Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06

Peter Saint-Andre <stpeter@stpeter.im> Mon, 27 June 2022 20:43 UTC

Message-ID: <45cf71a8-c890-695a-5469-a7d545143571@stpeter.im>
Date: Mon, 27 Jun 2022 14:43:43 -0600
To: uta@ietf.org, Viktor Dukhovni <ietf-dane@dukhovni.org>
References: <002e01d87e9c$78a002e0$69e008a0$@smyslov.net> <032e01d8878f$c2e8f630$48bae290$@smyslov.net> <A7E6035E-7BCF-4BB3-BB87-D261ED98532D@gmail.com> <ae5b3a02-bcc3-2106-a39a-b67aae55d85c@stpeter.im> <ac41a613-f802-0138-1e1b-326d2baa6574@stpeter.im> <BE6D8552-2723-4B64-9909-22C0BC32AC75@gmail.com> <8cf3b08d-478c-4cc5-be19-46cc1cc90271@stpeter.im> <YroARsHlIeR97z52@straasha.imrryr.org>
From: Peter Saint-Andre <stpeter@stpeter.im>
In-Reply-To: <YroARsHlIeR97z52@straasha.imrryr.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/zonRUPeiQFh9_Q6eoKIobKCgK9c>

On 6/27/22 1:08 PM, Viktor Dukhovni wrote:
> On Mon, Jun 27, 2022 at 12:52:00PM -0600, Peter Saint-Andre wrote:
> 
>>> Yep, we can punt the definition but then we need to address all the special cases.
>>
>> I would prefer to bring back the reference to RFC 1034.
> 
> A DNS FQDN is a sequence of dot-separated labels each of whose wire forms
> is at most 63 octets, and where the total wire length including the
> final zero length byte (terminating empty root label) is at most 255
> bytes.  Due to potential characters that need escaping, the presentation
> form of such a name can contain labels whose length exceeds 63 bytes,
> and the whole name can exceed 255 bytes.
> 
> It is not clear to me that DNS names in certificates are a priori
> constrained by the host requirements RFC which constrains hostnames to
> LDH label forms, although perhaps the scope of RFC6125bis is exclusively
> for certificates that identify end-entities that meet the host
> requirements RFC.

I'm not necessarily saying that - I'm saying only that Jeff and I tried 
to find a canonical definition of "fully-qualified domain name" and the 
best we could do was RFC 1034. Alternative proposals are welcome.

>> I'm not sure what you mean by "non-public DNS names". As for .local
>> addresses, I'm not sure who would issue certificates for those. However,
>> if you can obtain certificates for either of these name-types, then I
>> don't see why the same rules wouldn't apply.
> 
> A private CA trusted by the relying party can indeed issue certificates
> for "example.local", ...

Of course. I was thinking about public CAs.

Peter
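The wire-form limits Viktor quotes above (labels of at most 63 octets, a whole name of at most 255 octets including the terminating root label) and the gap between them and the presentation form can be made concrete with a small converter. This is an added example, not code from the thread or from any draft; it assumes RFC 1035 presentation syntax for escapes (`\DDD` for a decimal octet, `\X` for a literal character) and that the input is ASCII.

```python
def presentation_to_wire(name: str) -> bytes:
    """Wire form of a presentation-form DNS name, enforcing the limits quoted
    above: labels <= 63 octets, whole name incl. the terminating zero-length
    root label <= 255 octets. Escapes: '\\DDD' = octet DDD, '\\X' = literal X."""
    if name == ".":
        return b"\x00"  # the root name alone is just the empty root label
    data = name.encode("ascii")
    labels, label, i = [], bytearray(), 0
    while i < len(data):
        c = data[i]
        if c == 0x5C:  # backslash starts an escape sequence
            digits = data[i + 1:i + 4]
            if len(digits) == 3 and digits.isdigit():  # \DDD decimal octet
                label.append(int(digits))  # raises ValueError if DDD > 255
                i += 4
            elif i + 1 < len(data):  # \X literal, e.g. an escaped dot
                label.append(data[i + 1])
                i += 2
            else:
                raise ValueError("dangling backslash")
        elif c == 0x2E:  # an unescaped dot terminates the current label
            if not label:
                raise ValueError("empty label")
            labels.append(bytes(label))
            label = bytearray()
            i += 1
        else:
            label.append(c)
            i += 1
    if label:  # no trailing dot: flush the last label
        labels.append(bytes(label))
    wire = bytearray()
    for lab in labels:
        if len(lab) > 63:
            raise ValueError(f"label of {len(lab)} octets exceeds 63")
        wire.append(len(lab))
        wire += lab
    wire.append(0)  # zero-length root label terminates the name
    if len(wire) > 255:
        raise ValueError(f"wire form of {len(wire)} octets exceeds 255")
    return bytes(wire)


def fits_wire_limits(name: str) -> bool:
    """True when the name's wire form respects the 63/255 octet limits."""
    try:
        presentation_to_wire(name)
    except ValueError:
        return False
    return True
```

A constructed name of three labels written as 63 `\001` escapes each is 758 characters in presentation form but only 193 octets on the wire, which is the mismatch the quoted text points out.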