Re: [dispatch] please dispatch draft-bhjl-x509-srv-02.xml
Eric Rescorla <ekr@rtfm.com> Sun, 21 August 2016 18:14 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: dispatch@ietfa.amsl.com
Delivered-To: dispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E115212B02C for <dispatch@ietfa.amsl.com>; Sun, 21 Aug 2016 11:14:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2BgKrBdUSb-l for <dispatch@ietfa.amsl.com>; Sun, 21 Aug 2016 11:14:15 -0700 (PDT)
Received: from mail-yb0-x232.google.com (mail-yb0-x232.google.com [IPv6:2607:f8b0:4002:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 225DD12D10D for <dispatch@ietf.org>; Sun, 21 Aug 2016 11:14:15 -0700 (PDT)
Received: by mail-yb0-x232.google.com with SMTP id a88so4690186ybi.0 for <dispatch@ietf.org>; Sun, 21 Aug 2016 11:14:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=FpNHVKBIzCjtz2JtOPUdFNYGLxkZZrv63LjDZPN9BdY=; b=DA+AGumdUShqPmIZ45CLXV+hTnMh3AcBT6p8yqOgamTmWW2QNQiDKhO6E4wdbKv0j4 Wq94f6ReAsvlhSDIc5CQAGhIRL0rOXDFir9Oq76itpJyoemHNk+QCHTwGO8MCHG2QCi/ AJzYevvZkpkftoAcupNM5Jaz7K3y2LdlLb5zBBEw/neziOvy918O1yt8pZYSky2imsDF Hrlru2qm2PMV573G/cwgdZIkMUY+5w/bVG0EMD0N3vFb1kjiHOxLLUFl0XQ94r+fdcer 0O791i2E6c9xT2/2amM7komgL8tpFJuT4zmc1PRHkvnsh6jny3Le0b+YnHF8GtneDFMG QSJw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=FpNHVKBIzCjtz2JtOPUdFNYGLxkZZrv63LjDZPN9BdY=; b=DSxUQUsQDomHlVZ1gdqBaSmHGDTDaGyiJHiXWzI6bVJxMPBfGT5pxc3SMhv+4TWyd0 dsLTdKcScrfIciX6QvQlOPMoYVBWAQcoYff29qfdaYRo5N0Xa24bBp7QT393u2AqYrlz w/Sahu6mTOZG1srREfsAf2TPFA+xB2oUBsH4SALkmTA4hqqT+uh6VjFOvQ+SXpJ6Wz5O Ti3vUbj16LVRTlGrcOxrqagL7ZawAkWpE+LbhRyf4myXaA6Q8KGqKaBbWseTndXH3gqa Fe04WMbMecaniqADrWhBz4FI6dazovtabREUN6ZLb9DVXmbvkMIg1TJDWkqZhAJZysz8 DIDw==
X-Gm-Message-State: AEkoouvGqLVvEPnNo8mDCGtLyHjeNAcgywYTBpi68SgZGbZj57mchc1jXdmB/5hoy49admjbav+NsafltOQ0tQ==
X-Received: by 10.37.3.198 with SMTP id 189mr14061432ybd.57.1471803254281; Sun, 21 Aug 2016 11:14:14 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.48.193 with HTTP; Sun, 21 Aug 2016 11:13:33 -0700 (PDT)
In-Reply-To: <20160821175145.26541.qmail@ary.lan>
References: <CABcZeBOvc0pO9=+SM3P5cc3JPs9i9O3Peaf2wwKbLGoQQvpsvA@mail.gmail.com> <20160821175145.26541.qmail@ary.lan>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 21 Aug 2016 11:13:33 -0700
Message-ID: <CABcZeBPrrG2LAuBaf26KaSykM0mCpJ9TssvbD8h_YA0058R-vQ@mail.gmail.com>
To: John Levine <johnl@taugh.com>
Content-Type: multipart/alternative; boundary="001a11c02dda26c8ae053a98e6b9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dispatch/InBXX6T0kZ7QvsEv--BvgnNpcIg>
Cc: DISPATCH <dispatch@ietf.org>
Subject: Re: [dispatch] please dispatch draft-bhjl-x509-srv-02.xml
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dispatch/>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Aug 2016 18:14:17 -0000
On Sun, Aug 21, 2016 at 10:51 AM, John Levine <johnl@taugh.com> wrote: > >Yeah, that seems like it might be OK in some sort of informational > document > >describing common practice, but this document is asking for Standards > >Track, and in that situation it seems like actually specifying one class > of > >behavior is the superior direction. > > Sure, if that were feasible. I see no chance at all of getting a > sufficient agreement that domains are authorititative, or that they > aren't. From what I've seen so far, few people have even thought > about it, and fewer still outside the context of whatever mail system > they personally are running. People at gmail said they're interested > in this, so I can ask if they've thought about it in the context of > a very large public mail system. > This seems like a potential indicator that this technology is not yet ready for standardization. >> Good point, MUST for https seems obvious. > > > >I don't just mean MUST for HTTP, but also encouraging the use of valid > >certs. > > OK. > > >> Again, this is out of RFC 4387. I was under the impression that the > >> client could look at the certs and see what chained to what. > > > >The text in 4387 is not maximally clear. It appears that perhaps the idea > >is that this is just EE certs. If it's a mix of multiple EE and chain > >certs, it's not reasonable to expect the RP to make sense of it. In any > >case, this text should be clear. > > I am not a great pkix expert, so pointers and suggestions are welcone. OK. I think the high order bit here is that there are two basic kinds of certs in play: - EE certs (i.e., the ones that allegedly correspond to the user in question) - Intermediate CA certs that somehow could be used to construct a chain to the EE. It's pretty common, at least on the Web, to have situations where there is 1 or more intermediate between the trust anchor and the EE cert (e.g., in the case where CAs are cross-signed), which is why you need the second bucket. Unfortunately, sad experience with the Web indicates that it's not really possible to construct a chain which is verifiable to all clients, so it's probably best to just have this be a "you might be interested in" class. As I said previously, I kind of suspect that 4387 just meant that the certs were all alternative EEs, but then you probably want some other way to get the intermediates for the reason listed above, but in any case you shouldn't just have them all in the same bucket. So, what's probably best is to concretize this by saying that this bucket is just for EE and then define some other mechanism for getting intermediates. -Ekr
- Re: [dispatch] please dispatch draft-bhjl-x509-sr… John R Levine
- Re: [dispatch] please dispatch draft-bhjl-x509-sr… Cullen Jennings (fluffy)
- Re: [dispatch] please dispatch draft-bhjl-x509-sr… John Levine
- Re: [dispatch] please dispatch draft-bhjl-x509-sr… Martin Thomson
- Re: [dispatch] please dispatch draft-bhjl-x509-sr… John Levine
- Re: [dispatch] please dispatch draft-bhjl-x509-sr… Martin Thomson
- [dispatch] please dispatch draft-bhjl-x509-srv-02… John R Levine
- Re: [dispatch] please dispatch draft-bhjl-x509-sr… John Levine
- Re: [dispatch] please dispatch draft-bhjl-x509-sr… Cullen Jennings (fluffy)
- Re: [dispatch] please dispatch draft-bhjl-x509-sr… John R Levine
- Re: [dispatch] please dispatch draft-bhjl-x509-sr… Cullen Jennings (fluffy)
- Re: [dispatch] please dispatch draft-bhjl-x509-sr… Eric Rescorla
- Re: [dispatch] please dispatch draft-bhjl-x509-sr… John R Levine
- Re: [dispatch] please dispatch draft-bhjl-x509-sr… Eric Rescorla
- Re: [dispatch] please dispatch draft-bhjl-x509-sr… Eric Rescorla
- Re: [dispatch] please dispatch draft-bhjl-x509-sr… John R Levine
- Re: [dispatch] please dispatch draft-bhjl-x509-sr… Cullen Jennings
- Re: [dispatch] please dispatch draft-bhjl-x509-sr… John Levine
- Re: [dispatch] please dispatch draft-bhjl-x509-sr… Wei Chuang
- Re: [dispatch] please dispatch draft-bhjl-x509-sr… Stephen Farrell
- Re: [dispatch] please dispatch draft-bhjl-x509-sr… John R Levine
- Re: [dispatch] please dispatch draft-bhjl-x509-sr… A. Schulze