IETF Logo Mail Archive

Re: [lamps] WG Last Call: draft-ietf-lamps-x509-policy-graph-01

Michael StJohns <msj@nthpermutation.com> Fri, 08 December 2023 22:49 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F0CDC47A23F for <spasm@ietfa.amsl.com>; Fri, 8 Dec 2023 14:49:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.904
X-Spam-Level:
X-Spam-Status: No, score=-6.904 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nthpermutation-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l2Bgdz792Fxr for <spasm@ietfa.amsl.com>; Fri, 8 Dec 2023 14:49:26 -0800 (PST)
Received: from mail-oa1-x34.google.com (mail-oa1-x34.google.com [IPv6:2001:4860:4864:20::34]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C2C4C47A210 for <spasm@ietf.org>; Fri, 8 Dec 2023 14:49:26 -0800 (PST)
Received: by mail-oa1-x34.google.com with SMTP id 586e51a60fabf-1efabc436e4so1549330fac.1 for <spasm@ietf.org>; Fri, 08 Dec 2023 14:49:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nthpermutation-com.20230601.gappssmtp.com; s=20230601; t=1702075765; x=1702680565; darn=ietf.org; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=zBdGbi6c0/BwzQ8fxGj6ySO/go+4kGutM+1sGJnwsxo=; b=thxA05+l6//IofTcZAwVe4mzd4NSlXbxHKBOrVDvgUF+T2SXX6czvQ0T3S9ZBuzswh BSeb84OLjkUDXNQepTg01z8m6IBTuOj9r4hhwG5hO9bSjAPNaoluTDDcDVCKCnduUuhm g/+zAm7MMd/j/eK1iDqRl9BSrncpt30Z4FyAnKyHeid0JPgoj/iM1zHTOSea32AiD/vk 9AGlqJKm5axEd14/c3FDJ74uO7cQtoBz6Id8rvhvb49eq9QOjwwD8sVW9eapUcSoxSKd WQvO39un0WU12K/gJVvORWN1OBCivbECSqQUs7fzRrnKtIAkcBc6/NEEuWneFSAZAR7f 3Srw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1702075765; x=1702680565; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=zBdGbi6c0/BwzQ8fxGj6ySO/go+4kGutM+1sGJnwsxo=; b=A8+v3a6PbyC4WpIUqru77RriftUJu54k6dgRItFAz/3VKkeZZQqScP0qbFNuVCWJb8 ZLLsF44wjpAK6fspMR39fEVelWNGL5L+X3IBedV6m2P96WbWOppuoFv0wmlz+0ZN+Jul Us4EeRu3xgnfSJwzeT9JASi/87Wvr4TsfznHdaMFgKUIEG44ozWGPN9W1tWuuIYpnKFg hv1LpY6c3ufAx2P3uVMYI1l6p+CdTidDBDKygc71f7y21BWcVwrdFjHAdLz83A8ujH8G IRd1eXPNUhyQGDFzzoAhwFzP35JRnfmYhaxF05//Idnyhmd6Xto+oje0WBv0N7CZ/11h +SYA==
X-Gm-Message-State: AOJu0Yz2LmH57eus5Q0Z+gl9K4LVODSUgoLNw2C3+TJ5HmXuJFtsCNxm bYGgeOI5ksb7xPtyUhcGMz2uM4GzAS4v5cgYMQ4=
X-Google-Smtp-Source: AGHT+IHeSqpgbNmvZJ6Fl+uSEk5OSUMtT6Yy3DFYXBvNzOur2VeHw44iPQiC1v5Vj5NIUrdRUL+vuw==
X-Received: by 2002:a05:6870:224f:b0:1fb:75a:c449 with SMTP id j15-20020a056870224f00b001fb075ac449mr867123oaf.114.1702075765462; Fri, 08 Dec 2023 14:49:25 -0800 (PST)
Received: from [192.168.1.23] (pool-108-31-156-76.washdc.fios.verizon.net. [108.31.156.76]) by smtp.gmail.com with ESMTPSA id s14-20020ad4524e000000b0067a422fb1d2sm1140215qvq.115.2023.12.08.14.49.24 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 08 Dec 2023 14:49:24 -0800 (PST)
Message-ID: <3ae04ff9-7ad5-40fb-8552-832a3a43847b@nthpermutation.com>
Date: Fri, 08 Dec 2023 17:49:24 -0500
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: Russ Housley <housley@vigilsec.com>
Cc: LAMPS <spasm@ietf.org>
References: <99DEDEBF-35D7-4EE5-BABF-63A9F6D02C29@vigilsec.com> <3EEC4C31-31E2-462C-BB82-010F17E996A0@vigilsec.com> <3931a166-c465-4861-8101-50ebadb99a21@nthpermutation.com> <4CEF723E-614F-446A-8D80-EC63AF07C8F5@vigilsec.com> <d66f65e1-0119-46a0-8764-29fc65f63e75@nthpermutation.com> <801C3122-0410-426E-BFB8-F269CA1DA9D9@vigilsec.com> <73092f78-ba01-4709-9e39-7658e300e788@nthpermutation.com> <FBBC550B-257A-4189-84AA-E6493EC008F2@vigilsec.com>
From: Michael StJohns <msj@nthpermutation.com>
In-Reply-To: <FBBC550B-257A-4189-84AA-E6493EC008F2@vigilsec.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/dQ6xesfXux5jP1gFxXFfF8IAd7Q>
Subject: Re: [lamps] WG Last Call: draft-ietf-lamps-x509-policy-graph-01
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Dec 2023 22:49:30 -0000

On 12/8/2023 2:56 PM, Russ Housley wrote:
> Mike:
>
> I understand the issue you are raising, and I understand that there comes a point where too many OLD/NEW updates can lead to an incomprehensible document.  I do not think that we have reached that point.
>
> Recall that the IESG agreed to publish draft-ietf-lamps-cmp-updates only if the LAMPS WG worked on a bis document for RFC 4211.  The IESG judged that the number of updates had reached that point.  I doubt that they will do the same here, but they could.  Or, the next update could be the one that gets there.

I didn't actually notice that one at the time - now RFC 9480. But what a 
mess.   I see that there is a RFC4210bis  document in progress 
(https://datatracker.ietf.org/doc/draft-ietf-lamps-rfc4210bis/) and not 
one for 4211 - is that the one you meant?  I also see that the 4210bis 
document is missing an Obsoletes RFC9480 tag, except it can't have one 
because RFC9480 updates multiple documents... I'm not seeing this as a 
shining example of what to do....  the only saving grace is that the 
referenced document here  is only cutting and pasting  a single upstream 
document.

>
> I have included the following in the Shepherd Writeup:
>
> ~~~
> 3. Has anyone threatened an appeal or otherwise indicated extreme discontent? If
>     so, please summarize the areas of conflict in separate email messages to the
>     responsible Area Director. (It should be in a separate email because this
>     questionnaire is publicly available.)
>
>     No one has threatened an appeal; however, one concern was raised during
>     WG Last Call that should be highlighted.  As written, this document is not
>     stand alone.  It makes changes to the certification path validation algorithm
>     in RFC 5280.  There is a concern that future updates to RFC 5280 will conflict
>     with these updates.  The peron raising these concerns would prefer an update
>     to RFC 5280 that completely replaces Section 6.  The person that raised this
>     concern was able to convince one other LAMPS WG participant, but the LAMPS WG
>     Chairs determined that they were in the rough.
> ~~~
>
> Russ

Change peron -> person.  Add after "stand alone" -> "and is written as a 
set of editing instructions to be made against Section 6 of RFC5280"

You may find it useful to point to the discussion for 9480/4210 as 
additional context in the shepherd writeup.

Later, Mike

v2.23.0 | Report a Bug | By Email