Re: [Uta] Adoption of draft-rsalz-use-san

Eliot Lear <lear@cisco.com> Mon, 15 March 2021 09:59 UTC

From: Eliot Lear <lear@cisco.com>
Message-Id: <E4D5BAE4-6BCA-4405-B9AA-D83F0F784A81@cisco.com>
Date: Mon, 15 Mar 2021 10:58:56 +0100
In-Reply-To: <004201d718e1$007959a0$016c0ce0$@gmail.com>
Cc: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>, uta@ietf.org, uta-chairs@ietf.org
To: Valery Smyslov <smyslov.ietf@gmail.com>
References: <004201d718e1$007959a0$016c0ce0$@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/mrE-ORhTD5o36aK75FVttUlDhqA>
Subject: Re: [Uta] Adoption of draft-rsalz-use-san

Architecturally, Rich is nailing it.  We should be encouraging the use of SANs.  However, use of SANs beyond the scope of the web may not be entirely ubiquitous, and so we should either be a bit more targeted, or slow roll the other uses with some backward compatibility language.  Personally I like the latter approach.  We shouldn’t hold up deprecation across the web due to the other uses, but we should encourage those other uses to move off of subject.

If Rich and others are ok with that, I’m all for adoption.

By way of example, IEEE 802.1AR allows for the use of the subject, and some of those certs are extremely long lived.  One thing we should do is liaise this draft to the 802.1 committee so that they can prepare their base, and get their feedback about how to roll out this change.

For libraries like OpenSSL I wouldn’t mind throwing in a new flag, for instance, that would be required to validate a cert based on the subject.  That would help these other uses get over the hump over time; perhaps even with a warning of some form emitted.

Eliot

> On 14 Mar 2021, at 15:47, Valery Smyslov <smyslov.ietf@gmail.com> wrote:
> 
> Hi,
> 
> this message starts a 2-week formal adoption call for draft-rsalz-use-san.
> The call will end on Sunday 28 March.
> 
> The draft has already received some support for adoption; of course, it'll be counted.
> 
> Regards,
> Valery (for the chairs).
> 
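An example added by the editor (not code from the draft, from OpenSSL, or from either poster) of the gated fallback Eliot proposes above: a hostname matcher over the dict layout Python's ssl.getpeercert() returns, in which SAN entries are authoritative and the legacy commonName is consulted only when the caller sets an explicit flag, and then with a warning. The sample certificates and the flag name allow_cn_fallback are constructed for illustration.

```python
import warnings
from ipaddress import ip_address

class CertificateError(ValueError):
    """The presented name(s) do not cover the requested host."""

def _dns_match(pattern, hostname):
    # RFC 6125 style: a wildcard only as the whole leftmost label, matching
    # exactly one label, and never a bare domain such as '*.com'.
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix, labels = pattern[2:], hostname.split(".")
    return "." in suffix and len(labels) >= 2 and ".".join(labels[1:]) == suffix

def match_hostname(cert, hostname, allow_cn_fallback=False):
    """Return 'SAN' or 'CN' for the name type that matched, else raise.
    SAN entries are authoritative: once any SAN is present the subject CN is
    never consulted. The CN is used only when the cert has no SAN at all AND
    the caller set allow_cn_fallback (the hypothetical legacy flag); a
    DeprecationWarning then points at the call site that still needs it."""
    try:
        wanted_ip = ip_address(hostname)
    except ValueError:
        wanted_ip = None
    sans = cert.get("subjectAltName", ())
    if sans:
        for kind, value in sans:
            if kind == "DNS" and wanted_ip is None and _dns_match(value, hostname):
                return "SAN"
            if kind == "IP Address" and wanted_ip is not None and ip_address(value) == wanted_ip:
                return "SAN"
        raise CertificateError(f"{hostname!r} matches no subjectAltName entry")
    if not allow_cn_fallback:
        raise CertificateError("no subjectAltName present; commonName matching is disabled")
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if wanted_ip is None and any(_dns_match(cn, hostname) for cn in cns):
        warnings.warn(f"{hostname!r} matched only via legacy commonName; reissue with a SAN",
                      DeprecationWarning, stacklevel=2)
        return "CN"
    raise CertificateError(f"{hostname!r} matches no commonName either")

# Constructed sample certificates in the dict layout of ssl.getpeercert()
SAN_CERT = {
    "subject": ((("commonName", "legacy.example.org"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com"), ("IP Address", "192.0.2.10")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "device.example.net"),),)}
```

Note that SAN_CERT's commonName never matches anything once a SAN is present, even with the flag set, which is the behaviour RFC 6125 and the draft call for; the flag only rescues certificates that carry no SAN at all.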