IETF Logo Mail Archive

Re: [Anima] Russ: Re: rfc822Name use in Autonomic Control Plane document

Eric Rescorla <ekr@rtfm.com> Sat, 27 June 2020 22:59 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 267323A079D for <anima@ietfa.amsl.com>; Sat, 27 Jun 2020 15:59:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p4pbVukKcSr6 for <anima@ietfa.amsl.com>; Sat, 27 Jun 2020 15:58:59 -0700 (PDT)
Received: from mail-lf1-x133.google.com (mail-lf1-x133.google.com [IPv6:2a00:1450:4864:20::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 233683A0766 for <anima@ietf.org>; Sat, 27 Jun 2020 15:58:59 -0700 (PDT)
Received: by mail-lf1-x133.google.com with SMTP id d21so7003500lfb.6 for <anima@ietf.org>; Sat, 27 Jun 2020 15:58:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=7/aDGa2hX4NzjXYSFCLqxNdDK0MbBwvNSwgsH95NFeU=; b=gQZG3uxwrEYE0WPr2OQKqnCWEYVJKFvkpgVKIrJVoOYT2u/0s6NUfTLUQe7QMdklFC ThoZ3FKj8NJx0W94JYKeyHS/PQqoBJVOiFAh6ctoCTz0Kg9F0UGCjJ+NYT/1szsEj5mX rGwd6aKM9EAzgDSWBSiADBL5qbJa6WPRC57es4NU3sxO4zSH0rX0L0ILC+PR049ywRx+ Li0kHaFmreaOhz0aC1ewcbkBTiNXXWDCX+2wPfNOuWuhbmiyNCbgoxdhdcCK0qns9N5T 5QVSPJE0uunRuw7h5L0WLyIANHQ12FDyDWBv5KOF28SCDGK1YaVyxxDWr1RSSQevE3QG GgNQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=7/aDGa2hX4NzjXYSFCLqxNdDK0MbBwvNSwgsH95NFeU=; b=qUe6sd/3WYxlAjxUi9/uwIBgyMIfUW6P3Df+KQ+NT6y8sjue79uinKs4NgJyGZw4lF jBSItAjQyC4KLp052F1GUbeHN+OHthLJQrqKqCLL+CQqxW93Vdl3YJ3CRqFhciHuU80R EiImEHrZaLH/otqRXYto3AWVDOovn0rynpRYyuUW0oWd+d3/knpWO1EUI0m3FjH0dl+S 2c2JRrM4I4KtG8GleR7AP0/uH04Lefy5l1VpGjER9NXaQKwRFpWaIQjW0sRKoorccWJI Ja61LKHx3j+Yi5pNC3nzl5JYUpHNd4akuz0qGZ4nZ6j8dq9hjmirE+54Ue49E+/XKadv 0OfA==
X-Gm-Message-State: AOAM533bkPpyrAzrrwJIh65VEPkh1yx6SMqmvjxxG92DgybYeAgzOB4W xyuXLodBichG45jiMfAVC1K4es2M4bp+pUF5xsqGHWrcEVE=
X-Google-Smtp-Source: ABdhPJwc+YxX9GKT/sxI4sX4hOGby91DW45IN2W/Lcs9/jiKVDftaBxcy5hQyRbQWYgiZkqcNb/TTzcV67SUNCvUuuM=
X-Received: by 2002:ac2:5f0b:: with SMTP id 11mr5506370lfq.201.1593298737161; Sat, 27 Jun 2020 15:58:57 -0700 (PDT)
MIME-Version: 1.0
References: <11428.1592266833@localhost> <a0face89-da68-f75d-4a57-4deb9d0f244d@gmail.com> <20200617024412.GA11992@kduck.mit.edu> <9584c5cd-c68d-ddc3-0704-da672842e359@gmail.com> <FB6127DD-A111-4E40-A095-5E3C03AA6660@vigilsec.com> <9406.1592756905@localhost> <3A92516D-B980-4231-9059-EF7234BA8610@vigilsec.com> <20200627054056.GA35664@faui48f.informatik.uni-erlangen.de> <FF181E1F-2B93-47BB-AB45-7F66D880108B@vigilsec.com> <20200627224640.GA41058@faui48f.informatik.uni-erlangen.de>
In-Reply-To: <20200627224640.GA41058@faui48f.informatik.uni-erlangen.de>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 27 Jun 2020 15:58:21 -0700
Message-ID: <CABcZeBN_tQgH8ZZmVg82h8-cthm0uQ6b846N71G9NYFSxdUMRQ@mail.gmail.com>
To: Toerless Eckert <tte@cs.fau.de>
Cc: Russ Housley <housley@vigilsec.com>, Michael Richardson <mcr+ietf@sandelman.ca>, Ben Kaduk <kaduk@mit.edu>, Anima WG <anima@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003ffa0b05a918c5d4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/LMmFPoHD9L_Sh7EaOPB8kP90AF8>
Subject: Re: [Anima] Russ: Re: rfc822Name use in Autonomic Control Plane document
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 27 Jun 2020 22:59:02 -0000

I'm not Russ, but I don't take his point to be about ACME one way or the
other.

Rather, I take his point to be (as he just said in his response to Brian)
that while this is *formatted* as an e-mail address, it does not in fact
correspond to something to which e-mail can be delivered and therefore does
not match the semantics of RFC 5280.

Taking a step back from the substantive issue, it seems to me that to the
extent to which their is debate about the meaning of 5280, this is a
discussion which cannot be resolved entirely on this list, but instead
needs to involve the LAMPS WG.

-Ekr




On Sat, Jun 27, 2020 at 3:46 PM Toerless Eckert <tte@cs.fau.de> wrote:

> On Sat, Jun 27, 2020 at 11:52:20AM -0400, Russ Housley wrote:
> > Toerless:
> >
> > I think Brian actually made my point.  While the filed contains an email
> address, using it as such would result in a delivery failure.  The private
> key holder cannot be reached by this address.
>
> Russ, i said:
>
> > First of all, you can if you want to,
>   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> Aka: Yes, if an ACP admin thinks ACME style challenge/reply
> email authentication mechanism is useful, then he can of course
> set up those email addresses accordingly. I did reply to that
> point exhaustively in my reply about the ACME email mechanism.
>
>  Why do you ignore that answer ?
>
> > and secondly, i contest that it is a requirement to be able
> > to do that if the recipient doesn't need to support it.
>   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> > Think about noreply@bad-corporation.com.
> > You do want to make sure though that you are in control of
> > the electronic mail address though, and that is given for ACP
> > addresses.
>
> Where in rfc5280 or any other generic RFC about certificates does
> it say you MUST have a mailbox that is reachable ? Where does it
> say that all certificiates with rfc822Name must be email boxes
> that support ACME email style challenge-reply about the email address ?
> I think this is a non-existing requirement against email addresses.
>
> Of course, noreply@bad-corporation.com can have a certificate with
> that rfc822Name. It just can't use the ACME mechanism to be
> generated. But the signed mails sent from that address can be
> authenticated.
>
> Or there are never emails, because the email address just serves
> as identifier of an entity such as in wifi roaming identification
> and authentication. In that case you are not authenticating
> e.g.: password ownership for the email address via actual emails
> but via AAA protocols against a DNS domain known AAA server
> for the domain part of the email address.
>
> If you want to write a standards track RFC that all email addresses
> used in any X.509v3 certificate MUST support an ACME style
> challenge/reply email, then please do that, and seee if you get
> thast through. If would invalidate a lot of solutions like
> those wifi roaming ones. It WOULD NOT invalidate the ACP
> solution, because as said (no several times) the ACP solution
> can perfectly be set up to support this. It just does not
> need to.
>
> Cheers
>     Toerless
>
> > Russ
> >
> >
> > > On Jun 27, 2020, at 1:40 AM, Toerless Eckert <tte@cs.fau.de> wrote:
> > >
> > > Russ,
> > >
> > > Top posting re. your ACP vs. ACME question.
> > >
> > > ACP rfc822name are meant to be under control of the ACP network
> operations.
> > > aka: the ACP registrars could be controlling rfcSELF*@example.com
> mailboxes using
> > > ACME S/MIME to get rfcSELF*@example.com certificates or IMHO easier
> control
> > > the acp.example.com MTA.  Just no need/benefit to do this now IMHO:
> > >
> > > An ACP is a private network which is ideally isolated from other
> > > ACP networks by use of private TA. Using the ACME rfc822name scheme
> would
> > > IMHO create a lot of attack components (all the MTA in the mail path
> > > and domain names) if used acros the Internet - without benefits for
> > > ACP. Of course, if it was all a private ACME setup within an
> enterprise,
> > > and using mailboxes and ACME is a popular choice - sure, why not.
> > > But for private CA setups there are existing IMO easier options
> > > (private CA VMs using EST or the like).
> > >
> > > IMHO public ACME CAwith S/MIME authenitcation could  make sense
> > > in the future to enable authentication across different ACP domains.
> > >
> > > Any network has links into other domains and today they are usually
> > > unauthenticated, that could be solved IMHO fairly easily.
> > >
> > > "private" CA of ACP domain , lets call it acpCA signs all ACP certs.
> > > Its own cert is not self-signed, but signed by ACME CA via S/MIME,
> > > maybe email is rfcSELF@example.com (no ACP IPv6 address in it)
> > >
> > > Now the ACP nodes actually use acpCA PLUS ACMA CA's as TA.
> > > After IKEv2 authenticates neigbor the followup ACP domain membership
> > > step checks if the TA of the peer is acpCA. If yes, then peer
> > > becomes ACP member, otherwise we have an authenticated signalling
> > > channel to an interdomain / different CA peer. And that of course
> > > would enable better/secure auto-configuration of such interdomain
> > > links.
> > >
> > > This gives me good mix of security: Its still only relying on
> > > well controlled private TA to get into ACP, but also doubles
> > > at less secure but best available "Internet/Interdomain"
> > > authentication.
> > >
> > > Cheers
> > >    Toerless
> > >
> > > On Sun, Jun 21, 2020 at 12:36:06PM -0400, Russ Housley wrote:
> > >>> On Jun 21, 2020, at 12:28 PM, Michael Richardson <
> mcr+ietf@sandelman.ca> wrote:
> > >>>
> > >>>
> > >>> Russ Housley <housley@vigilsec.com> wrote:
> > >>>> One cannot send email to the character string in this
> specification, so
> > >>>> it should not be carried in the rfc822name.
> > >>>
> > >>> You can send email to that character string if you configure the MX.
> > >>> It was designed specifically to accomodate that.
> > >>>
> > >>> I objected at the time: I thought it was a stupid feature, that no
> sensible IKEv2 daemon
> > >>> was going to have to send/receive email.
> > >>>
> > >>> But, Toerless was paranoid that if we did anything at all out of the
> > >>> ordinary, that the corporate CA people, in order to protect their
> fiefdom,
> > >>> would freak out and throw some huge roadblock in the way of
> deploying the ACP.
> > >>>
> > >>> And, now have an ACME method past WGLC that does certificate
> validation by
> > >>> SMTP.
> > >>
> > >> Looking at the email certificate enrollment work in the ACME WG
> (draft-ietf-acme-email-smime-08), I have a hard time seeing how the device
> that knows the private key could participate in such a protocol.  How do
> you see it working?
> > >>
> > >> Russ
> > >>
> > >
> > >
> > >
> > >> _______________________________________________
> > >> Anima mailing list
> > >> Anima@ietf.org
> > >> https://www.ietf.org/mailman/listinfo/anima
> > >
> > >
> > > --
> > > ---
> > > tte@cs.fau.de
>
> --
> ---
> tte@cs.fau.de
>
> _______________________________________________
> Anima mailing list
> Anima@ietf.org
> https://www.ietf.org/mailman/listinfo/anima
>

v2.23.0 | Report a Bug | By Email