IETF Logo Mail Archive

[Spasm] Let's focus

Richard Barnes <rlb@ipv.sx> Thu, 26 May 2016 20:04 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69C1812D5C2 for <spasm@ietfa.amsl.com>; Thu, 26 May 2016 13:04:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HD_fFaanKhid for <spasm@ietfa.amsl.com>; Thu, 26 May 2016 13:04:46 -0700 (PDT)
Received: from mail-vk0-x22f.google.com (mail-vk0-x22f.google.com [IPv6:2607:f8b0:400c:c05::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9B43912B069 for <spasm@ietf.org>; Thu, 26 May 2016 13:04:46 -0700 (PDT)
Received: by mail-vk0-x22f.google.com with SMTP id f66so117078590vkh.2 for <spasm@ietf.org>; Thu, 26 May 2016 13:04:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:date:message-id:subject:from:to; bh=Ofa/3vsGdYiDouofaOaDwYt4WvXuw/+KhQRVfpGoybM=; b=F3nCyvXWbid/MYkRYQX0RPc1e9O6b0auzgbbwTPA+WR9eLRrJz8PK/qezzACeUOc7a AqXZzCnRa1hUdW+3AgicWhozp3OrWIvPvgrb46tXc5hzKr4X6Bmx7PNNQVHjQjFgD2wC pvRKnqblfWEOrt4CTaykckJ4qUgcswn8tjedBPJkPT5MT6R3rtAnMOcu130/It8zfn3W mbxnlYAzVNmjnoDWeushlcWal9z0DEbC1CbkRnboEbmo5SRrukf7QxsNbsx2sZUF38oU gDm2/EjavGMFxYUcDF3+t0RwBFZvLx05gE7WB6BFqmJrCD9emA9X/x3+zGo9YXH98Yw0 pnZw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:date:message-id:subject:from:to; bh=Ofa/3vsGdYiDouofaOaDwYt4WvXuw/+KhQRVfpGoybM=; b=JnIWzkkUyUlIA/Fh71rteetEK16gjPZu9RqiAh1UtIanpazlxUU/11DOJ98hla28TJ cU1i8xvwu0bAIgB+xCVwS7ybAryv+bxGPnZLsmPw4XXBcxTKEUv5RUduU5OWdjD5xnsw 3S0T2DMhpNKqj0/+SfGnaYrfU42Xs8q9IdH3DlfbhYYAhqEJMN9YfXmp3dLaIR148+gn TVB91PlXJRF5fIplwtCECMIkhh8R5kUJXPHa4p+QeDdoqnwl4xD+c+oguOhbIsgdVcZk RaQG99L7cCMYzCfqA8wYeMMiEno3J4SX2jXS96jGvPNeK43vB1sWKTSDNCsttELgfnPf 3t9A==
X-Gm-Message-State: ALyK8tKl2hLCNHbVFdwICOzEC/4vQDprsHA51pScf6fMnvgxKxQuQXMp8/W0UioM7OsKsqT5ZTebuJ3ZaQ0R8A==
MIME-Version: 1.0
X-Received: by 10.176.7.70 with SMTP id h64mr6447228uah.97.1464293085536; Thu, 26 May 2016 13:04:45 -0700 (PDT)
Received: by 10.31.48.71 with HTTP; Thu, 26 May 2016 13:04:45 -0700 (PDT)
Date: Thu, 26 May 2016 16:04:45 -0400
Message-ID: <CAL02cgSHWvmmhCqv1Dz8wfiGsOqOXWNi150suR-5xqt3F8ppcw@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: spasm@ietf.org
Content-Type: multipart/alternative; boundary="94eb2c12339a3608540533c44d14"
Archived-At: <http://mailarchive.ietf.org/arch/msg/spasm/3zZzKa2lcT3gGJOskVrnODPBgM0>
Subject: [Spasm] Let's focus
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 May 2016 20:04:52 -0000

Hey all,

I'm concerned that the proposed scope [1] for this WG is (1) too broad, and
(2) inconsistent with the participation so far.

The breadth concern is evident in the ambiguity of the name "Some?"  This
group should identify some concrete, practical problems in the Internet
they need to solve, describe them, and demonstrate that they have the right
set of stakeholders to develop, implement, and deploy a solution.

I'm personally most concerned about the "fix the EKUs" milestone, at least
as it's realized in [2].  From the perspective of someone who works a lot
in the Web PKI, this sounds like a request for a feature that has negative
value.  The incremental value of the proposed feature would be to allow
"everything but X" CAs.  Recent experience in the Web PKI has driven home
how harmful it can be to have divergent sets of RPs relying on the same
PKI, so allowing CAs to be more unconstrained is moving in the wrong
direction.  I'm not dogmatic on this, but in order to be persuaded, I would
need to see active interest from some real CAs, and from the logs of this
list, I'm not seeing anyone who's a current participant in the Web PKI
(apologies if I've failed to recognize someone).

I'm also concerned about the "SRV for cert stores" milestone, though I
admit I'm not as deep in this space.  Looking at the proposed doc, it seems
like the SRV adds any value over just looking stuff up at a well-known URI,
e.g., adding a "x5c" attribute to a WebFinger resource.  Anything that
requires special DNS magic (and SRV counts) is going to face significant
deployment barriers.  So I would be happier if this were a "define a simple
cert discovery mechanism for S/MIME" milestone, rather than being bound to
a specific mechanism.

Overall, it seems like this group should focus on moving the ball forward
with regard to making S/MIME deployable in today's Internet -- fixing
papercuts around AEAD, i18n, and cert discovery.  The PKIX stuff is
unrelated and addresses an entirely different constituency.

--Richard


[1] https://datatracker.ietf.org/doc/charter-ietf-spasm/
[2] https://tools.ietf.org/html/draft-housley-spasm-eku-constraints-01
[3] https://tools.ietf.org/html/draft-bhjl-x509-srv-00

v2.23.0 | Report a Bug | By Email