Re: [lamps] Éric Vyncke's No Objection on draft-ietf-lamps-samples-07: (with COMMENT)

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 02 February 2022 20:57 UTC

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Éric Vyncke <evyncke@cisco.com>, The IESG <iesg@ietf.org>
Cc: spasm@ietf.org, lamps-chairs@ietf.org, draft-ietf-lamps-samples@ietf.org, housley@vigilsec.com, tim.hollebeek@digicert.com
In-Reply-To: <164121362047.8756.3046187711723091521@ietfa.amsl.com>
References: <164121362047.8756.3046187711723091521@ietfa.amsl.com>
Date: Wed, 02 Feb 2022 15:43:29 -0500
Message-ID: <87iltxm232.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/7yajHMA0SRyeRW5dmKd5-1xNINs>

Hi Éric--

On Mon 2022-01-03 04:40:20 -0800, Éric Vyncke via Datatracker wrote:
> -- Section 2.2 & 2.3 --
> Would it be useful to include expired certificates?

This is a great question, and the LAMPS WG did consider it during
discussion of the draft.  The conclusion that we came to (which i helped
to drive, as editor) is that there are *many* ways that a certificate
can be invalid (in general, or for use with S/MIME in particular), and a
draft that hosts a zoo of invalid certificates would be much larger and
more complex than this simple document.

Expiration is one flavor of invalidity, but why not also test missing
subjectAltName?  or subtly wrong keyUsage or eKU?  or a malformed public
key?  and so on…  It's kind of like Anna Karenina 😛

Rather than try to decide (and fight over) what sort of invalid
certificates to supply in the draft, we decided to stick with just valid
certs here.

The certs should be valid for about three decades, so hopefully in that
time they'll be useful for a lot of different projects.

> And/or a CRL for those examples? Would providing those additional
> examples make possible more extensive testing?

The certs are expected to be used for testing, and to be used without
having to maintain any online infrastructure for this testing.

§2.3 specifically says "none of the certificates include either an OCSP
indicator or a CRL indicator", so i think including a CRL would just add
to the confusion.

If we want to produce samples that expire or can be revoked, i think
that would be a separate project, similar to the "multiple forms of
invalidity" described above.

> -- Section 4 --
> <joke>Please s/Alice Lovelace/Ada Lovelace/ ;-) </joke> (to be ignored of
> course but I could not resist) Alas not applicable to Charles/Bob Babbage or
> Alan/Carlos Turing or Grace/Dana Hopper :-)

we each nod to the legends in our own peculiar ways :)

   --dkg