On 16-Jun-20 12:20, Michael Richardson wrote:
>
> Hi, I have had a few conversations with Toerless who is trying to deal with
> the feedback on the ACP document.
>
> An item that has come up is the use, or claimed abuse of the rfc822Name SAN.
>
> We already had this debate.
> Some time ago. The WG decided.
> Three or four years ago, I think.
Yes, this is relitigating an issue that was resolved a long time ago in
discussing Ben's DISCUSS:
https://mailarchive.ietf.org/arch/msg/anima/lnZ-ykqas487qih86sYNVsUGbsc

The explanation is at
https://tools.ietf.org/html/draft-ietf-anima-autonomic-control-plane-24#page-26

I believe it is incorrect IETF process to rediscuss this point yet again.

   Brian

> I sure wish that we could use something else.
> But, CAs and CA software make that very difficult.
>
> Given that the era of publicly anchored Enterprise CAs is dead, there are
> only two ways an (Enterprise) ACP Registrar is going to occur.
>
> 1) by running a private CA.
>    Sure anything is possible if you are writing your own code, but
>    most will not be doing that. (I've supported otherName in my code for
>    other purposes, and it's not that difficult, but it's not trivial either)
>    My experience with COTS CA systems is that it's really hard to
>    get them to do it. Please prove me wrong.
>    The most popular Enterprise CA software is the Microsoft CA.
>
> 2) by using ACME to speak to a hosted CA. Maybe WebPKI, maybe not.
>    Either way, getting otherName supported is even harder, because
>    nobody else uses it.
>
> If we can't depend upon otherName being filled in, then we have to look for
> two things. That means more code paths (two more) to test, more test
> vectors, and what exactly does an end point do when both are present, BUT
> THEY DO NOT MATCH? So three more pages of text there.
> Remember, that just rejecting the certificate means that we have to send out
> a truck, which is what ACP aims to avoid, so that won't be popular.
> And of course, there could also be bugs (maybe even CVEs) in the code that
> tries to deal with the tie.
>
> --
> Michael Richardson <[email protected]>, Sandelman Software Works
>  -= IPv6 IoT consulting =-
>

_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima
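Michael's question above about what an endpoint does when the name is carried as rfc822Name and as otherName but the two disagree, as an added example that is not code from the thread or from the ACP draft: a stdlib-only parser for a SubjectAltName extension value that extracts both forms and then reports the outcomes the mail counts (one form only, both agreeing, both disagreeing, neither). The SAN bytes are constructed inside the block, and the otherName OID is a placeholder, not the OID the draft assigns.

```python
# Added example (not code from the thread or the ACP draft), stdlib only.
from typing import Optional, Tuple
ACP_OTHERNAME_OID_DER = bytes.fromhex("2a0304")  # PLACEHOLDER OID 1.2.3.4, not the draft's

def _tlv(tag: int, body: bytes) -> bytes:  # one DER TLV; short-form length suffices here
    return bytes([tag, len(body)]) + body

def san_with(rfc822: Optional[str] = None, other: Optional[str] = None) -> bytes:
    """Construct a SubjectAltName value carrying any combination of the two forms."""
    names = b""
    if other is not None:  # [0] IMPLICIT OtherName { type-id OID, value [0] EXPLICIT UTF8String }
        names += _tlv(0xA0, _tlv(0x06, ACP_OTHERNAME_OID_DER)
                      + _tlv(0xA0, _tlv(0x0C, other.encode("utf-8"))))
    if rfc822 is not None:  # [1] IMPLICIT IA5String
        names += _tlv(0x81, rfc822.encode("ascii"))
    return _tlv(0x30, names)

def _der_children(body: bytes):  # content of a constructed DER value -> [(tag, value)]
    pos, out = 0, []
    while pos < len(body):
        tag, length, pos = body[pos], body[pos + 1], pos + 2
        if length & 0x80:  # long-form length: low 7 bits give the byte count
            n = length & 0x7F
            length, pos = int.from_bytes(body[pos:pos + n], "big"), pos + n
        out.append((tag, body[pos:pos + length]))
        pos += length
    return out

def extract_names(san_der: bytes) -> Tuple[Optional[str], Optional[str]]:
    """Return (rfc822Name, ACP otherName) found in a SubjectAltName value."""
    (tag, body), = _der_children(san_der)
    assert tag == 0x30, "SubjectAltName must be a SEQUENCE OF GeneralName"
    rfc822 = other = None
    for t, v in _der_children(body):
        if t == 0x81:
            rfc822 = v.decode("ascii")
        elif t == 0xA0:
            (oid_tag, oid), (_, explicit) = _der_children(v)
            if oid_tag == 0x06 and oid == ACP_OTHERNAME_OID_DER:
                other = _der_children(explicit)[0][1].decode("utf-8")
    return rfc822, other

def acp_peer_name(san_der: bytes) -> Tuple[str, Optional[str]]:
    """The code paths the mail counts: one form, both agreeing, both disagreeing."""
    rfc822, other = extract_names(san_der)
    if rfc822 is None and other is None:
        return "missing", None
    if rfc822 is not None and other is not None and rfc822 != other:
        return "mismatch", None  # reported to the caller, never silently resolved
    return "ok", other if other is not None else rfc822
```

Each verdict is a separate branch to test, which is the point of the mail: supporting both forms means the rfc822Name-only path, the otherName-only path, and an explicit rule for the conflicting case.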
