Re: [lamps] Éric Vyncke's No Objection on draft-ietf-lamps-samples-07: (with COMMENT)

"Eric Vyncke (evyncke)" <evyncke@cisco.com> Thu, 03 February 2022 06:50 UTC

IronPort-PHdr: A9a23:SmK4ixKt+uTCjB4zodmcuWEyDhhOgF28FgIW659yjbVIf+zj+pn5J0XQ6L1ri0OBRoTU7f9Iyo+0+6DtUGAN+9CN5XYFdpEfWxoMk85DmQsmDYaMAlH6K/i/aSs8EYxCWVZp8mv9P1JSHZP1ZkbZpTu56jtBcig=
IronPort-Data: A9a23:RFMIOKlGtW5wHZ7TBE5y0+Po5gwsJERdPkR7XQ2eYbSJt1+Wr1GztxIZWTvVOP2JYTD3c9wnO4qzp0IB6sXVn4RrTAVq+3o1RFtH+JHPbTi7wugcHM8zwvUuxyuL1u1GAjX7BJ1yHi+0SiuFaOC79yEmjfjQH9IQNcadUsxPbV48IMseoUoLd94R2uaEsPDha++/kYqaT/73YDdJ7wVJ3lc8sMpvnv/AUMPa41v0tnRmDRxCUcS3e3M9VPrzLonpR5f0rxU9IwK0ewrD5OnREmLx5RwhDJaulaz2NxdMSb/JNg/IgX1TM0SgqkEd/WppjeBqb7xFNBw/Zzahx7idzP1Aq422QgQkFqbNg+8aFRJfFkmSOIUXqOWceybg4Jf7I0ruNiGEL+9VJF03OMsY/eJzDGtD+P8wJDECbxuOnf7wy7W+IsFsgdk4KMT6FJ0etXBk1jzSS/0hRPjrT7/D68Md3TosiIVKFPPGfI8CYD93aBnbSxxCJllRD4gx9M+sj3znaHhTqFuUv7Ef4mXPwkp2yreFGMHNc8ePbcRYgkjeoXjJl0z4DwoVHN2S1TTD9Wij7sfDnizTVoMcCL248eRxjViawCoVBQF+aLcRiZFVkWakUN5ZbkcT4Cdr9+459VegSZ/2WBjQnZJNhTZEM/I4LgHwwFvlJnLo3juk
IronPort-HdrOrdr: A9a23:ZB4G36kh6eJOEMZNFWx6A8NmdfvpDfN8iWdD5ihNYBxZY6Wkfp+V/cjzhCWbtN9OYh4dcIi7Sda9qXO1z+8T3WGIVY3SHDUOy1HYUr2KirGSgAEIeheOt9K1sJ0BT0EQMqyKMbEXt7ee3OD8Kadd/DDlytHruQ699QYWcegCUcgJhG0VZnf5Yy9LrUt9dOcE/fGnl6x6Tk+bCAwqh7OAdwA4tob41rn2vaOjRSRDKw8s6QGIgz/twqX9CQKk0hAXVC4K6as+8EDe+jaJo5mLgrWe8FvxxmXT55NZlJ/K0d1YHvGBjcATN3HFlhuoXoJ8QLeP1QpF5N1HqWxa1+UkkS1QZvib2EmhJl1dZiGdgDUI5QxerUMKD2Xo20cL7/aJGQ7SQPAx9L6xOiGpm3bI+usMjJ6iGwmixsRq5dSqplWj2zGAbWAZqqL/y0BS4tI7njhRV5ATZ6RWqpFa9ERJEI0YFCa/84w/FvJyZfusqMq+XGnqJUwxhFMfjeBEn05DaCuuUwwHoIiYwjJWlHd2ww8Rw9EehG4J8NY4R4Nf7+rJP6x0nPUWJ/VmI55VFaMEW4+6G2bNSRXDPCabJknmDrgOPzbIp4Ts6Ls46em2cNgDzYc0mp7GTFRE3FRCNH7GGImLxtlG4xrNSGKyUXDkzdxf/YFwvvnmSL/iIUS4ORsTegub0r0i6+HgKoKO0aNtcrbexDHVaPN0NiXFKu5vFUU=
From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, The IESG <iesg@ietf.org>
CC: "spasm@ietf.org" <spasm@ietf.org>, "lamps-chairs@ietf.org" <lamps-chairs@ietf.org>, "draft-ietf-lamps-samples@ietf.org" <draft-ietf-lamps-samples@ietf.org>, "housley@vigilsec.com" <housley@vigilsec.com>, "tim.hollebeek@digicert.com" <tim.hollebeek@digicert.com>
Thread-Topic: [lamps] Éric Vyncke's No Objection on draft-ietf-lamps-samples-07: (with COMMENT)
Thread-Index: AQHYGHeIZeQ3//hHUUqf58Yq8LPs+6yBdH4A
Date: Thu, 03 Feb 2022 06:50:31 +0000
Message-ID: <8B42E5BF-4317-4FDA-A932-FCC4AA082DC7@cisco.com>
References: <164121362047.8756.3046187711723091521@ietfa.amsl.com> <87iltxm232.fsf@fifthhorseman.net>
In-Reply-To: <87iltxm232.fsf@fifthhorseman.net>
Accept-Language: fr-BE, en-US
Content-Language: en-GB
user-agent: Microsoft-MacOutlook/16.57.22011101
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 2OIWxaHYg7Dp9/WhzAkCEJAUELtWzmrjqMH9TLO6xYJdrT0IoL7PtNPtgKe7/d7RxGZn86lRvlajTFH2saAuGnxlgVWx57WvMkUmPZyZtzX9XanAiVHZB3VBv2oHnW3ExdVp7/g1Hj9HJHV1mzMYQ9TXl+wV/Ps7h/UmQmWLUD6b+PtQK+dnk/DwHQiPzX5IDoEKaVqfPoExRSHfHbkEtXr9v9+OJGKg6L2viryiRtq9yA5uz84BEGP0rvJarDWbsWujKmrm5PuySw2CoBPnKJ6axhAjsVuKBDc9I1Zvwu+ecEDGFZM+VrvZgEoG5S/072zgVycBHcYqEAufAF1F9z8RfxMsxLkcgNAWw57CE365BoOkD+GC+KugEUarToujWgQ6CYdWhzz27dg5L0Mvw5INDjS7qLGmGmGH4hyePWoe79pZ6fDfz4UzUAXo5uRTkabySdZiu2PRmldBfWIq4RXPc7fKj8lKELZIQJ8ZP6hy8yJuk3dvtKMOmyyw7FdSn+uyYmMDQJsaJVmgGp8JYokhwmZtM+uiDTPsQV9TusvD75TzmFvnk/9wMriO9ZcGWba50foJahRty+bflbnUsB18+qo9lysWfgUbaMDb3Ooneb74wvvbGjTCjbf8po1S7nMjiIj7AM7VFPoqKyAT1NF59Hkd5oyHZdYCqMtRsPEfvf/m4X7kDuqleUauHoGwjx8Y+kwT2OebgWdeMM2HNtPZkxfgegzW5PzJt7gusrG6ZXwFFEk/gneJskTG5S00cyaFNKOAsXAqkQnCRmHyXfCPgeJC3wWkOJu9hKmwqjzlbOWWS60CX/j2oOwZdB2dXEYpCZGFxE4p645nmYAPVp4imP4Z5z21XWk4gyRrH3JbxjG9VFhQUJ6cilDMOg/5lxmYvq1q9TOyOoyk0Lpeb0aq6qcaAuTfW7PxAzBAIbtBA5E9Zrnrpg3WpEteCkm7TEF39ZKTroBZyueifTBCwHTrQ1j8Ll+Ga8bANmIz/Vaa6lIPlmretAIck+2HMGWj2/mVuwgjKpjVzo7K8Fr+c0R45o5XsMTmZ+kUCyKVNLCy00Ib2H1XlGdSV3Xz20AMO27N3H7vBUinBDgO/QvVo9rmdWnDOz4+9jHvtSpSBrD0chl9L1VS4JyK4SoEbDzrKOXsWDUt+EptnpeCOl0/3XZxnp3ve01dK3g3V5SrCFuJe6OcKvgH1amO+FlsIgS78tvtNs3gKbpht0yU+BA92CfmnDb2o13wP1BnfHa2cWzxwRl1kvOHjSRKig6qpN8pM70cgwVelqwTmmCNHKmftIJEWUC1BYseTG6kc33PKKCp6M2qw/DhnW9mvHjqOc6YpJSgsedrdK6m4YuseaeyFpW6yNodJDB+HnITR3Ncie8SBwcZIuXTRauD1a37EOzZReiJy10C0TIG6DjOnlja1/OUMziVRZJfSVIxoztQLCQdwsTV7bTnctf93HIt6G5tPGzg+5TVaR3tlCzd+M2nvVTziTBxnxkaIABgM5LnUII//pgYPIu5T25XfRmwi0apDHA7xkSLKMl1YXMsSxlmW0Ztv433eZFnhWy3OVNU3TPXW1iZYv8G2AFiG9TXtvF6b2kcLYr/GvRBvb4od/qhax7px6ssFn631tLRlrwqATJ98O70Fdg9lhu1jUYTlqJNEY+/3QHiMuSdff89ITahRzHhi75BAZuCdGIkdjAp5UY=
Content-Type: text/plain; charset="utf-8"
Content-ID: <4D7D1F84A66FE140A8D640A1BDF3B50D@namprd11.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: PH0PR11MB4966.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 54839f34-5bae-4283-f7eb-08d9e6e17886
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Feb 2022 06:50:31.2527 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: MLjZcpVhBNZCsiASW39/hacVi1xPkwfHace0YTZrr4UrOyVPlAe5cqzntMDoW/r1hWA5HqV/aV2xrbAjg6g4RA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR11MB3417
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.18, xbe-rcd-003.cisco.com
X-Outbound-Node: rcdn-core-2.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/UM88pzqnJq8HLIqWWo7j9_h6gfk>
Subject: Re: [lamps] Éric Vyncke's No Objection on draft-ietf-lamps-samples-07: (with COMMENT)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Feb 2022 06:50:52 -0000

Daniel

Thank you for your reply, it is indeed sensible not to have dozens of invalid certs

Regards

-éric


On 02/02/2022, 21:57, "Daniel Kahn Gillmor" <dkg@fifthhorseman.net> wrote:

    Hi Éric--

    On Mon 2022-01-03 04:40:20 -0800, Éric Vyncke via Datatracker wrote:
    > -- Section 2.2 & 2.3 --
    > Would it be useful to include expired certificates ? 

    This is a great question, and the LAMPS WG did consider it during
    discussion of the draft.  The conclusion that we came to (which i helped
    to drive, as editor) is that there are *many* ways that a certificate
    can be invalid (in general, or for use with S/MIME in particular), and a
    draft that hosts a zoo of invalid certificates would be much larger and
    more complex than this simple document.

    Expiration is one flavor of invalidity, but why not also test missing
    subjectAltName?  or subtly wrong keyUsage or eKU?  or a malformed public
    key?  and so on…  It's kind of like Anna Karenina 😛

    Rather than try to decide (and fight over) what sort of invalid
    certificates to supply in the draft, we decided to stick with just valid
    certs here.

    The certs should be valid for about three decades, so hopefully in that
    time they'll be useful for a lot of different projects.

    > And/or a CRL for those examples ? Would providing those additional
    > examples make possible more extensive testing?

    The certs are expected to be used for testing, and to be used without
    having to maintain any online infrastructure for this testing.

    §2.3 specifically says "none of the certificates include either an OCSP
    indicator or a CRL indicator", so i think including a CRL would just add
    to the confusion.

    If we want to produce samples that expire or can be revoked, i think
    that would be a separate project, similar to the "multiple forms of
    invalidity" described above.

    > -- Section 4 --
    > <joke>Please s/Alice Lovelace/Ada Lovelace/ ;-) </joke> (to be ignored of
    > course but I could not resist) Alas not applicable to Charles/Bob Babbage or
    > Alan/Carlos Turing or Grace/Dana Hopper :-)

    we each nod to the legends in our own peculiar ways :)

       --dkg

[lamps] Éric Vyncke's No Objection on draft-ietf-… Éric Vyncke via Datatracker
Re: [lamps] Éric Vyncke's No Objection on draft-i… Daniel Kahn Gillmor
Re: [lamps] Éric Vyncke's No Objection on draft-i… Blumenthal, Uri - 0553 - MITLL
Re: [lamps] Éric Vyncke's No Objection on draft-i… Russ Housley
Re: [lamps] Éric Vyncke's No Objection on draft-i… Blumenthal, Uri - 0553 - MITLL
Re: [lamps] Éric Vyncke's No Objection on draft-i… Russ Housley
Re: [lamps] Éric Vyncke's No Objection on draft-i… Daniel Kahn Gillmor
Re: [lamps] Éric Vyncke's No Objection on draft-i… Blumenthal, Uri - 0553 - MITLL
Re: [lamps] Éric Vyncke's No Objection on draft-i… Daniel Kahn Gillmor
Re: [lamps] Éric Vyncke's No Objection on draft-i… Eric Vyncke (evyncke)
Re: [lamps] Éric Vyncke's No Objection on draft-i… Brown, Wendy (10421)
Re: [lamps] Éric Vyncke's No Objection on draft-i… Blumenthal, Uri - 0553 - MITLL