IETF Logo Mail Archive

Re: [lamps] RFC8994/8995 requirements for CSRattr

Dan Harkins <dharkins@lounge.org> Sun, 29 August 2021 23:31 UTC

Return-Path: <dharkins@lounge.org>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79AB53A1E50; Sun, 29 Aug 2021 16:31:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yidDumT0wBjC; Sun, 29 Aug 2021 16:31:37 -0700 (PDT)
Received: from www.goatley.com (www.goatley.com [198.137.202.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C6F903A1E51; Sun, 29 Aug 2021 16:31:37 -0700 (PDT)
Received: from trixy.bergandi.net (cpe-76-176-14-122.san.res.rr.com [76.176.14.122]) by wwwlocal.goatley.com (PMDF V6.8 #2433) with ESMTP id <0QYM0KZ25K0PUI@wwwlocal.goatley.com>; Sun, 29 Aug 2021 18:31:37 -0500 (CDT)
Received: from blockhead.local ([69.12.173.8]) by trixy.bergandi.net (PMDF V6.7-x01 #2433) with ESMTPSA id <0QYM00A4EJU3H1@trixy.bergandi.net>; Sun, 29 Aug 2021 16:27:40 -0700 (PDT)
Received: from 69-12-173-8.static.dsltransport.net ([69.12.173.8] EXTERNAL) (EHLO blockhead.local) with TLS/SSL by trixy.bergandi.net ([10.0.42.18]) (PreciseMail V3.3); Sun, 29 Aug 2021 16:27:40 -0700
Date: Sun, 29 Aug 2021 16:31:35 -0700
From: Dan Harkins <dharkins@lounge.org>
In-reply-to: <26149.1630260692@localhost>
To: Michael Richardson <mcr+ietf@sandelman.ca>, anima@ietf.org
Cc: Owen Friel <ofriel@cisco.com>, Peter van der Stok <stokcons@bbhmail.nl>, max pritikin <pritikin@cisco.com>, Toerless Eckert <tte@cs.fau.de>, Esko Dijk <esko.dijk@iotconsultancy.nl>, spasm@ietf.org, Thomas Werner <thomas-werner@siemens.com>
Message-id: <1dec22e1-3856-4df7-21d6-4ad6c94e0ee2@lounge.org>
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_AkEFfb6rIes/n4ldv/VKZg)"
Content-language: en-US
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.13.0
X-PMAS-SPF: SPF check skipped for authenticated session (recv=trixy.bergandi.net, send-ip=69.12.173.8)
X-PMAS-External-Auth: 69-12-173-8.static.dsltransport.net [69.12.173.8] (EHLO blockhead.local)
References: <26149.1630260692@localhost>
X-PMAS-Software: PreciseMail V3.3 [210826] (trixy.bergandi.net)
X-PMAS-Allowed: system rule (rule allow header:X-PMAS-External noexists)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/VpaRUlJQk9Ys28_hZ--Hv6dBhuQ>
Subject: Re: [lamps] RFC8994/8995 requirements for CSRattr
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 29 Aug 2021 23:31:44 -0000

   Hi Michael,

   Why can't the RA signal to the CA whatever things it things should
be included in the CA, in addition to the goo provided in the client's
CSR? If the Registrar knows the name then why can't it provide it to
the CA. It will be providing the CSR to the CA, on behalf of the client,
so why can't it say "oh by the way, add this name for the pledge...."

   Why don't you want to define _that_ signalling instead of overloading
a different protocol?

   Dan.

On 8/29/21 11:11 AM, Michael Richardson wrote:
> Hi, Toerless, Esko, Peter, Max, Thomas, Owen,
>
> Please be aware that there is a virtual interim meeting for LAMPS tomorrow (Monday).
> The details are at:
>     https://datatracker.ietf.org/doc/agenda-interim-2021-lamps-02-lamps-01/
>
> Use https://meetings.conf.meetecho.com/interim/?short=a4fd6373-c1d1-453c-9e2b-b17d9899d53e
> at: Monday 2021-08-30 17:30 UTC
>
> The topic is about the /csrattrs contents, and whether or not the Registrar
> can specify a specific value for an attribute, or if it can only specify the
> need for an attribute to be present.
>
> I've made some slides explaining the RFC8994 / RFC8995 needs.
> I believe that this probably affects acme-integrations as well, as only the
> Registrar knows what (DNS) name it will populate for the pledge, but RFC8555
> does not provide any out of band way for the a Registrar to specify SAN,
> except for CSR.
>
> I have made some slides, which will appear at the above link once the chairs
> approve.  I have placed them at
> http://www.sandelman.ca/tmp/csrattrs-requirements.pdf for the interim.
> (Sorry, Russ, that this is so late)
>
> Comments welcome.
>
> I put four options in the slides:
>
> 1. fix RFC7030 CSRattrs to reflect our understanding
>     (document to update 7030)
>
> 2. extend RFC7030 CSRattrs ASN.1 to create new mechansim to specify value
>     (document to update 7030)
>
> 3. obsolete ASN.1 CSRattrs, create new mechanism, based in CBOR and/or JSON
>     (new document in LAMPS)
>
> 4. have RFC8994/8995 ignore CSRattrs, create new BRSKI-specific mechanism to
>     specify SAN
>     (new document in ANIMA)
>
> Perhaps you can think of others.
>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>             Sandelman Software Works Inc, Ottawa and Worldwide
>
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm

-- 
"The object of life is not to be on the side of the majority, but to
escape finding oneself in the ranks of the insane." -- Marcus Aurelius

v2.23.0 | Report a Bug | By Email