IETF Logo Mail Archive

Re: [lamps] Proposed recharter text

Ryan Sleevi <ryan-ietf@sleevi.com> Thu, 11 February 2021 19:03 UTC

Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA2423A12FD for <spasm@ietfa.amsl.com>; Thu, 11 Feb 2021 11:03:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NmcCkYLGsUM8 for <spasm@ietfa.amsl.com>; Thu, 11 Feb 2021 11:03:27 -0800 (PST)
Received: from mail-pf1-f172.google.com (mail-pf1-f172.google.com [209.85.210.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB9E03A12BA for <spasm@ietf.org>; Thu, 11 Feb 2021 11:03:27 -0800 (PST)
Received: by mail-pf1-f172.google.com with SMTP id b145so4281258pfb.4 for <spasm@ietf.org>; Thu, 11 Feb 2021 11:03:27 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=vg4Q9fLZDOYWGU+iTApybc1wwJxdg99GyqI/u0GmYXM=; b=BT2c41jFpg3e3/p3gDhLLtxIh3Syx/IURGKWaiH7i2Mn7z0MZK/dWR9kL6DBoD4KQ3 K6TGqswkETrgRTker6F6Lo/9+gOshfnz375BfJyXof9MHG3sIs6aAvNOAJMVd6DPoaDO 5YpHiL+6/OvpkRgTMdWHXurHQEht+J+c6SQNc9D11t9R/kSzL4dvN7vkHpczQ+oirC/S +83vTj8ovQ/+lI4rODHmIg8sBkbDOi6HnTJg60PW7ADFjh+IhpexkHMt11dMx/DlQFPu PEPJohzoGhd8Hz7A0WC3nuAuYDz1wZCB9lWB+eroGhKON/MbzOzWYX0oyjfU0sgCL6VJ KvrA==
X-Gm-Message-State: AOAM533VMq9K7MLQ5vC1G/SOu27KDlVx2f8bidOSS9UNszBdE3b6vEvC tA+h8qBNq+dGVdh3+MosVr3sYXqplh8=
X-Google-Smtp-Source: ABdhPJzkmIrpO9iaXMb6zd7jYh12v4PPG/h1R+1d+BYZk2v+I45m+GN10XgU61t73YVMGBvslDEZNQ==
X-Received: by 2002:a63:fc1c:: with SMTP id j28mr9329162pgi.281.1613070206952; Thu, 11 Feb 2021 11:03:26 -0800 (PST)
Received: from mail-pj1-f46.google.com (mail-pj1-f46.google.com. [209.85.216.46]) by smtp.gmail.com with ESMTPSA id j73sm6624307pfd.170.2021.02.11.11.03.26 for <spasm@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 11 Feb 2021 11:03:26 -0800 (PST)
Received: by mail-pj1-f46.google.com with SMTP id gx20so3962075pjb.1 for <spasm@ietf.org>; Thu, 11 Feb 2021 11:03:26 -0800 (PST)
X-Received: by 2002:a17:90a:ee8a:: with SMTP id i10mr5176843pjz.103.1613070206045; Thu, 11 Feb 2021 11:03:26 -0800 (PST)
MIME-Version: 1.0
References: <DM6PR11MB43808FA7D74229A5997965649FBA9@DM6PR11MB4380.namprd11.prod.outlook.com> <9D01B155-6BB8-4438-8FAA-149686B69B64@vigilsec.com> <A7402F4B-33D3-4064-9E14-345B1303B1FD@akamai.com> <F94F3EAD-30C7-4B39-A00F-600234E120ED@vigilsec.com> <7F1A001A-C6D4-4F6C-B2D6-1FA43E4900B8@akamai.com> <CAErg=HH9j3duJnS8PQvrHef9hw8qdck4fPyc=iB1ENyPrReW=g@mail.gmail.com> <1D13C815-387F-4FAD-A71F-79C3DEC11A22@akamai.com>
In-Reply-To: <1D13C815-387F-4FAD-A71F-79C3DEC11A22@akamai.com>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Thu, 11 Feb 2021 14:03:15 -0500
X-Gmail-Original-Message-ID: <CAErg=HGBzdG2a8GSbcYV5b3O1JW4Dn_tQ68MPUojPAtv8m4E4Q@mail.gmail.com>
Message-ID: <CAErg=HGBzdG2a8GSbcYV5b3O1JW4Dn_tQ68MPUojPAtv8m4E4Q@mail.gmail.com>
To: "Salz, Rich" <rsalz@akamai.com>
Cc: Ryan Sleevi <ryan-ietf@sleevi.com>, Russ Housley <housley@vigilsec.com>, LAMPS <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a114ad05bb142ca5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/-kMZhOEQLpNGEKTRLJiuaq982bg>
Subject: Re: [lamps] Proposed recharter text
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Feb 2021 19:03:30 -0000

On Thu, Feb 11, 2021 at 11:09 AM Salz, Rich <rsalz@akamai.com> wrote:

>
>    - Are there even two interoperable implementations of 5280?
>
>
>
> No, I think things will need to be stripped out.
>

I agree, but I also worry it will open re-litigation of things that are
de-facto, but not standardized, despite efforts to the contrary.

As a concrete example, the handling of extendedKeyUsage within
intermediates is one of those issues that comes up every few years, but to
not much progress. This debate goes back (as far as I can tell) to even the
RFC 2459 work, where rough consensus and running code (at the time, and at
the present) implemented something different. This is something that
affects (2) with respect to the process of determining validity.

As an example of (3), consider the use of StringPrep with regards to DN
handling/comparison, which itself was a concession to the failed flag-days
of UTFString that earlier drafts had. Few implementations support it, even
fewer support it as specified (due to the evolution of StringPrep and the
Unicode tables). However, removing the normalization of DNs prior to
comparison creates backwards compat issues that previous drafts prioritized
avoiding, hence the complexity in the first place.


>
>    - I do mean that in full seriousness - and it seems practically
>    unlikely that (2) or (3) can be satisfied...
>
> On the other hand, it seems silly to not make 5280 a standard, seems de
> facto anyway.
>

In the abstract, yes. However, I worry that the necessity of trying to
address (2) and (3) will limit a lot of practical progress.

I think one of the most challenging aspects is that, for better or for
worse, we didn't end up with The Directory, nor did we end up with an
IETF-anchored, protocol-agnostic PKI, nor did work like NADF's work on RFC
1255 lead to region-specific authorities. The consequence is that we have
many PKIs - for different applications, protocols, and use cases - and so
answering the questions for (2) and (3) requires defining the scope of the
problem. When 5280 first began (~2005), there was still a widespread belief
in the federated directory model, as shown by the contemporary efforts like
OASIS PKIA TC. Do we still pretend that is the case - that folks will be
using LDAP to discover certificates ala the Public File - in order to avoid
upsetting the 5280 applecart? Or do we have to also revisit the scope and
context of 5280, so that we can have some basis to measure against (2) and
(3)?

Am I suggesting these are things I want to do, or suggesting we should do
them? Not at all. Yet I also don't see how we might make progress in
assessing (2) and (3), and thus, progress on 5280-et-al to Standards track,
without having to touch on the very scope of 5280, which we know emerged
from a time in which several of the technical assumptions and concessions
predicted did not, in actuality, pan out.

Again, to offer a concrete example of this challenge: policyConstraints and
their handling are an example of something that can be useful, but not
widely supported (and even less widely used, save in "private" PKIs), and
less-widely still interoperable. They were and are a product of assumptions
about how "The PKI" would be administered and federated, which we know in
practice did not manifest. Are they relics to be excised, ala (3)? Are they
things to revisit to add clarity ala (2)? Do we have good criteria to
quantify (1)? The answer is very much "it depends".

v2.23.0 | Report a Bug | By Email