[dtn] PKIX Extended Key Purpose recommendations
Brian Sipos <BSipos@rkf-eng.com> Fri, 20 November 2020 17:34 UTC
Return-Path: <BSipos@rkf-eng.com>
X-Original-To: dtn@ietfa.amsl.com
Delivered-To: dtn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 647113A0B55 for <dtn@ietfa.amsl.com>; Fri, 20 Nov 2020 09:34:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=rkf-eng.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l2rh_spC51iT for <dtn@ietfa.amsl.com>; Fri, 20 Nov 2020 09:34:54 -0800 (PST)
Received: from NAM10-MW2-obe.outbound.protection.outlook.com (mail-mw2nam10on2065.outbound.protection.outlook.com [40.107.94.65]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 839443A0B45 for <dtn@ietf.org>; Fri, 20 Nov 2020 09:34:54 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=azNrhWnRBBh6NEYMqzcXW7CjsHrrcGy0hF/W3jJQmHstkZJj8N+jcitwDW5W9LXQ4j3QWZzR2Vnb3vPBnv9PUz/wjGdTjGxtuAbfSUgmCNAnAitfcP6KV/oaVtYzCNvG6MOQtZu9JsDsoD/NxoS8WSuHABanuZYprcq5cqf3tX5IBqEbbkcwpeJcWAO3/xOILZI1qNoFiCjavnqlq7QVn9ZNfCXsarDvDVdXz0jcZIo3J3sdpJFfBQywQx/8Bg9TjNpUCq+LB6UJB1K+TskjBBajRCnHkknq/RpQMbr8GRMS2kssozQXZXvyGqVoL+o8HhPR0am95T+w5AgWpQsFdg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=r0ZsFHA3EKTrWpkw8B+5GVht4k1BGbl2LoSSKuJs8rk=; b=PRWqwB2zc4Y/XU0yaZcfsAdAWxIdyfycU5vKGks70Ko/2kqDDlZkBBrh3lgpB5PQjHYlKeyBoB2k9ANqGA8FhwiC4MYaVy5Qz2PyIol8MwbnNdSXu1Hi5brFQwweBi8eVp7ifvNPerYQ+b80KmQucffiSFPQMT4f0bavosuSp7cu28pbJq8CbiqEnldUgZBqrkQfM0VPUt+dfjCjjwCXANPD3mHyi96eWh/cGtVJTsB54OsCytylZSRfmINtoCIFOe232dUhQvRBNPkj0OIzmvwpiFIuUTmA+RHcZAjr6QA++Yh/rGKMGbW/RQ6wpCWntukD0oNLQ+SFs/OSpTpAXw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=rkf-eng.com; dmarc=pass action=none header.from=rkf-eng.com; dkim=pass header.d=rkf-eng.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rkf-eng.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=r0ZsFHA3EKTrWpkw8B+5GVht4k1BGbl2LoSSKuJs8rk=; b=Sk8f7z44dn5LgRIXfNSUtAPpAWgwIIQ40m4Vu3jg7NGzx3Laxk1R+vT0PgPmPAYVKhBsc8EQdw2XijMVr4aW3AsougyEOvWHp+H/AEIxXUCp9JhlxVllsnmBaI5thTgZXVhWK/UybZvpaFjkRH/He3Svw6OuIGZylQYPq/jdK1o=
Received: from MN2PR13MB3567.namprd13.prod.outlook.com (2603:10b6:208:168::10) by BL0PR13MB4291.namprd13.prod.outlook.com (2603:10b6:208:8e::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3589.16; Fri, 20 Nov 2020 17:34:51 +0000
Received: from MN2PR13MB3567.namprd13.prod.outlook.com ([fe80::54f4:962e:10e5:a2e1]) by MN2PR13MB3567.namprd13.prod.outlook.com ([fe80::54f4:962e:10e5:a2e1%7]) with mapi id 15.20.3611.011; Fri, 20 Nov 2020 17:34:50 +0000
From: Brian Sipos <BSipos@rkf-eng.com>
To: Russ Housley <housley@vigilsec.com>
CC: "dtn@ietf.org" <dtn@ietf.org>, Benjamin Kaduk <kaduk@mit.edu>
Thread-Topic: PKIX Extended Key Purpose recommendations
Thread-Index: AQHWvv0sWy/YaK09E0Ki20F4+VZLKw==
Date: Fri, 20 Nov 2020 17:34:50 +0000
Message-ID: <MN2PR13MB3567A71AA43D243A2ED6989F9FFF0@MN2PR13MB3567.namprd13.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: vigilsec.com; dkim=none (message not signed) header.d=none;vigilsec.com; dmarc=none action=none header.from=rkf-eng.com;
x-originating-ip: [96.241.16.84]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: e5de798c-6644-4966-fc1d-08d88d7a9591
x-ms-traffictypediagnostic: BL0PR13MB4291:
x-microsoft-antispam-prvs: <BL0PR13MB42911B1E4A456D47146F30509FFF0@BL0PR13MB4291.namprd13.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: DGVAxZHjPZPEJDSDG0A4MRcNBdJfkrFGizimL88u4X76Pl94bjElReEl5rxwRWIsOo5LbBDRLtQch0T40QZcTQNsI91ue1sIugRJMMQfygzkmiHpgHbVIQ4CT62F+3ySdaZEhcCEqR853bEOWpyItxks8J43FfHytiGfT4PeCOBmSjjAd/ehs1Zj3dcHXdslDONepkkkeK9kGlM5f/PWjLCZGLrlCjXfL5O1yXr2Lup6zRWBFLDboNC0m1G0vcGgOkugwV1pPqZ7qeZpnKxAopCKEIXmAPqMW0XK0NpdTmDntmAoo7i6ayCa6TyAGidbD5bFgI7xbNmnS9/2Vc5IDIYCwFmrEnmvOwHur/+QO1yEl+lIGtQmaG+7LH1JfINzxNhQ1pFBT0lpExzybSkFGw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MN2PR13MB3567.namprd13.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(136003)(346002)(39830400003)(376002)(396003)(86362001)(52536014)(8936002)(6916009)(19627235002)(5660300002)(966005)(9686003)(55016002)(4326008)(83380400001)(71200400001)(54906003)(478600001)(6506007)(7696005)(8676002)(64756008)(66476007)(33656002)(76116006)(66946007)(19627405001)(166002)(66446008)(66556008)(26005)(316002)(2906002)(186003); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: fmGIBmvZjP9bBdekPSvLTm0s7LQyjhQ+WLWwJiUQum9F3lrIHBcXPHi4V99PJ4vCl1+sq1hBC7/hcGYqmegihYq4CFepNrTS8s2bLvVLgv+4qusimP5gFHVRUbmZHZWmYFDXD6LWcE06rAK+0ruqA3FiaDiqLfzMyr5QlK52xTfn5teLW3Md4ol0C4rcdopAjQQ3+Gy38nrN+YWlV+gzg4co+1H32M8LHno6rk8Zl99Mpvx1GfOIB5GCD5dpgYnkh0ZGfqvV3MXKYIFqtuYTUKT8IBG7ispyYCCbpNIMIirrT537n6I8PEsoVmKYLUiNo7o2g9H6uM6s5bfJ4RQ2r5UAxJs/2NOE9MdrB7mkOmtKAk86Ft2TUAGt7FcC/C1mfRLWNHajDQp/FhswPESl22foXBTLLuvKVGh3iVf9wIQ8H5F1GnVoddu2N6IcdBIhudibPkP5F07uDYcXyHpbrhHEQh9qYpDa81Ij8+mfcaS9m0et4hnT5MT7+MrR3w4oN/Sv3et8+xht1he5MoEhgf4W5kLs8HaxcmrF0/6gWMNfAWKODPOmqF+qP7XyIACg9EzVPSCT/1bFV+xOmyE/EosZ50hlpswMzY+SSolQuOZOpnGucp1f3odoP/ziEUmNrmIW6my15LlFGSBPx1Z5r/oCdt6xcdZHMUJeYwLS8LqdnlxikrgbehWTP7TRyC4AIlksax28RFaES5o/A8pRw4dRbadFSASLxEpN9S6x77SgpDEH6VnHCeF10+pY/doLVOjnkE7cg3uAyFk3GPStM6TsA5A927KI4GuVSLB4wIz1aJPMF5LvK2g8QxUfn8KL76sZBqcgjIQFqw7rCZrZ+2Ta5O4OxetrPATqhmTrtvakqvP3fJEsC6NhiDIaeRrgnBasIwzpw0D+86U1QNCceQ==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_MN2PR13MB3567A71AA43D243A2ED6989F9FFF0MN2PR13MB3567namp_"
MIME-Version: 1.0
X-OriginatorOrg: rkf-eng.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MN2PR13MB3567.namprd13.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: e5de798c-6644-4966-fc1d-08d88d7a9591
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Nov 2020 17:34:50.7014 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4ed8b15b-911f-42bc-8524-d89148858535
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: TjomoMAaC1dVlYCvetpOucKVIWMMdQmRUI77+8lyIm6XCqjQmuVLsA6XMi9YkJyvuotJEAPSAQnjoaLkNYP9VA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL0PR13MB4291
Archived-At: <https://mailarchive.ietf.org/arch/msg/dtn/mVid6VVcf9Z3vGXHbmPD_FYjkiM>
Subject: [dtn] PKIX Extended Key Purpose recommendations
X-BeenThere: dtn@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Delay Tolerant Networking \(DTN\) discussion list at the IETF." <dtn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtn>, <mailto:dtn-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dtn/>
List-Post: <mailto:dtn@ietf.org>
List-Help: <mailto:dtn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtn>, <mailto:dtn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Nov 2020 17:34:56 -0000
Russ, I was referred to you from Ben Kaduk regarding the design and use of a new PKIX Extended Key Purpose. The use cases for this new purpose are for the IETF DTN WG (CCd on this email) and currently fall under three categories: bundle transport security (using TLS), bundle integrity (signing), and bundle confidentiality (encryption). The idea is that a new OID is allocated for "DTN Security" and this would be present in the EKU to indicate that a CA has verified the key holder to be trusted to run a DTN node. There is an open question as to whether there is enough distinction between a purpose of "generating or accepting security blocks" and the purpose of "transporting a whole bundle untouched". The good news for rationale and understanding of these uses are that they are very similar to SMTP/TLS [1] and S/MIME [2] respectively. Although it appears that the id-kp-emailProtection OID was only ever specified for S/MIME and not for email transport between MTAs. I don't know what kinds of policies SMTP MTAs have with regard to PKIX certificates, even recent MTA-STS spec [3] doesn't define or reference a more detailed PKIX profile and doesn't mention any X.509 extensions at all. The bad news is that in some very simple testing of adding a new purpose OID I see that OpenSSL, which is used by both of my reference libraries Qt5 and python "ssl" package, appears to assume [4] that when I want "TLS on a socket" what I mean is "TLS for Web client/server purposes" and requires either id-kp-serverAuth or id-kp-clientAuth. There also appear to be quite a number of other implicit uses of the Web purposes in OpenSSL and no real access via higher-level APIs to affect this. The other key purposes seem to be usable only through different APIs unrelated to TLS. Ben originally referred me to [5] as an example of allocating new OIDs for another recent use of TLS for RPC. That draft doesn't really have a PKIX profile for how the new purposes inter-relate with existing purposes or how validation should treat the new purposes relative to pre-existing purposes. All that said, the short question is: is there value in allocating an extended key purpose for DTN security? If so, how much detail for a certificate profile and/or validation logic is either necessary or useful relative to any new purpose? Thanks for any help or guidance, Brian S. [1] https://tools.ietf.org/html/rfc3207 [2] https://tools.ietf.org/html/rfc8550#section-4.4.4 [3] https://tools.ietf.org/html/rfc8461 [4] https://github.com/openssl/openssl/blob/master/ssl/ssl_cert.c#L418 [5] https://tools.ietf.org/html/draft-ietf-nfsv4-rpc-tls-10
- [dtn] PKIX Extended Key Purpose recommendations Brian Sipos
- Re: [dtn] PKIX Extended Key Purpose recommendatio… Russ Housley
- Re: [dtn] PKIX Extended Key Purpose recommendatio… Brian Sipos
- Re: [dtn] PKIX Extended Key Purpose recommendatio… Benjamin Kaduk
- Re: [dtn] PKIX Extended Key Purpose recommendatio… Brian Sipos