IETF Logo Mail Archive

Re: [Uta] Depreciation (was Re: Adoption of draft-rsalz-use-san)

Nico Williams <nico@cryptonector.com> Fri, 19 March 2021 16:34 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C8B0F3A19D9; Fri, 19 Mar 2021 09:34:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hBrGeZ_GQsq8; Fri, 19 Mar 2021 09:34:37 -0700 (PDT)
Received: from butterfly.birch.relay.mailchannels.net (butterfly.birch.relay.mailchannels.net [23.83.209.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 45B913A19D8; Fri, 19 Mar 2021 09:34:37 -0700 (PDT)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id D6626102957; Fri, 19 Mar 2021 16:34:35 +0000 (UTC)
Received: from pdx1-sub0-mail-a26.g.dreamhost.com (100-101-162-6.trex.outbound.svc.cluster.local [100.101.162.6]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 33CC8102748; Fri, 19 Mar 2021 16:34:34 +0000 (UTC)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from pdx1-sub0-mail-a26.g.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384) by 100.101.162.6 (trex/6.1.1); Fri, 19 Mar 2021 16:34:35 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Keen-Spill: 0dd0066e7614ef3f_1616171674579_3356746531
X-MC-Loop-Signature: 1616171674578:1568422189
X-MC-Ingress-Time: 1616171674578
Received: from pdx1-sub0-mail-a26.g.dreamhost.com (localhost [127.0.0.1]) by pdx1-sub0-mail-a26.g.dreamhost.com (Postfix) with ESMTP id D35F37F16D; Fri, 19 Mar 2021 09:34:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to:content-transfer-encoding; s= cryptonector.com; bh=RXXhJJje5c/ndfzVUP/4F6hjyXc=; b=Yd7ME86KP1S zN4c2AlFwXr5vZq3COHnd7gGd2O7nMOdc+jcqgkNgpLrUVLlR/KbIpUSxb3MdZY0 +U+Wq4Cwq640W730VeU1JNND4rzzvJfMOZf3K8eCqhtlQ8WHcWxMT4cDeu2uismz Fk9g3dQeDKgrmCW9pqXA0YmJG5rU0VMY=
Received: from localhost (unknown [24.28.108.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a26.g.dreamhost.com (Postfix) with ESMTPSA id 6488E7F409; Fri, 19 Mar 2021 09:34:31 -0700 (PDT)
Date: Fri, 19 Mar 2021 11:34:29 -0500
X-DH-BACKEND: pdx1-sub0-mail-a26
From: Nico Williams <nico@cryptonector.com>
To: Eliot Lear <lear=40cisco.com@dmarc.ietf.org>
Cc: Watson Ladd <watsonbladd@gmail.com>, uta@ietf.org, "Salz, Rich" <rsalz@akamai.com>, Valery Smyslov <smyslov.ietf@gmail.com>, uta-chairs@ietf.org
Message-ID: <20210319163428.GP30153@localhost>
References: <004201d718e1$007959a0$016c0ce0$@gmail.com> <E4D5BAE4-6BCA-4405-B9AA-D83F0F784A81@cisco.com> <CACsn0cky0_HhD-j0GhOZ2VjuYcqoP8eXVHbFrvFm4wGOBH_c3g@mail.gmail.com> <D62376C8-9EB3-4956-8B64-7BDE99B1984F@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <D62376C8-9EB3-4956-8B64-7BDE99B1984F@cisco.com>
User-Agent: Mutt/1.9.4 (2018-02-28)
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/l4_P2lg2XUD1CSBH5Mn2xNPLZo8>
Subject: Re: [Uta] Depreciation (was Re: Adoption of draft-rsalz-use-san)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Mar 2021 16:34:39 -0000

On Wed, Mar 17, 2021 at 07:53:25AM +0100, Eliot Lear wrote:
> The alternative view is that we shouldn’t break stuff or write edicts
> we know will be ignored.  AR certs are burned into products.  They’re
> NEVER going to change, and some code in some contexts need to expect
> them.  That includes, by the way, in all likelihood, the smart meter
> providing your house electricity.  Not everything is apache or a
> browser that you can take an auto-update and simply get away from bad
> code.   The world is a complex place.

A better alternative view is that certs issued before a certain date can
continue to be validated with the old rules, and certs issued after can
be required by RPs to have SANs.  A much better approach to not breaking
existing things while still making progress.

Nico
--

v2.23.0 | Report a Bug | By Email