IETF Logo Mail Archive

Re: [Secdispatch] Requesting agenda time for draft-rsalz-use-san

Phillip Hallam-Baker <phill@hallambaker.com> Wed, 03 March 2021 18:11 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B2493A17D0 for <secdispatch@ietfa.amsl.com>; Wed, 3 Mar 2021 10:11:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FDtXTtRg3cX9 for <secdispatch@ietfa.amsl.com>; Wed, 3 Mar 2021 10:11:33 -0800 (PST)
Received: from mail-yb1-f173.google.com (mail-yb1-f173.google.com [209.85.219.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D1F3F3A17CA for <secdispatch@ietf.org>; Wed, 3 Mar 2021 10:11:33 -0800 (PST)
Received: by mail-yb1-f173.google.com with SMTP id u3so25523911ybk.6 for <secdispatch@ietf.org>; Wed, 03 Mar 2021 10:11:33 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=A/Dus6peZbLDdqErjMW/hY9biA+GBMITV5XGqaXkpSE=; b=QcbicDqg3MwXrQhy7ypCCvS9lPLBmm7nrFyQgeB6T1TQl0iAStZQ/cm3uYyIdgyqOz y7eYFL/YDtjh2MkauJQWj4A/Bys78djbw6DS9bms1G1y80MupSnPYiTbTUCzbU5qI2XR j4sCpYn+ywwF1OoWugXTChks/wfx2JR9dRQAcihWdYQ46kQZkb1pkH4FWunUjAu4KSoQ 9nRPZIsDuRYYx250U+jXD8mNQDL0QpYju3jQV1bZgJohTrdGYrMj8130ri0OJqk5FnOm U2Nmvwi3pT23OS815S11+wS1tolfXxpzfeOA3PbpdrHvWvtI/cyJebwXvrZl08AIhIXP GD1g==
X-Gm-Message-State: AOAM53329Y8G9QOw6hKsnvSzrCkHlpKZ76XfBLGF09M9UD6WqNYL+FlT LERTAKMNFFtAytVTljQsCoJ5QC5jfpiEZU7GHrRoINwN8ZQ2Mw==
X-Google-Smtp-Source: ABdhPJyjiHkh5HHd0J+LOi76pQY/aMi8TQC+kEQn7FjRFKLtlgz3Yqe49pjUD5bnLVjpSPiRqB4f2TNAfGny9lE+4NM=
X-Received: by 2002:a25:50d8:: with SMTP id e207mr721066ybb.56.1614795093033; Wed, 03 Mar 2021 10:11:33 -0800 (PST)
MIME-Version: 1.0
References: <619EB16E-48E6-459A-A63A-18A805F75D34@akamai.com>
In-Reply-To: <619EB16E-48E6-459A-A63A-18A805F75D34@akamai.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Wed, 03 Mar 2021 13:11:22 -0500
Message-ID: <CAMm+Lwi_uoHUjpaYzvhgf6zqOy9iAg1OeOfbSHRNxo6yKjRhBw@mail.gmail.com>
To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>
Cc: "secdispatch@ietf.org" <secdispatch@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e7c68305bca5c7da"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/h6ZS-rj-26IHWDCMjaHB7ibgr8A>
Subject: Re: [Secdispatch] Requesting agenda time for draft-rsalz-use-san
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Mar 2021 18:11:36 -0000

I did a quick look at what CABForum has on this. They are in the same state.

Given that CABForum has the ability to actually enforce a profile and given
that this has been in place since we EOLed RSA1024, it is highly unlikely
that there are any browsers currently in use that rely on the CN field.

These are the EV guidelines but I doubt anyone does different for DV.

This change should be synchronized with CABForum if people want this
properly dead.


https://cabforum.org/wp-content/uploads/CA-Browser-Forum-EV-Guidelines-v1.7.0.pdf

Contents: If present, this field MUST contain a single Domain Name(s) owned
or controlled by the Subject and to be associated with the Subject’s
server. Such server MAY be owned and operated by the Subject or another
entity (e.g., a hosting service). Wildcard certificates are not allowed for
EV Certificates except as permitted under Appendix F.

On Thu, Feb 4, 2021 at 10:44 AM Salz, Rich <rsalz=
40akamai.com@dmarc.ietf.org> wrote:

> I would like to present
> https://datatracker.ietf.org/doc/draft-rsalz-use-san/
>
> This updates RFC 6125 to remove commonName as a way to identify the
> server; just use subjectAltName.  It also limits where the "*" can go in
> wildcard certificates. This is a simplification of widely implemented
> existing practice. It may even be de facto what's mostly done. Perhaps the
> wildcard limitation is controversial and I'd be willing to remove it.
>
> 6125 was AD-sponsored. I think this could also be, or perhaps it could go
> to UTA. I would not present any slides, and think 10-15 minutes would be
> enough time.
>
>
> _______________________________________________
> Secdispatch mailing list
> Secdispatch@ietf.org
> https://www.ietf.org/mailman/listinfo/secdispatch
>

v2.23.0 | Report a Bug | By Email