Re: [Iotops] [Uta] How should we change draft-ietf-use-san?

Brian Smith <brian@briansmith.org> Thu, 22 April 2021 16:58 UTC

References: <F538FFD7-D172-4AEE-82DD-CF6F93936C3B@akamai.com> <D341C730-EBA1-4BF5-B200-0BE1A4B8A1D0@cisco.com> <413CBCFE-1FDF-458E-9F0E-E3D58F86E5D9@bluepopcorn.net> <A5B94C6E-419D-454E-92E8-FEEB5F8EDE17@cisco.com> <8A41ED29-2448-4633-AC45-33DE98A6BC81@akamai.com> <7B51BB81-1C9D-4B2F-AF83-1E528E620AE7@cisco.com> <CAFewVt4Pm6-T3XC65uEceuzpXjNubEYLWY9h1cmHdNBPcpOVXQ@mail.gmail.com> <42739D1C-004F-4DAD-8023-8E9731B46E05@cisco.com> <CAFewVt57M=o=2FOsCi4s_wZ-KQbZFZQiBCQZAEgtZB4HtFvtnw@mail.gmail.com> <CA66BC31-B56B-4E4C-A3D6-F5C36FD54B38@cisco.com> <CAFewVt4XcBd0MWmtcM4kZzqQ3EQVM=t8-eqqpDMtfgNmV92u1Q@mail.gmail.com> <4233FD89-F22D-4D09-8280-8D43453E6BD7@cisco.com> <CAFewVt4eB5de2eJKupBCk_DbtSaAUGGoRETSXZrDWVxfTFcWBQ@mail.gmail.com> <B9193ABC-3E17-4110-B1B4-207383CCCD8F@cisco.com>
In-Reply-To: <B9193ABC-3E17-4110-B1B4-207383CCCD8F@cisco.com>
From: Brian Smith <brian@briansmith.org>
Date: Thu, 22 Apr 2021 09:58:05 -0700
Message-ID: <CAFewVt7=Lh7sunDEcYJESZHOLsYSyOycmwWmAeYBYDED8sCavg@mail.gmail.com>
To: Eliot Lear <lear@cisco.com>
Cc: "Salz, Rich" <rsalz@akamai.com>, Jim Fenton <fenton@bluepopcorn.net>, "uta@ietf.org" <uta@ietf.org>, iotops@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/iotops/_Ktd7ZWYASZCfcgjS4AB3tZF9EM>

Eliot Lear <lear@cisco.com> wrote:

> Actually, according to 802.1AR-2009, the subject MUST contain a DN with
> serial number, and it may contain a SAN (e.g., don’t count on it).
> That’s the major concern. To me, the rest is really negotiable.
>

OK, great. I don't think what Rich or what I'm proposing is in conflict
with that at all.

The idea here is to tell certificate verifiers (relying parties):
* If you're looking for a DNS name in a certificate, only look in the
subjectAltName; don't look in the Subject Common Name.
* If you're looking for an IP address in a certificate, only look in the
subjectAltName; don't look in the Subject Common Name.

That's it.

In the case of 802.1AR-2009, the verifier is to look for a distinguished
name (either the Subject or a directoryName subjectAltName), not a DNS name
or an IP address, so the proposed guidance wouldn't apply.

Note that RFC 6125 punted on IP addresses because they weren't commonly
used in certificates in the working group's judgement at the time, but now
I think it is clear that an update to RFC 6125 should address IP addresses
too.

Cheers,
Brian
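An added illustration of the verifier rule stated in the message above (this is example code written for this page, not code from Brian Smith, the draft, or any IETF project). It assumes a certificate has already been parsed into a plain Python structure (`ParsedCert`, a hypothetical stand-in for a real X.509 parser's output) and shows three reference-identifier checks: a DNS-ID check that consults only dNSName SAN entries, an IP-ID check that consults only iPAddress SAN entries (with `ipaddress` doing canonical comparison so an IPv6 reference in expanded form still matches), and the 802.1AR-style distinguished-name check against either the Subject or a directoryName SAN. A `legacy_cn_fallback_dns` function is included only to show the behaviour the guidance rules out. The wildcard policy (whole left-most label, one label, at least two labels after it) is a conservative reading of RFC 6125 section 6.4.3 chosen for this example. All certificate values are constructed.

```python
"""Reference-identifier matching that looks only at subjectAltName.

Added example, not code from the thread.  ParsedCert is a hypothetical
stand-in for a real X.509 parser's output; all sample values are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# A distinguished name as an ordered tuple of (attribute, value) pairs.
DN = Tuple[Tuple[str, str], ...]


@dataclass
class ParsedCert:
    subject: DN                                            # Subject DN
    san_dns: List[str] = field(default_factory=list)       # dNSName entries
    san_ip: List[str] = field(default_factory=list)        # iPAddress entries (text form)
    san_directory: List[DN] = field(default_factory=list)  # directoryName entries


def subject_cn(cert: ParsedCert) -> Optional[str]:
    """Return the Subject Common Name, if any (used only by the legacy path)."""
    for attr, value in cert.subject:
        if attr == "CN":
            return value
    return None


def _dns_label_match(presented: str, reference: str) -> bool:
    """Case-insensitive label-wise comparison of one presented dNSName."""
    p = presented.lower().rstrip(".").split(".")
    r = reference.lower().rstrip(".").split(".")
    if p == r:
        return True
    # Wildcard accepted only as the entire left-most label, matching exactly
    # one label, and only when at least two labels follow it ("*.com" never matches).
    return p[0] == "*" and len(p) >= 3 and len(p) == len(r) and p[1:] == r[1:]


def matches_dns_id(cert: ParsedCert, reference_name: str) -> bool:
    """DNS-ID check: only dNSName SAN entries are consulted, never the CN."""
    return any(_dns_label_match(p, reference_name) for p in cert.san_dns)


def matches_ip_id(cert: ParsedCert, reference_ip: str) -> bool:
    """IP-ID check: only iPAddress SAN entries are consulted, never the CN."""
    ref = ipaddress.ip_address(reference_ip)
    for presented in cert.san_ip:
        try:
            # ipaddress normalises text forms, so "2001:db8::1" equals its expanded form.
            if ipaddress.ip_address(presented) == ref:
                return True
        except ValueError:
            continue  # malformed entry: skip it rather than fail open
    return False


def matches_directory_name(cert: ParsedCert, reference_dn: DN) -> bool:
    """802.1AR-style check: the Subject DN or a directoryName SAN must equal the reference."""
    return cert.subject == reference_dn or reference_dn in cert.san_directory


def legacy_cn_fallback_dns(cert: ParsedCert, reference_name: str) -> bool:
    """The behaviour the proposed guidance removes: consult the CN when no dNSName SAN exists."""
    if cert.san_dns:
        return matches_dns_id(cert, reference_name)
    cn = subject_cn(cert)
    return cn is not None and _dns_label_match(cn, reference_name)


# Constructed sample certificates.
WEB_CERT = ParsedCert(
    subject=(("CN", "www.example.org"),),
    san_dns=["example.com", "*.example.net"],
    san_ip=["192.0.2.10", "2001:db8::1"],
)
CN_ONLY_CERT = ParsedCert(subject=(("CN", "example.com"),))
IDEVID_CERT = ParsedCert(subject=(("O", "Example Vendor"), ("serialNumber", "SN-0001")))


if __name__ == "__main__":
    print("CN-only cert, SAN-only rule :", matches_dns_id(CN_ONLY_CERT, "example.com"))
    print("CN-only cert, legacy fallback:", legacy_cn_fallback_dns(CN_ONLY_CERT, "example.com"))
    print("IPv6 expanded form           :", matches_ip_id(WEB_CERT, "2001:0db8:0000:0000:0000:0000:0000:0001"))
```

Running the block shows the contrast the message is about: `CN_ONLY_CERT` carries `example.com` only in its CN, so the SAN-only check rejects it while the legacy fallback accepts it; the 802.1AR case is unaffected because `matches_directory_name` never looks at DNS names or IP addresses at all.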