Re: [Uta] Adoption of draft-rsalz-use-san

Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 15 March 2021 10:31 UTC

From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <E4D5BAE4-6BCA-4405-B9AA-D83F0F784A81@cisco.com>
Date: Mon, 15 Mar 2021 08:31:39 -0200
Reply-To: uta@ietf.org
Message-Id: <5EA0DD1C-4977-4E2E-9D16-6762EA366AD9@dukhovni.org>
References: <004201d718e1$007959a0$016c0ce0$@gmail.com> <E4D5BAE4-6BCA-4405-B9AA-D83F0F784A81@cisco.com>
To: uta@ietf.org
X-Mailer: Apple Mail (2.3654.60.0.2.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/UyWjFyc0Am2rBj64y5VNqwKoREU>
Subject: Re: [Uta] Adoption of draft-rsalz-use-san

> On Mar 15, 2021, at 7:58 AM, Eliot Lear <lear=40cisco.com@dmarc.ietf.org> wrote:
> 
> Architecturally, Rich is nailing it.  We should be encouraging the use of SANs.  However, use of SANs beyond the scope of the web may not be entirely ubiquitous, and so we should either be a bit more targeted, or slow roll the other uses with some backward compatibility language.  Personally I like the latter approach.  We shouldn't hold up deprecation across the web due to the other uses, but we should encourage those other uses to move off of subject.
> 
> If Rich and others are ok with that, I’m all for adoption.

Certificates are barely checked in SMTP at all (opportunistic
and at that), but to the extent that they are, I am not aware
of anyone who's got meaningful certificates that only have a
matching CN and no matching SAN.

It is fine to deprecate the requirement to support CNs in the
absence of a DNS-ID SAN also for SMTP (not just Web).  Long
overdue.

-- 
	Viktor.
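What the proposed deprecation means in practice is that a client matches the peer's name only against dNSName (and iPAddress) entries in subjectAltName, and never consults the subject commonName, not even when the certificate carries no SAN at all. The following is an added example, written for this page and not code from the thread or from any of the implementations discussed; it takes certificates in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, implements SAN-only matching with the RFC 6125 wildcard rules (a lone `*` as the entire left-most label, matching exactly one label, never a public suffix), and shows the legacy CN-fallback behaviour beside it for contrast. The two certificates are constructed for the example; the function names and the example host names are assumptions, not anything from the draft.

```python
"""SAN-only host-name matching for TLS peer certificates (added example)."""
import ipaddress

# Constructed sample certificates in ssl.getpeercert() dict form (not real certs).
# A CN-only certificate: nothing in subjectAltName, name only in the subject.
CN_ONLY_CERT = {
    "subject": ((("commonName", "mx.example.org"),),),
}
# A certificate whose SAN and CN disagree; only the SAN entries may be trusted.
SAN_CERT = {
    "subject": ((("commonName", "legacy.example.org"),),),
    "subjectAltName": (
        ("DNS", "mx.example.org"),
        ("DNS", "*.mail.example.org"),
        ("IP Address", "192.0.2.25"),
    ),
}


def dns_id_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS-ID (possibly a wildcard) against a host name, RFC 6125 style."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole left-most label, appear nowhere else,
    # and must not be able to match a public suffix such as "*.org".
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False  # "*" matches exactly one label, so label counts must agree
    if any(lbl == "" for lbl in h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def match_hostname_san_only(cert: dict, hostname: str) -> bool:
    """Policy the draft moves toward: subjectAltName is the only source of identity."""
    san = cert.get("subjectAltName", ())
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        # An IP literal is matched only against iPAddress SAN entries, never DNS-IDs.
        return any(
            kind == "IP Address" and ipaddress.ip_address(value) == wanted_ip
            for kind, value in san
        )
    return any(kind == "DNS" and dns_id_matches(value, hostname) for kind, value in san)


def match_hostname_legacy(cert: dict, hostname: str) -> bool:
    """Behaviour being deprecated: fall back to subject CN only when no DNS-ID SAN exists."""
    san = cert.get("subjectAltName", ())
    if any(kind == "DNS" for kind, _ in san):
        return match_hostname_san_only(cert, hostname)
    common_names = [
        value
        for rdn in cert.get("subject", ())
        for kind, value in rdn
        if kind == "commonName"
    ]
    return any(dns_id_matches(cn, hostname) for cn in common_names)


if __name__ == "__main__":
    for cert_name, cert in (("CN_ONLY_CERT", CN_ONLY_CERT), ("SAN_CERT", SAN_CERT)):
        for host in ("mx.example.org", "a.mail.example.org", "legacy.example.org"):
            print(
                f"{cert_name:13} {host:22} san_only={match_hostname_san_only(cert, host)!s:5} "
                f"legacy={match_hostname_legacy(cert, host)}"
            )
```

The two policies differ only on the CN-only certificate: the legacy matcher accepts `mx.example.org` from its subject, the SAN-only matcher rejects it, which is exactly the class of certificate the message says nobody meaningful still relies on. Note that when a SAN is present both policies already ignore the CN, so `legacy.example.org` is rejected either way.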