IETF Logo Mail Archive

[lamps] RFC8994/8995 requirements for CSRattr

Michael Richardson <mcr+ietf@sandelman.ca> Sun, 29 August 2021 18:11 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 544DC3A0870; Sun, 29 Aug 2021 11:11:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W-9GC4NADHfb; Sun, 29 Aug 2021 11:11:43 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF20A3A086C; Sun, 29 Aug 2021 11:11:41 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 3ABE338F63; Sun, 29 Aug 2021 14:17:26 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id kESVcFan1hZo; Sun, 29 Aug 2021 14:17:20 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 0883D38F4C; Sun, 29 Aug 2021 14:17:20 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 3DFF12CC; Sun, 29 Aug 2021 14:11:32 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: anima@ietf.org
cc: Toerless Eckert <tte@cs.fau.de>, max pritikin <pritikin@cisco.com>, Esko Dijk <esko.dijk@iotconsultancy.nl>, Peter van der Stok <stokcons@bbhmail.nl>, Owen Friel <ofriel@cisco.com>, Thomas Werner <thomas-werner@siemens.com>, spasm@ietf.org
X-Attribution: mcr
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Sun, 29 Aug 2021 14:11:32 -0400
Message-ID: <26149.1630260692@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/hK2CUQzGRldo0muQwDRzKQZcCOU>
Subject: [lamps] RFC8994/8995 requirements for CSRattr
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 29 Aug 2021 18:11:49 -0000

Hi, Toerless, Esko, Peter, Max, Thomas, Owen,

Please be aware that there is a virtual interim meeting for LAMPS tomorrow (Monday).
The details are at:
   https://datatracker.ietf.org/doc/agenda-interim-2021-lamps-02-lamps-01/

Use https://meetings.conf.meetecho.com/interim/?short=a4fd6373-c1d1-453c-9e2b-b17d9899d53e
at: Monday 2021-08-30 17:30 UTC

The topic is about the /csrattrs contents, and whether or not the Registrar
can specify a specific value for an attribute, or if it can only specify the
need for an attribute to be present.

I've made some slides explaining the RFC8994 / RFC8995 needs.
I believe that this probably affects acme-integrations as well, as only the
Registrar knows what (DNS) name it will populate for the pledge, but RFC8555
does not provide any out of band way for the a Registrar to specify SAN,
except for CSR.

I have made some slides, which will appear at the above link once the chairs
approve.  I have placed them at
http://www.sandelman.ca/tmp/csrattrs-requirements.pdf for the interim.
(Sorry, Russ, that this is so late)

Comments welcome.

I put four options in the slides:

1. fix RFC7030 CSRattrs to reflect our understanding
   (document to update 7030)

2. extend RFC7030 CSRattrs ASN.1 to create new mechansim to specify value
   (document to update 7030)

3. obsolete ASN.1 CSRattrs, create new mechanism, based in CBOR and/or JSON
   (new document in LAMPS)

4. have RFC8994/8995 ignore CSRattrs, create new BRSKI-specific mechanism to
   specify SAN
   (new document in ANIMA)

Perhaps you can think of others.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

v2.23.0 | Report a Bug | By Email