IETF Logo Mail Archive

Re: [lamps] Éric Vyncke's No Objection on draft-ietf-lamps-samples-07: (with COMMENT)

Russ Housley <housley@vigilsec.com> Wed, 02 February 2022 21:46 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C93703A2202 for <spasm@ietfa.amsl.com>; Wed, 2 Feb 2022 13:46:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 92fznHeK11Gs for <spasm@ietfa.amsl.com>; Wed, 2 Feb 2022 13:46:14 -0800 (PST)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BEB493A21FF for <spasm@ietf.org>; Wed, 2 Feb 2022 13:46:14 -0800 (PST)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id 5EAB91355B7; Wed, 2 Feb 2022 16:46:12 -0500 (EST)
Received: from [192.168.1.161] (pool-141-156-161-153.washdc.fios.verizon.net [141.156.161.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id 44D2C1351E9; Wed, 2 Feb 2022 16:46:12 -0500 (EST)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <84DFE375-B0F5-400E-A9B5-B262575288F4@vigilsec.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_95DC7441-EE71-42E7-88A2-1ADEBC235F22"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
Date: Wed, 02 Feb 2022 16:46:10 -0500
In-Reply-To: <BN0P110MB141942ABD162C393D21FAC2990279@BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM>
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Eric Vyncke <evyncke@cisco.com>, LAMPS <spasm@ietf.org>
To: Uri Blumenthal <uri@ll.mit.edu>
References: <164121362047.8756.3046187711723091521@ietfa.amsl.com> <87iltxm232.fsf@fifthhorseman.net> <BN0P110MB141942ABD162C393D21FAC2990279@BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM>
X-Mailer: Apple Mail (2.3445.104.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/GaQF2VmiyZWfvAkXkCcUlycbIPA>
Subject: Re: [lamps] Éric Vyncke's No Objection on draft-ietf-lamps-samples-07: (with COMMENT)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Feb 2022 21:46:20 -0000

Uri:

RFC 5280 encourages the rfc822name to be carried in the subjectAltName extension.  It does accommodate "legacy" implementations, as did RFC 2459 in 1999.

RFC 2459 said:

   In addition, legacy implementations exist where an RFC 822 name is
   embedded in the subject distinguished name as an EmailAddress
   attribute.  The attribute value for EmailAddress is of type IA5String
   to permit inclusion of the character '@', which is not part of the
   PrintableString character set.  EmailAddress attribute values are not
   case sensitive (e.g., "fanfeedback@redsox.com" is the same as
   "FANFEEDBACK@REDSOX.COM").

It it was "legacy" in 1999, it is probably well past time to require the email address to be in the subjectAltName extension.

Russ


> On Feb 2, 2022, at 4:11 PM, Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu> wrote:
> 
> I’m not sure I’m happy to see an S/MIME cert declared invalid for absence of SAN attribute.
> 
> --
> Regards,
> Uri
> 
> There are two ways to design a system. One is to make it so simple there are obviously no deficiencies.
> The other is to make it so complex there are no obvious deficiencies.
>                                                                                                                                      -  C. A. R. Hoare
> 
> 
> From: Spasm <spasm-bounces@ietf.org <mailto:spasm-bounces@ietf.org>> on behalf of Daniel Kahn Gillmor <dkg@fifthhorseman.net <mailto:dkg@fifthhorseman.net>>
> Date: Wednesday, February 2, 2022 at 15:58
> To: Éric Vyncke <evyncke@cisco.com <mailto:evyncke@cisco.com>>, The IESG <iesg@ietf.org <mailto:iesg@ietf.org>>
> Cc: spasm@ietf.org <mailto:spasm@ietf.org> <spasm@ietf.org <mailto:spasm@ietf.org>>, lamps-chairs@ietf.org <mailto:lamps-chairs@ietf.org> <lamps-chairs@ietf.org <mailto:lamps-chairs@ietf.org>>, draft-ietf-lamps-samples@ietf.org <mailto:draft-ietf-lamps-samples@ietf.org> <draft-ietf-lamps-samples@ietf.org <mailto:draft-ietf-lamps-samples@ietf.org>>, housley@vigilsec.com <mailto:housley@vigilsec.com> <housley@vigilsec.com <mailto:housley@vigilsec.com>>, tim.hollebeek@digicert.com <mailto:tim.hollebeek@digicert.com> <tim.hollebeek@digicert.com <mailto:tim.hollebeek@digicert.com>>
> Subject: Re: [lamps] Éric Vyncke's No Objection on draft-ietf-lamps-samples-07: (with COMMENT)
> 
> Hi Éric--
> 
> On Mon 2022-01-03 04:40:20 -0800, Éric Vyncke via Datatracker wrote:
> > -- Section 2.2 & 2.3 --
> > Would it be useful to include expired certificates ?
> 
> This is a great question, and the LAMPS WG did consider it during
> discussion of the draft.  The conclusion that we came to (which i helped
> to drive, as editor) is that there are *many* ways that a certificate
> can be invalid (in general, or for use with S/MIME in particular), and a
> draft that hosts a zoo of invalid certificates would be much larger and
> more complex than this simple document.
> 
> Expiration is one flavor of invalidity, but why not also test missing
> subjectAltName?  or subtly wrong keyUsage or eKU?  or a malformed public
> key?  and so on…  It's kind of like Anna Karenina 😛
> 
> Rather than try to decide (and fight over) what sort of invalid
> certificates to supply in the draft, we decided to stick with just valid
> certs here.
> 
> The certs should be valid for about three decades, so hopefully in that
> time they'll be useful for a lot of different projects.
> 
> > And/or a CRL for those examples ? Would providing those additional
> > examples make possible more extensive testing?
> 
> The certs are expected to be used for testing, and to be used without
> having to maintain any online infrastructure for this testing.
> 
> §2.3 specifically says "none of the certificates include either an OCSP
> indicator or a CRL indicator", so i think including a CRL would just add
> to the confusion.
> 
> If we want to produce samples that expire or can be revoked, i think
> that would be a separate project, similar to the "multiple forms of
> invalidity" described above.
> 
> > -- Section 4 --
> > <joke>Please s/Alice Lovelace/Ada Lovelace/ ;-) </joke> (to be ignored of
> > course but I could not resist) Alas not applicable to Charles/Bob Babbage or
> > Alan/Carlos Turing or Grace/Dana Hopper :-)
> 
> we each nod to the legends in our own peculiar ways :)
> 
>    --dkg
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org <mailto:Spasm@ietf.org>
> https://www.ietf.org/mailman/listinfo/spasm <https://www.ietf.org/mailman/listinfo/spasm>

v2.23.0 | Report a Bug | By Email