Re: [Uta] Éric Vyncke's No Objection on draft-ietf-uta-rfc6125bis-14: (with COMMENT)
Peter Saint-Andre <stpeter@stpeter.im> Thu, 03 August 2023 14:17 UTC
Return-Path: <stpeter@stpeter.im>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C18A6C14CF0D; Thu, 3 Aug 2023 07:17:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.199
X-Spam-Level:
X-Spam-Status: No, score=-7.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.091, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=stpeter.im header.b="su5XEKTh"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="0zr7pdbX"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oG3W0VPbhA9H; Thu, 3 Aug 2023 07:17:32 -0700 (PDT)
Received: from wout2-smtp.messagingengine.com (wout2-smtp.messagingengine.com [64.147.123.25]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1BA4C15153E; Thu, 3 Aug 2023 07:17:31 -0700 (PDT)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.west.internal (Postfix) with ESMTP id BD82332000D9; Thu, 3 Aug 2023 10:17:27 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162]) by compute3.internal (MEProxy); Thu, 03 Aug 2023 10:17:28 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=stpeter.im; h=cc :cc:content-transfer-encoding:content-type:content-type:date :date:from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:sender:subject:subject:to:to; s=fm1; t= 1691072247; x=1691158647; bh=LUyM4lWmEkOdnvHtDMtDuTBaApDiagS9d61 OOeYESz4=; b=su5XEKThI1/bGIHIaFIKDans1wLLG3F2RsqV4vUcET2yMx3fP2l k/4GnaX0ZZt2NN5tzoc9SknUpTrgAMIFA8ILORKF15cGrUN39I1bSB12622rABQr mVGgDMfH2EwHKyfH6tSIgI3+/3efWR5KbHZ3WfbJSdJyIYVrlt+mtY3gjJwOOsdN FigI7xE7ZbJBfgQx9mv4Iw6BaY37GpaI581gofvun0uaFVlAtKXBmumxQ3hzg8Fj xdpY2+Oh0kC2CbkhVPOo9y5t3njD21c/eEEgy3+mGY0E1o1gnLcOEq7IY2zQ8z5Z xRm46LyZoaZLFvPz6lJCCMQ9hvvYrDPQv1g==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:content-type:date:date:feedback-id:feedback-id :from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:sender:subject:subject:to:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t= 1691072247; x=1691158647; bh=LUyM4lWmEkOdnvHtDMtDuTBaApDiagS9d61 OOeYESz4=; b=0zr7pdbXzQx361QJW/+YHtrfEulVVd1+An93ZSqTACu882JkqY/ 75Af9i/Csh9Dw8DXu8Gh1+rk8AAQKFdLA/Ls7Fa66H5GHUv3YWr+GxGCVRskrCoG k7jdKyeNyOXoM/JtVf4AX/2BMHyGhxV+LUBatr1+uB1fqnirwsS8d1rkMU9mHgkw uxhs6iNuK7yCGQUbKWEDhYysUjYU/SLjadbLT2Pzi4VrF6EBv2h6u/6MXF6zeuOA OpDWfTEqXG22mo9pNtPRP+bqsYNq/is5BwNrTrCFCedW9Q3qfWWdDsmYpYHis+Fb 5xRg6b80UdLbf2fd8DgpXxSEyrccQkuGxcA==
X-ME-Sender: <xms:9rbLZI88itMBmoYzUlZVk2TLSkE0HubRbubKf8V1dll7hozQLfEQ3g> <xme:9rbLZAtfDmJOsyx8iHlRrsy3Hw4KJTrA5VIJCzKZ7QNfm6b4qRO_cDrB-S5tTfvJm pWC8g8DFkxkMVv26w>
X-ME-Received: <xmr:9rbLZOCxBsmp0PpdLbyzSWkTwq1sDwUBOgLuddJUHz5pUU_MT95zcmK_ZRd63ogR>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedviedrkedvgdejfecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpefkffggfgfvvehfhffujggtgfesthejredttdefjeenucfhrhhomheprfgvthgv rhcuufgrihhnthdqtehnughrvgcuoehsthhpvghtvghrsehsthhpvghtvghrrdhimheqne cuggftrfgrthhtvghrnhephfeghfduudevieeutdfghfduhfegjeekjeegiedtleduieet ffetgfehgfehkeegnecuffhomhgrihhnpehgihhthhhusgdrtghomhdprhhftgdqvgguih htohhrrdhorhhgpdhivghtfhdrohhrghdpvgigrghmphhlvgdrtghomhenucevlhhushht vghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehsthhpvghtvghrsehsth hpvghtvghrrdhimh
X-ME-Proxy: <xmx:9rbLZIdoDBvxOd5924GoaMf1VA1UcLceqMGh9nkfnKcpUKckAqs77A> <xmx:9rbLZNOP6VS2WsOepInjfMi94bZcfdsZbmHDT6gScDf67hEAJBPbkg> <xmx:9rbLZClrFBB6Oc3eUEOR5H5m_LOydMVV0I63XO2gxE7PIDTnEa1Hkw> <xmx:97bLZGjSReklPmiasXW5Wjo8X7Iy8ocqu0NKUy2Ecv2DyLhfIeFLeQ>
Feedback-ID: i24394279:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Thu, 3 Aug 2023 10:17:25 -0400 (EDT)
Message-ID: <5be22f98-fda8-bb14-fd39-1de195e83fe4@stpeter.im>
Date: Thu, 03 Aug 2023 08:17:24 -0600
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.13.0
Content-Language: en-US
To: Erik Nygren <erik+ietf@nygren.org>, "Eric Vyncke (evyncke)" <evyncke@cisco.com>
Cc: "Salz, Rich" <rsalz@akamai.com>, The IESG <iesg@ietf.org>, "draft-ietf-uta-rfc6125bis@ietf.org" <draft-ietf-uta-rfc6125bis@ietf.org>, "uta-chairs@ietf.org" <uta-chairs@ietf.org>, "uta@ietf.org" <uta@ietf.org>, "orie@transmute.industries" <orie@transmute.industries>, "draft-ietf-dnsop-svcb-https@ietf.org" <draft-ietf-dnsop-svcb-https@ietf.org>
References: <169095311455.35305.4947745650893038277@ietfa.amsl.com> <C348BAA0-178B-4B02-8D5A-9371A22D70BA@akamai.com> <51F6F1DB-8136-4263-B1FC-AA1268B8928B@cisco.com> <CAKC-DJg3yOv0-KGtOjubQk0sng2Ukv=9pyCVW+HSiL6xiGGLVA@mail.gmail.com>
From: Peter Saint-Andre <stpeter@stpeter.im>
In-Reply-To: <CAKC-DJg3yOv0-KGtOjubQk0sng2Ukv=9pyCVW+HSiL6xiGGLVA@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/APL9Mwg6bfeztEI7t7Ywk6YYf-c>
Subject: Re: [Uta] Éric Vyncke's No Objection on draft-ietf-uta-rfc6125bis-14: (with COMMENT)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Aug 2023 14:17:36 -0000
Although it would have been nice to receive this feedback during one of the two WGLCs or during IETF LC, see my comments below. IMHO these are mostly small tweaks that we can fix in parallel with IESG feedback. On 8/2/23 2:26 PM, Erik Nygren wrote: > In going through the draft to look at it from a SVCB perspective, a few > things jumped out at me, most of which are minor. > This is past LC so perhaps too late, but sending here as well in-case > the WG or others think any need addressing. > (I opened > https://github.com/richsalz/draft-ietf-uta-rfc6125bis/issues/101 > <https://github.com/richsalz/draft-ietf-uta-rfc6125bis/issues/101> to > track but realize it may be too late.) > > 1. On DNS names starting with Labels: > > > historically this rule was also intended to apply to all labels > in a domain name (see Section 2.3.1 > <https://rfc-editor.org/rfc/rfc1035#section-2.3.1> of [DNS-NAMES > <https://www.rfc-editor.org/rfc/rfc1035>]), although that is not > always the case in practice. > > This should probably be more clear that domain names are explicitly > allowed to start with digits. As per > https://datatracker.ietf.org/doc/html/rfc1123#section-2.1 > <https://datatracker.ietf.org/doc/html/rfc1123#section-2.1> and > https://datatracker.ietf.org/doc/html/rfc2181#section-11 > <https://datatracker.ietf.org/doc/html/rfc2181#section-11> clearly > update this. For example from the former clearly states: > "One aspect of host name syntax is hereby changed: the restriction on > the first character is relaxed to allow either a letter or a digit. Host > software MUST support this more liberal syntax" It's not clear to me how the text should be improved. Suggestions welcome. > 2. On the Web example: > > > Consider a simple website at www.example.com > <http://www.example.com>, which is not discoverable via DNS SRV > lookups. Because HTTP does not specify the use of URIs in server > certificates, a certificate for this service might include only a > DNS-ID of www.example.com <http://www.example.com>. > > Consider the same website, which is reachable by a fixed IP > address of 2001:db8::5c. The certificate might include this value in > an IP-ID to allow clients to use the fixed IP address as a reference > identity. > > This would not be the same "website". In particular, the web origin > (rfc6454) is the tuple of scheme, authority, and port. Since the > authority is different (ie, the IP vs the hostname) they would be > distinct. If we're going to include this example, we should be clear > that https://www.example.com/ <https://www.example.com/> and > https://[2001:db8::5c]/ might be multi-tenant on the same server but are > different web origins (ie, different "websites")examples so we always > have both?) Indeed it might be more accurate to say "website service". > 3. > > Clarification on IP address matching > > > For an IP address that appears in a URI-ID, the "host" component > of both the reference identity and the presented identifier must > match. These are parsed as either an "IP-literal" (following [IPv6 > <https://www.rfc-editor.org/rfc/rfc4291>]) or an "IPv4address" > (following [IPv4 <https://www.rfc-editor.org/rfc/rfc791>]). If the > resulting octets are equal, the IP address matches. > > In the IPv6 case, it may be better to reference > https://datatracker.ietf.org/doc/html/rfc3986 > <https://datatracker.ietf.org/doc/html/rfc3986> section 3.2.2 since what > is being matched isn't "IP-literal" (which is in square brackets) per > the below ABNF but the address inside those brackets: > > |IP-literal = "[" ( IPv6address / IPvFuture ) "]" | Good catch, we'll wordsmith that. > There is also the case of https://www.rfc-editor.org/rfc/rfc6874 > <https://www.rfc-editor.org/rfc/rfc6874> (which allows zoneids) but > since the zoneid has host scope it makes no sense for it to be included > in how certs are verified. (But perhaps there should be a requirement > that the IPv6 IP-ID address NOT be LinkLocal?) I'm not sure that's necessary. Peter
- [Uta] Éric Vyncke's No Objection on draft-ietf-ut… Éric Vyncke via Datatracker
- Re: [Uta] Éric Vyncke's No Objection on draft-iet… Salz, Rich
- Re: [Uta] Éric Vyncke's No Objection on draft-iet… Eric Vyncke (evyncke)
- Re: [Uta] Éric Vyncke's No Objection on draft-iet… Erik Nygren
- Re: [Uta] Éric Vyncke's No Objection on draft-iet… Peter Saint-Andre
- Re: [Uta] Éric Vyncke's No Objection on draft-iet… Salz, Rich