Re: [Spasm] Let's focus
Stephen Farrell <stephen.farrell@cs.tcd.ie> Fri, 27 May 2016 13:44 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A845112DAAE for <spasm@ietfa.amsl.com>; Fri, 27 May 2016 06:44:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.727
X-Spam-Level:
X-Spam-Status: No, score=-5.727 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ODTE1vMHNnWn for <spasm@ietfa.amsl.com>; Fri, 27 May 2016 06:44:01 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F04F212D672 for <spasm@ietf.org>; Fri, 27 May 2016 06:44:00 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id B84B1BE7B; Fri, 27 May 2016 14:43:59 +0100 (IST)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X4jnmG0QDayD; Fri, 27 May 2016 14:43:59 +0100 (IST)
Received: from [134.226.36.93] (bilbo.dsg.cs.tcd.ie [134.226.36.93]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 2471ABE4D; Fri, 27 May 2016 14:43:59 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1464356639; bh=+138F34doig9TAvbN5XuIQIM1GHOqOVRoChi8UcbrZc=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=kw6vzKdMFjGEhPH95qLVCuNSWYMO3WodiYp9CH7lCYbPCG+ovv89mwH+XROzdBuF5 V1q3quJDD9QMDgGcS+JIVqbFsxZhu8BIdWgARt9cBmtyI3des53I6Y6QhTcv47QJP5 kOw4CcRSQvgSK1LtRtHm4s4gOFp6WMbk+riDYF+s=
To: Richard Barnes <rlb@ipv.sx>
References: <CAL02cgSHWvmmhCqv1Dz8wfiGsOqOXWNi150suR-5xqt3F8ppcw@mail.gmail.com> <57475B33.3070201@cs.tcd.ie> <CAL02cgQD_xF8tTF_e_X7P3RxQ7tO2QLW=72ismrna4jSNKo8aQ@mail.gmail.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <57484F1F.3030809@cs.tcd.ie>
Date: Fri, 27 May 2016 14:43:59 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.8.0
MIME-Version: 1.0
In-Reply-To: <CAL02cgQD_xF8tTF_e_X7P3RxQ7tO2QLW=72ismrna4jSNKo8aQ@mail.gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms010903000906040700090205"
Archived-At: <http://mailarchive.ietf.org/arch/msg/spasm/f77bDCfv5WmuCChRCewGa00N7-U>
Cc: spasm@ietf.org
Subject: Re: [Spasm] Let's focus
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 May 2016 13:44:03 -0000
Hiya, On 27/05/16 14:04, Richard Barnes wrote: > On Thu, May 26, 2016 at 4:23 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> > wrote: > >> >> Hiya, >> >> On 26/05/16 21:04, Richard Barnes wrote: >>> Hey all, >>> >>> I'm concerned that the proposed scope [1] for this WG is (1) too broad, >> and >>> (2) inconsistent with the participation so far. >>> >>> The breadth concern is evident in the ambiguity of the name "Some?" This >>> group should identify some concrete, practical problems in the Internet >>> they need to solve, describe them, and demonstrate that they have the >> right >>> set of stakeholders to develop, implement, and deploy a solution. >> >> Well we can bikeshed names for sure but moving on... >> >>> >>> I'm personally most concerned about the "fix the EKUs" milestone, at >> least >>> as it's realized in [2]. >> >> Yeah, me too. The discussion around that has been eerily reminiscent of >> some of the less productive things from the "late" PKIX period. >> >>> From the perspective of someone who works a lot >>> in the Web PKI, this sounds like a request for a feature that has >> negative >>> value. The incremental value of the proposed feature would be to allow >>> "everything but X" CAs. Recent experience in the Web PKI has driven home >>> how harmful it can be to have divergent sets of RPs relying on the same >>> PKI, so allowing CAs to be more unconstrained is moving in the wrong >>> direction. >> >> Fair point. If the WG is chartered I think it'd have to decide if >> that's ok or not. > > > You've kinda got the cart before the horse here. If this use case isn't > good, then there's no point to having the milestone. Sorry, I wasn't clear. What I meant was that if this use-case is included in a charter, then the WG will need to figure out if "everything but X" CAs is a good/bad idea to support when trying to solve for the use case. > > > >> (Stefan's 1-bit counter-proposal didn't have the >> same property though or am I wrong?) >> >>> I'm not dogmatic on this, but in order to be persuaded, I would >>> need to see active interest from some real CAs, and from the logs of this >>> list, I'm not seeing anyone who's a current participant in the Web PKI >>> (apologies if I've failed to recognize someone). >> >> It'd be good to see that kind of interest in the EKU work yes. Absent >> that, I would guess deployment won't happen. >> > > Again, I think demonstrating interest from the relevant community is needed > *before* chartering. The underlying principal of BoFs, etc., is that spec > here get developed by the people that are going to use them / be affected > by them. If those people aren't here, we shouldn't charter work. Fully agree. Earlier though we did say on this list that we only want to charter work where we do think it'll likely be implemented and likely deployed. If there's a proposed work item in the current charter text where we do not think that applies, then it ought be deleted. (Which is what I think Russ was saying in his mail too.) So for item#2 in the current draft charter, can people say if they think the results of that work is/is-not likely to be deployed? Cheers, S. > > --Richard > > >>> >>> I'm also concerned about the "SRV for cert stores" milestone, though I >>> admit I'm not as deep in this space. Looking at the proposed doc, it >> seems >>> like the SRV adds any value over just looking stuff up at a well-known >> URI, >>> e.g., adding a "x5c" attribute to a WebFinger resource. Anything that >>> requires special DNS magic (and SRV counts) is going to face significant >>> deployment barriers. So I would be happier if this were a "define a >> simple >>> cert discovery mechanism for S/MIME" milestone, rather than being bound >> to >>> a specific mechanism. >> >> From my POV, that's yet another experiment in the public-key-retrieval- >> to-support-e2e-messaging-security set of experiments that included the >> openpgp-dane one recently approved. (And I'd be fine with more of those >> experiments too for reasons stated during the IETF LC of the dane work.) >> >>> >>> Overall, it seems like this group should focus on moving the ball forward >>> with regard to making S/MIME deployable in today's Internet -- fixing >>> papercuts around AEAD, i18n, and cert discovery. The PKIX stuff is >>> unrelated and addresses an entirely different constituency. >> >> I'm personally if the work here isn't all one effort but a small set of >> sorta-diverse efforts. So long as they're likely to be deployed that is. >> If that's not likely, then I'd be for dropping them from the charter. >> >> Cheers, >> S. >> >>> >>> --Richard >>> >>> >>> [1] https://datatracker.ietf.org/doc/charter-ietf-spasm/ >>> [2] https://tools.ietf.org/html/draft-housley-spasm-eku-constraints-01 >>> [3] https://tools.ietf.org/html/draft-bhjl-x509-srv-00 >>> >>> >>> >>> _______________________________________________ >>> Spasm mailing list >>> Spasm@ietf.org >>> https://www.ietf.org/mailman/listinfo/spasm >>> >> >> > > > > _______________________________________________ > Spasm mailing list > Spasm@ietf.org > https://www.ietf.org/mailman/listinfo/spasm >
- [Spasm] Let's focus Richard Barnes
- Re: [Spasm] Let's focus Wei Chuang
- Re: [Spasm] Let's focus Stephen Farrell
- Re: [Spasm] Let's focus Richard Barnes
- Re: [Spasm] Let's focus Stephen Farrell
- Re: [Spasm] Let's focus Richard Barnes
- Re: [Spasm] Let's focus Santosh Chokhani
- Re: [Spasm] Let's focus Richard Barnes