IETF Logo Mail Archive

Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06

Yaron Sheffer <yaronf.ietf@gmail.com> Sat, 25 June 2022 14:30 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E4F0C15AD23; Sat, 25 Jun 2022 07:30:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.056
X-Spam-Level:
X-Spam-Status: No, score=-0.056 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, MALFORMED_FREEMAIL=2.052, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X5hQq3Bcmm_5; Sat, 25 Jun 2022 07:30:36 -0700 (PDT)
Received: from mail-io1-xd33.google.com (mail-io1-xd33.google.com [IPv6:2607:f8b0:4864:20::d33]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA070C14F719; Sat, 25 Jun 2022 07:30:35 -0700 (PDT)
Received: by mail-io1-xd33.google.com with SMTP id h85so5475880iof.4; Sat, 25 Jun 2022 07:30:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=user-agent:date:subject:from:to:cc:message-id:thread-topic :references:in-reply-to:mime-version:content-transfer-encoding; bh=t718OdXAgOFgjJj6STLkaclBMUy4rjLrYvHlCdXcQB8=; b=QAvzt4bap/mBbVpMTeQMZ4UYhHmA6H//kkHJV9tEjWAw+1J1pXE46I1Qrjb5uh0ck2 B64gdS1dTDPrKw7IUpDX+GrLg/mw3XRX1k/B8hvGtXp0cHeFRVA9Q+iiJyJUi8O5Jjvy OJTWA9pmotcl/Kzl340qIyYshfH7mrWms3+6ruj2ZJADfoBAgZP98H0lMdDh9IPKRuTm 6qlr3MWyyGbruJe9Ecj0D/chRGpkSFVPdGWvSX7QZnxumI/+Eo3yWsuPehBkZKqKl0dl XJyBO8zPqMqw7+oHGvgGJkWYZFOz/ZB02FTOLq5PgX8HKlsytk0qXM+5YwfEw8Ry+7+G wHDg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:user-agent:date:subject:from:to:cc:message-id :thread-topic:references:in-reply-to:mime-version :content-transfer-encoding; bh=t718OdXAgOFgjJj6STLkaclBMUy4rjLrYvHlCdXcQB8=; b=A+vPFsg91IxU3q6uPtXk/6ClV1vrmqnkgBpQhRVfosLBsGxuwkeoLFue+aQhjuJESs fZupItLb7VqtzkeRuiJpLvoCemK29AtGpKgrZpSBW8ntqxoR08D3jlylbsW/3uSIJtpp 5NA99RbJ9m0Cy1T2r0HVNjcgeAXBNXA1Sa7AkpU+StgjI39/VmlDf6GOg0qwPST6QLvg uSXio3Zw37kZNiTlLzbRbPwfduxUycZgYBhGbgbpwApFK7pzogVLw5vD9e0pXmWE364N Jg+gm8D1eKzgDRhSs8fyD/FdDXsBnzDWfxASCP7qXhm2Dlou6tSA6zxEIUgfrASphyTl gqPA==
X-Gm-Message-State: AJIora97FPuGMCbeaEZjqQUm/SGsYvRxpF+LV5jG3NgTWRipvVnmIopu HPyNgBLXupZbAklxmtSp39/rViNlB34=
X-Google-Smtp-Source: AGRyM1txaBmQDBt9ACzWQ+FroV4cI53PoaXY/QFwK0EvnfcZ6uRFw7tiX2GsKgFMHRkrs7tu4BTINw==
X-Received: by 2002:a05:6638:460e:b0:33b:12ee:21dd with SMTP id bw14-20020a056638460e00b0033b12ee21ddmr2733434jab.78.1656167434695; Sat, 25 Jun 2022 07:30:34 -0700 (PDT)
Received: from [192.168.68.106] (IGLD-84-229-147-215.inter.net.il. [84.229.147.215]) by smtp.gmail.com with ESMTPSA id e43-20020a02862e000000b003316536ebc1sm2392416jai.73.2022.06.25.07.30.32 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sat, 25 Jun 2022 07:30:34 -0700 (PDT)
User-Agent: Microsoft-MacOutlook/16.62.22061100
Date: Sat, 25 Jun 2022 17:30:30 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: Peter Saint-Andre <stpeter@stpeter.im>, Valery Smyslov <valery@smyslov.net>, uta@ietf.org, draft-ietf-uta-rfc6125bis@ietf.org
CC: uta-chairs@ietf.org
Message-ID: <BE6D8552-2723-4B64-9909-22C0BC32AC75@gmail.com>
Thread-Topic: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06
References: <002e01d87e9c$78a002e0$69e008a0$@smyslov.net> <032e01d8878f$c2e8f630$48bae290$@smyslov.net> <A7E6035E-7BCF-4BB3-BB87-D261ED98532D@gmail.com> <ae5b3a02-bcc3-2106-a39a-b67aae55d85c@stpeter.im> <ac41a613-f802-0138-1e1b-326d2baa6574@stpeter.im>
In-Reply-To: <ac41a613-f802-0138-1e1b-326d2baa6574@stpeter.im>
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/d8P_e34Qkw9_T729cF_PEj2nd9o>
Subject: Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Jun 2022 14:30:40 -0000

Thank you Rich and Peter, some follow-ups below.

	Yaron

On 6/25/22, 02:07, "Peter Saint-Andre" <stpeter@stpeter.im> wrote:

    On 6/24/22 4:40 PM, Peter Saint-Andre wrote:
    > The list admins might want to be aware that this message was truncated 
    > as follows (at least for me and Rich)...
    > 
    > On 6/24/22 10:04 AM, Yaron Sheffer wrote:
    >> So here's a few comments. Thanks Valery for the reminder!
    >>
    >> * The DTLS reference should change to DTLS 1.3.

    Easily fixed.

    >> * See Appendix A of [VERIFY]

    Yes, that's a typo.

    >> * The rules are brief - it's not clear from the text if this is a 
    >> summary of the totality of the new RFC, or just the changes from the 
    >> previosu version

    Section 1.3 is entitled "Overview of Recommendations" but we could make 
    the text clearer (e.g., "The following is a brief summary of the rules, 
    which are described at greater length in the remainder of this document").

That would be clearer.

    > In the archive [1], Yaron's message continued as follows...
    > 
    > ###
    > 
    > * No definition is given for "FQDN" even though the name being an FQDN 
    > is a major component of the document's scope. Specifically, are 
    > enterprise hostnames (that are not on the public DNS) in scope? Are 
    > .local names?

    Section 2.2 of RFC 6125 referenced RFC 1034 in this regard. IIRC from 
    when Jeff and I worked on RFC 6125, it is surprisingly difficult to find 
    a canonical definition for FQDN and similar terms.

Yep, we can punt the definition but then we need to address all the special cases. For example, you didn't answer my questions re: non-public DNS names and ".local"...

    > * Similarly, it is not clear to me whether certs obtained through DANE 
    > are in or out of scope.

    Well, DANE (RFC 6698) post-dates RFC 6125 so we might need to update our 
    recommendations to take account of DANE. I'll need to think about the 
    exact text we need.

    > * And the same question for delegated credentials 
    > (draft-ietf-tls-subcerts).

    That's an emerging technology, but at least an informational reference 
    might be appropriate.

    > * The Common Name RDN... can appear more than once in the subjectName. 
    > I'm probably missing something, but how is this different from multiple 
    > server names appearing in SAN when the certificate protects multiple 
    > services?

    We do say (in Section 2):

        The Common Name RDN MUST NOT be used to identify a service.

    I'm probably missing something in what you suggest here.

Sorry, should have been clearer. I am referring to this text, that lists two reasons why the Common Name RDN doesn't identify a service. I agree with the first reason but I think the second one is incorrect, because SubjectAltNames have the same property and we still use them.

    > * XMPP backward compatibility: does the XmppAddr still need to be 
    > mentioned in -bis?

    For server certificates, that would be appropriate (see Section 
    13.7.1.2.1 of RFC 6120).

My question was: is it possible that we needed for *backward compatibility* 11 years ago may be outdated and ready to be obsoleted today.

    > * the service provider SHOULD request [...] an SRV-ID or URI-ID that 
    > limits the deployment scope of the certificate to only the defined 
    > application service type. This is only somewhat accurate, because an 
    > HTTP client would happily accept the DNS-ID, no matter what other 
    > SRV-IDs are found there.

    As far as I know, there is no SRV-ID or URI-ID defined for HTTP 
    (although there was an Internet-Draft on the topic years ago). Do you 
    think that changes are needed to the text?

This particular sentence is not great but I don't have a better alternative.

    > * Which identifier types a client includes in its list of reference 
    > identifiers, and their priority, is a matter of local policy - given the 
    > situation today, can we have a normative recommendation for clients to 
    > be strict in constructing their reference list? If we don't include such 
    > normative text, we're basically telling people to make the easier choice 
    > and build lenient clients.

    It seems to me that the local policy will depend a great deal on the 
    protocol(s) that an application supports, the state of SRV-ID and URI-ID 
    support in that protocol and its implementations/deployments, etc. 
    However, I do think that we can formulate some more strict rules that 
    ought to be followed by implementations. Text to follow.

    Peter

v2.23.0 | Report a Bug | By Email