Re: [Anima] representing ACP info in X.509 certs

Stephen Kent <stkent@verizon.net> Sat, 27 June 2020 16:35 UTC

To: Toerless Eckert <tte@cs.fau.de>
Cc: Brian E Carpenter <brian.e.carpenter@gmail.com>, "Owen Friel (ofriel)" <ofriel@cisco.com>, Eric Rescorla <ekr@rtfm.com>, rfcSELF+fd89b714F3db00000200000064000000+area51.research@acp.example.com, Anima WG <anima@ietf.org>
References: <ece7aed3-ede3-5546-4586-1d98d3f71183.ref@verizon.net> <ece7aed3-ede3-5546-4586-1d98d3f71183@verizon.net> <CABcZeBMncZSQOfYsoVS-ZZoSbqZGOg+vQ41OdzAejrRfVozhyQ@mail.gmail.com> <MN2PR11MB3901DD5D6176FEEA43EB9D72DB940@MN2PR11MB3901.namprd11.prod.outlook.com> <6981a76f-76f1-e9b2-319d-473c7a4bc847@verizon.net> <6c4e402f-cce6-daff-aa16-6159340f0802@gmail.com> <9c09debe-3463-a574-46cf-cee86a2c68af@verizon.net> <20200627141911.GA49753@faui48f.informatik.uni-erlangen.de>
From: Stephen Kent <stkent@verizon.net>
Message-ID: <e6a46fb5-491e-61cf-1dde-ffaca5988d0b@verizon.net>
Date: Sat, 27 Jun 2020 12:35:35 -0400
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/uzL-qglyc0aEQx4-Y0l0DkR1BCs>
Subject: Re: [Anima] representing ACP info in X.509 certs

Toerless,
> Dear Stephen,
>
> Thank you very much for your thoughts, but I do not think we can move
> the discussion ahead when it stops with non-technical opinion dropping
> statements like "lets not play games" (you) or "i do not think this
> is the right thing to do" (Ben/Russ).
>
> Could you please explain your assertion with technical arguments?

The ID goes to great lengths to justify the use of the rfc822Name field 
for this context, rather than defining a new data type.  If this was the 
obvious "right" thing to do, there would not need to be so much text 
justifying the choice ("The lady doth protest too much, methinks").

I am not an AD;  I don't have a vote on this. If PKIX were still an 
active WG, and if someone came to me and asked about the choice of 
identifier in the ACP context, I would say that it was a questionable 
choice, given 25+ years of experience with PKI standards and technologies.

As I noted in a prior message, when Netscape elected to shove a DNS name 
into the common name field, it was a questionable choice, and we have 
had to live with the result for 20+ years. Elliot Lear's messages 
suggest that this choice was motivated, at least in part, by 
expediency, but he believes that sometimes expediency is an OK 
justification in these matters. Personally, I don't, but, ...

Steve