IETF Logo Mail Archive

Re: [OPSAWG] Fwd: New Version Notification for draft-ietf-opsawg-mud-21.txt

Eliot Lear <lear@cisco.com> Fri, 18 May 2018 18:56 UTC

Return-Path: <lear@cisco.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 20C1012DA68; Fri, 18 May 2018 11:56:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level:
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wyxvmxzUEE9V; Fri, 18 May 2018 11:56:09 -0700 (PDT)
Received: from aer-iport-1.cisco.com (aer-iport-1.cisco.com [173.38.203.51]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D929212DA22; Fri, 18 May 2018 11:56:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5183; q=dns/txt; s=iport; t=1526669769; x=1527879369; h=subject:to:cc:references:from:message-id:date: mime-version:in-reply-to; bh=ErvRj9PWxXa8KswejZMXWD057Mnu84vWmLwHfJCDCvI=; b=hGpduneOJGIeXDBYwDxIPnD2JVnSgdSLOQ0EC6Bg0fHJQASuqK+XvRj9 DCxwQPoC3W0jXJ0JRg6otRS7M2/XuNJeo8+lrEdgvzrqmbBiR/IOL1wMA 2wkZE5z7oyNcY5vNFDD2gMzXM+k3nzEbfP4blOzDff+z8MCQToKTlBAG4 M=;
X-Files: signature.asc : 488
X-IronPort-AV: E=Sophos;i="5.49,415,1520899200"; d="asc'?scan'208,217";a="3938910"
Received: from aer-iport-nat.cisco.com (HELO aer-core-1.cisco.com) ([173.38.203.22]) by aer-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 18 May 2018 18:56:07 +0000
Received: from [10.61.236.142] ([10.61.236.142]) by aer-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id w4IIu6cN016105; Fri, 18 May 2018 18:56:06 GMT
To: Eric Rescorla <ekr@rtfm.com>, Joe Clarke <jclarke@cisco.com>
Cc: "opsawg@ietf.org" <opsawg@ietf.org>, IESG <iesg@ietf.org>
References: <152657039204.7694.840577957694607451.idtracker@ietfa.amsl.com> <8bafe1e0-12af-6526-d16e-6d39fded3bf3@cisco.com> <0dc704d2-73a2-977f-08c8-8e0b01c3b57c@cisco.com> <CABcZeBPgiSi7rxPwj9XPECcD1SimZ1B=Xnym5tXoUkASFD2TGg@mail.gmail.com>
From: Eliot Lear <lear@cisco.com>
Openpgp: preference=signencrypt
Autocrypt: addr=lear@cisco.com; prefer-encrypt=mutual; keydata= xsBNBFMe1UQBCADdYOS5APDpIpF2ohAxB+nxg1GpAYr8iKwGIb86Wp9NkK5+QwbW9H035clT lpVLciExtN8E3MCTPOIm7aITPlruixAVwlBY3g7U9eRppSw9O2H/7bie2GOnYxqmsw4v1yNZ 9NcMLlD8raY0UcQ5r698c8JD4xUTLqybZXaK2sPeJkxzT+IwupRSQ+vXEvFFGhERQ88zo5Ca Sa1Gw/Rv54oH0Dq2XYkO41rhxQ60BKZLZuQK1d9+1y3I+An3AJeD3AA31fJZD3H8YRKOBgqe ILPILbw1mM7gCtCjfvFCt6AFCwEsjITGx55ceoQ+t5B5XGYJEppMWsIFrwZsfbL+gP31ABEB AAHNJUVsaW90IExlYXIgPGxlYXJAb2Zjb3Vyc2VpbXJpZ2h0LmNvbT7CwHsEEwECACUCGwMG CwkIBwMCBhUIAgkKCwQWAgMBAh4BAheABQJTHtXCAhkBAAoJEIe2a0bZ0nozBNoH/j0Mdnyg CgNNmI4DyL9mGfTJ/+XiTxWXMK4TTszwwn/tsXjyPQWjoO6nYqz5i96ItmSpkelSGVpzU+LK LQxSjFeUvKw23bp1rVecfGR+OENSE1m6KfFj3vtzQOZ2/FgK210MWnlYNNyAHX6Pf6hKInTP v6LbZiAQMCmf0aPvRbk/aPSNJAuIKrLrrCgAlwelrTavFsSwnKI3dhSG8DJ9+z/uiXDiHYra Ub3BKp5K/x71Zd8hUsWm2simnE/6HvZaZz7CC29JSZ/5gGtNB3OMNKLzLWUbQacF3IKxpW66 ZFYFYnlBV4jRnKlmb40YcEXWVJkkVC8g+/J9Qo6R8BdmSTXOwE0EUx7VRAEIALRZXth1u/3n FgY+G2FN0KEEik+2Xsk8JX9zr/eISa+Ol8a4U1orgxpyP2V7bQQDkDUEfs+Asagc6I8zrk3K xGln3pFFVfdM18uaEYwWvmE84Y12r7FwYdW62bA9X1Ttsp5Q1GI8XHdh0SQTF12pXYTwWW1P THYVIp7bGzM88cHqBW0xyRflu4j2nUrd9tWFd28SRxhj+MHQkQkbKFLloRty3lwdS8MCRPzX 9gUrkl+DxFHC7WrW3Vi4glI5YBlD0n2hSyDoP1GkKVT60gUGh7eJOnUBR8lzKm5wYqAtgq2m 79rKBylA40diRhbnTTeY+ytqMWFF5UXm97Jwxsezi7kAEQEAAcLAXwQYAQIACQUCUx7VRAIb DAAKCRCHtmtG2dJ6M5K5CADbunatgHsqHbR3KbpXxzralakEcdODGv/fbN6/EdKJeXrG9QKD lPxZTB9STw6+ANwESsr9uUMAxdDNKDeynjnQmFHxGdcdcXlnPZPThfseeUhUkbB/YKOfDIQA kKozNoKYj6Dcia+D/wvifIEW+GUUcO/6Qi8yK6PLJyM8C7vHEqmUGzX8gTCYOgAyOd4WZrC9 95CfB0yFIorw+MpK7MZTm5SbGPcYF9Gq9MzSqmaEw8U6YOElKYfnkcsCTLYyWaolhck+3/0R 9ISEWK5rUzqAuK40S4+Sn7yNycdCoqvQh4e3xSpzAu3aYZ8jKXQVV0X2G9Y+M1HMZuCqhPUO LTdF
Message-ID: <998ca370-69b1-cd29-15d8-25d2e55459e1@cisco.com>
Date: Fri, 18 May 2018 20:56:05 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <CABcZeBPgiSi7rxPwj9XPECcD1SimZ1B=Xnym5tXoUkASFD2TGg@mail.gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="zCRBSsEytXU22jxplfuAqLkqWIhv8X8ZU"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/EoQGzdFeYJcCPDVNICLTUWELqX8>
Subject: Re: [OPSAWG] Fwd: New Version Notification for draft-ietf-opsawg-mud-21.txt
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 May 2018 18:56:11 -0000

Hi EKR,


On 18.05.18 19:57, Eric Rescorla wrote:
> Eliot, > > The certificate part seems basically right (I think you should
require specific KeyUsage bits).
It's in there:
> It is expected that the Key Usage extension would contain "Digital
> Signature" and that the extended key usage would include either "code
> signing" or "email protection".

This leaves a little a little flexibility.  I think this is sufficient,
and compatible with existing CAs.


> > Maybe I missed it, but I didn't see anything about the level of trust
you should have in cases where you can't reliably tie the endpoint's
transmissions to its certificate.
It's there but could be clearer:

OLD:
> A
> MUD manager MUST cease processing of that file it cannot validate the
> chain of trust to a known trust anchor until an administrator has
> given approval.

NEW:

> A
> MUD manager MUST cease processing of that file it cannot validate the
> chain of trust to a known trust anchor or the MUDsigner until an
> administrator has
> given approval.

That is- throw an exception and let the admin sort it out.

Eliot

v2.23.0 | Report a Bug | By Email