IETF Logo Mail Archive

Re: [lamps] RFC8994/8995 requirements for CSRattr

Eliot Lear <lear@lear.ch> Wed, 01 September 2021 13:30 UTC

Return-Path: <lear@lear.ch>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D227E3A1164; Wed, 1 Sep 2021 06:30:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.891
X-Spam-Level:
X-Spam-Status: No, score=-0.891 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_ALL=0.8, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, NICE_REPLY_A=-0.001, SPF_PASS=-0.001, T_SPF_HELO_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=lear.ch
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bPXd-8-Kr3sO; Wed, 1 Sep 2021 06:30:09 -0700 (PDT)
Received: from upstairs.ofcourseimright.com (upstairs.ofcourseimright.com [185.32.222.29]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0DDA63A114C; Wed, 1 Sep 2021 06:30:07 -0700 (PDT)
Received: from [IPv6:2001:420:c0c0:1011::2] ([IPv6:2001:420:c0c0:1011:0:0:0:2]) (authenticated bits=0) by upstairs.ofcourseimright.com (8.15.2/8.15.2/Debian-18) with ESMTPSA id 181DTdSC125570 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO); Wed, 1 Sep 2021 15:29:40 +0200
Authentication-Results: upstairs.ofcourseimright.com; dmarc=none (p=none dis=none) header.from=lear.ch
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=lear.ch; s=upstairs; t=1630502980; bh=DaWev9yZlXtD30A6hLKnfHPA9pEphGPSl1NtkxQjkgQ=; h=To:Cc:References:From:Subject:Date:In-Reply-To:From; b=iBVqwTWZLFN9Zu15WFqIDs06caJ8xkGEM5yTOJMvvaQXgFKMJgnH7w7Idy3Xm4noe WdlqjLSX7CNgiI7Si6w4LIv2pZNa2exOI+hYTVSkVO/Qr5BltezSgVPIDvml1JoEpj bO+NLUL+nnekeVd7Q5OJ6+f/rp7Ze048n8BelJsQ=
To: David von Oheimb <nl0@von-Oheimb.de>, Dan Harkins <dharkins@lounge.org>, Michael Richardson <mcr+ietf@sandelman.ca>
Cc: Owen Friel <ofriel@cisco.com>, Peter van der Stok <stokcons@bbhmail.nl>, max pritikin <pritikin@cisco.com>, Toerless Eckert <tte@cs.fau.de>, Esko Dijk <esko.dijk@iotconsultancy.nl>, spasm@ietf.org, anima@ietf.org, Thomas Werner <thomas-werner@siemens.com>
References: <26149.1630260692@localhost> <1dec22e1-3856-4df7-21d6-4ad6c94e0ee2@lounge.org> <13498.1630308106@localhost> <0a744c63-464b-9801-2a46-9853af1efb0c@lounge.org> <479b3595-cb44-8ece-aa80-4f30a2cdafce@lear.ch> <285e354a-8b5f-7ab4-0e03-20d06328d897@von-Oheimb.de>
From: Eliot Lear <lear@lear.ch>
Message-ID: <da2ce36c-3756-f4c0-7907-a5976d492a82@lear.ch>
Date: Wed, 01 Sep 2021 15:29:35 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.13.0
MIME-Version: 1.0
In-Reply-To: <285e354a-8b5f-7ab4-0e03-20d06328d897@von-Oheimb.de>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="YdZWAEEXrthzgAcap1QT70k5wdg9xaEEj"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/zMKntm0FU9vbhOyUgG65DlRSJug>
X-Mailman-Approved-At: Fri, 03 Sep 2021 09:53:10 -0700
Subject: Re: [lamps] RFC8994/8995 requirements for CSRattr
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Sep 2021 13:30:16 -0000

David,

I mention that point because we already done this in one case with a CA, 
and my concern is that our code will bloat as we have to customize to 
other CAs.  It's a matter of whether you think you can influence the end 
devices or the CAs, and there are a lot more of the former than the 
latter.  I really don't have a crystal ball here.  If we can get code 
implemented on clients, keeping this to the RAs and endpoints would be 
great.  But that means that the client interfaces all need the code.  
And today, it's simply not there for many of them.  They have either 
ruby or python or go and a bit of devkit to match.

Eliot


On 01.09.21 15:20, David von Oheimb wrote:
>
> In my view, the idea recently brought up here (namely, to open a 
> further channel between RA(s) and CA(s)
> besides the regular enrollment protocol just to be able to convey some 
> extra data to insert in the certificate)
> is not good at all. It would be needlessly cumbersome and most likely 
> would not become generally accepted.
>
> Instead, the extra data should be communicated as part of the 
> (possibly corrected/extended) existing enrollment protocol.
> As far as EST is concerned, I'm glad to see that it has been decided 
> to update/correct the CSRattrs mechanism of RFC 7030.
>
>     David
>
> On 30.08.21 09:40, Eliot Lear wrote:
>>
>> I would suggest that it helps in these cases to back up to the 
>> scenarios we care to address, and the likelihood of success.  In some 
>> cases, it will be possible to coordinate development with the 
>> endpoints and sometimes with the CAs. The CAs may not be strongly 
>> motivated to standardize an out-of-band/underlay RA/CA interface- 
>> some already have proprietary versions, and may like that with the 
>> hope of locking in the endpoints along the way.
>>
>> Eliot
>>
>
> On 30.08.21 01:31, Dan Harkins wrote:
>>
>>   Hi Michael,
>>
>>   Why can't the RA signal to the CA whatever things it things should
>> be included in the CA, in addition to the goo provided in the client's
>> CSR? If the Registrar knows the name then why can't it provide it to
>> the CA. It will be providing the CSR to the CA, on behalf of the client,
>> so why can't it say "oh by the way, add this name for the pledge...."
>>
>>   Why don't you want to define _that_ signalling instead of overloading
>> a different protocol?
>>
>>   Dan.
>
>

v2.23.0 | Report a Bug | By Email