Re: [Iotops] [Uta] How should we change draft-ietf-use-san?
Eliot Lear <lear@cisco.com> Wed, 21 April 2021 07:30 UTC
Return-Path: <lear@cisco.com>
X-Original-To: iotops@ietfa.amsl.com
Delivered-To: iotops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA75E3A1878; Wed, 21 Apr 2021 00:30:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.598
X-Spam-Level:
X-Spam-Status: No, score=-9.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id egkz6Mc83oJ2; Wed, 21 Apr 2021 00:30:48 -0700 (PDT)
Received: from aer-iport-4.cisco.com (aer-iport-4.cisco.com [173.38.203.54]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C5F233A1875; Wed, 21 Apr 2021 00:30:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=7873; q=dns/txt; s=iport; t=1618990247; x=1620199847; h=from:message-id:mime-version:subject:date:in-reply-to:cc: to:references; bh=rXxMftjgn1CroWFlj98pHnakAl0BQvxIrQn1517uHx0=; b=CrbNkONMhcAggaQOecCVpexjAq2P0hzUInZchomQ4Av2oMuloxFctQKr caBG7qEIjkv3W63CKEfisiGfxk3DtkNaqp1fGBAKCF5krrITWB06sF3op Lmc8ilu3EwMR7cDqXnzuefLcb3rLJ24jS48RKECVe2DRTiZpW7e+oXLj2 s=;
X-Files: signature.asc : 488
X-IPAS-Result: A0AFAACT039glxbLJq1aGQEBAQEBAQEBAQEBAQEBAQEBARIBAQEBAQEBAQEBAQGCAQEBAQEBAQsBgSJTggIBJxIxhEOJBIhLJQOHe4xNiCAEBwEBAQoDAQE0BAEBhFACgXUmNwYOAgMBAQEDAgMBAQEBAQUBAQECAQYEFAEBAQEBAQEBaIVdhkQBAQEBAgEjVgULCxgnAwICRhEGE4JxAYJmIadYeoEygQGEWIUQEIE6AYFShS4BhlNDgguBEigMEIJfPoJgBIR1NoIrBIFaZgYIYCINRAEBgSAbBxl3A5ENA4xLnQ2DF4M/gUaYCgQhg0+QapBMlzKcVlWEBAIEBgUCFoFqIoFbMxoIGxVlAYI+PhIZDo44jjY/Ay8CNgIGAQkBAQMJikstghcBAQ
IronPort-HdrOrdr: A9a23:R7/w8aGnuYn/UKGzpLqEG8eALOonbusQ8zAX/mp2TgFYddHdqt C2kJ0gpHzJoRsYRX1Io7y9EYaaR3e0z/BIyK0cJ62rUgWjmGbAFu5fxLDvyTHhBCHyn9Q1vc wLHpRWMsH6DlRxkK/BgDWQLtBI+ri62ZHtr/zZyDNASh4CUdADnmIJbnf9LmRGAC9bGJE+CJ 2Qou1AqjbIQwVvUu2LQl8YQuPEu9rH0KjDXCdDLRsm5A6S5AnYjoLHLw==
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.82,238,1613433600"; d="asc'?scan'208,217";a="35199518"
Received: from aer-iport-nat.cisco.com (HELO aer-core-2.cisco.com) ([173.38.203.22]) by aer-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 21 Apr 2021 07:30:44 +0000
Received: from [10.61.144.102] ([10.61.144.102]) by aer-core-2.cisco.com (8.15.2/8.15.2) with ESMTPS id 13L7UhOW003655 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 21 Apr 2021 07:30:43 GMT
From: Eliot Lear <lear@cisco.com>
Message-Id: <42739D1C-004F-4DAD-8023-8E9731B46E05@cisco.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_44CE5AE1-1F8C-4744-BCE2-48C4025E48B9"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.60.0.2.21\))
Date: Wed, 21 Apr 2021 09:30:42 +0200
In-Reply-To: <CAFewVt4Pm6-T3XC65uEceuzpXjNubEYLWY9h1cmHdNBPcpOVXQ@mail.gmail.com>
Cc: "Salz, Rich" <rsalz@akamai.com>, Jim Fenton <fenton@bluepopcorn.net>, "uta@ietf.org" <uta@ietf.org>, iotops@ietf.org
To: Brian Smith <brian@briansmith.org>
References: <F538FFD7-D172-4AEE-82DD-CF6F93936C3B@akamai.com> <D341C730-EBA1-4BF5-B200-0BE1A4B8A1D0@cisco.com> <413CBCFE-1FDF-458E-9F0E-E3D58F86E5D9@bluepopcorn.net> <A5B94C6E-419D-454E-92E8-FEEB5F8EDE17@cisco.com> <8A41ED29-2448-4633-AC45-33DE98A6BC81@akamai.com> <7B51BB81-1C9D-4B2F-AF83-1E528E620AE7@cisco.com> <CAFewVt4Pm6-T3XC65uEceuzpXjNubEYLWY9h1cmHdNBPcpOVXQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3654.60.0.2.21)
X-Outbound-SMTP-Client: 10.61.144.102, [10.61.144.102]
X-Outbound-Node: aer-core-2.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/iotops/wfrBjTN2XOqOO_5r6cpdgmP3zaw>
Subject: Re: [Iotops] [Uta] How should we change draft-ietf-use-san?
X-BeenThere: iotops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IOT Operations <iotops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iotops>, <mailto:iotops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iotops/>
List-Post: <mailto:iotops@ietf.org>
List-Help: <mailto:iotops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iotops>, <mailto:iotops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Apr 2021 07:30:53 -0000
[+iotops] Brian, > On 21 Apr 2021, at 00:22, Brian Smith <brian@briansmith.org> wrote: > > Eliot Lear <lear=40cisco.com@dmarc.ietf.org <mailto:40cisco.com@dmarc.ietf.org>> wrote: >> The issue for me is library support. If libraries take the doc too seriously, it screws the apps that really need to do the right thing for their use cases. > > > What you're trying to prevent is the entire purpose of this, as I had originally proposed it. The goal is to have library developers feel comfortable removing the CN-ID support completely from their libraries. Thanks for being crisp in stating your intent. Let's turn the question around, because perhaps I am missing something. Bearing in mind that there are literally hundreds of millions of devices with long-lived certificates fielded today, what advice would you give to those who support applications that have to interact with them? What harm comes to any use case for there to be a non-default library flag, as Victor mentioned there is with OpenSSL? I would claim that there are three unacceptable outcomes: Causing the app developers to write their own X.509 validation code – they’ll get it wrong. Freezing app developers on old versions of the libraries – we want app developers to update. Library developers ignoring the IETF. Let’s not give advice they simply cannot follow. By the way, one reason many of these devices have long lived certs is that they might sit in inventory for long periods of time before they are ever taken out of the box. There are other reasons, as well. Burned in certs can be there as a base level anti-counterfeiting measure, for instance. And yes, there are lots of issues with burned in anything, but there are engineering tradeoffs to be made. To Jim’s point, maybe it would be possible to say that the flag should be unavailable for certs issued after a certain date, but that date would have to be well into the future, and coordinated at least with IEEE. That seems like a lot of work for something that, as Rich rightly alludes, is really a vendor decision to intelligently make. Eliot
- Re: [Iotops] [Uta] How should we change draft-iet… Eliot Lear
- Re: [Iotops] [Uta] How should we change draft-iet… Eliot Lear
- Re: [Iotops] [Uta] How should we change draft-iet… Brian Smith
- Re: [Iotops] [Uta] How should we change draft-iet… Eliot Lear
- Re: [Iotops] [Uta] How should we change draft-iet… Brian Smith
- Re: [Iotops] [Uta] How should we change draft-iet… Eliot Lear
- Re: [Iotops] [Uta] How should we change draft-iet… Brian Smith
- Re: [Iotops] [Uta] How should we change draft-iet… Eliot Lear
- Re: [Iotops] [Uta] How should we change draft-iet… Brian Smith
- Re: [Iotops] [Uta] How should we change draft-iet… Eliot Lear
- Re: [Iotops] [Uta] How should we change draft-iet… Salz, Rich
- [Iotops] BRSKI and IDevID (non-!)issues with draf… Michael Richardson
- Re: [Iotops] [Uta] How should we change draft-iet… Michael Richardson
- Re: [Iotops] BRSKI and IDevID (non-!)issues with … Salz, Rich
- Re: [Iotops] BRSKI and IDevID (non-!)issues with … Eliot Lear
- Re: [Iotops] BRSKI and IDevID (non-!)issues with … Salz, Rich
- Re: [Iotops] BRSKI and IDevID (non-!)issues with … Eliot Lear
- Re: [Iotops] BRSKI and IDevID (non-!)issues with … Salz, Rich
- Re: [Iotops] BRSKI and IDevID (non-!)issues with … Michael Richardson
- Re: [Iotops] BRSKI and IDevID (non-!)issues with … Spencer Dawkins at IETF