Re: [Anima] a multiplicity of pinned certificates

Kent Watsen <kwatsen@juniper.net> Mon, 03 December 2018 17:00 UTC

From: Kent Watsen <kwatsen@juniper.net>
To: Michael Richardson <mcr@sandelman.ca>, "anima@ietf.org" <anima@ietf.org>
Thread-Topic: a multiplicity of pinned certificates
Date: Mon, 03 Dec 2018 17:00:14 +0000
Message-ID: <E967EC8A-E665-4F60-994E-96D40A074B92@juniper.net>
References: <153826253306.18743.9250084704876465818@ietfa.amsl.com> <153874289877.989.15433226866680411112@ietfa.amsl.com> <24358.1543530974@dooku.sandelman.ca> <480.1543543174@dooku.sandelman.ca> <E79F03FA-E4D7-4ED1-9552-F00300C6DD9D@juniper.net> <3750.1543764960@dooku.sandelman.ca>
In-Reply-To: <3750.1543764960@dooku.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/_jw3zOREm9Nw50UGAlLETq1v0I4>
Subject: Re: [Anima] a multiplicity of pinned certificates
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>


>    > Separately, as long as we're raising issues with RFC 8366, I strongly
>    > believe that the pinned-domain-certificate should've been a list of
>    > certificates.  Or, in crypto-types [1] terms, a trust-anchor-cert-cms,
>    > not a trust-anchor-cert-x509.  To enable the pinned-domain-certificate
>    > for an intermediate CA to be a chain that includes the root self-signed
>    > certificate, thus supporting tooling unable to validate partial-chains.
>
> I believe that a future version could make this change relatively easily,
> particularly if we do it quickly. Distinguishing between arrays of 1-element
> and single-items isn't that difficult in the serializations we have.

By "future version", do you mean an rfc8366bis?

If open to that, I could draft an I-D...

K.