IETF Logo Mail Archive

Re: [Anima] rfc822Name use in Autonomic Control Plane document

Benjamin Kaduk <kaduk@mit.edu> Wed, 17 June 2020 02:44 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F3ED3A0DD5 for <anima@ietfa.amsl.com>; Tue, 16 Jun 2020 19:44:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VR0SXCL7W9bZ for <anima@ietfa.amsl.com>; Tue, 16 Jun 2020 19:44:20 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B29C03A0DD3 for <anima@ietf.org>; Tue, 16 Jun 2020 19:44:19 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 05H2iDCT023380 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 16 Jun 2020 22:44:15 -0400
Date: Tue, 16 Jun 2020 19:44:12 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, anima@ietf.org, Russ Housley <housley@vigilsec.com>, sean+ietf@sn3rd.com
Message-ID: <20200617024412.GA11992@kduck.mit.edu>
References: <11428.1592266833@localhost> <a0face89-da68-f75d-4a57-4deb9d0f244d@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <a0face89-da68-f75d-4a57-4deb9d0f244d@gmail.com>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/vJLndL8MUT31h44O74XglJGSRBE>
Subject: Re: [Anima] rfc822Name use in Autonomic Control Plane document
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jun 2020 02:44:22 -0000

Hi Brian, Michael,

On Tue, Jun 16, 2020 at 02:14:24PM +1200, Brian E Carpenter wrote:
> On 16-Jun-20 12:20, Michael Richardson wrote:
> > 
> > Hi, I have had a few conversations with Toerless who is trying to deal with
> > the feedback on the ACP document.
> > 
> > An item that has come up is the use, or claimed abuse of the rfc822Name SAN.
> > 
> > We already had this debate.
> > Some time ago.  The WG decided.

With all due respect, this is not the sole decision of the ANIMA WG to
make.  If WGs had such authority then why bother with cross-area review?

> > Three or four years ago, I think.
> 
> Yes, this is relitigating an issue that was resolved a long time ago in discussing Ben's DISCUSS:

I'm not sure I understand why you use the word "resolved" here:

> https://mailarchive.ietf.org/arch/msg/anima/lnZ-ykqas487qih86sYNVsUGbsc

In this message, I say that "I still feel like this is not the best
architectural choice" and that I will provide a sketch of an alternative in
my (then-)forthcoming ballot position; that ballot position retains the
Discuss-level concern about rfc822Name usage along with the promised
alternative.

> The explanation is at https://tools.ietf.org/html/draft-ietf-anima-autonomic-control-plane-24#page-26

I appreciate that the attempted justification is clearly written; however,
I do not find it compelling.  Russ did not, either, and I just heard back
from Sean Turner a few days ago to confirm that he supports Russ's
comments.  (There should be a few other editorial-ish comments that came
out of that review that are still pending.)

> I believe it is incorrect IETF process to rediscuss this point yet again.

(I'm not sure if the "yet again" refers to "after the WG decided" or "after
the (alleged) resolution of my first Discuss point".)

If you believe the technical answer is clear and that I am in error to
continue to hold my Discuss point for it, are there not also clear IETF
processes to follow?  E.g., asking for the "Single Discuss" ballot procedure
described at https://www.ietf.org/standards/process/iesg-ballots/?  I
believe I have mentioned this option to Toerless previously; my apologies
if that is not the case.  While I'm willing to continue discussing the
topic and pull in additional PKIX experts to weigh in, there is perhaps
some consideration to matters of expediency.

> > 
> > I sure wish that we could use something else.
> > But, CAs and CA software make that very difficult.
> > 
> > Given that the era of publically anchored Enterprise CAs is dead, there are
> > only two ways an (Enterprise) ACP Registrar is going to occur.
> > 
> > 1) by running a private CA.
> >    Sure anything is possible if you are writing your own code, but
> >    most will not be doing that. (I've supported otherName in my code for
> >    other purposes, and it's not that difficult, but it's not trivial either)
> >    My experience with COTS CA systems it that it's really hard to
> >    get them to do it.    Please prove me wrong.

(Sadly, I have zero experience with COTS CA systems; I know too much about
openssl at this point and would presumably be writing my own, in this
position.)

> >    The most popular Enterprise CA software is the Microsoft CA.
> > 
> > 2) by using ACME to speak to a hosted CA.  Maybe WebPKI, maybe not.
> >    Either way, getting otherName supported is even harder, because
> >    nobody else uses it.

Is the concern the ACME protocol support or just getting the hosted CA to
cope with it?  The former seems like something that we could make happen in
the IETF, and the latter seems to have high overlap with point (1).

> > If we can't depend upon otherName being filled in, then we have to look for
> > two things.  That means more code paths (two more) to test, more test
> > vectors, and what exactly does an end point do when both are present, BUT
> > THEY DO NOT MATCH?  So three more pages of text there.
> > Remember, that just rejecting the certificate means that we have to send out
> > a truck, which is what ACP aims to avoid, so that won't be popular.
> > And of course, there could also be bugs (maybe even CVEs) in the code that
> > tries to deal with the tie.

To be honest, this argument feels like a stronger one to me than the bits
in the -24.  I'm still not willing to accept into the RFC Series a document
that violates the rules set down by the specification for the technology
it's making use of, but the refocus on the "running code" aspect is
appreciated.

-Ben

v2.23.0 | Report a Bug | By Email