Re: [stir] stir-certs-01: Certificate Expiration

Brian Rosen <br@brianrosen.net> Mon, 20 April 2020 19:53 UTC


This is a mechanical check.  We could give IANA a tool. 

But it’s also something that just isn’t much of an issue.  Suppose it expired.  Then what?  Verification officially fails.  Verifiers could choose to use the expired certificate if they wanted.  Is removing the entry actually helpful?  I think not.

So I’d just delete the text, replacing it with "registrants MUST keep the registered data valid by updating it as needed".

Brian


> On Apr 20, 2020, at 1:31 PM, Eric Burger <eburger@standardstrack.com> wrote:
> 
> One would expect trust anchors to remove old entries, but there is no guarantee. Russ asked if IANA could purge expired trust anchors from the registry. It’s not straightforward, although possible.
> 
> The current draft says, “IANA SHOULD remove a STIR trust anchor from the registry if the certificate expires.”
> 
> Options I see:
> 1. Leave this as a SHOULD and IANA works it out when and if they work it out.
> 2. Make it a MUST and specify how IANA does the purge.
> 3. ???
> 
> 
> 
> TO DO
> =====
> 1. Put in a mechanism for removing / updating entries. Proposal: whoever (domain) put in the entry can delete or modify the entry.
> 
> 2. Add language that registry users are URGED (VERY STRONG MAY) to validate the trust anchor, like making sure the trust anchor has not expired.
> _______________________________________________
> stir mailing list
> stir@ietf.org
> https://www.ietf.org/mailman/listinfo/stir
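The "mechanical check" Brian mentions and the expiry validation Eric lists under TO DO, written out as an added example in Go (not code from the draft, IANA, or either author). It assumes the registry can be modelled as a map from registering domain to DER certificate, and the certificates it checks are constructed self-signed test certificates, not real STIR trust anchors.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// makeAnchor builds a constructed self-signed cert for testing; it stands in for a STIR trust anchor (not a real one).
func makeAnchor(notBefore, notAfter time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    notBefore, NotAfter: notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der
}

// CheckRegistry is the mechanical expiry check over a registry (domain -> DER cert): each entry is "valid",
// "expired" (now is past NotAfter) or "unparseable"; bad entries are reported, never dropped blindly.
func CheckRegistry(reg map[string][]byte, now time.Time) map[string]string {
	status := make(map[string]string, len(reg))
	for domain, der := range reg {
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			status[domain] = "unparseable"
		} else if now.After(cert.NotAfter) {
			status[domain] = "expired"
		} else {
			status[domain] = "valid"
		}
	}
	return status
}

func main() {
	reg := map[string][]byte{"ok.example": makeAnchor(time.Now().AddDate(-1, 0, 0), time.Now().AddDate(1, 0, 0))}
	fmt.Println(CheckRegistry(reg, time.Now()))
}
```

A verifier that, as Brian notes, chooses to keep using an expired anchor would simply treat "expired" as a warning rather than a rejection; the registry-side purge tool would act only on "expired" and hand "unparseable" entries to a human.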