Re: [lamps] RFC8994/8995 requirements for CSRattr
David von Oheimb <nl0@von-Oheimb.de> Wed, 01 September 2021 13:20 UTC
Return-Path: <nl0@von-Oheimb.de>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 21BA93A1167; Wed, 1 Sep 2021 06:20:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jYVSaodNHqIP; Wed, 1 Sep 2021 06:20:12 -0700 (PDT)
Received: from server8.webgo24.de (server8.webgo24.de [185.30.32.8]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F8283A1164; Wed, 1 Sep 2021 06:20:10 -0700 (PDT)
Received: from [100.87.62.43] (ip-109-42-2-11.web.vodafone.de [109.42.2.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by server8.webgo24.de (Postfix) with ESMTPSA id 453C742184F; Wed, 1 Sep 2021 15:20:02 +0200 (CEST)
To: Eliot Lear <lear@lear.ch>, Dan Harkins <dharkins@lounge.org>, Michael Richardson <mcr+ietf@sandelman.ca>
Cc: Owen Friel <ofriel@cisco.com>, Peter van der Stok <stokcons@bbhmail.nl>, max pritikin <pritikin@cisco.com>, Toerless Eckert <tte@cs.fau.de>, Esko Dijk <esko.dijk@iotconsultancy.nl>, spasm@ietf.org, anima@ietf.org, Thomas Werner <thomas-werner@siemens.com>
References: <26149.1630260692@localhost> <1dec22e1-3856-4df7-21d6-4ad6c94e0ee2@lounge.org> <13498.1630308106@localhost> <0a744c63-464b-9801-2a46-9853af1efb0c@lounge.org> <479b3595-cb44-8ece-aa80-4f30a2cdafce@lear.ch>
From: David von Oheimb <nl0@von-Oheimb.de>
Message-ID: <285e354a-8b5f-7ab4-0e03-20d06328d897@von-Oheimb.de>
Date: Wed, 01 Sep 2021 15:20:01 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.12.1
MIME-Version: 1.0
In-Reply-To: <479b3595-cb44-8ece-aa80-4f30a2cdafce@lear.ch>
Content-Type: multipart/alternative; boundary="------------E9C5B338AE94C4AB72C59FF4"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/zPZ_F6GmlaSQYGwBxjj6Ps3lsrw>
X-Mailman-Approved-At: Fri, 03 Sep 2021 09:53:09 -0700
Subject: Re: [lamps] RFC8994/8995 requirements for CSRattr
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Sep 2021 13:20:37 -0000
In my view, the idea recently brought up here (namely, to open a further channel between RA(s) and CA(s) besides the regular enrollment protocol just to be able to convey some extra data to insert in the certificate) is not good at all. It would be needlessly cumbersome and most likely would not become generally accepted. Instead, the extra data should be communicated as part of the (possibly corrected/extended) existing enrollment protocol. As far as EST is concerned, I'm glad to see that it has been decided to update/correct the CSRattrs mechanism of RFC 7030. David On 30.08.21 09:40, Eliot Lear wrote: > > I would suggest that it helps in these cases to back up to the > scenarios we care to address, and the likelihood of success. In some > cases, it will be possible to coordinate development with the > endpoints and sometimes with the CAs. The CAs may not be strongly > motivated to standardize an out-of-band/underlay RA/CA interface- some > already have proprietary versions, and may like that with the hope of > locking in the endpoints along the way. > > Eliot > On 30.08.21 01:31, Dan Harkins wrote: > > Hi Michael, > > Why can't the RA signal to the CA whatever things it things should > be included in the CA, in addition to the goo provided in the client's > CSR? If the Registrar knows the name then why can't it provide it to > the CA. It will be providing the CSR to the CA, on behalf of the client, > so why can't it say "oh by the way, add this name for the pledge...." > > Why don't you want to define _that_ signalling instead of overloading > a different protocol? > > Dan.
- [lamps] RFC8994/8995 requirements for CSRattr Michael Richardson
- Re: [lamps] RFC8994/8995 requirements for CSRattr Dan Harkins
- Re: [lamps] RFC8994/8995 requirements for CSRattr Michael Richardson
- Re: [lamps] RFC8994/8995 requirements for CSRattr Dan Harkins
- Re: [lamps] RFC8994/8995 requirements for CSRattr Eliot Lear
- Re: [lamps] RFC8994/8995 requirements for CSRattr Michael Richardson
- Re: [lamps] RFC8994/8995 requirements for CSRattr David von Oheimb
- Re: [lamps] RFC8994/8995 requirements for CSRattr Eliot Lear
- Re: [lamps] RFC8994/8995 requirements for CSRattr David von Oheimb
- Re: [lamps] [Anima] RFC8994/8995 requirements for… Eliot Lear
- Re: [lamps] [Anima] RFC8994/8995 requirements for… Michael Richardson
- Re: [lamps] [Anima] RFC8994/8995 requirements for… Dan Harkins
- Re: [lamps] [Anima] RFC8994/8995 requirements for… Michael Richardson
- Re: [lamps] [Anima] RFC8994/8995 requirements for… David von Oheimb
- Re: [lamps] [Anima] RFC8994/8995 requirements for… David von Oheimb
- Re: [lamps] [Anima] RFC8994/8995 requirements for… Tomas Gustavsson
- Re: [lamps] [Anima] RFC8994/8995 requirements for… Michael Richardson