IETF Logo Mail Archive

Re: [lamps] Éric Vyncke's No Objection on draft-ietf-lamps-samples-07: (with COMMENT)

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Wed, 02 February 2022 22:04 UTC

Return-Path: <prvs=00320a4907=uri@ll.mit.edu>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1CE3F3A22C5 for <spasm@ietfa.amsl.com>; Wed, 2 Feb 2022 14:04:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.795
X-Spam-Level:
X-Spam-Status: No, score=-1.795 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WVWaOPXl-r41 for <spasm@ietfa.amsl.com>; Wed, 2 Feb 2022 14:04:20 -0800 (PST)
Received: from MX3.LL.MIT.EDU (mx3.ll.mit.edu [129.55.12.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 66B373A22C4 for <spasm@ietf.org>; Wed, 2 Feb 2022 14:04:20 -0800 (PST)
Received: from LLEX2019-2.mitll.ad.local (llex2019-2.llan.ll.mit.edu [172.25.4.124]) by MX3.LL.MIT.EDU (8.16.1.2/8.16.1.2) with ESMTPS id 212M4HkA253433 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Wed, 2 Feb 2022 17:04:17 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=u+VMfD3OL8nDGox8yub9quK8cRwAUn/Hq172X8CKRMs/gDU0CSHw9MXsiWZ2WkSsquk9D0Ul3dNbGHBSx/FrKghwPK05evP00oEyLpf5u9tqnxwx0MpQkh6biwwWlTPw0Iukr66tp5hkn0DnWwDaR+u6X6Iu8msTW17s5cJnvM8NwHo/RUjR1C6lTcTCKswCNHX0Yijq4oFA5tzFv1mMb8+RwBT9wd24RIkuvn3rH0j2ArnIXSdioQbbhc7ReytDIl8jA9bVTMmsGUrUl4yy6O1GZP63kzTactlKBwwgdaHnaOgt5WknWZa0zYe4+wNCQvJy+88N1tCi2U3MQuqvkw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=QWtK/EChx/95IGLtMdLJbvsTThgFMZNXzjjCh5WYQKU=; b=FZNmvuQqqcsYXwXzfD3rOo2M+4LNs7qoFwV3karECeArEyWciUhek4kwNDYggbGE/6ZCNL9jCk2CsnfzUvqNS6AegxYC+632X2Z0lniIXhBmhvJWSyO/dDHLJzV3QRQT2wLWo7q0JnIEKLD9VsGmfIWPrZdBcGyhphqnz2G3cgI0wEnyH/XjQprSAlGiKw8gD/Wi45iHNz30Mj3g4NyOd6mH/iZLhDshlGDbRVlb+UsDupURI+GJiWTva606igtrEJjnFVw7i3Kd9xUoAn6R121B6d4dwC7Ub5sKZMnz/KYtYWBgIDGZZVQBGPrUspDGb6yiFINDWTVQmQmtsoz0+g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ll.mit.edu; dmarc=pass action=none header.from=ll.mit.edu; dkim=pass header.d=ll.mit.edu; arc=none
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Russ Housley <housley@vigilsec.com>
CC: LAMPS <spasm@ietf.org>, Eric Vyncke <evyncke@cisco.com>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Thread-Topic: [lamps] Éric Vyncke's No Objection on draft-ietf-lamps-samples-07: (with COMMENT)
Thread-Index: AQHYGHelfhGIh3dgbEOjGMKkVz/vSKyAwYfMgAAKHgCAAAK+rg==
Date: Wed, 02 Feb 2022 22:04:14 +0000
Message-ID: <BN0P110MB14193C8DDC7CA647B315580190279@BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM>
References: <164121362047.8756.3046187711723091521@ietfa.amsl.com> <87iltxm232.fsf@fifthhorseman.net> <BN0P110MB141942ABD162C393D21FAC2990279@BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM> <84DFE375-B0F5-400E-A9B5-B262575288F4@vigilsec.com>
In-Reply-To: <84DFE375-B0F5-400E-A9B5-B262575288F4@vigilsec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 43cffeb9-baa7-4072-bfc6-08d9e697f2fe
x-ms-traffictypediagnostic: BN0P110MB1227:EE_
x-microsoft-antispam-prvs: <BN0P110MB1227DA987BAD38838BBF241C90279@BN0P110MB1227.NAMP110.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:7219;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: thP6AQAAA5187wz1PxFhwyE42RGA4NGSs/ZdhZ/EEDP+mFL3Z68qgFTrAT+qmdLtWRYPAs+SLdz/cq1F9ycOA/R02oJD4S5AjsMIUJHbC2YAUbvcSkzZRyHvdGVZ17i+G8RjSYHrOT51CIpoxNUXCeofy+ubUo/dQDBB1YcaQ1DRi7pLEOF1fZdZV5BCXGRAZzV6sAQwIOGAsQRiJZ03Ft6n4+Ne+MGBT9OGBMDbzTxl8HOFpebiUtM7uyC2Cp9SFfTRoDe0Wz3rA5cSBe0ZZ8kAXTPgp6eFdy7n287hsdpmzubVEghP44UP7/DXTbV3aj3Juhfs6xuc8jYzL9BvPPMZTxV7fBGPGFNU2auhg8nqRyzfn22PKkrdjcMUJoYYOUea2jBprIKyK5fHlV9BVJSqZ+nel0hku8qpUA0E6ZxRpZdG1FttA3ZC98Emm7m5F5kLsvlYKlwV1yrEp8MVsztg2Pd8ZMPW5HFqV3XpJ1B8aX6yt64KLSl8FiDxFBJB+jWgz8E9fvydyLvBR+X2pTxLQQB3SaPqHoKFKvlcYO/P+4gRhp1GGxWlvnYB7hQ2eBFDouihiTNVSQcV/3Wqe4/VPHJsI7J8vRBDzFW4YMpNkR/WvMUEC7s8nknagaZ40f35mldy/OiVsm4uTUr24Q==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230001)(366004)(966005)(33656002)(6916009)(86362001)(186003)(2906002)(54906003)(45080400002)(66574015)(75432002)(26005)(508600001)(83380400001)(64756008)(66476007)(66556008)(316002)(8936002)(66946007)(38100700002)(66446008)(224303003)(52536014)(7696005)(4326008)(122000001)(53546011)(6506007)(166002)(99936003)(71200400001)(5660300002)(55016003)(76116006)(38070700005)(9686003); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: nz5BvDMj8nEPRrs1kwRwWiDVP7oHde2ixUpz1XGtzBVr0KkJlsQ/PAmRIDDFPQIo7qLcoe6pioTHGaOsO5f063NXEDx2ETj+Qzj740U//jNFsN7L8pLHu9TwfFQbvXxUgJE0HoO9g1Z5ahDo7lLRlw==
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha256"; boundary="_BC220A84-4F53-424B-AC2E-B7FEF9DA0B40_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 43cffeb9-baa7-4072-bfc6-08d9e697f2fe
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Feb 2022 22:04:14.0086 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 83d1efe3-698e-4819-911b-0a8fbe79d01c
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN0P110MB1227
X-Proofpoint-ORIG-GUID: pJnfiVan_pj-KIk0uxVFHj12DLl3B_IG
X-Proofpoint-GUID: pJnfiVan_pj-KIk0uxVFHj12DLl3B_IG
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.425, 18.0.816 definitions=2022-02-02_11:2022-02-01, 2022-02-02 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxlogscore=999 suspectscore=0 adultscore=0 malwarescore=0 bulkscore=0 phishscore=0 mlxscore=0 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2201110000 definitions=main-2202020118
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/9q0zImJuwpFgdSKyUFm4ehAmZ1g>
Subject: Re: [lamps] Éric Vyncke's No Objection on draft-ietf-lamps-samples-07: (with COMMENT)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Feb 2022 22:04:25 -0000

RFC 5280 encourages the rfc822name to be carried in the subjectAltName extension.  It does accommodate "legacy" implementations, as did RFC 2459 in 1999.

 

The problem with RFC 5280 is that in practice it facilitates “one cert <-> one email address”.

Originally, S/MIME was conceived to allow me to send email from an account/address, and prove that I’m the originator of it (I as the owner of the given certificate, not (necessarily) of the given email address.

 

It it was "legacy" in 1999, it is probably well past time to require the email address to be in the subjectAltName extension.

 

Among other things, it prevents me from signing (or decrypting) emails on more than one rfc822 address using hardware token.

 

In theory, it should be possible to either omit SAN altogether, because my purpose is proving authenticity of the sender, not sender’s address – or, if there’s insistence on addressed, add multiple SAN for multiple email addresses.

 

In practice, while CA would issue me a cert with either no SAN, or multiple SAN – most common corporate email clients (MS Outlook, Apple Mail, don’t recall offhand how Thunderbird behaves) would reject a cert with no SAN, and process only the first SAN if there’s more than one (though I do seem to recall that one of these clients failed a cert with multiple SAN altogether).

 

<Rant>I consider this SAN insistence as a big email screw-up.</Rant>

 

 

On Feb 2, 2022, at 4:11 PM, Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu> wrote:

 

I’m not sure I’m happy to see an S/MIME cert declared invalid for absence of SAN attribute.

 

--

Regards,                      

Uri

 

There are two ways to design a system. One is to make it so simple there are obviously no deficiencies.

The other is to make it so complex there are no obvious deficiencies.

                                                                                                                                     -  C. A. R. Hoare

 

 

From: Spasm <spasm-bounces@ietf.org> on behalf of Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Wednesday, February 2, 2022 at 15:58
To: Éric Vyncke <evyncke@cisco.com>, The IESG <iesg@ietf.org>
Cc: spasm@ietf.org <spasm@ietf.org>, lamps-chairs@ietf.org <lamps-chairs@ietf.org>, draft-ietf-lamps-samples@ietf.org <draft-ietf-lamps-samples@ietf.org>, housley@vigilsec.com <housley@vigilsec.com>, tim.hollebeek@digicert.com <tim.hollebeek@digicert.com>
Subject: Re: [lamps] Éric Vyncke's No Objection on draft-ietf-lamps-samples-07: (with COMMENT)

Hi Éric--

On Mon 2022-01-03 04:40:20 -0800, Éric Vyncke via Datatracker wrote:
> -- Section 2.2 & 2.3 --
> Would it be useful to include expired certificates ? 

This is a great question, and the LAMPS WG did consider it during
discussion of the draft.  The conclusion that we came to (which i helped
to drive, as editor) is that there are *many* ways that a certificate
can be invalid (in general, or for use with S/MIME in particular), and a
draft that hosts a zoo of invalid certificates would be much larger and
more complex than this simple document.

Expiration is one flavor of invalidity, but why not also test missing
subjectAltName?  or subtly wrong keyUsage or eKU?  or a malformed public
key?  and so on…  It's kind of like Anna Karenina 😛

Rather than try to decide (and fight over) what sort of invalid
certificates to supply in the draft, we decided to stick with just valid
certs here.

The certs should be valid for about three decades, so hopefully in that
time they'll be useful for a lot of different projects.

> And/or a CRL for those examples ? Would providing those additional
> examples make possible more extensive testing?

The certs are expected to be used for testing, and to be used without
having to maintain any online infrastructure for this testing.

§2.3 specifically says "none of the certificates include either an OCSP
indicator or a CRL indicator", so i think including a CRL would just add
to the confusion.

If we want to produce samples that expire or can be revoked, i think
that would be a separate project, similar to the "multiple forms of
invalidity" described above.

> -- Section 4 --
> <joke>Please s/Alice Lovelace/Ada Lovelace/ ;-) </joke> (to be ignored of
> course but I could not resist) Alas not applicable to Charles/Bob Babbage or
> Alan/Carlos Turing or Grace/Dana Hopper :-)

we each nod to the legends in our own peculiar ways :)

   --dkg

_______________________________________________
Spasm mailing list
Spasm@ietf.org
https://www.ietf.org/mailman/listinfo/spasm" rel="nofollow">https://www.ietf.org/mailman/listinfo/spasm

 

v2.23.0 | Report a Bug | By Email