau.de>, "Joel M. Halpern" <jmh@joelhalpern.com>, "warren@kumari.net" <warren@kumari.net>, "sbjarnason@arbor.net" <sbjarnason@arbor.net>, "jiangsheng@huawei.com" <jiangsheng@huawei.com>
To: Eric Rescorla <ekr@rtfm.com>
References: <1C60B01B-3258-4F93-A782-2B2940CAAC49@cisco.com> <20200623033116.GG58278@kduck.mit.edu> <6EA0BD6D-2B81-4428-A45A-24A0A21B73D0@cisco.com> <CABcZeBPFLjX06dknejymdE9Je8PTZTXVogOB2A2b+HsNuOo1Ug@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/Ex7mCeACJ24czm5dyE-vnpGJtWA>
Subject: Re: [Anima] Moving forward with draft-ietf-anima-autonomic-control-plane


> On 23 Jun 2020, at 14:01, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> I don’t know if the group looked at this, but I can say that from a public CA standpoint, it’s not much different from otherName because there is a requirement to validate the name.  A new URI scheme would require a new resolution mechanism.  Perhaps that is needed as part of ACP anyway.  The one value of URI is that it is easier to configure in some of the tooling like OpenSSL.
> 
> What disturbs me about all of this is that public CAs will accept otherNames and produce garbage out.  That’s just asking for a boot to the head* from a vulnerability perspective.
> 
> This would at present appear to violate the BRs. S 7.1.4.2.1 says:
> Contents: This extension MUST contain at least one entry. Each entry MUST be either a dNSName containing the Fully-Qualified Domain Name or an iPAddress containing the IP address of a server. The CA MUST confirm that the Applicant controls the Fully-Qualified Domain Name or IP address or has been granted the right to use it by the Domain Name Registrant or IP address assignee, as appropriate. 
> 
> -Ekr
> 

Oh, it does the DV. It just adds garbage into the cert :-(
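The exchange above turns on one check: the Baseline Requirements text quoted from section 7.1.4.2.1 allows only dNSName and iPAddress entries in a subscriber certificate's subjectAltName, and domain validation covers only those, so an otherName or URI that a CA passes through is an unvalidated value sitting next to validated ones. The following is an added example, not code from this thread, the ACP draft or any CA: a stdlib-only Python lint that decodes a DER-encoded SubjectAltName into its GeneralName entries and reports every entry the quoted rule does not permit. The sample SAN is constructed inline; the otherName type-id OID (1.3.6.1.4.1.99999.1) is a placeholder, not the OID the ACP draft defines, and the host names and addresses are documentation values.

```python
"""Decode a DER SubjectAltName and lint it against the BR 7.1.4.2.1 rule
quoted in the thread (only dNSName / iPAddress entries are permitted).
Stdlib only. All sample values below are constructed for illustration."""
import ipaddress

# ---- minimal DER encoding helpers ------------------------------------------

def der_len(n: int) -> bytes:
    """DER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed, rest base-128 big-endian."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # last byte has no continuation bit
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))

# GeneralName encoders: context-specific IMPLICIT tags from RFC 5280 section 4.2.1.6.
def gn_dns(name: str) -> bytes:            # dNSName [2] IA5String
    return tlv(0x82, name.encode("ascii"))

def gn_ip(addr: str) -> bytes:             # iPAddress [7] OCTET STRING (4 or 16 bytes)
    return tlv(0x87, ipaddress.ip_address(addr).packed)

def gn_uri(uri: str) -> bytes:             # uniformResourceIdentifier [6] IA5String
    return tlv(0x86, uri.encode("ascii"))

def gn_other(oid: str, text: str) -> bytes:  # otherName [0] { type-id OID, [0] EXPLICIT value }
    return tlv(0xA0, encode_oid(oid) + tlv(0xA0, tlv(0x16, text.encode("ascii"))))

def encode_san(*general_names: bytes) -> bytes:
    return tlv(0x30, b"".join(general_names))   # GeneralNames ::= SEQUENCE OF GeneralName

# ---- minimal DER decoding helpers ------------------------------------------

def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after this TLV); rejects truncated input."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end

def decode_oid(body: bytes) -> str:
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

GN_KIND = {0xA0: "otherName", 0x81: "rfc822Name", 0x82: "dNSName",
           0xA3: "x400Address", 0xA4: "directoryName", 0xA5: "ediPartyName",
           0x86: "uniformResourceIdentifier", 0x87: "iPAddress", 0x88: "registeredID"}

def parse_san(san_der: bytes):
    """Return [(kind, value), ...] for every GeneralName in the SAN."""
    tag, seq, end = read_tlv(san_der, 0)
    if tag != 0x30 or end != len(san_der):
        raise ValueError("SubjectAltName must be a single SEQUENCE")
    names, pos = [], 0
    while pos < len(seq):
        tag, content, pos = read_tlv(seq, pos)
        kind = GN_KIND.get(tag, f"unknown-tag-0x{tag:02x}")
        if kind in ("dNSName", "rfc822Name", "uniformResourceIdentifier"):
            value = content.decode("ascii")
        elif kind == "iPAddress":
            value = str(ipaddress.ip_address(content)) if len(content) in (4, 16) else content.hex()
        elif kind == "otherName":
            _, oid_body, p = read_tlv(content, 0)      # type-id
            _, explicit, _ = read_tlv(content, p)      # [0] EXPLICIT wrapper
            inner_tag, inner, _ = read_tlv(explicit, 0)
            text = inner.decode("utf-8") if inner_tag in (0x0C, 0x16) else inner.hex()
            value = (decode_oid(oid_body), text)
        else:
            value = content.hex()
        names.append((kind, value))
    return names

BR_ALLOWED = {"dNSName", "iPAddress"}   # the only GeneralName kinds BR 7.1.4.2.1 permits

def lint_san(san_der: bytes):
    """Return the BR 7.1.4.2.1 findings for a SAN; an empty list means it passes."""
    names = parse_san(san_der)
    findings = []
    if not names:
        findings.append("SAN has no entries (MUST contain at least one)")
    for kind, value in names:
        if kind not in BR_ALLOWED:
            findings.append(f"{kind} entry {value!r} is neither dNSName nor iPAddress, "
                            "so DV never validated it")
    return findings

# Constructed sample: two validated entries plus the two kinds the thread worries about.
SAMPLE_SAN = encode_san(
    gn_dns("router1.example.net"),
    gn_ip("192.0.2.10"),
    gn_other("1.3.6.1.4.1.99999.1", "rtr1.acp.example.net"),  # placeholder OID, not the ACP one
    gn_uri("https://rtr1.acp.example.net/"),
)

if __name__ == "__main__":
    for kind, value in parse_san(SAMPLE_SAN):
        print(f"{kind:28} {value}")
    for finding in lint_san(SAMPLE_SAN):
        print("BR 7.1.4.2.1:", finding)
```

Run on the sample, the lint reports the otherName and the URI and stays silent on the dNSName and iPAddress; a SAN with only those two kinds passes, and an empty SAN fails the "at least one entry" clause. The same `parse_san` can be pointed at the extnValue of a real certificate's SAN extension once it has been pulled out of the TBSCertificate.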