Re: [Anima] Alexey Melnikov's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

"Alexey Melnikov" <aamelnikov@fastmail.fm> Fri, 19 July 2019 11:37 UTC

Date: Fri, 19 Jul 2019 12:36:45 +0100
From: Alexey Melnikov <aamelnikov@fastmail.fm>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: draft-ietf-anima-bootstrapping-keyinfra@ietf.org, tte+ietf@cs.fau.de, anima-chairs@ietf.org, The IESG <iesg@ietf.org>, anima@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/ltbMdhVz08629wF62mGHngpJFM4>

On Fri, Jul 19, 2019, at 12:30 AM, Michael Richardson wrote:
> 
> Alexey Melnikov <aamelnikov@fastmail.fm> wrote:
>     >> > o In the language of [RFC6125] this provides for a SERIALNUM-ID
>     >> > category of identifier that can be included in a certificate and
>     >> > therefore that can also be used for matching purposes.  The
>     >> > SERIALNUM-ID whitelist is collated according to manufacturer trust
>     >> > anchor since serial numbers are not globally unique.
> 
>     > This is actually not helping. I was looking for something like:
> 
>     >   DNS-ID = a subjectAltName entry of type dNSName
> 
>     > Basically I was asking for a definition of SERIALNUM-ID somewhere.
> 
> It's a (subject)DN of serial number=123456, not a subjectAltName.
> (not the CertificateSerialNumber)

In this case, you need to use CN-ID as the base for the definition. The important part there is that the RDN can't be repeated multiple times in a DN. If it is, that would make the whole DN not suitable for use à la RFC 6125.

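As an added illustration of the point above (example code, not from the draft or from either participant): the SERIALNUM-ID is taken from the serialNumber attribute of the subject DN (X.520 6.2.9, RFC 5280 4.1.2.4), a DN in which that attribute is missing or repeated is rejected instead of matched, and the whitelist lookup is collated per manufacturer trust anchor because serial numbers are not globally unique. The function names, the issuer-DN keying and the "Acme Devices" sample are assumptions.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// id-at-serialNumber (X.520 6.2.9, RFC 5280 4.1.2.4): the subject DN attribute
// that carries the SERIALNUM-ID. It is unrelated to the CertificateSerialNumber.
var oidSerialNumber = asn1.ObjectIdentifier{2, 5, 4, 5}

// SerialNumID extracts the SERIALNUM-ID from a DER subject Name (cert.RawSubject
// in crypto/x509). A DN with serialNumber absent or repeated is rejected, not matched.
func SerialNumID(rawSubject []byte) (string, error) {
	var subject pkix.RDNSequence
	rest, err := asn1.Unmarshal(rawSubject, &subject)
	if err != nil || len(rest) != 0 {
		return "", fmt.Errorf("malformed subject DN (err=%v, %d trailing bytes)", err, len(rest))
	}
	var found []string
	for _, rdn := range subject { // each RDN is a SET and may be multi-valued
		for _, atv := range rdn {
			if s, ok := atv.Value.(string); ok && atv.Type.Equal(oidSerialNumber) {
				found = append(found, s)
			}
		}
	}
	if len(found) != 1 {
		return "", fmt.Errorf("subject DN has %d serialNumber attributes, want exactly 1", len(found))
	}
	return found[0], nil
}

// Allowed looks the SERIALNUM-ID up in a whitelist collated per manufacturer trust
// anchor (keyed here by issuer DN string), as serial numbers are only unique per manufacturer.
func Allowed(wl map[string]map[string]bool, issuer pkix.Name, rawSubject []byte) (bool, error) {
	sn, err := SerialNumID(rawSubject)
	if err != nil {
		return false, err
	}
	return wl[issuer.String()][sn], nil
}

func main() {
	acme := pkix.Name{Organization: []string{"Acme Devices"}} // constructed sample manufacturer
	wl := map[string]map[string]bool{acme.String(): {"SN-0001": true}}
	dev, _ := asn1.Marshal(pkix.Name{CommonName: "device", SerialNumber: "SN-0001"}.ToRDNSequence())
	fmt.Println(Allowed(wl, acme, dev)) // true <nil>
}
```

In a real verifier the bytes passed to SerialNumID come from the parsed IDevID's RawSubject and the issuer from its Issuer field, after the chain has been validated against the manufacturer trust anchor.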
> It's X.520.. via 802.1AR and RFC5280 section 4.1.2.4.
> https://www.itu.int/rec/dologin_pub.asp?lang=e&id=T-REC-X.520-201610-I!!PDF-E&type=items
> section 6.2.9.
> 
>     o  Client authentication is automated using Initial Device Identity
>        (IDevID) as per the EST certificate based client authentication.
>        The subject field's DN encoding MUST include the "serialNumber"
> -      attribute with the device's unique serial number.
> +      attribute with the device's unique serial number as explained in
> +      Section 2.3.1
>  
> -   o  This extends the informal set of "identifer type" values defined
> -      in [RFC6125] to include a SERIALNUM-ID category of identifier that
> -      can be included in a certificate and therefore that can also be
> -      used for matching purposes.  As noted in that document this is not