Re: [lamps] Proposed recharter text
Ryan Sleevi <ryan-ietf@sleevi.com> Thu, 11 February 2021 19:03 UTC
Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA2423A12FD for <spasm@ietfa.amsl.com>; Thu, 11 Feb 2021 11:03:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NmcCkYLGsUM8 for <spasm@ietfa.amsl.com>; Thu, 11 Feb 2021 11:03:27 -0800 (PST)
Received: from mail-pf1-f172.google.com (mail-pf1-f172.google.com [209.85.210.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB9E03A12BA for <spasm@ietf.org>; Thu, 11 Feb 2021 11:03:27 -0800 (PST)
Received: by mail-pf1-f172.google.com with SMTP id b145so4281258pfb.4 for <spasm@ietf.org>; Thu, 11 Feb 2021 11:03:27 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=vg4Q9fLZDOYWGU+iTApybc1wwJxdg99GyqI/u0GmYXM=; b=BT2c41jFpg3e3/p3gDhLLtxIh3Syx/IURGKWaiH7i2Mn7z0MZK/dWR9kL6DBoD4KQ3 K6TGqswkETrgRTker6F6Lo/9+gOshfnz375BfJyXof9MHG3sIs6aAvNOAJMVd6DPoaDO 5YpHiL+6/OvpkRgTMdWHXurHQEht+J+c6SQNc9D11t9R/kSzL4dvN7vkHpczQ+oirC/S +83vTj8ovQ/+lI4rODHmIg8sBkbDOi6HnTJg60PW7ADFjh+IhpexkHMt11dMx/DlQFPu PEPJohzoGhd8Hz7A0WC3nuAuYDz1wZCB9lWB+eroGhKON/MbzOzWYX0oyjfU0sgCL6VJ KvrA==
X-Gm-Message-State: AOAM533VMq9K7MLQ5vC1G/SOu27KDlVx2f8bidOSS9UNszBdE3b6vEvC tA+h8qBNq+dGVdh3+MosVr3sYXqplh8=
X-Google-Smtp-Source: ABdhPJzkmIrpO9iaXMb6zd7jYh12v4PPG/h1R+1d+BYZk2v+I45m+GN10XgU61t73YVMGBvslDEZNQ==
X-Received: by 2002:a63:fc1c:: with SMTP id j28mr9329162pgi.281.1613070206952; Thu, 11 Feb 2021 11:03:26 -0800 (PST)
Received: from mail-pj1-f46.google.com (mail-pj1-f46.google.com. [209.85.216.46]) by smtp.gmail.com with ESMTPSA id j73sm6624307pfd.170.2021.02.11.11.03.26 for <spasm@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 11 Feb 2021 11:03:26 -0800 (PST)
Received: by mail-pj1-f46.google.com with SMTP id gx20so3962075pjb.1 for <spasm@ietf.org>; Thu, 11 Feb 2021 11:03:26 -0800 (PST)
X-Received: by 2002:a17:90a:ee8a:: with SMTP id i10mr5176843pjz.103.1613070206045; Thu, 11 Feb 2021 11:03:26 -0800 (PST)
MIME-Version: 1.0
References: <DM6PR11MB43808FA7D74229A5997965649FBA9@DM6PR11MB4380.namprd11.prod.outlook.com> <9D01B155-6BB8-4438-8FAA-149686B69B64@vigilsec.com> <A7402F4B-33D3-4064-9E14-345B1303B1FD@akamai.com> <F94F3EAD-30C7-4B39-A00F-600234E120ED@vigilsec.com> <7F1A001A-C6D4-4F6C-B2D6-1FA43E4900B8@akamai.com> <CAErg=HH9j3duJnS8PQvrHef9hw8qdck4fPyc=iB1ENyPrReW=g@mail.gmail.com> <1D13C815-387F-4FAD-A71F-79C3DEC11A22@akamai.com>
In-Reply-To: <1D13C815-387F-4FAD-A71F-79C3DEC11A22@akamai.com>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Thu, 11 Feb 2021 14:03:15 -0500
X-Gmail-Original-Message-ID: <CAErg=HGBzdG2a8GSbcYV5b3O1JW4Dn_tQ68MPUojPAtv8m4E4Q@mail.gmail.com>
Message-ID: <CAErg=HGBzdG2a8GSbcYV5b3O1JW4Dn_tQ68MPUojPAtv8m4E4Q@mail.gmail.com>
To: "Salz, Rich" <rsalz@akamai.com>
Cc: Ryan Sleevi <ryan-ietf@sleevi.com>, Russ Housley <housley@vigilsec.com>, LAMPS <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a114ad05bb142ca5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/-kMZhOEQLpNGEKTRLJiuaq982bg>
Subject: Re: [lamps] Proposed recharter text
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Feb 2021 19:03:30 -0000
On Thu, Feb 11, 2021 at 11:09 AM Salz, Rich <rsalz@akamai.com> wrote: > > - Are there even two interoperable implementations of 5280? > > > > No, I think things will need to be stripped out. > I agree, but I also worry it will open re-litigation of things that are de-facto, but not standardized, despite efforts to the contrary. As a concrete example, the handling of extendedKeyUsage within intermediates is one of those issues that comes up every few years, but to not much progress. This debate goes back (as far as I can tell) to even the RFC 2459 work, where rough consensus and running code (at the time, and at the present) implemented something different. This is something that affects (2) with respect to the process of determining validity. As an example of (3), consider the use of StringPrep with regards to DN handling/comparison, which itself was a concession to the failed flag-days of UTFString that earlier drafts had. Few implementations support it, even fewer support it as specified (due to the evolution of StringPrep and the Unicode tables). However, removing the normalization of DNs prior to comparison creates backwards compat issues that previous drafts prioritized avoiding, hence the complexity in the first place. > > - I do mean that in full seriousness - and it seems practically > unlikely that (2) or (3) can be satisfied... > > On the other hand, it seems silly to not make 5280 a standard, seems de > facto anyway. > In the abstract, yes. However, I worry that the necessity of trying to address (2) and (3) will limit a lot of practical progress. I think one of the most challenging aspects is that, for better or for worse, we didn't end up with The Directory, nor did we end up with an IETF-anchored, protocol-agnostic PKI, nor did work like NADF's work on RFC 1255 lead to region-specific authorities. The consequence is that we have many PKIs - for different applications, protocols, and use cases - and so answering the questions for (2) and (3) requires defining the scope of the problem. When 5280 first began (~2005), there was still a widespread belief in the federated directory model, as shown by the contemporary efforts like OASIS PKIA TC. Do we still pretend that is the case - that folks will be using LDAP to discover certificates ala the Public File - in order to avoid upsetting the 5280 applecart? Or do we have to also revisit the scope and context of 5280, so that we can have some basis to measure against (2) and (3)? Am I suggesting these are things I want to do, or suggesting we should do them? Not at all. Yet I also don't see how we might make progress in assessing (2) and (3), and thus, progress on 5280-et-al to Standards track, without having to touch on the very scope of 5280, which we know emerged from a time in which several of the technical assumptions and concessions predicted did not, in actuality, pan out. Again, to offer a concrete example of this challenge: policyConstraints and their handling are an example of something that can be useful, but not widely supported (and even less widely used, save in "private" PKIs), and less-widely still interoperable. They were and are a product of assumptions about how "The PKI" would be administered and federated, which we know in practice did not manifest. Are they relics to be excised, ala (3)? Are they things to revisit to add clarity ala (2)? Do we have good criteria to quantify (1)? The answer is very much "it depends".
- [lamps] Proposed re-charter text for hybrid and d… Mike Ounsworth
- Re: [lamps] Proposed re-charter text for hybrid a… Sean Turner
- Re: [lamps] [EXTERNAL] Re: Proposed re-charter te… Mike Ounsworth
- Re: [lamps] Proposed re-charter text for hybrid a… Russ Housley
- Re: [lamps] Proposed re-charter text for hybrid a… Michael Richardson
- Re: [lamps] Proposed re-charter text for hybrid a… Michael Jenkins
- Re: [lamps] Proposed re-charter text for hybrid a… Michael Richardson
- Re: [lamps] Proposed re-charter text for hybrid a… Russ Housley
- [lamps] Proposed recharter text Russ Housley
- Re: [lamps] Proposed recharter text Salz, Rich
- Re: [lamps] Proposed recharter text Russ Housley
- Re: [lamps] Proposed recharter text Salz, Rich
- Re: [lamps] Proposed recharter text Ryan Sleevi
- Re: [lamps] Proposed recharter text Salz, Rich
- Re: [lamps] Proposed recharter text Brockhaus, Hendrik
- Re: [lamps] Proposed recharter text Ryan Sleevi
- Re: [lamps] Proposed recharter text Russ Housley
- Re: [lamps] Proposed recharter text Russ Housley
- Re: [lamps] Proposed recharter text Ryan Sleevi
- Re: [lamps] Proposed recharter text Michael Richardson
- Re: [lamps] Proposed recharter text Michael Richardson
- Re: [lamps] Proposed recharter text Tadahiko Ito
- Re: [lamps] Proposed recharter text Ryan Sleevi
- Re: [lamps] Proposed recharter text Michael Richardson
- Re: [lamps] Proposed recharter text Russ Housley
- Re: [lamps] [EXTERNAL] Proposed recharter text Mike Ounsworth
- Re: [lamps] [EXTERNAL] Proposed recharter text Russ Housley
- Re: [lamps] [EXTERNAL] Proposed recharter text Mike Ounsworth
- Re: [lamps] Proposed recharter text Panos Kampanakis (pkampana)
- Re: [lamps] [EXTERNAL] Proposed recharter text Brockhaus, Hendrik
- Re: [lamps] Proposed recharter text Russ Housley
- Re: [lamps] Proposed recharter text Panos Kampanakis (pkampana)
- Re: [lamps] Proposed recharter text Mike Ounsworth
- Re: [lamps] Proposed recharter text Russ Housley
- Re: [lamps] Proposed recharter text Russ Housley
- Re: [lamps] Proposed recharter text Roman Danyliw
- Re: [lamps] Proposed recharter text Mike Ounsworth
- Re: [lamps] Proposed recharter text Roman Danyliw
- Re: [lamps] Proposed recharter text Mike Ounsworth
- Re: [lamps] Proposed recharter text Salz, Rich
- Re: [lamps] Proposed recharter text Benjamin Kaduk
- Re: [lamps] Proposed recharter text Michael Richardson
- Re: [lamps] Proposed recharter text Roman Danyliw
- Re: [lamps] Proposed recharter text Mike Ounsworth
- Re: [lamps] Proposed recharter text Roman Danyliw