Re: [saag] IETF 93 Agenda Request - Key Discovery

Richard Barnes <rlb@ipv.sx> Thu, 23 July 2015 12:53 UTC

In-Reply-To: <6AD1B77A-E9CC-4A86-A9C3-74A777B53CBB@vigilsec.com>
References: <55A7F601.9040902@cisco.com> <20150721222308.GU28047@mournblade.imrryr.org> <55AF43B7.60502@cisco.com> <20150722202821.GL4347@mournblade.imrryr.org> <CAL02cgSC7SkpEL-17_d6bwwFLhnza2bOwiECtgD=4kVWPzF3EA@mail.gmail.com> <6AD1B77A-E9CC-4A86-A9C3-74A777B53CBB@vigilsec.com>
Date: Thu, 23 Jul 2015 14:53:04 +0200
Message-ID: <CAL02cgTi=3pzv7xfemG-aQdLLG32T5ta9peKB7-+RSgAFsbeXg@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Russ Housley <housley@vigilsec.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/yqJznIa3dSWftRXQMKdB3lCbkX0>
Cc: IETF SAAG <saag@ietf.org>
Subject: Re: [saag] IETF 93 Agenda Request - Key Discovery

On Thu, Jul 23, 2015 at 2:45 PM, Russ Housley <housley@vigilsec.com> wrote:
>
>>>> However, do not confuse RFC 7565 "acct:" URIs for email addresses.
>>>> Yes, they look a lot like an email address, as a "xmpp:" or "sip:" URI
>>>> can look a lot like an email address.  The "acct:" URI is for a
>>>> generic account identifier; it could be a placeholder to email, IM,
>>>> VoIP, filesharing, etc.
>>>>
>>>> My draft is intended for more than email.
>>>
>>> A major difficulty is that email addresses and "accounts", are not
>>> necessarily in one to one correspondence or even "few to one"
>>> correspondence.
>>
>> This doesn't actually matter.  WebFinger lets you put any URI in the
>> "resource" field.  So just use a "mailto" URI if you're sad about
>> "acct".  The document should probably say that, and probably say you
>> should return the same thing in either case.
>
> RFC 4387 provides a means to find an X.509 certificate using HTTP.  It seems pretty straightforward.  Do we have any running code for it?

With that "uri" attribute, it would probably be OK.  It would need
some more definition.

I suspect, though, that you're going to have applications that don't
want a cert, they want a key.  I think JWK strikes the right balance
here by providing the cert as metadata attached to the key.

--Richard


>
> Russ
>
>
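Illustration of the two points made in this exchange, as an added example that is not part of the thread: a WebFinger (RFC 7033) responder can accept either an "acct:" (RFC 7565) or a "mailto:" URI in the resource parameter and hand back the same JRD, and the key it points at can be a JWK (RFC 7517) with the certificate attached as "x5c" metadata. The domain, key values, kid and link relation are constructed placeholders.

```python
"""Added example: WebFinger lookup that treats acct: and mailto: resources
as the same account and points at a JWK carrying its cert in "x5c".
All names, key values and the link relation below are constructed."""
from typing import Optional
from urllib.parse import unquote

# Constructed sample directory: canonical account -> JWK (values are placeholders)
KEYS = {
    "alice@example.com": {
        "kty": "EC", "crv": "P-256", "kid": "alice-2015",
        "x": "<base64url-x-placeholder>", "y": "<base64url-y-placeholder>",
        "x5c": ["<base64-DER-cert-placeholder>"],  # cert rides along as key metadata
    },
}


def canonical_account(resource: str) -> str:
    """Map an acct: or mailto: URI to a canonical user@host string.

    The host is case-folded, a mailto: query (?subject=...) is dropped, and
    percent-encoding is undone; any other scheme is rejected."""
    scheme, rest = resource.split(":", 1)
    scheme = scheme.lower()
    if scheme not in ("acct", "mailto"):
        raise ValueError(f"unsupported resource scheme: {scheme}")
    rest = rest.split("?", 1)[0]
    user, _, host = unquote(rest).rpartition("@")
    if not user or not host:
        raise ValueError(f"not an account identifier: {resource}")
    return f"{user}@{host.lower()}"


def webfinger(resource: str) -> Optional[dict]:
    """Build the JRD for a resource, or return None (an HTTP 404) if unknown.

    Both spellings of the same account yield an identical descriptor."""
    account = canonical_account(resource)
    jwk = KEYS.get(account)
    if jwk is None:
        return None
    return {
        "subject": f"acct:{account}",
        "aliases": [f"mailto:{account}"],
        "links": [{
            "rel": "http://example.invalid/rel/jwk",  # placeholder relation
            "type": "application/jwk+json",
            "href": f"https://example.com/keys/{jwk['kid']}.json",
        }],
    }
```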