Re: [Secdispatch] Requesting agenda time for draft-rsalz-use-san
Michael Richardson <mcr+ietf@sandelman.ca> Wed, 03 March 2021 16:09 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4231A3A15B6 for <secdispatch@ietfa.amsl.com>; Wed, 3 Mar 2021 08:09:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uALqKMCM1jaY for <secdispatch@ietfa.amsl.com>; Wed, 3 Mar 2021 08:09:37 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A5EFE3A15B4 for <secdispatch@ietf.org>; Wed, 3 Mar 2021 08:09:37 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 93B67389A5; Wed, 3 Mar 2021 11:14:13 -0500 (EST)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id QzrSXB2btuda; Wed, 3 Mar 2021 11:14:12 -0500 (EST)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id B769838995; Wed, 3 Mar 2021 11:14:12 -0500 (EST)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 04072885; Wed, 3 Mar 2021 11:09:35 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Martin Thomson <mt@lowentropy.net>, secdispatch@ietf.org
In-Reply-To: <b8378d08-5ee9-43e1-8260-29803b0ac243@www.fastmail.com>
References: <619EB16E-48E6-459A-A63A-18A805F75D34@akamai.com> <b8378d08-5ee9-43e1-8260-29803b0ac243@www.fastmail.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Wed, 03 Mar 2021 11:09:34 -0500
Message-ID: <32532.1614787774@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/c0UqlD4c2ai5UBO-brJTS3AM--c>
Subject: Re: [Secdispatch] Requesting agenda time for draft-rsalz-use-san
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Mar 2021 16:09:40 -0000
Martin Thomson <mt@lowentropy.net> wrote: > What Rich is doing here is good. SAN is dead and we should ensure that > our documentation reflects that. (Even at the time of 6125 it was a > holdover from a previous era.) I agree. The question is: how do we hold the funeral and memorial service? That is, how long is the tail? https://datatracker.ietf.org/doc/draft-rsalz-use-san/ is short and sweet, and we could easily publish it pretty much as is, and we'd get somewhere. It seems that clients must take the first step here. The major browsers all auto-update, and so if this isn't out there already, could be out there within six months. Libcurl is in ubiquitous use out there operating m2m transfers of many kinds. **It is unclear to me if there is any work to do** Pretty much all these things already look at SAN, so the lack of CN shouldn't be an issue, except for some communications out there where there is a SAN missing. I suspect that this is mostly in the roll-your-own situation. I'd like the document to give an Implementation or Deployment overview. This would be particularly useful to re-assure managers about removing CN from their certificates. Let me say that it's really frustrated for embedded system builders to wind up in a situation where they can't get a security patch installed because moving to the next version has a disconnect like this. They may require that they update a long-installed system, and they can't get the server side updated with SAN, because that system is also on a long lifespan update cycle. I've watched this both from within a team and outside. Within the team, I've lost the battle of, "we need to be control our destiny" argument, i.e. that is "we need to build it all from source so we can backport patches". {That team still has Ubuntu Hardy devices in the field which have no updates in a decade. Fortunately, the hardware is dying, and some of the customers have replaced 1000 devices at a time with a competing solution} > Is now the time that we get to talk about other updates to RFC 6125? > Because there is no IP-ID reference identity in RFC 6125 and HTTP had > to define one just to document what happens in practice: > https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#https.ip-id > I don't want to get in the way of making actual progress here, but > knowing the difficulties with getting 6125 done, it might be safer to > do this work in a working group. I have no opinion regarding whether > it is a new one or UTA. Yeah, "better is the enemy of good enough" I suggest that we publish https://datatracker.ietf.org/doc/draft-rsalz-use-san/ as is. I think that it's short enough that AD sponsor is enough. I suggest that RFC6125 deserves to advance to Internet Standard, and it might require a revision to get there. I feel the same way about RFC5280. LAMPS seems like the right place to do this, but maybe there are other opinions. -- Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide
- [Secdispatch] Requesting agenda time for draft-rs… Salz, Rich
- Re: [Secdispatch] Requesting agenda time for draf… Martin Thomson
- Re: [Secdispatch] Requesting agenda time for draf… Carrick Bartle
- Re: [Secdispatch] Requesting agenda time for draf… Benjamin Kaduk
- Re: [Secdispatch] Requesting agenda time for draf… John Mattsson
- Re: [Secdispatch] Requesting agenda time for draf… Michael Richardson
- Re: [Secdispatch] Requesting agenda time for draf… Nico Williams
- Re: [Secdispatch] Requesting agenda time for draf… Phillip Hallam-Baker
- Re: [Secdispatch] Requesting agenda time for draf… Martin Thomson
- Re: [Secdispatch] Requesting agenda time for draf… Martin Thomson