Re: [Iotops] [Uta] How should we change draft-ietf-use-san?

Eliot Lear <lear@cisco.com> Thu, 22 April 2021 14:25 UTC

From: Eliot Lear <lear@cisco.com>
Message-Id: <B9193ABC-3E17-4110-B1B4-207383CCCD8F@cisco.com>
Date: Thu, 22 Apr 2021 16:25:50 +0200
In-Reply-To: <CAFewVt4eB5de2eJKupBCk_DbtSaAUGGoRETSXZrDWVxfTFcWBQ@mail.gmail.com>
Cc: "Salz, Rich" <rsalz@akamai.com>, Jim Fenton <fenton@bluepopcorn.net>, "uta@ietf.org" <uta@ietf.org>, iotops@ietf.org
To: Brian Smith <brian@briansmith.org>
References: <F538FFD7-D172-4AEE-82DD-CF6F93936C3B@akamai.com> <D341C730-EBA1-4BF5-B200-0BE1A4B8A1D0@cisco.com> <413CBCFE-1FDF-458E-9F0E-E3D58F86E5D9@bluepopcorn.net> <A5B94C6E-419D-454E-92E8-FEEB5F8EDE17@cisco.com> <8A41ED29-2448-4633-AC45-33DE98A6BC81@akamai.com> <7B51BB81-1C9D-4B2F-AF83-1E528E620AE7@cisco.com> <CAFewVt4Pm6-T3XC65uEceuzpXjNubEYLWY9h1cmHdNBPcpOVXQ@mail.gmail.com> <42739D1C-004F-4DAD-8023-8E9731B46E05@cisco.com> <CAFewVt57M=o=2FOsCi4s_wZ-KQbZFZQiBCQZAEgtZB4HtFvtnw@mail.gmail.com> <CA66BC31-B56B-4E4C-A3D6-F5C36FD54B38@cisco.com> <CAFewVt4XcBd0MWmtcM4kZzqQ3EQVM=t8-eqqpDMtfgNmV92u1Q@mail.gmail.com> <4233FD89-F22D-4D09-8280-8D43453E6BD7@cisco.com> <CAFewVt4eB5de2eJKupBCk_DbtSaAUGGoRETSXZrDWVxfTFcWBQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iotops/ux3MQqxclb30wqvdCi8htkTdjA4>

Actually, according to 802.1AR-2009, the subject MUST contain a DN with a serial number, and it may contain a SAN (e.g., don’t count on it). That’s the major concern. To me, the rest is really negotiable.

Here’s the text:
The DevID subject field shall uniquely identify the device associated with the particular DevID credential within the issuer’s domain of significance. The formatting of this field shall contain a unique X.500 Distinguished Name (DN). This may include the unique device serial number assigned by the manufacturer or any other suitable unique DN value that the issuer prefers. In the case of a third-party CA or a standards certification agency, this can contain the manufacturer’s identity information.

That’s a pretty broad range.

I don’t claim that this is the only use of subjects, but it is one such use.

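As an added illustration of the point above (example code, not from this thread or from 802.1AR itself): a small Python DER encoder/decoder for a DevID subject Name that takes the device identity from the DN's serialNumber attribute (falling back to commonName) and treats any SAN as optional. The attribute OIDs are the real X.520 ones; the device names and serial numbers are constructed samples.

```python
# Added example: DER-encode/decode an 802.1AR-style DevID subject Name and
# take the device identity from the DN, treating a SAN as optional.
OID_SERIAL_NUMBER = b"\x55\x04\x05"   # 2.5.4.5 serialNumber (real X.520 OID)
OID_COMMON_NAME = b"\x55\x04\x03"     # 2.5.4.3 commonName (real X.520 OID)

def _tlv(tag, content):
    """Encode one DER TLV, using the long length form when needed."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def encode_name(attrs):
    """attrs: [(oid_bytes, str)] -> RDNSequence (SEQUENCE OF SET OF AVA)."""
    rdns = b"".join(
        _tlv(0x31, _tlv(0x30, _tlv(0x06, oid) + _tlv(0x13, val.encode("ascii"))))
        for oid, val in attrs)
    return _tlv(0x30, rdns)

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                     # long form: first & 0x7F length bytes
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def decode_name(der):
    """Parse an RDNSequence into {oid_bytes: value}; assumes one AVA per RDN."""
    _, seq, _ = _read_tlv(der, 0)            # outer SEQUENCE
    attrs, pos = {}, 0
    while pos < len(seq):
        _, rdn, pos = _read_tlv(seq, pos)    # SET
        _, ava, _ = _read_tlv(rdn, 0)        # SEQUENCE { type, value }
        _, oid, p = _read_tlv(ava, 0)
        _, val, _ = _read_tlv(ava, p)
        attrs[oid] = val.decode("ascii")
    return attrs

def device_identifier(subject_der, san=None):
    """802.1AR-2009: identity comes from the subject DN; a SAN may be absent."""
    attrs = decode_name(subject_der)
    if OID_SERIAL_NUMBER in attrs:
        return "serialNumber=" + attrs[OID_SERIAL_NUMBER]
    if OID_COMMON_NAME in attrs:
        return "CN=" + attrs[OID_COMMON_NAME]
    raise ValueError("subject DN carries no usable identifier; SAN=%r ignored" % san)
```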