Re: [Anima] Russ: Re: rfc822Name use in Autonomic Control Plane document
Eric Rescorla <ekr@rtfm.com> Sat, 27 June 2020 22:59 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 267323A079D for <anima@ietfa.amsl.com>; Sat, 27 Jun 2020 15:59:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p4pbVukKcSr6 for <anima@ietfa.amsl.com>; Sat, 27 Jun 2020 15:58:59 -0700 (PDT)
Received: from mail-lf1-x133.google.com (mail-lf1-x133.google.com [IPv6:2a00:1450:4864:20::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 233683A0766 for <anima@ietf.org>; Sat, 27 Jun 2020 15:58:59 -0700 (PDT)
Received: by mail-lf1-x133.google.com with SMTP id d21so7003500lfb.6 for <anima@ietf.org>; Sat, 27 Jun 2020 15:58:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=7/aDGa2hX4NzjXYSFCLqxNdDK0MbBwvNSwgsH95NFeU=; b=gQZG3uxwrEYE0WPr2OQKqnCWEYVJKFvkpgVKIrJVoOYT2u/0s6NUfTLUQe7QMdklFC ThoZ3FKj8NJx0W94JYKeyHS/PQqoBJVOiFAh6ctoCTz0Kg9F0UGCjJ+NYT/1szsEj5mX rGwd6aKM9EAzgDSWBSiADBL5qbJa6WPRC57es4NU3sxO4zSH0rX0L0ILC+PR049ywRx+ Li0kHaFmreaOhz0aC1ewcbkBTiNXXWDCX+2wPfNOuWuhbmiyNCbgoxdhdcCK0qns9N5T 5QVSPJE0uunRuw7h5L0WLyIANHQ12FDyDWBv5KOF28SCDGK1YaVyxxDWr1RSSQevE3QG GgNQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=7/aDGa2hX4NzjXYSFCLqxNdDK0MbBwvNSwgsH95NFeU=; b=qUe6sd/3WYxlAjxUi9/uwIBgyMIfUW6P3Df+KQ+NT6y8sjue79uinKs4NgJyGZw4lF jBSItAjQyC4KLp052F1GUbeHN+OHthLJQrqKqCLL+CQqxW93Vdl3YJ3CRqFhciHuU80R EiImEHrZaLH/otqRXYto3AWVDOovn0rynpRYyuUW0oWd+d3/knpWO1EUI0m3FjH0dl+S 2c2JRrM4I4KtG8GleR7AP0/uH04Lefy5l1VpGjER9NXaQKwRFpWaIQjW0sRKoorccWJI Ja61LKHx3j+Yi5pNC3nzl5JYUpHNd4akuz0qGZ4nZ6j8dq9hjmirE+54Ue49E+/XKadv 0OfA==
X-Gm-Message-State: AOAM533bkPpyrAzrrwJIh65VEPkh1yx6SMqmvjxxG92DgybYeAgzOB4W xyuXLodBichG45jiMfAVC1K4es2M4bp+pUF5xsqGHWrcEVE=
X-Google-Smtp-Source: ABdhPJwc+YxX9GKT/sxI4sX4hOGby91DW45IN2W/Lcs9/jiKVDftaBxcy5hQyRbQWYgiZkqcNb/TTzcV67SUNCvUuuM=
X-Received: by 2002:ac2:5f0b:: with SMTP id 11mr5506370lfq.201.1593298737161; Sat, 27 Jun 2020 15:58:57 -0700 (PDT)
MIME-Version: 1.0
References: <11428.1592266833@localhost> <a0face89-da68-f75d-4a57-4deb9d0f244d@gmail.com> <20200617024412.GA11992@kduck.mit.edu> <9584c5cd-c68d-ddc3-0704-da672842e359@gmail.com> <FB6127DD-A111-4E40-A095-5E3C03AA6660@vigilsec.com> <9406.1592756905@localhost> <3A92516D-B980-4231-9059-EF7234BA8610@vigilsec.com> <20200627054056.GA35664@faui48f.informatik.uni-erlangen.de> <FF181E1F-2B93-47BB-AB45-7F66D880108B@vigilsec.com> <20200627224640.GA41058@faui48f.informatik.uni-erlangen.de>
In-Reply-To: <20200627224640.GA41058@faui48f.informatik.uni-erlangen.de>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 27 Jun 2020 15:58:21 -0700
Message-ID: <CABcZeBN_tQgH8ZZmVg82h8-cthm0uQ6b846N71G9NYFSxdUMRQ@mail.gmail.com>
To: Toerless Eckert <tte@cs.fau.de>
Cc: Russ Housley <housley@vigilsec.com>, Michael Richardson <mcr+ietf@sandelman.ca>, Ben Kaduk <kaduk@mit.edu>, Anima WG <anima@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003ffa0b05a918c5d4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/LMmFPoHD9L_Sh7EaOPB8kP90AF8>
Subject: Re: [Anima] Russ: Re: rfc822Name use in Autonomic Control Plane document
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 27 Jun 2020 22:59:02 -0000
I'm not Russ, but I don't take his point to be about ACME one way or the other. Rather, I take his point to be (as he just said in his response to Brian) that while this is *formatted* as an e-mail address, it does not in fact correspond to something to which e-mail can be delivered and therefore does not match the semantics of RFC 5280. Taking a step back from the substantive issue, it seems to me that to the extent to which their is debate about the meaning of 5280, this is a discussion which cannot be resolved entirely on this list, but instead needs to involve the LAMPS WG. -Ekr On Sat, Jun 27, 2020 at 3:46 PM Toerless Eckert <tte@cs.fau.de> wrote: > On Sat, Jun 27, 2020 at 11:52:20AM -0400, Russ Housley wrote: > > Toerless: > > > > I think Brian actually made my point. While the filed contains an email > address, using it as such would result in a delivery failure. The private > key holder cannot be reached by this address. > > Russ, i said: > > > First of all, you can if you want to, > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > > Aka: Yes, if an ACP admin thinks ACME style challenge/reply > email authentication mechanism is useful, then he can of course > set up those email addresses accordingly. I did reply to that > point exhaustively in my reply about the ACME email mechanism. > > Why do you ignore that answer ? > > > and secondly, i contest that it is a requirement to be able > > to do that if the recipient doesn't need to support it. > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > > > Think about noreply@bad-corporation.com. > > You do want to make sure though that you are in control of > > the electronic mail address though, and that is given for ACP > > addresses. > > Where in rfc5280 or any other generic RFC about certificates does > it say you MUST have a mailbox that is reachable ? Where does it > say that all certificiates with rfc822Name must be email boxes > that support ACME email style challenge-reply about the email address ? > I think this is a non-existing requirement against email addresses. > > Of course, noreply@bad-corporation.com can have a certificate with > that rfc822Name. It just can't use the ACME mechanism to be > generated. But the signed mails sent from that address can be > authenticated. > > Or there are never emails, because the email address just serves > as identifier of an entity such as in wifi roaming identification > and authentication. In that case you are not authenticating > e.g.: password ownership for the email address via actual emails > but via AAA protocols against a DNS domain known AAA server > for the domain part of the email address. > > If you want to write a standards track RFC that all email addresses > used in any X.509v3 certificate MUST support an ACME style > challenge/reply email, then please do that, and seee if you get > thast through. If would invalidate a lot of solutions like > those wifi roaming ones. It WOULD NOT invalidate the ACP > solution, because as said (no several times) the ACP solution > can perfectly be set up to support this. It just does not > need to. > > Cheers > Toerless > > > Russ > > > > > > > On Jun 27, 2020, at 1:40 AM, Toerless Eckert <tte@cs.fau.de> wrote: > > > > > > Russ, > > > > > > Top posting re. your ACP vs. ACME question. > > > > > > ACP rfc822name are meant to be under control of the ACP network > operations. > > > aka: the ACP registrars could be controlling rfcSELF*@example.com > mailboxes using > > > ACME S/MIME to get rfcSELF*@example.com certificates or IMHO easier > control > > > the acp.example.com MTA. Just no need/benefit to do this now IMHO: > > > > > > An ACP is a private network which is ideally isolated from other > > > ACP networks by use of private TA. Using the ACME rfc822name scheme > would > > > IMHO create a lot of attack components (all the MTA in the mail path > > > and domain names) if used acros the Internet - without benefits for > > > ACP. Of course, if it was all a private ACME setup within an > enterprise, > > > and using mailboxes and ACME is a popular choice - sure, why not. > > > But for private CA setups there are existing IMO easier options > > > (private CA VMs using EST or the like). > > > > > > IMHO public ACME CAwith S/MIME authenitcation could make sense > > > in the future to enable authentication across different ACP domains. > > > > > > Any network has links into other domains and today they are usually > > > unauthenticated, that could be solved IMHO fairly easily. > > > > > > "private" CA of ACP domain , lets call it acpCA signs all ACP certs. > > > Its own cert is not self-signed, but signed by ACME CA via S/MIME, > > > maybe email is rfcSELF@example.com (no ACP IPv6 address in it) > > > > > > Now the ACP nodes actually use acpCA PLUS ACMA CA's as TA. > > > After IKEv2 authenticates neigbor the followup ACP domain membership > > > step checks if the TA of the peer is acpCA. If yes, then peer > > > becomes ACP member, otherwise we have an authenticated signalling > > > channel to an interdomain / different CA peer. And that of course > > > would enable better/secure auto-configuration of such interdomain > > > links. > > > > > > This gives me good mix of security: Its still only relying on > > > well controlled private TA to get into ACP, but also doubles > > > at less secure but best available "Internet/Interdomain" > > > authentication. > > > > > > Cheers > > > Toerless > > > > > > On Sun, Jun 21, 2020 at 12:36:06PM -0400, Russ Housley wrote: > > >>> On Jun 21, 2020, at 12:28 PM, Michael Richardson < > mcr+ietf@sandelman.ca> wrote: > > >>> > > >>> > > >>> Russ Housley <housley@vigilsec.com> wrote: > > >>>> One cannot send email to the character string in this > specification, so > > >>>> it should not be carried in the rfc822name. > > >>> > > >>> You can send email to that character string if you configure the MX. > > >>> It was designed specifically to accomodate that. > > >>> > > >>> I objected at the time: I thought it was a stupid feature, that no > sensible IKEv2 daemon > > >>> was going to have to send/receive email. > > >>> > > >>> But, Toerless was paranoid that if we did anything at all out of the > > >>> ordinary, that the corporate CA people, in order to protect their > fiefdom, > > >>> would freak out and throw some huge roadblock in the way of > deploying the ACP. > > >>> > > >>> And, now have an ACME method past WGLC that does certificate > validation by > > >>> SMTP. > > >> > > >> Looking at the email certificate enrollment work in the ACME WG > (draft-ietf-acme-email-smime-08), I have a hard time seeing how the device > that knows the private key could participate in such a protocol. How do > you see it working? > > >> > > >> Russ > > >> > > > > > > > > > > > >> _______________________________________________ > > >> Anima mailing list > > >> Anima@ietf.org > > >> https://www.ietf.org/mailman/listinfo/anima > > > > > > > > > -- > > > --- > > > tte@cs.fau.de > > -- > --- > tte@cs.fau.de > > _______________________________________________ > Anima mailing list > Anima@ietf.org > https://www.ietf.org/mailman/listinfo/anima >
- [Anima] rfc822Name "abuse" in Autonomic Control P… Michael Richardson
- Re: [Anima] rfc822Name "abuse" in Autonomic Contr… Brian E Carpenter
- Re: [Anima] rfc822Name use in Autonomic Control P… Benjamin Kaduk
- Re: [Anima] rfc822Name use in Autonomic Control P… Michael Richardson
- Re: [Anima] rfc822Name use in Autonomic Control P… Eliot Lear
- Re: [Anima] rfc822Name use in Autonomic Control P… Brian E Carpenter
- Re: [Anima] rfc822Name use in Autonomic Control P… Russ Housley
- Re: [Anima] rfc822Name use in Autonomic Control P… Brian E Carpenter
- Re: [Anima] rfc822Name use in Autonomic Control P… Sean Turner
- Re: [Anima] rfc822Name use in Autonomic Control P… Benjamin Kaduk
- Re: [Anima] rfc822Name use in Autonomic Control P… Brian E Carpenter
- Re: [Anima] rfc822Name use in Autonomic Control P… Michael Richardson
- Re: [Anima] rfc822Name use in Autonomic Control P… Russ Housley
- Re: [Anima] rfc822Name use in Autonomic Control P… Benjamin Kaduk
- Re: [Anima] rfc822Name use in Autonomic Control P… Toerless Eckert
- Re: [Anima] rfc822Name use in Autonomic Control P… Brian E Carpenter
- [Anima] Russ: Re: rfc822Name use in Autonomic Con… Toerless Eckert
- Re: [Anima] rfc822Name use in Autonomic Control P… Toerless Eckert
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Russ Housley
- Re: [Anima] rfc822Name use in Autonomic Control P… Russ Housley
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Brian E Carpenter
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Russ Housley
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Toerless Eckert
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Eric Rescorla
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Benjamin Kaduk
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Toerless Eckert
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Toerless Eckert
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Eric Rescorla
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Toerless Eckert
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Toerless Eckert
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Eric Rescorla
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Toerless Eckert
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Brian E Carpenter
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Russ Housley
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Russ Housley
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Russ Housley
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Toerless Eckert
- [Anima] No certs for noreply (was: Re: Russ: Re: … Toerless Eckert
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Russ Housley
- Re: [Anima] No certs for noreply (was: Re: Russ: … Russ Housley
- Re: [Anima] No certs for noreply (was: Re: Russ: … Toerless Eckert
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Toerless Eckert
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Russ Housley
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Eliot Lear
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Toerless Eckert
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Michael Richardson
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Toerless Eckert
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Michael Richardson
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Brian E Carpenter
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Michael Richardson