Re: [Uta] Adoption of draft-rsalz-use-san
Nico Williams <nico@cryptonector.com> Wed, 17 March 2021 16:08 UTC
Date: Wed, 17 Mar 2021 11:08:07 -0500
From: Nico Williams <nico@cryptonector.com>
To: Eliot Lear <lear=40cisco.com@dmarc.ietf.org>
Cc: Valery Smyslov <smyslov.ietf@gmail.com>, uta@ietf.org, uta-chairs@ietf.org, "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>
Message-ID: <20210317160806.GM30153@localhost>
References: <004201d718e1$007959a0$016c0ce0$@gmail.com> <E4D5BAE4-6BCA-4405-B9AA-D83F0F784A81@cisco.com>
In-Reply-To: <E4D5BAE4-6BCA-4405-B9AA-D83F0F784A81@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/LXcPpIAbmId2WSMkXXKY8ho2ZkI>
Subject: Re: [Uta] Adoption of draft-rsalz-use-san
On Mon, Mar 15, 2021 at 10:58:56AM +0100, Eliot Lear wrote:
> By way of example, IEEE 802.1AR allows for the use of the subject, and
> some of those certs are extremely long lived. One thing we should do
> is liaise this draft to the 802.1 committee so that they can prepare
> their base, and get their feedback about how to roll out this change.
>
> For libraries like OpenSSL I wouldn’t mind throwing in a new flag, for
> instance, that would be required to validate a cert based on the
> subject. That would help these other uses get over the hump over
> time; perhaps even with a warning of some form emitted.

Easy fix IF we really need it:

 - relying parties MUST reject old-style certificates issued after some
   appropriate future date TBD

 - relying parties MAY continue to accept old-style certificates issued
   before some appropriate future date TBD

 - after some appropriate future date TBD, relying parties MAY reject
   old-style certificates issued before that date

 - after some later appropriate future date TBD, relying parties SHOULD
   reject old-style certificates issued before that date

As Watson noted, one should be able to get old-style certificates
re-issued with dNSName SANs and empty DNs.

Some long-lived certificates can't be replaced easily (e.g., EKcerts),
but generally those can't have any kind of hostname because such names
cannot possibly be known at issuance time or because it's not
appropriate for the issuer to assert them. Conversely, devices not
using such hard-to-roll certs must be possible to fix, so we can have a
drop-dead date even for certificates issued before that date.

Nico
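The tiered schedule proposed in the message above, worked through as an added example (it is not code from the thread, from the draft, or from any TLS library). It models a relying party's hostname check: a dNSName SAN, when present, is authoritative and the subject CN is ignored; a certificate with no dNSName SAN ("old-style") is accepted, flagged as MAY reject, flagged as SHOULD reject, or rejected outright depending on its issuance date and the current date. All three cut-off dates, the `Cert` type, `Verdict`, and `verify_hostname` are hypothetical placeholders of this example; the message leaves every date "TBD".

```python
"""Hostname verification with a dated phase-out of subject-CN matching.

Added example, not from the UTA thread or draft-rsalz-use-san. The
cut-off dates below are constructed placeholders; the draft leaves them TBD.
"""
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import List, Optional

# Hypothetical cut-off dates (all "TBD" in the message).
ISSUANCE_CUTOFF = date(2022, 1, 1)     # old-style certs issued on/after this: MUST reject
MAY_REJECT_DATE = date(2023, 1, 1)     # from this date relying parties MAY reject older ones
SHOULD_REJECT_DATE = date(2024, 1, 1)  # from this date relying parties SHOULD reject them


class Verdict(Enum):
    ACCEPT = "accept"                  # a dNSName SAN matched the hostname
    ACCEPT_LEGACY = "accept-legacy"    # matched via CN only, still permitted
    MAY_REJECT = "may-reject"          # CN-only cert; relying party MAY reject
    SHOULD_REJECT = "should-reject"    # CN-only cert; relying party SHOULD reject
    REJECT = "reject"                  # no name matched, or old-style cert past cut-off


@dataclass
class Cert:
    """Minimal stand-in for the parts of an X.509 certificate the check needs."""
    not_before: date
    san_dns_names: List[str] = field(default_factory=list)
    subject_cn: Optional[str] = None


def _label_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive; a wildcard is allowed only
    as the entire left-most label, never matches across a dot, and needs at
    least two further labels (so '*.com' never matches)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_hostname(cert: Cert, hostname: str, today: date) -> Verdict:
    """Decide how a relying party should treat `cert` for `hostname` on `today`."""
    # 1. dNSName SAN present: it is authoritative and the CN is ignored entirely.
    if cert.san_dns_names:
        matched = any(_label_match(n, hostname) for n in cert.san_dns_names)
        return Verdict.ACCEPT if matched else Verdict.REJECT

    # 2. Old-style certificate (no dNSName SAN): apply the dated schedule.
    if cert.not_before >= ISSUANCE_CUTOFF:
        return Verdict.REJECT  # MUST reject: issued after the cut-off
    if cert.subject_cn is None or not _label_match(cert.subject_cn, hostname):
        return Verdict.REJECT  # the CN does not even name this host
    if today >= SHOULD_REJECT_DATE:
        return Verdict.SHOULD_REJECT
    if today >= MAY_REJECT_DATE:
        return Verdict.MAY_REJECT
    return Verdict.ACCEPT_LEGACY


if __name__ == "__main__":
    # Constructed sample: a CN-only certificate issued before the cut-off,
    # evaluated at three points in the schedule.
    legacy = Cert(date(2020, 1, 1), [], "www.example.com")
    for when in (date(2021, 3, 17), date(2023, 6, 1), date(2024, 6, 1)):
        print(when, verify_hostname(legacy, "www.example.com", when).value)
```

The MAY and SHOULD verdicts are where a library would hook the "warning of some form" Eliot mentions: a caller can treat them as accept-with-log today and flip them to reject later without touching the matching logic.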