Re: [lamps] Éric Vyncke's No Objection on draft-ietf-lamps-samples-07: (with COMMENT)

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Wed, 02 February 2022 21:12 UTC

From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Éric Vyncke <evyncke@cisco.com>
CC: "spasm@ietf.org" <spasm@ietf.org>
Date: Wed, 02 Feb 2022 21:11:52 +0000
Message-ID: <BN0P110MB141942ABD162C393D21FAC2990279@BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM>
References: <164121362047.8756.3046187711723091521@ietfa.amsl.com> <87iltxm232.fsf@fifthhorseman.net>
In-Reply-To: <87iltxm232.fsf@fifthhorseman.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/8sCvPR9qrqvMkQ0CrHhXaLB5rjg>
Subject: Re: [lamps] Éric Vyncke's No Objection on draft-ietf-lamps-samples-07: (with COMMENT)

I’m not sure I’m happy to see an S/MIME cert declared invalid for absence of SAN attribute.

--

Regards,

Uri

There are two ways to design a system. One is to make it so simple there are obviously no deficiencies.

The other is to make it so complex there are no obvious deficiencies.

    - C. A. R. Hoare


From: Spasm <spasm-bounces@ietf.org> on behalf of Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Wednesday, February 2, 2022 at 15:58
To: Éric Vyncke <evyncke@cisco.com>, The IESG <iesg@ietf.org>
Cc: spasm@ietf.org <spasm@ietf.org>, lamps-chairs@ietf.org <lamps-chairs@ietf.org>, draft-ietf-lamps-samples@ietf.org <draft-ietf-lamps-samples@ietf.org>, housley@vigilsec.com <housley@vigilsec.com>, tim.hollebeek@digicert.com <tim.hollebeek@digicert.com>
Subject: Re: [lamps] Éric Vyncke's No Objection on draft-ietf-lamps-samples-07: (with COMMENT)

Hi Éric--

On Mon 2022-01-03 04:40:20 -0800, Éric Vyncke via Datatracker wrote:
> -- Section 2.2 & 2.3 --
> Would it be useful to include expired certificates ?

This is a great question, and the LAMPS WG did consider it during
discussion of the draft.  The conclusion that we came to (which i helped
to drive, as editor) is that there are *many* ways that a certificate
can be invalid (in general, or for use with S/MIME in particular), and a
draft that hosts a zoo of invalid certificates would be much larger and
more complex than this simple document.

Expiration is one flavor of invalidity, but why not also test missing
subjectAltName?  or subtly wrong keyUsage or eKU?  or a malformed public
key?  and so on…  It's kind of like Anna Karenina 😛

Rather than try to decide (and fight over) what sort of invalid
certificates to supply in the draft, we decided to stick with just valid
certs here.

The certs should be valid for about three decades, so hopefully in that
time they'll be useful for a lot of different projects.

> And/or a CRL for those examples ? Would providing those additional
> examples make possible more extensive testing?

The certs are expected to be used for testing, and to be used without
having to maintain any online infrastructure for this testing.

§2.3 specifically says "none of the certificates include either an OCSP
indicator or a CRL indicator", so i think including a CRL would just add
to the confusion.

If we want to produce samples that expire or can be revoked, i think
that would be a separate project, similar to the "multiple forms of
invalidity" described above.

> -- Section 4 --
> <joke>Please s/Alice Lovelace/Ada Lovelace/ ;-) </joke> (to be ignored of
> course but I could not resist) Alas not applicable to Charles/Bob Babbage or
> Alan/Carlos Turing or Grace/Dana Hopper :-)

we each nod to the legends in our own peculiar ways :)

   --dkg
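The "flavors of invalidity" dkg lists above (expiration, a missing subjectAltName, a keyUsage or eKU that is subtly wrong, a malformed public key), together with the §2.3 property that the samples carry no CRL or OCSP indicator, can be written down as a checklist that a test harness runs over a certificate. The block below is an added example, not part of this thread or of draft-ietf-lamps-samples: it builds throwaway self-signed certificates with the third-party `cryptography` package (assumed to be installed), deliberately omitting one property at a time, and reports which checks each one fails. The address alice@smime.example, the CRL URL and the function names are all made up for the example.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, ExtensionOID, NameOID

# Constructed address for the throwaway test certificate (not from the draft).
TEST_EMAIL = "alice@smime.example"


def _naive_utc_now():
    # Naive UTC timestamp: accepted by every cryptography release's builder.
    return datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)


def make_test_cert(email=TEST_EMAIL, with_san=True, not_before_days=-1,
                   not_after_days=365, eku_email=True, with_crl_dp=False):
    """Build a self-signed end-entity cert, optionally with one chosen defect."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Sample Tester")])
    now = _naive_utc_now()
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now + datetime.timedelta(days=not_before_days))
        .not_valid_after(now + datetime.timedelta(days=not_after_days))
        .add_extension(
            x509.KeyUsage(digital_signature=True, content_commitment=False,
                          key_encipherment=False, data_encipherment=False,
                          key_agreement=False, key_cert_sign=False, crl_sign=False,
                          encipher_only=False, decipher_only=False),
            critical=True)
    )
    if with_san:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.RFC822Name(email)]), critical=False)
    if eku_email:
        builder = builder.add_extension(
            x509.ExtendedKeyUsage([ExtendedKeyUsageOID.EMAIL_PROTECTION]), critical=False)
    if with_crl_dp:
        # Placeholder URL: the draft's samples deliberately carry no CRL/OCSP pointer.
        dp = x509.DistributionPoint(
            [x509.UniformResourceIdentifier("http://crl.example.invalid/sample.crl")],
            None, None, None)
        builder = builder.add_extension(x509.CRLDistributionPoints([dp]), critical=False)
    return builder.sign(key, hashes.SHA256())


def _ext(cert, oid):
    # Extension value, or None when the certificate does not carry it.
    try:
        return cert.extensions.get_extension_for_oid(oid).value
    except x509.ExtensionNotFound:
        return None


def smime_findings(cert):
    """List the ways `cert` deviates from a usable S/MIME signing certificate.

    Mirrors the thread's list of invalidity flavours plus the draft's
    no-CRL/no-OCSP property; an empty list means every check passed.
    """
    findings = []
    if hasattr(cert, "not_valid_before_utc"):  # timezone-aware API (cryptography >= 42)
        nvb, nva = cert.not_valid_before_utc, cert.not_valid_after_utc
        now = datetime.datetime.now(datetime.timezone.utc)
    else:
        nvb, nva = cert.not_valid_before, cert.not_valid_after
        now = _naive_utc_now()
    if now < nvb:
        findings.append("not-yet-valid")
    if now > nva:
        findings.append("expired")
    try:
        cert.public_key()
    except (ValueError, TypeError):  # key material that does not parse
        findings.append("malformed-public-key")
    san = _ext(cert, ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
    if san is None:
        findings.append("no-subjectAltName")
    elif not san.get_values_for_type(x509.RFC822Name):
        findings.append("subjectAltName-without-rfc822Name")
    ku = _ext(cert, ExtensionOID.KEY_USAGE)
    if ku is None:
        findings.append("no-keyUsage")
    elif not ku.digital_signature:
        findings.append("keyUsage-lacks-digitalSignature")
    eku = _ext(cert, ExtensionOID.EXTENDED_KEY_USAGE)
    if eku is None:
        findings.append("no-extendedKeyUsage")
    elif ExtendedKeyUsageOID.EMAIL_PROTECTION not in eku:
        findings.append("eKU-lacks-emailProtection")
    if _ext(cert, ExtensionOID.CRL_DISTRIBUTION_POINTS) is not None:
        findings.append("has-CRL-distribution-point")
    if _ext(cert, ExtensionOID.AUTHORITY_INFORMATION_ACCESS) is not None:
        findings.append("has-AIA-(OCSP-indicator)")
    return findings


if __name__ == "__main__":
    cases = {
        "good": make_test_cert(),
        "no SAN": make_test_cert(with_san=False),
        "expired": make_test_cert(not_before_days=-400, not_after_days=-10),
        "with CRL DP": make_test_cert(with_crl_dp=True),
    }
    for label, cert in cases.items():
        print(f"{label:12s} -> {smime_findings(cert) or 'no findings'}")
```

Each check is reported separately rather than collapsed into a single valid/invalid verdict, which is what makes the output useful for test suites: a harness can assert that the draft's sample certificates produce no findings while a certificate missing its subjectAltName produces exactly the one it was built to show. Whether a missing SAN should by itself make a certificate unusable, as Uri questions above, is a policy decision of the verifier; the checklist only reports the fact.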