IETF Logo Mail Archive

Re: [Iotops] [Uta] How should we change draft-ietf-use-san?

Michael Richardson <mcr+ietf@sandelman.ca> Fri, 14 May 2021 00:39 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: iotops@ietfa.amsl.com
Delivered-To: iotops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DEC573A1AC4; Thu, 13 May 2021 17:39:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bQHzR_zmTaju; Thu, 13 May 2021 17:39:16 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B5143A1ABD; Thu, 13 May 2021 17:39:16 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 53B4538980; Thu, 13 May 2021 20:48:21 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id MVBINPpgjufy; Thu, 13 May 2021 20:48:17 -0400 (EDT)
Received: from sandelman.ca (unknown [IPv6:2607:f0b0:f:2:56b2:3ff:fe0b:d84]) by tuna.sandelman.ca (Postfix) with ESMTP id B370039089; Thu, 13 May 2021 20:48:17 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 2F774688; Thu, 13 May 2021 20:39:11 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Eliot Lear <lear=40cisco.com@dmarc.ietf.org>, Brian Smith <brian@briansmith.org>, Jim Fenton <fenton@bluepopcorn.net>, "Salz, Rich" <rsalz@akamai.com>, "uta@ietf.org" <uta@ietf.org>, iotops@ietf.org
In-Reply-To: <42739D1C-004F-4DAD-8023-8E9731B46E05@cisco.com>
References: <F538FFD7-D172-4AEE-82DD-CF6F93936C3B@akamai.com> <D341C730-EBA1-4BF5-B200-0BE1A4B8A1D0@cisco.com> <413CBCFE-1FDF-458E-9F0E-E3D58F86E5D9@bluepopcorn.net> <A5B94C6E-419D-454E-92E8-FEEB5F8EDE17@cisco.com> <8A41ED29-2448-4633-AC45-33DE98A6BC81@akamai.com> <7B51BB81-1C9D-4B2F-AF83-1E528E620AE7@cisco.com> <CAFewVt4Pm6-T3XC65uEceuzpXjNubEYLWY9h1cmHdNBPcpOVXQ@mail.gmail.com> <42739D1C-004F-4DAD-8023-8E9731B46E05@cisco.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Thu, 13 May 2021 20:39:11 -0400
Message-ID: <19314.1620952751@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iotops/r7UEZfbOGJLXeuMaQaIO9YrufPk>
Subject: Re: [Iotops] [Uta] How should we change draft-ietf-use-san?
X-BeenThere: iotops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IOT Operations <iotops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iotops>, <mailto:iotops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iotops/>
List-Post: <mailto:iotops@ietf.org>
List-Help: <mailto:iotops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iotops>, <mailto:iotops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 May 2021 00:39:21 -0000

Sorry that this email is three weeks old.
I felt that it deserved a proper reply.

Eliot Lear <lear=40cisco.com@dmarc.ietf.org> wrote:
    > The issue for me is library support.  If libraries take the doc too
    > seriously, it screws the apps that really need to do the right thing
    > for their use cases.

I partly agree.
There are two parties here:
  1) the validating end
  2) the long-lived certificate end

The long-lived certificate end might have a SAN-less (an "insane certificate"?)
certificate, but it does not typically validate that.

So, the thing that we are worried about is the validating end that is subject
to regular updates.  It might be built decades after the certificate end.
Note that it needs a trust anchor to be able to validate the long-lived-certificate,
or nothing works.
Can we agree that this is therefore *not* a simple call to "libcurl"?
I've been through this on Android and iOS and once you need to introduce the
new trust anchor, you get into the much more harry aspects of the API.

The parts of the API where you actually have to say how to you are validating.

It seems extremely unlikely that it would be validating with CN-ID in that
case.  (Many of us in IoTSF ManySecured WG are trying to find a way to easily
validate via current DNS-ID rules)

What I'm saying is that I think that your strawman does not hold water.
(Is that the right idiom?)

    > Let's turn the question around, because perhaps I am missing something.
    > Bearing in mind that there are literally hundreds of millions of
    > devices with long-lived certificates fielded today, what advice would
    > you give to those who support applications that have to interact with
    > them?  What harm comes to any use case for there to be a non-default
    > library flag, as Victor mentioned there is with OpenSSL?

The default is that you get the stock verification function.
The non-default case is that you provide your own verification function.
There actually isn't really anything else in between.

    > Causing the app developers to write their own X.509 validation code –

It's where they already are.

    > To Jim’s point, maybe it would be possible to say that the flag should
    > be unavailable for certs issued after a certain date, but that date
    > would have to be well into the future, and coordinated at least with
    > IEEE.  That seems like a lot of work for something that, as Rich
    > rightly alludes, is really a vendor decision to intelligently make.

Should some of these non-DNS-ID (and also non-CN-ID) verifications become
common place, I can see that one might want to have a policy OID in a CA
certificate that informed a library how it "ought" to verify.  Perhaps that
is already a thing.... probably...
(I remember drinking a lot during pki4ipsec WG, but not much else about it)

Eliot Lear <lear=40cisco.com@dmarc.ietf.org> wrote:
    > Actually, according to 802.1AR-2009, the subject MUST contain requires
    > a DN with serial number, and it may contain a SAN (e.g., don’t count on
    > it).  That’s the major concern.  To me, the rest is really negotiable.

I have built IDevID certificates with SANs, with via public anchors,
but they aren't long-lived.

So the only way we get into trouble is when the application specifies a
private trust anchor, asks for CN-ID/DNS-ID validation, and the certificate
is long-lived.
CABFORUM trust anchors are supposed to be limited to 13 months now
(if issues after September 2020),  and I believe that this duration is now
getting baked into browsers, and I assume some libraries.
(someone will correct me if I'm wrong)

So, *today* in order to combine:
    a) long-lived IDevID signed by private-CA
    b) CN-ID verification
    c) private-trust anchor

The application developer already needed to tweak flags.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

v2.23.0 | Report a Bug | By Email