Re: [Spasm] Let's focus
Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 26 May 2016 20:25 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D777612DB1A for <spasm@ietfa.amsl.com>; Thu, 26 May 2016 13:25:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.727
X-Spam-Level:
X-Spam-Status: No, score=-5.727 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id paoDGuQIel5l for <spasm@ietfa.amsl.com>; Thu, 26 May 2016 13:25:37 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E7B612DB26 for <spasm@ietf.org>; Thu, 26 May 2016 13:23:19 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 1D500BE7B; Thu, 26 May 2016 21:23:18 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1noQkHCfOVCm; Thu, 26 May 2016 21:23:16 +0100 (IST)
Received: from [10.87.48.210] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 2F9F5BE75; Thu, 26 May 2016 21:23:16 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1464294196; bh=FV3SeAQzoqHK4F0gSkJt5P5ozsGcq0izEV2zd0ixErQ=; h=Subject:To:References:From:Date:In-Reply-To:From; b=heBZgpGFmtOU1Xp3FoBofDmCMU1GH4eZiy+dgnf9f4pPYfgtUK5IsWj4gr4nDCJCj bqTtcg1HCST87fQFQ3dEkRkdU/YZODmAEwuhIj27esT0viYUY8QOjjvAl9FPCZWSw6 KQcay59flSbZMIitU03MSRw1pjC4FdHO84S6Urm0=
To: Richard Barnes <rlb@ipv.sx>, spasm@ietf.org
References: <CAL02cgSHWvmmhCqv1Dz8wfiGsOqOXWNi150suR-5xqt3F8ppcw@mail.gmail.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <57475B33.3070201@cs.tcd.ie>
Date: Thu, 26 May 2016 21:23:15 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.8.0
MIME-Version: 1.0
In-Reply-To: <CAL02cgSHWvmmhCqv1Dz8wfiGsOqOXWNi150suR-5xqt3F8ppcw@mail.gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms020908060607070306010607"
Archived-At: <http://mailarchive.ietf.org/arch/msg/spasm/_MawmceZuUOLwLElMMaUP9PE_ds>
Subject: Re: [Spasm] Let's focus
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 May 2016 20:25:39 -0000
Hiya, On 26/05/16 21:04, Richard Barnes wrote: > Hey all, > > I'm concerned that the proposed scope [1] for this WG is (1) too broad, and > (2) inconsistent with the participation so far. > > The breadth concern is evident in the ambiguity of the name "Some?" This > group should identify some concrete, practical problems in the Internet > they need to solve, describe them, and demonstrate that they have the right > set of stakeholders to develop, implement, and deploy a solution. Well we can bikeshed names for sure but moving on... > > I'm personally most concerned about the "fix the EKUs" milestone, at least > as it's realized in [2]. Yeah, me too. The discussion around that has been eerily reminiscent of some of the less productive things from the "late" PKIX period. > From the perspective of someone who works a lot > in the Web PKI, this sounds like a request for a feature that has negative > value. The incremental value of the proposed feature would be to allow > "everything but X" CAs. Recent experience in the Web PKI has driven home > how harmful it can be to have divergent sets of RPs relying on the same > PKI, so allowing CAs to be more unconstrained is moving in the wrong > direction. Fair point. If the WG is chartered I think it'd have to decide if that's ok or not. (Stefan's 1-bit counter-proposal didn't have the same property though or am I wrong?) > I'm not dogmatic on this, but in order to be persuaded, I would > need to see active interest from some real CAs, and from the logs of this > list, I'm not seeing anyone who's a current participant in the Web PKI > (apologies if I've failed to recognize someone). It'd be good to see that kind of interest in the EKU work yes. Absent that, I would guess deployment won't happen. > > I'm also concerned about the "SRV for cert stores" milestone, though I > admit I'm not as deep in this space. Looking at the proposed doc, it seems > like the SRV adds any value over just looking stuff up at a well-known URI, > e.g., adding a "x5c" attribute to a WebFinger resource. Anything that > requires special DNS magic (and SRV counts) is going to face significant > deployment barriers. So I would be happier if this were a "define a simple > cert discovery mechanism for S/MIME" milestone, rather than being bound to > a specific mechanism. From my POV, that's yet another experiment in the public-key-retrieval- to-support-e2e-messaging-security set of experiments that included the openpgp-dane one recently approved. (And I'd be fine with more of those experiments too for reasons stated during the IETF LC of the dane work.) > > Overall, it seems like this group should focus on moving the ball forward > with regard to making S/MIME deployable in today's Internet -- fixing > papercuts around AEAD, i18n, and cert discovery. The PKIX stuff is > unrelated and addresses an entirely different constituency. I'm personally if the work here isn't all one effort but a small set of sorta-diverse efforts. So long as they're likely to be deployed that is. If that's not likely, then I'd be for dropping them from the charter. Cheers, S. > > --Richard > > > [1] https://datatracker.ietf.org/doc/charter-ietf-spasm/ > [2] https://tools.ietf.org/html/draft-housley-spasm-eku-constraints-01 > [3] https://tools.ietf.org/html/draft-bhjl-x509-srv-00 > > > > _______________________________________________ > Spasm mailing list > Spasm@ietf.org > https://www.ietf.org/mailman/listinfo/spasm >
- [Spasm] Let's focus Richard Barnes
- Re: [Spasm] Let's focus Wei Chuang
- Re: [Spasm] Let's focus Stephen Farrell
- Re: [Spasm] Let's focus Richard Barnes
- Re: [Spasm] Let's focus Stephen Farrell
- Re: [Spasm] Let's focus Richard Barnes
- Re: [Spasm] Let's focus Santosh Chokhani
- Re: [Spasm] Let's focus Richard Barnes