Re: [Tm-rid] IPv6 address encoding in commonName
Michael Richardson <mcr+ietf@sandelman.ca> Thu, 15 August 2019 00:03 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: tm-rid@ietfa.amsl.com
Delivered-To: tm-rid@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E366B120906 for <tm-rid@ietfa.amsl.com>; Wed, 14 Aug 2019 17:03:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rJEIndNoTwwE for <tm-rid@ietfa.amsl.com>; Wed, 14 Aug 2019 17:03:51 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0050D1208E6 for <tm-rid@ietf.org>; Wed, 14 Aug 2019 17:03:50 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id D5D433818C; Wed, 14 Aug 2019 20:03:01 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id EF246F2A; Wed, 14 Aug 2019 20:03:49 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Robert Moskowitz <rgm@htt-consult.com>, tm-rid@ietf.org
In-Reply-To: <1835423d-c59a-60b4-007f-afe4545089d9@htt-consult.com>
References: <d02be2b0-ab7b-9c66-617d-0625ebf8cb16@htt-consult.com> <335d070b-79e1-899c-2c0a-77a7afc1cbbf@wisemo.com> <1835423d-c59a-60b4-007f-afe4545089d9@htt-consult.com>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Wed, 14 Aug 2019 20:03:49 -0400
Message-ID: <2862.1565827429@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tm-rid/fUoXwmYXKsH_8zYAIDp4uH4neyY>
Subject: Re: [Tm-rid] IPv6 address encoding in commonName
X-BeenThere: tm-rid@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Trustworthy Multipurpose RemoteID <tm-rid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tm-rid>, <mailto:tm-rid-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tm-rid/>
List-Post: <mailto:tm-rid@ietf.org>
List-Help: <mailto:tm-rid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tm-rid>, <mailto:tm-rid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Aug 2019 00:03:53 -0000
{Bob, replying to tm-rid list from openssl list, since this is not about openssl}
Robert Moskowitz <rgm@htt-consult.com> wrote:
> I am working with a 2-tier pki. The root CA cert will have some sort of
> standard DN for subjectName, naming the owner of the pki. The intermediate
> signing CA certs are for the agencies that actually register and, to some
> degree, manage these devices. All these agencies will be 'named' by the HHIT
> (draft-moskowitz-hierarchical-hip) derived from the ed25519 key of their
> signing cert. Well they are named by their /64 per the draft. And perhaps
> that is better, as over the years there will be new signing certs with
> different keys, but the same HHIT prefix. Hmmm.
> Also size of the DN is important as it is the issuerName in the client cert
> which may get transmitted over a very constrained (e.g. BT4) link. The
> intermediate CA cert has ITS issuerName of the root cert that identifies the
> pki for this purpose. So the CN could simply be:
> CN=2001:24:28:24/64
In the 6tisch 802.15.4 space, where we are hoping to do EDHOC,
we are trying to find a way to send the IDevID (which may be largish due to
various extensions) by reference rather than value.
It seems that you have the same problem with the intermediate CAs as we do.
draft-hallambaker-mesh-udf-05
is one thing I've looked at, but it isn't clear how much of a win it is.
As your intermediates will be identified by HITT, could you store them in
reverse DNS?
--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
-= IPv6 IoT consulting =-
- Re: [Tm-rid] IPv6 address encoding in commonName Michael Richardson
- Re: [Tm-rid] IPv6 address encoding in commonName Robert Moskowitz
- Re: [Tm-rid] IPv6 address encoding in commonName Michael Richardson