Re: [sidr] Validation reconsidered and X.509v3 extension OIDs

Russ Housley <housley@vigilsec.com> Thu, 21 July 2016 08:56 UTC

From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <20160719131456.D0705412C916@minas-ithil.hactrn.net>
Date: Thu, 21 Jul 2016 04:56:12 -0400
Message-Id: <A76F3C48-64F0-48A3-938E-D2362A909664@vigilsec.com>
References: <20160719111830.12A97412B25E@minas-ithil.hactrn.net> <F64A0698-6461-489E-99B9-4A75421C04DA@vigilsec.com> <20160719131456.D0705412C916@minas-ithil.hactrn.net>
To: IETF SIDR <sidr@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/zcVGo1owvdOvB0u_6OwGIZS38aA>
Subject: Re: [sidr] Validation reconsidered and X.509v3 extension OIDs

On Jul 19, 2016, at 9:14 AM, Rob Austein <sra@hactrn.net> wrote:

> At Tue, 19 Jul 2016 08:43:00 -0400, Russ Housley wrote:
>> 
>> Does this apply to the Certificate Policy OID too?  If memory is
>> correct, the current CP has a normative pointer to RFC 3779.
> 
> Good catch.
> 
> Not sure a policy OID change is necessary, although might be simplest.
> If there's a reference, we either need to change the OID or change the
> definition of what the OID means.
> 
> IIRC, the OpenSSL library code doesn't do anything RFC-3779-specific
> for the policy OID, it just follows the usual rules; it's the RP code
> built on top of the library that demands that particular policy OID.
> So at least in the OpenSSL case, changing the policy OID may not have
> any noticeable effect on correctness of software behavior.

During the SIDR session today, there seemed to be some confusion about which OIDs we are talking about.

The first two are from RFC 3779.  They appear here in the IANA registry:
http://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#smi-numbers-1.3.6.1.5.5.7.1

The two OIDs are: 
	1.3.6.1.5.5.7.1.7	id-pe-ipAddrBlocks
	1.3.6.1.5.5.7.1.8	id-pe-autonomousSysIds

In addition, RFC 6484 assigned an OID for the certificate policy.  It appears here in the IANA registry:
http://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#smi-numbers-1.3.6.1.5.5.7.14

The OID is:
	1.3.6.1.5.5.7.14.2	id-cp-ipAddr-asNumber

I think this is a very good candidate for early IANA code point allocation.  I think that our AD can assist with that.

Russ
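The three OIDs listed in this message are exactly the values a relying-party implementation keys on when it decides that a certificate is an RPKI resource certificate, which is why Rob's point about "the RP code built on top of the library" matters: any renumbering shows up there, not in the generic X.509 path validation. The following is an added example, not code from this thread or from any RP software it mentions. It is a small self-contained Python DER walker that encodes and decodes OIDs, scans a certificate Extensions sequence for the two RFC 3779 extensions and for the RFC 6484 policy OID inside certificatePolicies, and also reports whether the resource extensions carry the critical flag (RFC 3779 requires them to be critical). The Extensions sequence it runs over is constructed inline with placeholder extnValue payloads; it is not a real certificate.

```python
# Added example: locate the RFC 3779 extensions and the RFC 6484 policy OID
# in a DER-encoded X.509 Extensions sequence. Pure standard-library Python.

# OIDs from the message above (IANA SMI registry, id-pe and id-cp arcs)
ID_PE_IP_ADDR_BLOCKS = "1.3.6.1.5.5.7.1.7"       # id-pe-ipAddrBlocks
ID_PE_AUTONOMOUS_SYS_IDS = "1.3.6.1.5.5.7.1.8"   # id-pe-autonomousSysIds
ID_CP_IP_ADDR_AS_NUMBER = "1.3.6.1.5.5.7.14.2"   # id-cp-ipAddr-asNumber
ID_CE_CERTIFICATE_POLICIES = "2.5.29.32"         # standard certificatePolicies extension

TAG_BOOLEAN, TAG_OID, TAG_OCTET_STRING, TAG_SEQUENCE = 0x01, 0x06, 0x04, 0x30


def encode_oid(dotted):
    """Dotted OID string -> DER content octets (base-128, first two arcs merged)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for arc in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes(body)


def decode_oid(body):
    """DER content octets -> dotted OID string."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def der_len(n):
    """DER length octets (short and long form)."""
    if n < 0x80:
        return bytes([n])
    out = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(out)]) + out


def der_tlv(tag, body):
    """Wrap content octets in a tag/length header."""
    return bytes([tag]) + der_len(len(body)) + body


def parse_tlv(buf, pos=0):
    """Read one TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_extensions(der):
    """Extensions ::= SEQUENCE OF Extension { extnID, critical DEFAULT FALSE, extnValue }."""
    tag, body, _ = parse_tlv(der)
    if tag != TAG_SEQUENCE:
        raise ValueError("Extensions must be a SEQUENCE")
    exts, pos = [], 0
    while pos < len(body):
        tag, ext, pos = parse_tlv(body, pos)
        tag, oid_bytes, p = parse_tlv(ext)
        if tag != TAG_OID:
            raise ValueError("extnID must be an OBJECT IDENTIFIER")
        critical = False
        tag, val, p = parse_tlv(ext, p)
        if tag == TAG_BOOLEAN:            # optional critical flag present
            critical = val != b"\x00"
            tag, val, p = parse_tlv(ext, p)
        if tag != TAG_OCTET_STRING:
            raise ValueError("extnValue must be an OCTET STRING")
        exts.append((decode_oid(oid_bytes), critical, val))
    return exts


def policy_oids(extn_value):
    """certificatePolicies extnValue -> list of policyIdentifier OIDs."""
    _, body, _ = parse_tlv(extn_value)    # SEQUENCE OF PolicyInformation
    oids, pos = [], 0
    while pos < len(body):
        _, info, pos = parse_tlv(body, pos)
        _, oid_bytes, _ = parse_tlv(info)  # policyIdentifier is the first field
        oids.append(decode_oid(oid_bytes))
    return oids


def check_rpki_extensions(extensions_der):
    """The RP-side check: which of the three OIDs are present, and are the
    RFC 3779 extensions marked critical as RFC 3779 requires."""
    exts = parse_extensions(extensions_der)
    critical_by_oid = {oid: crit for oid, crit, _ in exts}
    policies = []
    for oid, _, val in exts:
        if oid == ID_CE_CERTIFICATE_POLICIES:
            policies = policy_oids(val)
    resource = [o for o in (ID_PE_IP_ADDR_BLOCKS, ID_PE_AUTONOMOUS_SYS_IDS) if o in critical_by_oid]
    return {
        "has_ip_addr_blocks": ID_PE_IP_ADDR_BLOCKS in critical_by_oid,
        "has_as_ids": ID_PE_AUTONOMOUS_SYS_IDS in critical_by_oid,
        "resource_exts_critical": bool(resource) and all(critical_by_oid[o] for o in resource),
        "has_rpki_policy": ID_CP_IP_ADDR_AS_NUMBER in policies,
        "policies": policies,
    }


def build_sample_extensions():
    """Constructed sample: two critical RFC 3779 extensions with placeholder
    (empty SEQUENCE) payloads plus certificatePolicies carrying the RFC 6484 OID."""
    placeholder_payload = der_tlv(TAG_SEQUENCE, b"")   # not a real IPAddrBlocks/ASIdentifiers body
    ip_ext = der_tlv(TAG_SEQUENCE, der_tlv(TAG_OID, encode_oid(ID_PE_IP_ADDR_BLOCKS))
                     + der_tlv(TAG_BOOLEAN, b"\xff") + der_tlv(TAG_OCTET_STRING, placeholder_payload))
    as_ext = der_tlv(TAG_SEQUENCE, der_tlv(TAG_OID, encode_oid(ID_PE_AUTONOMOUS_SYS_IDS))
                     + der_tlv(TAG_BOOLEAN, b"\xff") + der_tlv(TAG_OCTET_STRING, placeholder_payload))
    policy_info = der_tlv(TAG_SEQUENCE, der_tlv(TAG_OID, encode_oid(ID_CP_IP_ADDR_AS_NUMBER)))
    cp_ext = der_tlv(TAG_SEQUENCE, der_tlv(TAG_OID, encode_oid(ID_CE_CERTIFICATE_POLICIES))
                     + der_tlv(TAG_OCTET_STRING, der_tlv(TAG_SEQUENCE, policy_info)))
    return der_tlv(TAG_SEQUENCE, ip_ext + as_ext + cp_ext)


if __name__ == "__main__":
    print(check_rpki_extensions(build_sample_extensions()))
```

Because the OID strings sit in one place, the example also shows what a code point change would cost an RP: the extension lookup and the policy comparison both change, while the DER walking itself does not, which matches Rob's observation that the library layer is indifferent to the particular policy OID.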