Re: [Gen-art] draft-ietf-lamps-5480-ku-clarifications-01

Alissa Cooper <alissa@cooperw.in> Tue, 03 March 2020 21:09 UTC

From: Alissa Cooper <alissa@cooperw.in>
Date: Tue, 03 Mar 2020 16:09:40 -0500
Cc: Sean Turner <sean@sn3rd.com>, draft-ietf-lamps-5480-ku-clarifications.all@ietf.org, last-call@ietf.org, gen-art@ietf.org, spasm@ietf.org
To: "Dale R. Worley" <worley@ariadne.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/XCXcdDuJ-5AjAv3JM9J2ilGKfKg>

Dale, thanks for your reviews. Sean, thanks for your responses. I entered a No Objection ballot. If Dale’s questions can be clarified for non-expert readers, I think that would be good.

Alissa


> On Mar 1, 2020, at 11:00 PM, Dale R. Worley <worley@ariadne.com> wrote:
> 
> Looking at draft-ietf-lamps-5480-ku-clarifications-01, these points
> occur to me:
> 
>   1.  Introduction
> 
>   This document corrects this omission, by updating Section 3 of
>   [RFC5480] to make it clear that neither keyEncipherment nor the
>   dataEncipherment key usage bits are set for key agreement algorithms.
> 
> I think it would be more accurate to say something like "neither ... are
> set in certificates that specify key agreement algorithms" -- usage bits
> are logically a component of a certificate rather than a feature of an
> algorithm.
> 
> But it's unclear to me whether id-ecPublicKey is only used in key
> agreement certificates.  RFC 5480 states that if the cert uses id-ecDH
> or id-ecMQV and provides keyUsage, then keyAgreement must be set.  So
> it's clear that certs with id-ecDH or id-ecMQV are key agreement certs.
> But RFC 5480 says that if the cert lists id-ecPublicKey, then
> keyAgreement is optional.  That suggests to me that some certs can use
> id-ecPublicKey without being key agreement certs.  In turn, section 1 of
> this I-D suggests the I-D is not intended to apply to those certs, but
> section 3 seems to apply to them anyway.
> 
> To try to distill it to one sentence:  Can id-ecPublicKey appear in
> certs that are not for key agreement, and if so, are keyEncipherment and
> dataEncipherment allowed in the keyUsage of those certs?
> 
>   3.  Updates to Section 3
> 
>   If the keyUsage extension is present in a certificate that indicates
>   in SubjectPublicKeyInfo, then following values MUST NOT be present:
> ---^
> 
> Is "id-ecPublicKey" missing here?
> 
>   If the keyUsage extension is present in a certificate that indicates
>   id-ecDH or id-ecMQV in SubjectPublicKeyInfo, then the following
>   values also MUST NOT be present:
> 
> Is it a fact that all certificates with these three algorithms are
> certificates for key agreement?  If so, it would be nice to state that
> either in section 3 or section 1, to show how section 3 is connected
> with "for key agreement algorithms" in section 1.  Otherwise, the
> connection between the two requires information that is stated
> elsewhere.
> 
> Dale
> 
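The rule the thread is discussing, as an added example that is not part of the thread or the draft: a keyUsage consistency check for EC certificates following RFC 5480 section 3 as amended by the draft. It assumes, as Dale infers, that the name missing at the "---^" mark is id-ecPublicKey; the OIDs and the "keyAgreement required, encipherOnly/decipherOnly optional" rule for id-ecDH/id-ecMQV are taken from RFC 5480, and the inputs are the SPKI algorithm OID plus the set of keyUsage bit names (None when the extension is absent).

```python
# Added example (not from the draft or the thread): a keyUsage check for EC
# certificates per RFC 5480 section 3 plus the draft's MUST NOT clauses.
from typing import Optional

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"   # id-ecPublicKey (RFC 5480)
ID_EC_DH = "1.3.132.1.12"               # id-ecDH
ID_EC_MQV = "1.3.132.1.13"              # id-ecMQV

# Bits the draft says MUST NOT appear for any of the three EC algorithms.
NEVER_FOR_EC = {"keyEncipherment", "dataEncipherment"}
# RFC 5480 section 3: bits an id-ecPublicKey cert MAY carry (end entity / CA).
EC_PUBLIC_KEY_EE = {"digitalSignature", "nonRepudiation", "keyAgreement",
                    "encipherOnly", "decipherOnly"}
EC_PUBLIC_KEY_CA = EC_PUBLIC_KEY_EE | {"keyCertSign", "cRLSign"}
# RFC 5480 section 3: id-ecDH / id-ecMQV certs MUST carry keyAgreement and
# MAY add encipherOnly or decipherOnly; nothing else is listed as permitted.
KEY_AGREEMENT_ONLY = {"keyAgreement", "encipherOnly", "decipherOnly"}


def check_ec_key_usage(spki_oid: str, key_usage: Optional[set],
                       is_ca: bool = False) -> list:
    """Return the list of violations; an empty list means the cert is consistent."""
    if spki_oid not in (ID_EC_PUBLIC_KEY, ID_EC_DH, ID_EC_MQV):
        return []   # not an EC certificate: RFC 5480 does not apply
    if key_usage is None:
        return []   # keyUsage absent: the rules are conditional on its presence
    problems = []
    for bit in sorted(key_usage & NEVER_FOR_EC):
        problems.append(f"{bit} MUST NOT be set for EC keys")
    if spki_oid == ID_EC_PUBLIC_KEY:
        # A plain ECDSA signing cert (digitalSignature only) is fine here,
        # which is the "id-ecPublicKey without key agreement" case Dale raises.
        allowed = EC_PUBLIC_KEY_CA if is_ca else EC_PUBLIC_KEY_EE
    else:
        allowed = KEY_AGREEMENT_ONLY
        if "keyAgreement" not in key_usage:
            problems.append("keyAgreement MUST be set for id-ecDH/id-ecMQV")
    for bit in sorted(key_usage - allowed - NEVER_FOR_EC):
        problems.append(f"{bit} is not permitted for this algorithm")
    # encipherOnly/decipherOnly are only defined alongside keyAgreement.
    if key_usage & {"encipherOnly", "decipherOnly"} and "keyAgreement" not in key_usage:
        problems.append("encipherOnly/decipherOnly require keyAgreement")
    return problems


if __name__ == "__main__":
    # Constructed sample certificates: (label, SPKI OID, keyUsage bits, cA).
    for label, oid, ku, ca in [
        ("ECDSA signer", ID_EC_PUBLIC_KEY, {"digitalSignature"}, False),
        ("EC with keyEncipherment", ID_EC_PUBLIC_KEY, {"keyEncipherment"}, False),
        ("ECDH agreement", ID_EC_DH, {"keyAgreement", "encipherOnly"}, False),
    ]:
        print(label, "->", check_ec_key_usage(oid, ku, ca) or "OK")
```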