Re: [dns-privacy] [DNSOP] RFC9103 -- extended key usage

"A. Schulze" <sca@andreasschulze.de> Sun, 04 December 2022 12:44 UTC

Date: Sun, 04 Dec 2022 13:43:02 +0100
To: DNS Privacy Working Group <dns-privacy@ietf.org>, dnsop@ietf.org
References: <20796.1670016918@localhost> <CADZyTkkLpW466AA_2iGtbG_1=Ea7Uk83KEUSwUguxrM_jcEquw@mail.gmail.com>
From: "A. Schulze" <sca@andreasschulze.de>
In-Reply-To: <CADZyTkkLpW466AA_2iGtbG_1=Ea7Uk83KEUSwUguxrM_jcEquw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/kxtW0NCc30zHhXxNqm6uja-1lWU>
Subject: Re: [dns-privacy] [DNSOP] RFC9103 -- extended key usage


Am 03.12.22 um 01:22 schrieb Daniel Migault:
> adding dns-privacy to the thread.
> Yours,
> Daniel
> 
> On Fri, Dec 2, 2022 at 4:35 PM Michael Richardson <mcr+ietf@sandelman.ca> wrote:
>     https://www.ietf.org/rfc/rfc9103.html#name-mutual-tls tells me how I could
>     use mutual TLS to authenticate (and I think, authorize) a zone transfer.
> 
>     What it does not tell me is whether there should be any Extended Key Usage
>     bits set on the certificates.  Are the WebServer/WebClient required? forbidden? tolerated?

Hello,

The e-mail ecosystem is fine with the current values.

$ openssl x509 -noout -ext extendedKeyUsage -in /path/to/mailservers/cert.pem
X509v3 Extended Key Usage:
     TLS Web Server Authentication, TLS Web Client Authentication

So I see no reason to add something like "DNSServer/DNSClient" as an Extended Key Usage.

Andreas