Re: [Uta] Depreciation (was Re: Adoption of draft-rsalz-use-san)

Nico Williams <nico@cryptonector.com> Fri, 19 March 2021 16:41 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 49F683A1A00 for <uta@ietfa.amsl.com>; Fri, 19 Mar 2021 09:41:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oj3ldGxp7NO3 for <uta@ietfa.amsl.com>; Fri, 19 Mar 2021 09:41:42 -0700 (PDT)
Received: from insect.birch.relay.mailchannels.net (insect.birch.relay.mailchannels.net [23.83.209.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EC7873A19FF for <uta@ietf.org>; Fri, 19 Mar 2021 09:41:41 -0700 (PDT)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 117E1361F04; Fri, 19 Mar 2021 16:41:40 +0000 (UTC)
Received: from pdx1-sub0-mail-a26.g.dreamhost.com (100-96-17-75.trex.outbound.svc.cluster.local [100.96.17.75]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 51F67362241; Fri, 19 Mar 2021 16:41:39 +0000 (UTC)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from pdx1-sub0-mail-a26.g.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384) by 100.96.17.75 (trex/6.1.1); Fri, 19 Mar 2021 16:41:39 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Keen-Turn: 359494c30a15e5d0_1616172099824_77981030
X-MC-Loop-Signature: 1616172099823:2613676013
X-MC-Ingress-Time: 1616172099823
Received: from pdx1-sub0-mail-a26.g.dreamhost.com (localhost [127.0.0.1]) by pdx1-sub0-mail-a26.g.dreamhost.com (Postfix) with ESMTP id C54E07F409; Fri, 19 Mar 2021 09:41:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=lUJT4kZK7+BHt3 kMnlFj6chQPwc=; b=nIOfKZE2e028Roza6JVdaGnSlrZKj0853ABXVIQbpOIWCA 9aRXGW87a1HlsKN8mlHl45xCVVoiuPPi4aiCC8AVwICaoJAk0jhaekZOvt1CX7Jd Ow5kSzLBRmfvx1kG5Twuiqv96SQ2Y8wpAWOfujMM+B1HeA10UmWmqdEufoaqU=
Received: from localhost (unknown [24.28.108.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a26.g.dreamhost.com (Postfix) with ESMTPSA id D30DF7E73C; Fri, 19 Mar 2021 09:41:36 -0700 (PDT)
Date: Fri, 19 Mar 2021 11:41:34 -0500
X-DH-BACKEND: pdx1-sub0-mail-a26
From: Nico Williams <nico@cryptonector.com>
To: Eliot Lear <elear=40cisco.com@dmarc.ietf.org>
Cc: Hubert Kario <hkario@redhat.com>, uta@ietf.org
Message-ID: <20210319164133.GQ30153@localhost>
References: <004201d718e1$007959a0$016c0ce0$@gmail.com> <E4D5BAE4-6BCA-4405-B9AA-D83F0F784A81@cisco.com> <CACsn0cky0_HhD-j0GhOZ2VjuYcqoP8eXVHbFrvFm4wGOBH_c3g@mail.gmail.com> <D62376C8-9EB3-4956-8B64-7BDE99B1984F@cisco.com> <c3590f1d-9062-47e8-8d3b-683b1f599a3d@redhat.com> <5B307E1B-7A3B-4A1F-8299-4F9EF433BC8A@cisco.com> <3e24e00d-1fb6-4c60-a31f-c30235c164ce@redhat.com> <080B1D47-F30F-4C3F-8DC7-B4A67372AC6E@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <080B1D47-F30F-4C3F-8DC7-B4A67372AC6E@cisco.com>
User-Agent: Mutt/1.9.4 (2018-02-28)
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/ir2YUgNrZ1xAUGjMSfNEW97xvGk>
Subject: Re: [Uta] Depreciation (was Re: Adoption of draft-rsalz-use-san)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Mar 2021 16:41:43 -0000

On Fri, Mar 19, 2021 at 05:19:17PM +0100, Eliot Lear wrote:
> This is it for me.  Apparently you are not going to be convinced that
> the world is bigger than the web.  This is not about excuses, but the
> real world.  It is not about lawyering- few of us here, [...]

I think you've convinced yourself that there isn't a better alternative
to the one you've suggested, and so you feel justified in writing such
an aggressive reply to Hubert (which reads to me as "apparently you are
not going to be convinced that you're so very very wrong, have a nice
day").

My take is that RPs should be prepared to validate certs issued before a
certain date using the old DN rules but require SANs in certs issued
after.  This covers the extant very-long-lived certs use cases while
still making progress.

Now, there might be other extant issues, like old RPs that can't be
upgraded.  There's still room for argument.

Nico
--