Re: [stir] I-D Action: draft-ietf-stir-certificates-17.txt

Russ Housley <housley@vigilsec.com> Fri, 15 December 2017 21:45 UTC

Cc: IETF STIR Mail List <stir@ietf.org>
To: Paul Kyzivat <pkyzivat@alum.mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/RX7T3No9V3Zq0HRLZEVSE1cdzrU>

> On Dec 14, 2017, at 5:03 PM, Paul Kyzivat <pkyzivat@alum.mit.edu> wrote:
> 
> On 12/14/17 4:19 PM, Russ Housley wrote:
>>> On Dec 14, 2017, at 12:59 PM, Sean Turner <sean@sn3rd.com> wrote:
>>> 
>>> Bit too quick in my response, to address the 2nd point:
>>> 
>>>> On Dec 14, 2017, at 11:42, Martin Thomson <martin.thomson@gmail.com> wrote:
>>>> 
>>>> "123"+900 is now equivalent to "123"+876, which means that you have
>>>> two ways to represent the same thing.  Don't we try to avoid that in
>>>> certificates?  (I mean otherwise we'd use BER...)
>>> 
>>> As far as encoding something the same way: I’d be worried if “123”+900 and “123”+876 resulted in the same DER code, but it doesn’t.
>> No, the bits on the wire are different, but they specify the same block of telephone numbers.  Why do we want more than one way to specify the same block of numbers?
> 
> I agree that "123"+900 seems like a bad idea.
> 
> But even without that there are multiple ways to specify the same range of numbers: a single range, two or more smaller ranges that collectively cover the range, or a complete list of individual numbers.

To be clear, there is not a security issue here.  "123" + 900 and "123" + 876 specify the same block of numbers.  If a certificate issuer says "123" + 900, do we really want to reject the certificate as badly formed?

Does anyone have language to make "123" + 876 the preferred encoding?

Russ