IETF Logo Mail Archive

Re: [lamps] Proposed recharter text

Ryan Sleevi <ryan-ietf@sleevi.com> Mon, 15 February 2021 22:43 UTC

Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03A993A1283 for <spasm@ietfa.amsl.com>; Mon, 15 Feb 2021 14:43:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.503
X-Spam-Level:
X-Spam-Status: No, score=0.503 tagged_above=-999 required=5 tests=[FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eZMhD8E5mWRd for <spasm@ietfa.amsl.com>; Mon, 15 Feb 2021 14:43:33 -0800 (PST)
Received: from mail-pj1-f42.google.com (mail-pj1-f42.google.com [209.85.216.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 714123A13BE for <spasm@ietf.org>; Mon, 15 Feb 2021 14:43:18 -0800 (PST)
Received: by mail-pj1-f42.google.com with SMTP id d2so4738854pjs.4 for <spasm@ietf.org>; Mon, 15 Feb 2021 14:43:18 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6xltiyPeTcFAy/zapzxloVyJe/YmNzZrqqh+NMMPHdI=; b=KG19eSfNj4TIO/9UsgnJLP1HyCTDPKlGikb9FNJNFgwmygh4DxZZoUepnzILVQAnJR PI8H1+OK+3hLaQmxoQyCKtn9F+wvYfbls6V+c4fcY271UbrAK2iOet3VL0h/wj3QdSIG dDOF8kP3rgpc280cyzPyCAt+VOIdeVbLbxC8GKcrsEpgS7J+QWcxKZcDgT23UcfNRbcF 4MgIMwFwV5Eq1PdP5oBD0jXFxGVH3tYU4eXUbmKa/Z8OjizcswF4uBfbPljXrWLsraup XI6/sAJLYcs7eQhDYo8RXZbzfDU7WLFg/CQvkzUGxTD3F8o7NgRIaP+VqZDqaztql+Lc prXQ==
X-Gm-Message-State: AOAM531zBFr7LFh+AHAUxt3CUG47RnlK3CjgXH+mIDX9IiBivHjMGJOD uDd78tWPaHoLRRAydUD7NnB6mo1rPkw=
X-Google-Smtp-Source: ABdhPJyQ5VxySQ3fSDGBCR9/o3KL3PwPtRyiEeIt1LgdhCFT2qsZrQws2U6qKRlryaV9yfwTj/PX7A==
X-Received: by 2002:a17:902:854c:b029:e3:1a18:6fa with SMTP id d12-20020a170902854cb02900e31a1806famr16933952plo.70.1613428997609; Mon, 15 Feb 2021 14:43:17 -0800 (PST)
Received: from mail-pj1-f46.google.com (mail-pj1-f46.google.com. [209.85.216.46]) by smtp.gmail.com with ESMTPSA id s1sm18746017pfe.151.2021.02.15.14.43.17 for <spasm@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 15 Feb 2021 14:43:17 -0800 (PST)
Received: by mail-pj1-f46.google.com with SMTP id q72so4533045pjq.2 for <spasm@ietf.org>; Mon, 15 Feb 2021 14:43:17 -0800 (PST)
X-Received: by 2002:a17:90a:ee8a:: with SMTP id i10mr969621pjz.103.1613428997283; Mon, 15 Feb 2021 14:43:17 -0800 (PST)
MIME-Version: 1.0
References: <CAFTXyYAD00RPhokSAWmyVom=yGCeSBwfzk4moXbvtJ_GdBvOHQ@mail.gmail.com>
In-Reply-To: <CAFTXyYAD00RPhokSAWmyVom=yGCeSBwfzk4moXbvtJ_GdBvOHQ@mail.gmail.com>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Mon, 15 Feb 2021 17:25:36 -0500
X-Gmail-Original-Message-ID: <CAErg=HFVqTNjKbNHQ4kD3UWY9pBmYsHa=qokgKLdoHKAF6bSEw@mail.gmail.com>
Message-ID: <CAErg=HFVqTNjKbNHQ4kD3UWY9pBmYsHa=qokgKLdoHKAF6bSEw@mail.gmail.com>
To: Tadahiko Ito <tadahiko.ito.public@gmail.com>
Cc: SPASM <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000040e68405bb67b6e7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/GWLzSFPfWzFFWgcRhe-lcnWTKEY>
Subject: Re: [lamps] Proposed recharter text
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Feb 2021 22:43:35 -0000

On Mon, Feb 15, 2021 at 2:41 PM Tadahiko Ito <tadahiko.ito.public@gmail.com>
wrote:

> Hi Ryan
>
> As far as can I see, RFC5280 is based on the directory system which seems
> to be a general and ideal concept. As a result, 5280 seems to have become a
> general and ideal "profile" for certificates. Since 5280 is general and
> ideal (and too heavy), the actual implementations of PKI became a subset of
> RFC5280.
>
> I'm wondering if we can create some sort of a new Best Practice document
> which assumes more specific use cases (e.g. webPKI, PKI with trust list and
> without bridge, etc.) while making RFC5280 as an IS, which would fill in
> the gaps.
>
> (I am not sure if other forks will agree on such a document but ) doesn't
> it solve your concern?
>

I think, in the context of an Internet Standard, that approach wouldn’t
work unless we had sub-profiles that exercised all the bits that the
(other) sub-profiles excised. Otherwise, we’re still leaving unimplemented
dead weight in.

Don’t get me wrong, I think there is potential value in working to reflect
the rough consensus and running code, given the now three decades of X.509
experience, but my concern was and remains that the proposed charter
language doesn’t provide any guidance or prioritization on how to resolve
the questions necessary to advance to an Internet Standard, which we know
have been contentious and uninteroperbale.

We can:

A) accept it as-is, but lack an objective or reliable way to resolve these
disputes that (to this day) are unresolved among different communities

B) Try to find agreement on narrowing the community in the charter, such
that we have a rubric to evaluate options against

C) Attempt to progress to an Internet Standard, but not actually define the
interoperable profile that is robust and reliable. Instead, the goal is to
rather document the building blocks and semantics that communities are
expect to further profile down, including forbidding such features. The
distinction between A and C is largely that A attempts to exclude to “a
sensible, implemented set”, while C accepts all as valid for purposes of
documentation.

I don’t have strong opinions on these - they’re all a lot of work. And I am
certainly not trying to argue for an inherent superiority of Web PKI vs
other PKIs. My observation was and is merely that the “one size fits all”
attempt that 5280 captures/inherited from its ITU and IETF spec forbears
doesn’t really reflect the operational reality, in code or practice.  Such
dissonance means it would be a considerable work item to resolve, and we
should figure out early, during chartering, where the preferred path of the
WG is leaning to, so we can resolve concerns consistently and expeditiously.

v2.23.0 | Report a Bug | By Email