Hi, I have had a few conversations with Toerless, who is trying to deal with the feedback on the ACP document.

An item that has come up is the use, or claimed abuse, of the rfc822Name SAN.

We already had this debate. Some time ago. The WG decided. Three or four years ago, I think.

I sure wish that we could use something else. But CAs and CA software make that very difficult.

Given that the era of publicly anchored Enterprise CAs is dead, there are only two ways an (Enterprise) ACP Registrar is going to occur.

1) By running a private CA. Sure, anything is possible if you are writing your own code, but most will not be doing that. (I've supported otherName in my code for other purposes, and it's not that difficult, but it's not trivial either.) My experience with COTS CA systems is that it's really hard to get them to do it. Please prove me wrong. The most popular Enterprise CA software is the Microsoft CA.

2) By using ACME to speak to a hosted CA. Maybe WebPKI, maybe not. Either way, getting otherName supported is even harder, because nobody else uses it.

If we can't depend upon otherName being filled in, then we have to look for two things. That means more code paths (two more) to test, more test vectors, and what exactly does an end point do when both are present, BUT THEY DO NOT MATCH? So three more pages of text there.

Remember, just rejecting the certificate means that we have to send out a truck, which is what ACP aims to avoid, so that won't be popular. And of course, there could also be bugs (maybe even CVEs) in the code that tries to deal with the tie.

--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =-
_______________________________________________
Anima mailing list
https://www.ietf.org/mailman/listinfo/anima
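The post argues that accepting either an otherName or an rfc822Name SAN forces two parsing paths plus a tie-breaking rule for the case where both are present and disagree. The following Python is an added example, not code from the thread or from any ACP implementation: it builds and parses a DER-encoded SubjectAltName GeneralNames structure with a minimal hand-written TLV reader, then classifies what a verifier sees (otherName only, rfc822Name only, both agreeing, both disagreeing, neither). It assumes the ACP node-name otherName type-id is id-on-AcpNodeName (1.3.6.1.5.5.7.8.10) as in the published RFC 8994; the draft under discussion may differ. All sample names are constructed.

```python
"""Constructed example: parse SubjectAltName GeneralNames and classify the
otherName / rfc822Name combinations a verifier may encounter."""

# Assumption: ACP node-name otherName type-id from RFC 8994 (id-on-AcpNodeName).
ACP_NODE_NAME_OID = "1.3.6.1.5.5.7.8.10"

# DER tags used inside GeneralNames (RFC 5280, section 4.2.1.6).
TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_UTF8STRING = 0x0C
TAG_IA5STRING = 0x16
TAG_OTHERNAME = 0xA0    # [0] IMPLICIT, constructed (replaces the SEQUENCE tag)
TAG_RFC822NAME = 0x81   # [1] IMPLICIT IA5String
TAG_DNSNAME = 0x82      # [2] IMPLICIT IA5String
TAG_EXPLICIT0 = 0xA0    # [0] EXPLICIT wrapper around OtherName.value


def _tlv(tag, body):
    """Encode one DER TLV, using the long length form when needed."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def _decode_oid(raw):
    arcs = [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def build_general_names(rfc822=None, acp_node=None, dns=None):
    """Build a DER GeneralNames SEQUENCE from the given (constructed) names."""
    names = b""
    if acp_node is not None:
        other = _tlv(TAG_OID, _encode_oid(ACP_NODE_NAME_OID))
        other += _tlv(TAG_EXPLICIT0, _tlv(TAG_IA5STRING, acp_node.encode("ascii")))
        names += _tlv(TAG_OTHERNAME, other)
    if rfc822 is not None:
        names += _tlv(TAG_RFC822NAME, rfc822.encode("ascii"))
    if dns is not None:
        names += _tlv(TAG_DNSNAME, dns.encode("ascii"))
    return _tlv(TAG_SEQUENCE, names)


def parse_general_names(der):
    """Return a list of (kind, value) pairs; otherName values are (oid, text)."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("GeneralNames must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag == TAG_RFC822NAME:
            out.append(("rfc822Name", val.decode("ascii")))
        elif tag == TAG_DNSNAME:
            out.append(("dNSName", val.decode("ascii")))
        elif tag == TAG_OTHERNAME:
            _, oid_raw, p = _read_tlv(val, 0)        # type-id
            _, inner, _ = _read_tlv(val, p)           # [0] EXPLICIT value
            vtag, vraw, _ = _read_tlv(inner, 0)
            text = vraw.decode("utf-8") if vtag in (TAG_IA5STRING, TAG_UTF8STRING) else vraw.hex()
            out.append(("otherName", (_decode_oid(oid_raw), text)))
        else:
            out.append(("unsupported", tag))
    return out


def acp_identity(names):
    """Classify the SAN combination: which path the verifier is on, and the identity.
    'mismatch' is the tie case the post warns about; the caller decides what to do."""
    other = [v[1] for k, v in names if k == "otherName" and v[0] == ACP_NODE_NAME_OID]
    mail = [v for k, v in names if k == "rfc822Name"]
    if other and mail:
        return ("mismatch", None) if other[0] != mail[0] else ("both", other[0])
    if other:
        return ("otherName", other[0])
    if mail:
        return ("rfc822Name", mail[0])
    return ("absent", None)


if __name__ == "__main__":
    node = "fd89b714f3db00000200000064000000+area51.research@acp.example.com"  # constructed
    print(acp_identity(parse_general_names(build_general_names(rfc822=node, acp_node=node))))
    print(acp_identity(parse_general_names(build_general_names(rfc822="[email protected]", acp_node=node))))
```

The point of `acp_identity` returning a status rather than a verdict is exactly the post's concern: once both encodings are allowed, the verifier needs a documented rule for the mismatch case, and that rule (reject, prefer otherName, prefer rfc822Name) has operational consequences that the code alone cannot decide.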
