Re: [Anima] representing ACP info in X.509 certs

"Owen Friel (ofriel)" <ofriel@cisco.com> Tue, 23 June 2020 03:31 UTC

From: "Owen Friel (ofriel)" <ofriel@cisco.com>
To: Eric Rescorla <ekr@rtfm.com>, Stephen Kent <stkent=40verizon.net@dmarc.ietf.org>
CC: Anima WG <anima@ietf.org>
Date: Tue, 23 Jun 2020 03:31:45 +0000
Message-ID: <MN2PR11MB3901DD5D6176FEEA43EB9D72DB940@MN2PR11MB3901.namprd11.prod.outlook.com>
References: <ece7aed3-ede3-5546-4586-1d98d3f71183.ref@verizon.net> <ece7aed3-ede3-5546-4586-1d98d3f71183@verizon.net> <CABcZeBMncZSQOfYsoVS-ZZoSbqZGOg+vQ41OdzAejrRfVozhyQ@mail.gmail.com>
In-Reply-To: <CABcZeBMncZSQOfYsoVS-ZZoSbqZGOg+vQ41OdzAejrRfVozhyQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/lYpO9vZNIHhJuXS4YF0dKhtQT5c>
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>

Being completely pedantic about the RFC5280 text, nowhere in the text does it say that rfc822Name cannot be used for anything but email address. It does state multiple times that an email address must be represented as an rfc822Name, but places no explicit restrictions on what an rfc822Name may represent. The text as is does not explicitly preclude use of rfc822Name for ACP. This may be the widespread understanding of what RFC5280 means, but it's not strictly what it says…

From: Anima <anima-bounces@ietf.org> On Behalf Of Eric Rescorla
Sent: 21 June 2020 09:26
To: Stephen Kent <stkent=40verizon.net@dmarc.ietf.org>
Cc: Anima WG <anima@ietf.org>
Subject: Re: [Anima] representing ACP info in X.509 certs

This matches my understanding as well.

One thing that's not clear to me: is the expectation that you will be using a public CA or that you will be using an enterprise-level one?

-Ekr


On Sat, Jun 20, 2020 at 5:03 PM Stephen Kent <stkent=40verizon.net@dmarc.ietf.org> wrote:

Folks,

My perspective matches what Russ & Ben have suggested, i.e., use of rfc822Name is inappropriate for this context. RFC 5280 is very clear about the intended use of the rfc822Name field in a cert and the proposed use in the anima context is inconsistent with 5280 text. A reasonable, appropriate way forward is to define a new otherName type for the anima context.

Steve
_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima
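The thread turns on what a relying party may assume about each SubjectAltName type: under RFC 5280, an rfc822Name is an email address, while an otherName carries its own type OID and so is self-describing. The following is an added example, not code from any of the posters or from the ANIMA drafts: it hand-builds the DER for a GeneralNames value, parses it back, and shows how a generic RFC 5280 consumer classifies the two encodings being debated. The OID `1.3.6.1.4.1.99999.1` is a constructed placeholder (no ACP otherName OID had been assigned at the time of this thread), and the node identifier strings are constructed sample values; the parser also decodes dNSName, which the thread does not mention, so that unrelated SAN entries are not mistaken for either type.

```python
"""Added example: DER encode/parse of X.509 GeneralNames, showing why an
identifier placed in rfc822Name is indistinguishable from an email address
to an RFC 5280 relying party, whereas an otherName is dispatched by OID."""
from typing import List, Tuple

PLACEHOLDER_ACP_OID = "1.3.6.1.4.1.99999.1"  # constructed placeholder, not a registered OID


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + ln > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:pos + ln], pos + ln


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                # base-128, high bit set on all but last octet
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return _tlv(0x06, bytes(body))


def decode_oid(body: bytes) -> str:
    arcs, n = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)


# GeneralName constructors; RFC 5280's module uses IMPLICIT tags.
def rfc822_name(addr: str) -> bytes:
    return _tlv(0x81, addr.encode("ascii"))          # [1] IA5String


def other_name(type_oid: str, ia5_value: str) -> bytes:
    # OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }, carried
    # as GeneralName [0] IMPLICIT, so the outer and inner tags are both 0xA0.
    inner = encode_oid(type_oid) + _tlv(0xA0, _tlv(0x16, ia5_value.encode("ascii")))
    return _tlv(0xA0, inner)


def general_names(*names: bytes) -> bytes:
    return _tlv(0x30, b"".join(names))               # SEQUENCE OF GeneralName


def parse_general_names(der: bytes) -> List[Tuple[str, str]]:
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("GeneralNames must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0x81:
            names.append(("rfc822Name", val.decode("ascii")))
        elif tag == 0x82:
            names.append(("dNSName", val.decode("ascii")))
        elif tag == 0xA0:
            otag, oid_body, p = _read_tlv(val, 0)
            vtag, explicit, _ = _read_tlv(val, p)
            if otag != 0x06 or vtag != 0xA0:
                raise ValueError("malformed OtherName")
            _, value, _ = _read_tlv(explicit, 0)     # this example expects an IA5String payload
            names.append(("otherName:" + decode_oid(oid_body), value.decode("ascii")))
        else:
            names.append((f"tag-{tag:#04x}", val.hex()))
    return names


def classify(names):
    """RFC 5280 relying-party view: every rfc822Name is an email address; only
    an otherName under the expected OID is recognised as an ACP identifier."""
    emails, acp, other = [], [], []
    for kind, value in names:
        if kind == "rfc822Name":
            emails.append(value)
        elif kind == "otherName:" + PLACEHOLDER_ACP_OID:
            acp.append(value)
        else:
            other.append((kind, value))
    return emails, acp, other


def build_sample_san() -> bytes:
    """Constructed SAN: a real email plus an ACP identifier in its own otherName."""
    return general_names(rfc822_name("admin@example.com"),
                         other_name(PLACEHOLDER_ACP_OID, "node-1.acp.example.com"))


def build_overloaded_san() -> bytes:
    """Constructed SAN that puts the ACP identifier into rfc822Name instead."""
    return general_names(rfc822_name("node-1@acp.example.com"))


if __name__ == "__main__":
    for san in (build_sample_san(), build_overloaded_san()):
        names = parse_general_names(san)
        print(names, "->", classify(names))
```

Running it shows the practical difference behind Steve's recommendation: the overloaded certificate's ACP identifier lands in the `emails` bucket of any consumer that follows RFC 5280 (and is subject to rfc822Name name constraints), while the otherName form is only ever interpreted by code that knows the OID.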