IETF Logo Mail Archive

Re: [Uta] Adoption of draft-rsalz-use-san

Nico Williams <nico@cryptonector.com> Wed, 17 March 2021 16:08 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1032A3A1108; Wed, 17 Mar 2021 09:08:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z3XGacJvUAmF; Wed, 17 Mar 2021 09:08:14 -0700 (PDT)
Received: from buffalo.birch.relay.mailchannels.net (buffalo.birch.relay.mailchannels.net [23.83.209.24]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B5D33A1104; Wed, 17 Mar 2021 09:08:14 -0700 (PDT)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id D0ABB40321B; Wed, 17 Mar 2021 16:08:12 +0000 (UTC)
Received: from pdx1-sub0-mail-a65.g.dreamhost.com (100-96-133-30.trex.outbound.svc.cluster.local [100.96.133.30]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 34EB24031CD; Wed, 17 Mar 2021 16:08:12 +0000 (UTC)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from pdx1-sub0-mail-a65.g.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384) by 100.96.133.30 (trex/6.1.1); Wed, 17 Mar 2021 16:08:12 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Wiry-Relation: 4024ce86676ba8cb_1615997292598_1257982748
X-MC-Loop-Signature: 1615997292598:2287048758
X-MC-Ingress-Time: 1615997292598
Received: from pdx1-sub0-mail-a65.g.dreamhost.com (localhost [127.0.0.1]) by pdx1-sub0-mail-a65.g.dreamhost.com (Postfix) with ESMTP id C44F17E43D; Wed, 17 Mar 2021 09:08:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to:content-transfer-encoding; s= cryptonector.com; bh=/RDMkMIwUVNOJZnyDIR8OHLWoLY=; b=Pbt0hTj0mHH VHSdkxoqv8MQX7zaqvVMqRTnHOf2uPM+SUq94LOBBTXIYdgA14D4FCj+58G2+7rJ /W9Mlhzop8tyWviko70n7/kczUFdHVZ8XrtBcqcqwwphv9Err6aODkANZD7QfUa3 e59aV38lazaWFZIutl0g4VA/xKGCyHK8=
Received: from localhost (unknown [24.28.108.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a65.g.dreamhost.com (Postfix) with ESMTPSA id D3B7F7E40D; Wed, 17 Mar 2021 09:08:09 -0700 (PDT)
Date: Wed, 17 Mar 2021 11:08:07 -0500
X-DH-BACKEND: pdx1-sub0-mail-a65
From: Nico Williams <nico@cryptonector.com>
To: Eliot Lear <lear=40cisco.com@dmarc.ietf.org>
Cc: Valery Smyslov <smyslov.ietf@gmail.com>, uta@ietf.org, uta-chairs@ietf.org, "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>
Message-ID: <20210317160806.GM30153@localhost>
References: <004201d718e1$007959a0$016c0ce0$@gmail.com> <E4D5BAE4-6BCA-4405-B9AA-D83F0F784A81@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <E4D5BAE4-6BCA-4405-B9AA-D83F0F784A81@cisco.com>
User-Agent: Mutt/1.9.4 (2018-02-28)
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/LXcPpIAbmId2WSMkXXKY8ho2ZkI>
Subject: Re: [Uta] Adoption of draft-rsalz-use-san
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Mar 2021 16:08:16 -0000

On Mon, Mar 15, 2021 at 10:58:56AM +0100, Eliot Lear wrote:
> By way of example, IEEE 802.1AR allows for the use of the subject, and
> some of those certs are extremely long lived.  One thing we should do
> is liaise this draft to the 802.1 committee so that they can prepare
> their base, and get their feedback about how to roll out this change.
> 
> For libraries like OpenSSL I wouldn’t mind throwing in a new flag, for
> instance, that would be required to validate a cert based on the
> subject.  That would help these other uses get over the hump over
> time; perhaps even with a warning of some form emitted.

Easy fix IF we really need it:

 - relying parties MUST reject old-style certificates issued after some
   appropriate future date TBD

 - relying parties MAY continue to accept old-style certificates issued
   before some appropriate future date TBD

 - after some appropriate future date TBD, relying parties MAY reject
   old-style certificates issued before that date

 - after some later appropriate future date TBD, relying parties SHOULD
   reject old-style certificates issued before that date

As Watson noted, one should be able to get old-style certificates
re-issued with dNSName SANs and empty DNs.

Some long-lived certificates can't be replaced easily (e.g., EKcerts),
but generally those can't have any kind of hostname name because such
names cannot possibly be known at issuance time or because it's not
appropriate for the issuer to assert them.

Conversely, devices not using such hard-to-roll certs must be possible
to fix, so we can have a drop-dead date even for certificates issued
before that date.

Nico
--

v2.23.0 | Report a Bug | By Email