IETF Logo Mail Archive

Re: [lamps] Proposed recharter text

Russ Housley <housley@vigilsec.com> Thu, 11 February 2021 19:20 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FAB33A1884 for <spasm@ietfa.amsl.com>; Thu, 11 Feb 2021 11:20:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.888
X-Spam-Level:
X-Spam-Status: No, score=-1.888 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, T_SPF_TEMPERROR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BRGXsyPHaH9S for <spasm@ietfa.amsl.com>; Thu, 11 Feb 2021 11:20:11 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7EB553A187E for <spasm@ietf.org>; Thu, 11 Feb 2021 11:20:06 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 91246300B9A for <spasm@ietf.org>; Thu, 11 Feb 2021 14:20:03 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id ns_mQLmlgkLP for <spasm@ietf.org>; Thu, 11 Feb 2021 14:20:01 -0500 (EST)
Received: from a860b60074bd.fios-router.home (pool-141-156-161-153.washdc.fios.verizon.net [141.156.161.153]) by mail.smeinc.net (Postfix) with ESMTPSA id AD041300B0D; Thu, 11 Feb 2021 14:20:01 -0500 (EST)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <87F0EF4C-205C-4D5D-9849-ADD13BC0FB83@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_D8F76999-C682-4C69-971A-9A9F6CC73B38"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.17\))
Date: Thu, 11 Feb 2021 14:20:03 -0500
In-Reply-To: <CAErg=HGBzdG2a8GSbcYV5b3O1JW4Dn_tQ68MPUojPAtv8m4E4Q@mail.gmail.com>
Cc: LAMPS <spasm@ietf.org>
To: Ryan Sleevi <ryan-ietf@sleevi.com>
References: <DM6PR11MB43808FA7D74229A5997965649FBA9@DM6PR11MB4380.namprd11.prod.outlook.com> <9D01B155-6BB8-4438-8FAA-149686B69B64@vigilsec.com> <A7402F4B-33D3-4064-9E14-345B1303B1FD@akamai.com> <F94F3EAD-30C7-4B39-A00F-600234E120ED@vigilsec.com> <7F1A001A-C6D4-4F6C-B2D6-1FA43E4900B8@akamai.com> <CAErg=HH9j3duJnS8PQvrHef9hw8qdck4fPyc=iB1ENyPrReW=g@mail.gmail.com> <1D13C815-387F-4FAD-A71F-79C3DEC11A22@akamai.com> <CAErg=HGBzdG2a8GSbcYV5b3O1JW4Dn_tQ68MPUojPAtv8m4E4Q@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.104.17)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/gMxvArdk2j2pQ2YBku4b3XDUVr4>
Subject: Re: [lamps] Proposed recharter text
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Feb 2021 19:20:14 -0000

Ryan:

> Are there even two interoperable implementations of 5280?
> No, I think things will need to be stripped out.
> 
> 
> I agree, but I also worry it will open re-litigation of things that are de-facto, but not standardized, despite efforts to the contrary.
> 
> As a concrete example, the handling of extendedKeyUsage within intermediates is one of those issues that comes up every few years, but to not much progress. This debate goes back (as far as I can tell) to even the RFC 2459 work, where rough consensus and running code (at the time, and at the present) implemented something different. This is something that affects (2) with respect to the process of determining validity.
> 
> As an example of (3), consider the use of StringPrep with regards to DN handling/comparison, which itself was a concession to the failed flag-days of UTFString that earlier drafts had. Few implementations support it, even fewer support it as specified (due to the evolution of StringPrep and the Unicode tables). However, removing the normalization of DNs prior to comparison creates backwards compat issues that previous drafts prioritized avoiding, hence the complexity in the first place.

I do not agree with your characterization of the extendedKeyUsage concern, but I do agree that implementation in CA certificates does not match RFC 5280.  I proposed a solution to this situation some years ago, but implementers did not want to change.  In addition, RFC 5280 is a profile of X.509, so RFC 5280 should not specify a different behavior than X.509.  I continue to believe that a different OID should be used if a different behavior is desired.

Internationalization is hard. This was the outcome of many very long discussions. This is an area where RFC 5280 could be improved but stringPrep was the advice from the ART Area folks at the time.  

Russ

v2.23.0 | Report a Bug | By Email