IETF Logo Mail Archive

Re: [Uta] Depreciation (was Re: Adoption of draft-rsalz-use-san)

Hubert Kario <hkario@redhat.com> Fri, 19 March 2021 16:02 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9BCDD3A193C for <uta@ietfa.amsl.com>; Fri, 19 Mar 2021 09:02:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.368
X-Spam-Level:
X-Spam-Status: No, score=-2.368 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.248, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IwGG_JLcUvF8 for <uta@ietfa.amsl.com>; Fri, 19 Mar 2021 09:02:02 -0700 (PDT)
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [216.205.24.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 305EF3A193A for <uta@ietf.org>; Fri, 19 Mar 2021 09:02:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1616169721; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=FgGDegUl7ZOCpNIqNRc9UA0dmd8mQGZ0W2So80k7Hv8=; b=IpfgWWXQ+9MIPvH6RANSzwKLhS7c3OzJm+JHs8NLWZJh4I7FQIsrLXLNg8uBx2XMR5eiFq 8FHtKnJhAww+L3L5wU9ZRJqvZgOluXhfqCc6PK18gImiT6hfjgLSekbkvLcMWum/GGS3VC Qq701Yu75x+57HeI1XH5DRQ0RZkzRqs=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-463-O3aARadDMXWIdyXyERMxwQ-1; Fri, 19 Mar 2021 12:01:59 -0400
X-MC-Unique: O3aARadDMXWIdyXyERMxwQ-1
Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 24162107ACCD; Fri, 19 Mar 2021 16:01:58 +0000 (UTC)
Received: from localhost (unknown [10.40.208.49]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 694AA60871; Fri, 19 Mar 2021 16:01:56 +0000 (UTC)
From: Hubert Kario <hkario@redhat.com>
To: "Eliot Lear (elear)" <elear@cisco.com>
Cc: uta@ietf.org
Date: Fri, 19 Mar 2021 17:01:54 +0100
MIME-Version: 1.0
Message-ID: <3e24e00d-1fb6-4c60-a31f-c30235c164ce@redhat.com>
In-Reply-To: <5B307E1B-7A3B-4A1F-8299-4F9EF433BC8A@cisco.com>
References: <004201d718e1$007959a0$016c0ce0$@gmail.com> <E4D5BAE4-6BCA-4405-B9AA-D83F0F784A81@cisco.com> <CACsn0cky0_HhD-j0GhOZ2VjuYcqoP8eXVHbFrvFm4wGOBH_c3g@mail.gmail.com> <D62376C8-9EB3-4956-8B64-7BDE99B1984F@cisco.com> <c3590f1d-9062-47e8-8d3b-683b1f599a3d@redhat.com> <5B307E1B-7A3B-4A1F-8299-4F9EF433BC8A@cisco.com>
Organization: Red Hat
User-Agent: Trojita/0.7-git; Qt/5.14.2; xcb; Linux; Fedora release 32 (Thirty Two)
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13
Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=hkario@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/w_aZLAAXvggYef5DGlVFuUscENM>
Subject: Re: [Uta] Depreciation (was Re: Adoption of draft-rsalz-use-san)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Mar 2021 16:02:04 -0000

On Friday, 19 March 2021 15:12:25 CET, Eliot Lear (elear) wrote:
>
>> On 19 Mar 2021, at 12:20, Hubert Kario <hkario@redhat.com> wrote:
>> 
>> it's also a place that needs to keep on moving forward as new attacks and
>> more powerful computers come into light every year
>
> Sure.  That’s why I support the draft.
>
>> 
>>>> which nothing short of
>>>> MUST NOT seems to get across.
>>> 
>>> Why would you think that in this case?  The IEEE has been 
>>> remarkably good at tracking our work, as have a  great many 
>>> other organizations, but for uses you’ve never considered.  
>>> That’s why code like OpenSSL is deployed in places you’ve 
>>> never heard of.  And while you’re right, we’re not the 
>>> protocol police, it’s bad when we give developers advice they 
>>> simply cannot follow because they live in the real world.
>> 
>> they also need to accept the reality that their use-case is a niche use
>> case for the whole ecosystem, so not all things will align nicely and not
>> all advice will be applicable to them
>
> Is it?  There are hundreds of millions of devices that cover 
> this use case, and that number is accelerating.

and how it's a good thing that the number of devices that can't have their
software updated is accelerating?

>> 
>> so maybe, we should give them a little bit of credit and 
>> assume that they are
>> able to differentiate stuff that makes sense in their context from stuff
>> that's applicable to the web in general
>
> And herein lies the problem: either this document is intended 
> for the “web” or it is intended to be general.  The two are not 
> the same.  I like scoping this document broadly, though, to mark 
> what is currently a best practice.  And THEN you can give those 
> people credit for doing the right thing, because they largely 
> have in the past.
>
> To be clear: this is a bit of a juggernaut.  The idea that a 
> device identity survives through the entire lifetime of a device 
> very much depends on what that lifetime is.  Toys and IT 
> equipment have 3-5 year lifetimes.  Some sensors have six week 
> lifetimes.  Some stuff in the ground has 40-50 year lifetimes, 
> and some mechanical tools like presses have 120 year lifetimes.
>
> So sure.  802.1AR is going to need to evolve around these 
> concepts.  But let’s please just recognize the reality we face, 
> that the currently deployed systems are going to be around for 
> quite a while, they will continue to verify as they do, and 
> their certs won’t change, at least for onboarding purposes.

the whole point of it is to say: this is how you this TLS stuff,
if you don't do it like this, you really should have a good excuse

but it's not IETF job to find those excuses, and it's not IETF job to
ensure that you're able to use IETF protocols, unchanged, for 50
years

now, just because you have an excuse, doesn't mean you don't have a
liability, just like the people that run lathes or presses using
Windows 95 PCs
-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic

v2.23.0 | Report a Bug | By Email