IETF Logo Mail Archive

Re: [Secdispatch] Requesting agenda time for draft-rsalz-use-san

Benjamin Kaduk <kaduk@mit.edu> Wed, 03 March 2021 05:55 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 557E83A1A02 for <secdispatch@ietfa.amsl.com>; Tue, 2 Mar 2021 21:55:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x8j35-YR3exv for <secdispatch@ietfa.amsl.com>; Tue, 2 Mar 2021 21:55:08 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B0493A1A01 for <secdispatch@ietf.org>; Tue, 2 Mar 2021 21:55:07 -0800 (PST)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 1235t1pE023671 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 3 Mar 2021 00:55:06 -0500
Date: Tue, 02 Mar 2021 21:55:00 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: Martin Thomson <mt@lowentropy.net>
Cc: secdispatch@ietf.org
Message-ID: <20210303055500.GB56617@kduck.mit.edu>
References: <619EB16E-48E6-459A-A63A-18A805F75D34@akamai.com> <b8378d08-5ee9-43e1-8260-29803b0ac243@www.fastmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <b8378d08-5ee9-43e1-8260-29803b0ac243@www.fastmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/sZ0qxQ6AW2oOUI7w2dgpJeQiK70>
Subject: Re: [Secdispatch] Requesting agenda time for draft-rsalz-use-san
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Mar 2021 05:55:10 -0000

On Wed, Mar 03, 2021 at 03:56:25PM +1100, Martin Thomson wrote:
> What Rich is doing here is good.  ~~SAN~~CN is dead and we should ensure that our documentation reflects that.  (Even at the time of 6125 it was a holdover from a previous era.)
> 
> Is now the time that we get to talk about other updates to RFC 6125?  Because there is no IP-ID reference identity in RFC 6125 and HTTP had to define one just to document what happens in practice: https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#https.ip-id

I do have a longstanding item in my list of things to do for updating 6125
in this manner.  (Note that
https://tools.ietf.org/html/draft-ietf-dtn-tcpclv4-25#section-4.4.1 has
also had to define an IPADDR-ID.)

I *also* have a longstanding item in my list for doing something analogous
to 6125 but for client authentication.  That, however, is a much more
open-ended question that should be a separate effort.

> I don't want to get in the way of making actual progress here, but knowing the difficulties with getting 6125 done, it might be safer to do this work in a working group.  I have no opinion regarding whether it is a new one or UTA.

I am hopeful that the UTA chairs can provide some thoughts here.

-Ben

> On Fri, Feb 5, 2021, at 02:43, Salz, Rich wrote:
> > I would like to present https://datatracker.ietf.org/doc/draft-rsalz-use-san/
> > 
> > This updates RFC 6125 to remove commonName as a way to identify the 
> > server; just use subjectAltName.  It also limits where the "*" can go 
> > in wildcard certificates. This is a simplification of widely 
> > implemented existing practice. It may even be de facto what's mostly 
> > done. Perhaps the wildcard limitation is controversial and I'd be 
> > willing to remove it.
> > 
> > 6125 was AD-sponsored. I think this could also be, or perhaps it could 
> > go to UTA. I would not present any slides, and think 10-15 minutes 
> > would be enough time.
> >  
> > 
> > _______________________________________________
> > Secdispatch mailing list
> > Secdispatch@ietf.org
> > https://www.ietf.org/mailman/listinfo/secdispatch
> >
> 
> _______________________________________________
> Secdispatch mailing list
> Secdispatch@ietf.org
> https://www.ietf.org/mailman/listinfo/secdispatch

v2.23.0 | Report a Bug | By Email