Re: [Anima] No certs for noreply (was: Re: Russ: Re: rfc822Name use in Autonomic Control Plane) document
Toerless Eckert <tte@cs.fau.de> Mon, 29 June 2020 14:21 UTC
Date: Mon, 29 Jun 2020 16:21:24 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: Russ Housley <housley@vigilsec.com>
Cc: Brian Carpenter <brian.e.carpenter@gmail.com>, Michael Richardson <mcr+ietf@sandelman.ca>, Ben Kaduk <kaduk@mit.edu>, anima@ietf.org, barryleiba@computer.com
Message-ID: <20200629142124.GE16571@faui48f.informatik.uni-erlangen.de>
References: <9406.1592756905@localhost> <3A92516D-B980-4231-9059-EF7234BA8610@vigilsec.com> <20200627054056.GA35664@faui48f.informatik.uni-erlangen.de> <FF181E1F-2B93-47BB-AB45-7F66D880108B@vigilsec.com> <0bec7478-2661-71fe-2263-d0f5d3e75ba9@gmail.com> <020EE6AB-26B3-419B-8D5D-F573891E7293@vigilsec.com> <20200628000654.GD41058@faui48f.informatik.uni-erlangen.de> <7A22A1E0-D5E6-408F-8D15-31E09BCCF849@vigilsec.com> <20200628170128.GB16571@faui48f.informatik.uni-erlangen.de> <0E9FB38C-B615-4A4D-876C-D27F3C8DA288@vigilsec.com>
In-Reply-To: <0E9FB38C-B615-4A4D-876C-D27F3C8DA288@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/UMGs3TQLmpoWkbPPHYzgIR6gxNQ>
Subject: Re: [Anima] No certs for noreply (was: Re: Russ: Re: rfc822Name use in Autonomic Control Plane) document
On Mon, Jun 29, 2020 at 09:59:09AM -0400, Russ Housley wrote:
> > Wrt the technical argument:
> >
> > noreply@example.com is an interesting example, because I hate receiving these
> > emails, so I would LOVE to see a normative RFC saying that these types of
> > email addresses MUST NOT get certificates. However, technically I think that
> > is not defensible, because obviously (to me) it's perfectly valid for a
> > mailbox to not receive or not to send emails. It's to me just a controlled subject
> > with a name/address.
> >
> > And customer harassment departments are of course also
> > interested to be protected from phishing and the like, so they will
> > of course also use certificates for mails from noreply@example.com as soon
> > as enough customers would understand security (*sigh*). And I am willing
> > to take any bet with you that there will be nothing from the IETF that
> > normatively says this should not be done.
>
> No. I do not agree. The noreply@example.com mailbox is not ever used to
> communicate with the party that holds the private key. So, it should not be
> bound to the subject public key in a certificate.

Why can noreply@example.com not have the private key for the certificate which has noreply@example.com in its rfc822Name?

Are you excluding the option for any validation procedure that does not include an actual "challenge" email to the email address?

Remember that in a private PKI environment ALL names in a certificate could be assigned to the entity based on a validation that by itself may not show up in the certificate at all.

E.g.: When I become an employee of a company, someone might see my driver's license, but the company PKI generated cert for me in that enrollment process would not have any info from that driver's license, but just my name in the SN and company email address in the rfc822Name SAN. On a USB TPM stick. To sign my email, or whatever else.

Oh, and I was hired to be responsible for sending harassment emails to customers, so I get a second USB TPM stick to use specifically for this job role and it has only an rfc822Name email address with noreply@example.com.

Cheers
    Toerless

> Russ
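The setup described in the message above, as an added example written for this page (it is not code from the thread, from the ANIMA working group or from any ACP implementation), using only Go's standard crypto/x509: a private CA issues a personal certificate with a CN plus a SAN rfc822Name, and a separate role certificate whose only name is the SAN rfc822Name noreply@example.com. A relying-party routine then verifies the chain and matches a From address against the SAN rfc822Name values. Nothing in that check contacts the mailbox; the binding is whatever the issuing CA validated at enrollment, which is exactly the case the message makes. The CA name "Example Corp Employee CA", the employee "Jane Employee" and the address jane@example.com are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// PKI is the constructed example: a private CA, a personal certificate (CN plus
// SAN rfc822Name) and a role certificate whose only name is the SAN rfc822Name.
type PKI struct {
	Roots    *x509.CertPool
	Personal *x509.Certificate
	Role     *x509.Certificate
}

// mustIssue makes a fresh P-256 key for tmpl (on the USB token, in the thread's
// setup) and has the CA sign it; a nil caKey self-signs, which creates the root.
func mustIssue(tmpl, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if caKey == nil {
		caKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// leaf is an email-protection end-entity template; callers add the names.
func leaf(serial int64) x509.Certificate {
	return x509.Certificate{
		SerialNumber: big.NewInt(serial),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
}

func buildPKI() *PKI {
	ca := leaf(1)
	ca.Subject = pkix.Name{CommonName: "Example Corp Employee CA"} // hypothetical
	ca.IsCA, ca.BasicConstraintsValid, ca.KeyUsage, ca.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
	caCert, caKey := mustIssue(&ca, &ca, nil)
	// Enrollment evidence (a driver's licence, in the thread) never appears in
	// the certificate; only the names the CA assigned do.
	personal := leaf(2)
	personal.Subject = pkix.Name{CommonName: "Jane Employee"} // hypothetical
	personal.EmailAddresses = []string{"jane@example.com"}    // SAN rfc822Name
	// Role certificate: empty subject, so the SAN rfc822Name is the only name
	// (Go then marks the SAN extension critical, per RFC 5280 section 4.2.1.6).
	role := leaf(3)
	role.EmailAddresses = []string{"noreply@example.com"}
	p := &PKI{Roots: x509.NewCertPool()}
	p.Roots.AddCert(caCert)
	p.Personal, _ = mustIssue(&personal, caCert, caKey)
	p.Role, _ = mustIssue(&role, caCert, caKey)
	return p
}

// rfc822NameEqual follows RFC 5280 section 7.5: the domain part is compared
// case-insensitively, the local part case-sensitively.
func rfc822NameEqual(a, b string) bool {
	ia, ib := strings.LastIndex(a, "@"), strings.LastIndex(b, "@")
	if ia < 0 || ib < 0 {
		return false
	}
	return a[:ia] == b[:ib] && strings.EqualFold(a[ia+1:], b[ib+1:])
}

// senderCoveredBy is the relying-party check: cert must chain to roots for email
// protection and carry from as a SAN rfc822Name. Nothing here contacts the mailbox.
func senderCoveredBy(cert *x509.Certificate, roots *x509.CertPool, from string) (bool, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if _, err := cert.Verify(opts); err != nil {
		return false, err
	}
	for _, name := range cert.EmailAddresses { // Go's parsed SAN rfc822Name values
		if rfc822NameEqual(name, from) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	p := buildPKI()
	ok, err := senderCoveredBy(p.Role, p.Roots, "noreply@example.com")
	fmt.Printf("role cert (subject %q) covers noreply@example.com: %v %v\n", p.Role.Subject.String(), ok, err)
}
```

The check reads only the subjectAltName; the deprecated emailAddress attribute in the subject DN is never consulted, and the role certificate has no subject DN at all. Whether a CA should issue that second certificate is the question the thread is arguing about; the code only shows that on the relying-party side nothing depends on the mailbox being able to send or receive.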