> On Jun 27, 2020, at 6:46 PM, Toerless Eckert <[email protected]> wrote:
>
> On Sat, Jun 27, 2020 at 11:52:20AM -0400, Russ Housley wrote:
>> Toerless:
>>
>> I think Brian actually made my point. While the field contains an email
>> address, using it as such would result in a delivery failure. The private
>> key holder cannot be reached by this address.
>
> Russ, I said:
>
>> First of all, you can if you want to,
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> Aka: Yes, if an ACP admin thinks an ACME-style challenge/reply
> email authentication mechanism is useful, then he can of course
> set up those email addresses accordingly. I did reply to that
> point exhaustively in my reply about the ACME email mechanism.
>
> Why do you ignore that answer?
You and Michael have said that MX records could be set up, but Brian says that
will lead to delivery failures. And then Ben pointed out that a single mailbox
rfcSELF@<domain> is used for all ACP identities in the domain. That has not
been resolved.
>
>> and secondly, I contest that it is a requirement to be able
>> to do that if the recipient doesn't need to support it.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
>> Think about [email protected].
>> You do want to make sure though that you are in control of
>> the electronic mail address though, and that is given for ACP
>> addresses.
>
> Where in RFC 5280 or any other generic RFC about certificates does
> it say you MUST have a mailbox that is reachable? Where does it
> say that all certificates with rfc822Name must be email boxes
> that support ACME email-style challenge-reply about the email address?
> I think this is a non-existent requirement against email addresses.
>
> Of course, [email protected] can have a certificate with
> that rfc822Name. It just can't use the ACME mechanism to be
> generated. But the signed mails sent from that address can be
> authenticated.
>
> Or there are never emails, because the email address just serves
> as identifier of an entity such as in wifi roaming identification
> and authentication. In that case you are not authenticating
> e.g.: password ownership for the email address via actual emails
> but via AAA protocols against a DNS domain known AAA server
> for the domain part of the email address.
>
> If you want to write a standards track RFC that all email addresses
> used in any X.509v3 certificate MUST support an ACME-style
> challenge/reply email, then please do that, and see if you get
> that through. It would invalidate a lot of solutions like
> those wifi roaming ones. It WOULD NOT invalidate the ACP
> solution, because as said (now several times) the ACP solution
> can perfectly be set up to support this. It just does not
> need to.
I explained my reasoning in a note yesterday in response to Brian, and it had
nothing to do with ACME.
Russ
_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima