[stir] stir-certs-01: Certificate Expiration
Eric Burger <eburger@standardstrack.com> Mon, 20 April 2020 17:33 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/JCCdgjIGf-M8BB55FpYSZRzkN0k>
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
One would expect trust anchors to remove old entries, but there is no guarantee. Russ asked if IANA could purge expired trust anchors from the registry. It’s not straightforward, although possible.

The current draft says, “IANA SHOULD remove a STIR trust anchor from the registry if the certificate expires.”

Options I see:

1. Leave this as a SHOULD and IANA works it out when and if they work it out.
2. Make it a MUST and specify how IANA does the purge.
3. ???

TO DO
=====

1. Put in a mechanism for removing / updating entries. Proposal: whoever (domain) put in the entry can delete or modify the entry.
2. Add language that registry users are URGED (VERY STRONG MAY) to validate the trust anchor, like making sure the trust anchor has not expired.
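The validation the message urges registry users to perform (is the trust anchor a CA certificate, and has it expired?), as an added Go example that is not part of the thread or the draft; the registry entry being a bare PEM certificate, the function names and the self-signed test anchor are constructed assumptions:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ValidateTrustAnchor applies the checks a registry user should run before trusting
// an entry: PEM parses, it is a CA certificate, and now lies inside its validity window.
func ValidateTrustAnchor(pemBytes []byte, now time.Time) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("registry entry is not a PEM CERTIFICATE")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("registry entry does not parse: %w", err)
	}
	if !cert.IsCA {
		return nil, fmt.Errorf("%q is not a CA certificate", cert.Subject.CommonName)
	}
	// The expiry check the message asks registry users to perform (and the
	// condition under which the draft says IANA SHOULD purge the entry).
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return nil, fmt.Errorf("%q outside validity %s to %s", cert.Subject.CommonName,
			cert.NotBefore.UTC().Format(time.RFC3339), cert.NotAfter.UTC().Format(time.RFC3339))
	}
	return cert, nil
}

// NewTestAnchor builds a constructed self-signed CA certificate (PEM) standing in for a registry entry.
func NewTestAnchor(cn string, notBefore, notAfter time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Feeding the same check to a purge job gives option 2 from the message: drop every entry for which ValidateTrustAnchor returns an expiry error.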
- [stir] stir-certs-01: Certificate Expiration Eric Burger
- Re: [stir] stir-certs-01: Certificate Expiration Brian Rosen