Re: [Iotops] [Uta] How should we change draft-ietf-use-san?
Brian Smith <brian@briansmith.org> Wed, 21 April 2021 20:31 UTC
Return-Path: <brian@briansmith.org>
X-Original-To: iotops@ietfa.amsl.com
Delivered-To: iotops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 884B53A35A3 for <iotops@ietfa.amsl.com>; Wed, 21 Apr 2021 13:31:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=briansmith-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zU5DvoPTUpuQ for <iotops@ietfa.amsl.com>; Wed, 21 Apr 2021 13:31:27 -0700 (PDT)
Received: from mail-pf1-x430.google.com (mail-pf1-x430.google.com [IPv6:2607:f8b0:4864:20::430]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 30A8F3A15C2 for <iotops@ietf.org>; Wed, 21 Apr 2021 13:31:27 -0700 (PDT)
Received: by mail-pf1-x430.google.com with SMTP id a12so29984459pfc.7 for <iotops@ietf.org>; Wed, 21 Apr 2021 13:31:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=briansmith-org.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=zc7J+V7ezzkeN86IBsiLov1+PkBmIjdYaw3fuHBwl9E=; b=H9cwx+lvd6ca7Ev27DInrbuUkGLLSBdTEB32NWZODKkkipLb5vzThD1JUeY/tpuLHR ccebDyN3U1erN5PmmM/5y8kOpAiOxul9EfScgTYiZBNf26k4b9Xao1YsTv9NlVjaq+W0 h4L9CcZ710az+RrL2yrwImohJgFDI1bcB61dIleaLWoIMHfd0bc57qcyhKGrK1YzikPB J8ZGLs0MM6YuBrNJm8laGpoJ68SiK9r0EK7BKdB1VE/CKibU7s1hZjcaHssb2WgWBnyl kHkCT0Nw9VrOwUj5pAoWAoOAEHILN9hB3yx27b1tKHbitNrnEGehNHcFBY5oQoCXw/P9 +plg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=zc7J+V7ezzkeN86IBsiLov1+PkBmIjdYaw3fuHBwl9E=; b=Scm9IJL41+M1ozJEt8//zQr4jTDwPiDjiNd+vxFFSohn7ZuTMdD9E/SuR3cSCwt3IZ 8fx25qpjd/EdkCrPLF6zCVphzbSUrwcNaokjiW1neCL1PkZiymc6g7zsrFB68COv3Dfl +rFbcmrb8Xw41OHhOLIY1juzdOaPFjaPZAvOnLUz+TYkRb9s6zsygxt66o8K3l3jBHLY lR2zIL9YsLn9tBnMSsw5nDqT9MnRszn+PVe2sppJBeA6MXGX9Vkg1RxJAl+aSfgHdfhR lWED6FG6kq5wNbWeVH78WZFWyf7Ox6xcgZb3SaGmMIwayFoMgJUrwr5zIdfTNnk9EU8T ReGg==
X-Gm-Message-State: AOAM533cPDWh9kJUi2azzxMd/KH5QLxXxKgor4sD+UfSRWwkGkBLylvs kpZUMzw4DXwC4mK0ycmgu2A0P8jmw5djI2ba2xdZaQ==
X-Google-Smtp-Source: ABdhPJy6BZ+l/PP2clS0uMLGd/63jtsCwFScQNEh0VJ03dTG5e3BPfv9+aO49GY3ru5Mrqri36nfixnmkne4HFDbI5c=
X-Received: by 2002:a17:90b:120b:: with SMTP id gl11mr13276112pjb.143.1619037085862; Wed, 21 Apr 2021 13:31:25 -0700 (PDT)
MIME-Version: 1.0
References: <F538FFD7-D172-4AEE-82DD-CF6F93936C3B@akamai.com> <D341C730-EBA1-4BF5-B200-0BE1A4B8A1D0@cisco.com> <413CBCFE-1FDF-458E-9F0E-E3D58F86E5D9@bluepopcorn.net> <A5B94C6E-419D-454E-92E8-FEEB5F8EDE17@cisco.com> <8A41ED29-2448-4633-AC45-33DE98A6BC81@akamai.com> <7B51BB81-1C9D-4B2F-AF83-1E528E620AE7@cisco.com> <CAFewVt4Pm6-T3XC65uEceuzpXjNubEYLWY9h1cmHdNBPcpOVXQ@mail.gmail.com> <42739D1C-004F-4DAD-8023-8E9731B46E05@cisco.com> <CAFewVt57M=o=2FOsCi4s_wZ-KQbZFZQiBCQZAEgtZB4HtFvtnw@mail.gmail.com> <CA66BC31-B56B-4E4C-A3D6-F5C36FD54B38@cisco.com> <CAFewVt4XcBd0MWmtcM4kZzqQ3EQVM=t8-eqqpDMtfgNmV92u1Q@mail.gmail.com> <4233FD89-F22D-4D09-8280-8D43453E6BD7@cisco.com>
In-Reply-To: <4233FD89-F22D-4D09-8280-8D43453E6BD7@cisco.com>
From: Brian Smith <brian@briansmith.org>
Date: Wed, 21 Apr 2021 13:31:13 -0700
Message-ID: <CAFewVt4eB5de2eJKupBCk_DbtSaAUGGoRETSXZrDWVxfTFcWBQ@mail.gmail.com>
To: Eliot Lear <lear@cisco.com>
Cc: "Salz, Rich" <rsalz@akamai.com>, Jim Fenton <fenton@bluepopcorn.net>, "uta@ietf.org" <uta@ietf.org>, iotops@ietf.org
Content-Type: multipart/alternative; boundary="000000000000619d0605c0817241"
Archived-At: <https://mailarchive.ietf.org/arch/msg/iotops/s-HA4Gri-8N6X7mPZK8aTQ41IEY>
Subject: Re: [Iotops] [Uta] How should we change draft-ietf-use-san?
X-BeenThere: iotops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IOT Operations <iotops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iotops>, <mailto:iotops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iotops/>
List-Post: <mailto:iotops@ietf.org>
List-Help: <mailto:iotops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iotops>, <mailto:iotops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Apr 2021 20:31:33 -0000
Eliot Lear <lear@cisco.com> wrote: > On 21 Apr 2021, at 20:25, Brian Smith <brian@briansmith.org> wrote: > > otherName [0] OtherName, > rfc822Name [1] IA5String, > dNSName [2] IA5String, > x400Address [3] ORAddress, > directoryName [4] Name, > ediPartyName [5] EDIPartyName, > uniformResourceIdentifier [6] IA5String, > iPAddress [7] OCTET STRING, > registeredID > > The principle here is long-lived names. I can’t imagine [2] and [7] being > at issue. [1] and [4] are definitely in use in long-lived environment. I > don’t know about the rest. > OK, [2] is dNSName, and [7] is iPAddress. Those are the primary two types of identifiers that I'm targeting: I want the spec to say that certificate verifiers must not look for IP addresses or DNS names in the Common Name sub-field of the Subject field of a certificate. Regarding [4] directoryName, I don't think anybody is encoding an entire directoryName into the Common Name field of the subject field, so that's a non-issue. Regarding [1] rfc822Name, are you saying that you are worried about certificates with a subject like : CN="foo@example.com" without an accompanying subjectAltName rfc822Name="foo@example.com"? If so, is your concern about using these certificates in email applications? I would love for us to get to the point where we say email applications also must use only email addresses (rfc822Names) in the subjectAltName extension and not look in the CN of the subject field. For non-email applications, aren't they just using the subject field as a directoryName that's somewhat incomplete? Regardless, non-email address uses of CN=foo@example.com would be (or could be made) out of scope of the revised spec. Cheers, Brian -- https://briansmith.org/
- Re: [Iotops] [Uta] How should we change draft-iet… Eliot Lear
- Re: [Iotops] [Uta] How should we change draft-iet… Eliot Lear
- Re: [Iotops] [Uta] How should we change draft-iet… Brian Smith
- Re: [Iotops] [Uta] How should we change draft-iet… Eliot Lear
- Re: [Iotops] [Uta] How should we change draft-iet… Brian Smith
- Re: [Iotops] [Uta] How should we change draft-iet… Eliot Lear
- Re: [Iotops] [Uta] How should we change draft-iet… Brian Smith
- Re: [Iotops] [Uta] How should we change draft-iet… Eliot Lear
- Re: [Iotops] [Uta] How should we change draft-iet… Brian Smith
- Re: [Iotops] [Uta] How should we change draft-iet… Eliot Lear
- Re: [Iotops] [Uta] How should we change draft-iet… Salz, Rich
- [Iotops] BRSKI and IDevID (non-!)issues with draf… Michael Richardson
- Re: [Iotops] [Uta] How should we change draft-iet… Michael Richardson
- Re: [Iotops] BRSKI and IDevID (non-!)issues with … Salz, Rich
- Re: [Iotops] BRSKI and IDevID (non-!)issues with … Eliot Lear
- Re: [Iotops] BRSKI and IDevID (non-!)issues with … Salz, Rich
- Re: [Iotops] BRSKI and IDevID (non-!)issues with … Eliot Lear
- Re: [Iotops] BRSKI and IDevID (non-!)issues with … Salz, Rich
- Re: [Iotops] BRSKI and IDevID (non-!)issues with … Michael Richardson
- Re: [Iotops] BRSKI and IDevID (non-!)issues with … Spencer Dawkins at IETF