IETF Logo Mail Archive

Re: [Curdle] Key examples in draft-ietf-curdle-pkix-03

Benjamin Kaduk <kaduk@mit.edu> Sat, 17 December 2016 03:27 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 953AF1294E8 for <curdle@ietfa.amsl.com>; Fri, 16 Dec 2016 19:27:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-2.896, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 82k8Uh3F7JnZ for <curdle@ietfa.amsl.com>; Fri, 16 Dec 2016 19:27:04 -0800 (PST)
Received: from dmz-mailsec-scanner-1.mit.edu (dmz-mailsec-scanner-1.mit.edu [18.9.25.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1951E129489 for <curdle@ietf.org>; Fri, 16 Dec 2016 19:27:03 -0800 (PST)
X-AuditID: 1209190c-b5fff700000004b7-8a-5854b0854781
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id E2.87.01207.580B4585; Fri, 16 Dec 2016 22:27:02 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id uBH3R15A021293; Fri, 16 Dec 2016 22:27:01 -0500
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id uBH3QwIS017198 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Fri, 16 Dec 2016 22:27:00 -0500
Date: Fri, 16 Dec 2016 21:26:58 -0600
From: Benjamin Kaduk <kaduk@mit.edu>
To: "curdle@ietf.org" <curdle@ietf.org>
Message-ID: <20161217032657.GU8460@kduck.kaduk.org>
References: <20161214105434.418FAADD1C@smtp.postman.i2p> <20161214121515.GA10791@LK-Perkele-V2.elisa-laajakaista.fi> <CAF8qwaCWAx8Vp67VZz4G5DQpTGf5DX-sMN+1i40acgCYT8_NVA@mail.gmail.com> <002501d25760$a75c0bb0$f6142310$@augustcellars.com> <808d6563f5f54acfb1a795769dc84402@usma1ex-dag1mb1.msg.corp.akamai.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <808d6563f5f54acfb1a795769dc84402@usma1ex-dag1mb1.msg.corp.akamai.com>
User-Agent: Mutt/1.6.1 (2016-04-27)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFmpkleLIzCtJLcpLzFFi42IRYrdT123bEBJhsHI3h8XWhbOYLXZ/NXVg 8pjdcJHFY8mSn0wBTFFcNimpOZllqUX6dglcGe9+vmYrWMVT8flbE0sD4wfOLkZODgkBE4lV D34wdTFycQgJtDFJLFp9hhUkISSwkVHiyMJ0iMRVJonve/vZQRIsAqoS965OYAOx2QRUJBq6 LzOD2CIC6hInDu0AaubgYBbQk3j1RRMkLCxgL/F63zFGEJtXwFii5VkXO8TMPUwS/6d8YYNI CEqcnPmEBcRmBprzZ94lZog50hLL/3FAhOUlmrfOBlvFKRAscf/EbyYQW1RAWaJhxgPmCYyC s5BMmoVk0iyESbOQTFrAyLKKUTYlt0o3NzEzpzg1Wbc4OTEvL7VI11AvN7NELzWldBMjKKQ5 JXl2MJ5543WIUYCDUYmH98Cf4Agh1sSy4srcQ4ySHExKorxT1oZECPEl5adUZiQWZ8QXleak Fh9ilOBgVhLhDVwNlONNSaysSi3Kh0lJc7AoifNeynSPEBJITyxJzU5NLUgtgsnKcHAoSfC+ XgfUKFiUmp5akZaZU4KQZuLgBBnOAzS8DmQxb3FBYm5xZjpE/hSjopQ47x2QZgGQREZpHlwv KOVIZO+vecUoDvSKMO/u9UBVPMB0Bdf9CmgwE9Bgi3nBIINLEhFSUg2Mc+YL+5+6G/si4NiS ZVeP9u+UM6l6lcBwSENL6v3RS78blH/vd0nfn/8k+4aUxMy40Nr7rF5O2ldStuYFLo1OWy0y wVtwxz+l6+lbpF1+TNL7pLaHSeies97pOdIFD4O6767UXvvl6qSQWRfq+9MzFeTOGyhfO1Z/ sbbcN0Lxa7N0eN+t6iWCSizFGYmGWsxFxYkAqp5JTBQDAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/PMMZijJ2Ub9LPvyo_onSW3h6bJ8>
Cc: 'David Benjamin' <davidben@chromium.org>
Subject: Re: [Curdle] Key examples in draft-ietf-curdle-pkix-03
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Dec 2016 03:27:05 -0000

On Fri, Dec 16, 2016 at 01:06:01PM +0000, Salz, Rich wrote:
> > I believe that the OpenSSL people would be sad if we changed this at this
> > time.  I did some interop testing with their developers before the last version
> > was released and the OCTET STRING wrapper on the private key is what we
> > were doing at the time.
> 
> Speaking as an individual, yes.  Please don’t change this.

It's a fairly frustrating feeling for a protocol designer to be hedged
in to a particular behavior because an implementation of a draft version
escaped into the wild and the change is not worth the pain of breaking
interoperability.  This happens all over the place, not just here, of course,
which leads to the question of what can we do to avoid getting locked into
the draft interfaces.  It's easy to point fingers and say that the
software authors should know to have a transition strategy if they ship
a protocol that is explicitly a work in progress, but that doesn't really
seem very productive.  The TLS 1.3 story seems fairly reasonable, with
a scheme to indicate support for a specific draft version as opposed to
having to squat on the version number for the final protcol, but that
seems to have evolved semi-organically as I understand it, with informal
contact among the early implementors.  Should all drafts burn a set of
codepoints and map them to the given draft versions?  Probably not.
Should they think about it?  Maybe.  Are there other techniques that
we can use to help software authors avoid shooting the ecosystem in the foot?

-Ben

v2.23.0 | Report a Bug | By Email