Re: [Uta] Adoption of draft-rsalz-use-san

Eliot Lear <lear@cisco.com> Mon, 15 March 2021 17:23 UTC

From: Eliot Lear <lear@cisco.com>
Message-Id: <61861D17-5C02-4A91-AF26-12DA41A8C167@cisco.com>
Date: Mon, 15 Mar 2021 18:23:44 +0100
In-Reply-To: <34549C03-20F8-46B2-9524-298559225F8D@akamai.com>
Cc: "uta@ietf.org" <uta@ietf.org>
To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>
References: <004201d718e1$007959a0$016c0ce0$@gmail.com> <E4D5BAE4-6BCA-4405-B9AA-D83F0F784A81@cisco.com> <5EA0DD1C-4977-4E2E-9D16-6762EA366AD9@dukhovni.org> <3999D19E-F657-4574-AE52-6BB3C5733338@cisco.com> <34549C03-20F8-46B2-9524-298559225F8D@akamai.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/ayfVzc_j0kK7wY0_cW8OR9r81LE>
Subject: Re: [Uta] Adoption of draft-rsalz-use-san
List-Id: UTA working group mailing list <uta.ietf.org>

Thanks, Rich.  My recommendation is to state the architectural principle, much as you already do, but then to split up the recommendations, perhaps along the following lines:

Applications that make use of domain names and maybe IP addresses in certificates
Others

I *think* that is the right split (Victor got me thinking along these lines).  For the former, we don’t have to be too polite about those not using SANs: it’s well past time.  For the latter, I would couch the language just a bit, because there are likely to be non-IETF use cases tracking your work.

So something like: those producing certificates that do not contain domain names MUST use a SAN.  Those validating certificates not using domain names MAY reject certificates that do not contain a SAN, based on intended use case, length of certificates in play, and other specific application knowledge.

That probably needs a WHOLE lot of wordsmithing, but it gives fair warning to the industry that unstructured subjects are naughty.

I would still liaise this stuff to the IEEE.

Eliot



> On 15 Mar 2021, at 16:14, Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org> wrote:
> 
>>   I’m quite certain this is NOT what Rich had in mind when he was writing the document, and thus my suggestions.
> 
> There are more things in heaven and earth, Horatio, than are covered by your draft :)
> 
> Happy to add some wording if anyone has suggestions.
>
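Added example, not part of Eliot's message, of draft-rsalz-use-san, or of any IETF text: a small Go validator that applies the validator-side rule sketched above. It refuses any certificate with no subjectAltName extension and matches hostnames and IP-address literals against SAN entries only, so the Subject CN is never consulted. The self-signed certificates, the names (example.com, 192.0.2.10) and the function names are constructed for illustration; nothing here is taken from the draft.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// ErrNoSAN is returned for certificates that carry no subjectAltName at all.
// Under the "MAY reject" wording a validator never falls back to the CN.
var ErrNoSAN = errors.New("certificate has no subjectAltName extension")

// id-ce-subjectAltName (RFC 5280, section 4.2.1.6).
var oidSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}

// makeCert builds a self-signed test certificate (constructed data for this
// example). dnsNames and ips populate the subjectAltName extension; when both
// are empty the certificate carries only a Subject CN, the legacy form.
func makeCert(cn string, dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hasSAN reports whether the parsed certificate contains a subjectAltName
// extension, whatever name types it holds.
func hasSAN(cert *x509.Certificate) bool {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidSubjectAltName) {
			return true
		}
	}
	return false
}

// matchDNS compares one dNSName SAN entry with a reference identifier.
// Case-insensitive; a wildcard may only stand for the whole leftmost label
// (RFC 6125, section 6.4.3), and "*.com"-style patterns are refused.
func matchDNS(pattern, host string) bool {
	pattern = strings.ToLower(strings.TrimSuffix(pattern, "."))
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if pattern == host {
		return true
	}
	if !strings.HasPrefix(pattern, "*.") || !strings.Contains(pattern[2:], ".") {
		return false
	}
	dot := strings.IndexByte(host, '.')
	if dot <= 0 {
		return false
	}
	return host[dot+1:] == pattern[2:]
}

// VerifyName checks reference (a hostname or an IP literal) against the SAN
// entries only. The Subject CN is ignored, and a certificate without a SAN
// is rejected outright instead of being matched on its CN.
func VerifyName(cert *x509.Certificate, reference string) error {
	if !hasSAN(cert) {
		return ErrNoSAN
	}
	if ip := net.ParseIP(reference); ip != nil {
		for _, c := range cert.IPAddresses {
			if c.Equal(ip) {
				return nil
			}
		}
		return fmt.Errorf("no iPAddress SAN matches %s", reference)
	}
	for _, d := range cert.DNSNames {
		if matchDNS(d, reference) {
			return nil
		}
	}
	return fmt.Errorf("no dNSName SAN matches %q", reference)
}

func main() {
	legacy, err1 := makeCert("www.example.com", nil, nil) // CN only, no SAN
	modern, err2 := makeCert("unrelated", []string{"*.example.com"}, []net.IP{net.ParseIP("192.0.2.10")})
	if err1 != nil || err2 != nil {
		panic("test certificate generation failed")
	}
	for _, name := range []string{"www.example.com", "192.0.2.10", "a.b.example.com"} {
		fmt.Printf("legacy %-16s -> %v\n", name, VerifyName(legacy, name))
		fmt.Printf("modern %-16s -> %v\n", name, VerifyName(modern, name))
	}
}
```

Running it shows the point of the producer-side MUST: the legacy certificate is refused for www.example.com even though its CN is exactly that name, because the validator has nothing structured to match against, while the SAN-bearing certificate matches the wildcard and the IP literal and still rejects the multi-label a.b.example.com.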