[Anima] rfc822Name "abuse" in Autonomic Control Plane document

Michael Richardson <mcr+ietf@sandelman.ca> Tue, 16 June 2020 00:20 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 63DE43A0F13 for <anima@ietfa.amsl.com>; Mon, 15 Jun 2020 17:20:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id Fx6UZT2YL6z1 for <anima@ietfa.amsl.com>; Mon, 15 Jun 2020 17:20:37 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 32D613A0F12 for <anima@ietf.org>; Mon, 15 Jun 2020 17:20:35 -0700 (PDT)
Received: from localhost (localhost []) by tuna.sandelman.ca (Postfix) with ESMTP id B550038A20; Mon, 15 Jun 2020 20:18:00 -0400 (EDT)
Received: from tuna.sandelman.ca ([]) by localhost (localhost []) (amavisd-new, port 10024) with LMTP id bIWh4PZ3G5HW; Mon, 15 Jun 2020 20:17:59 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca []) by tuna.sandelman.ca (Postfix) with ESMTP id A4E7638A1B; Mon, 15 Jun 2020 20:17:59 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 58A2435C; Mon, 15 Jun 2020 20:20:33 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: anima@ietf.org
cc: Russ Housley <housley@vigilsec.com>, kaduk@mit.edu
X-Attribution: mcr
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Mon, 15 Jun 2020 20:20:33 -0400
Message-ID: <11428.1592266833@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/WZmA8jOhXqKYdwFphTzG48kNlfM>
Subject: [Anima] rfc822Name "abuse" in Autonomic Control Plane document
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jun 2020 00:20:40 -0000

Hi, I have had a few conversations with Toerless who is trying to deal with
the feedback on the ACP document.

An item that has come up is the use, or claimed abuse of the rfc822Name SAN.

We already had this debate.
Some time ago.  The WG decided.
Three or four years ago, I think.

I sure wish that we could use something else.
But, CAs and CA software make that very difficult.

Given that the era of publically anchored Enterprise CAs is dead, there are
only two ways an (Enterprise) ACP Registrar is going to occur.

1) by running a private CA.
   Sure anything is possible if you are writing your own code, but
   most will not be doing that. (I've supported otherName in my code for
   other purposes, and it's not that difficult, but it's not trivial either)
   My experience with COTS CA systems it that it's really hard to
   get them to do it.    Please prove me wrong.
   The most popular Enterprise CA software is the Microsoft CA.

2) by using ACME to speak to a hosted CA.  Maybe WebPKI, maybe not.
   Either way, getting otherName supported is even harder, because
   nobody else uses it.

If we can't depend upon otherName being filled in, then we have to look for
two things.  That means more code paths (two more) to test, more test
vectors, and what exactly does an end point do when both are present, BUT
THEY DO NOT MATCH?  So three more pages of text there.
Remember, that just rejecting the certificate means that we have to send out
a truck, which is what ACP aims to avoid, so that won't be popular.
And of course, there could also be bugs (maybe even CVEs) in the code that
tries to deal with the tie.

Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-