IETF Logo Mail Archive

Re: [Spasm] Spasm Digest, Vol 13, Issue 21

Nico Williams <nico@cryptonector.com> Fri, 28 April 2017 22:24 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B2F81293FD for <spasm@ietfa.amsl.com>; Fri, 28 Apr 2017 15:24:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.8
X-Spam-Level:
X-Spam-Status: No, score=-4.8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.8] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rSQMVii0oVN5 for <spasm@ietfa.amsl.com>; Fri, 28 Apr 2017 15:24:52 -0700 (PDT)
Received: from homiemail-a97.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 961D9129488 for <spasm@ietf.org>; Fri, 28 Apr 2017 15:22:04 -0700 (PDT)
Received: from homiemail-a97.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a97.g.dreamhost.com (Postfix) with ESMTP id EA686A003A0B; Fri, 28 Apr 2017 15:22:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:subject:message-id:references:mime-version:content-type :in-reply-to; s=cryptonector.com; bh=4Z62qNyhcLA9BwKadTB50j0QSSQ =; b=JaZr8s27lzUc9BE9skdbYiy8uWKZ9y/edOrA1tMOh+5wO94uODTPsb7q5ag dYxnJeVrk3YDeuecG9ZuFsRbTNiVoaGIrywooCebDQqn9GtyvLyTXxFsb+nmAt/E ksnCqk5Cv47wMHDCiNgvMrcTSyLV+gQWBCWxBNzQHOOftjFU=
Received: from localhost (cpe-70-123-158-140.austin.res.rr.com [70.123.158.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a97.g.dreamhost.com (Postfix) with ESMTPSA id A9851A003A0A; Fri, 28 Apr 2017 15:22:03 -0700 (PDT)
Date: Fri, 28 Apr 2017 17:21:59 -0500
From: Nico Williams <nico@cryptonector.com>
To: spasm@ietf.org
Message-ID: <20170428222158.GA10188@localhost>
References: <A0D2106A-AF9F-4803-90FB-05565B7148B8@dukhovni.org> <BC920F8A-5624-4616-9DBD-CB11E4F29FC1@vigilsec.com> <20170427190314.GJ2856@localhost> <E3616585-D562-4D43-9AC2-CBCD86338DC9@vigilsec.com> <20170427214016.GK2856@localhost> <67321AE0-A036-4E86-BDA3-157C4340A84A@vigilsec.com> <20170427222534.GL2856@localhost> <4B0879AB-0913-4232-AF06-C7E17538E74C@vigilsec.com> <CAAFsWK2+-tyUacwjAcrsBzb+9VxwquSYqTbLa8zo0ZJZYA_bhg@mail.gmail.com> <20170428165914.GC25754@mournblade.imrryr.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20170428165914.GC25754@mournblade.imrryr.org>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/kDThtd9fJjkCnaoBMAcmuuAbqSI>
Subject: Re: [Spasm] Spasm Digest, Vol 13, Issue 21
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Apr 2017 22:24:53 -0000

On Fri, Apr 28, 2017 at 04:59:14PM +0000, Viktor Dukhovni wrote:
> On Fri, Apr 28, 2017 at 06:57:17AM -0700, Wei Chuang wrote:
> > Option 3, while agreed it has some nice properties, causes a lot more
> > complexity and creates a lot more room for implementation and operational
> > errors.  You can see that complexity in the earlier draft -08 in the
> > example section where we tried to enumerate most of the cases:
> > https://tools.ietf.org/html/draft-ietf-lamps-eai-addresses-08
> > It called for special casing name constraints for backwards compatibility
> > by the SmtpUTF8Name aware issuer.  That draft also called for SmtpUTF8Name
> > aware path verifiers to help "police" those name constraint.
> 
> Actually, no!  The complexity in draft 8 is entirely due to using
> two types of *name constraints*.  There is no such complexity when
> using both types of SANs.
> 
> Both types of SANs need to be supported anyway, so what "option 3"
> does is make it possible to compare the reference identifier against
> the SAN *without* conversions.  That is, the certificate is populated
> with all the email identities that the sender intends to use, and the
> relying party performs no conversions!  

However, it doesn't do this.  The problem is that there may exist
certificates that have rfc822Name and not smtpUTF8Name that relying
parties should nonetheless support.

So I think option 3 is out because it adds no value even though it
should not cause any problems.

I believe only options 2 and 3 are acceptable, but option 3 is useless,
therefore only option 2 should be considered, and that's no option.

Nico
--

v2.23.0 | Report a Bug | By Email