IETF Logo Mail Archive

Re: [rfc-i] RECOMMENDS

Michael Richardson <mcr+ietf@sandelman.ca> Wed, 03 January 2024 15:41 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: rfc-interest@ietfa.amsl.com
Delivered-To: rfc-interest@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC541C31E88B for <rfc-interest@ietfa.amsl.com>; Wed, 3 Jan 2024 07:41:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.407
X-Spam-Level:
X-Spam-Status: No, score=-4.407 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z4MdRv3TalrJ for <rfc-interest@ietfa.amsl.com>; Wed, 3 Jan 2024 07:41:23 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B7289C31E888 for <rfc-interest@rfc-editor.org>; Wed, 3 Jan 2024 07:41:23 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 458EF18010; Wed, 3 Jan 2024 10:41:21 -0500 (EST)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id Rm2IMa0wtWu5; Wed, 3 Jan 2024 10:41:19 -0500 (EST)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 5016F1800C; Wed, 3 Jan 2024 10:41:19 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sandelman.ca; s=mail; t=1704296479; bh=gMJH8CdJjBtsnjXJYAq7FJbZIK/n7tw+G76YvsXaBWw=; h=From:To:Subject:In-Reply-To:References:Date:From; b=k8Kj7YrMtOJ0nHnJqbupblA7eAQKgvddvfyFNgm5sqvErXJRHW74uxryzQParXHud SPNLpYHVd3Jv0kVV9BoPdhP9SZ4LT/zEaIQDC7E6m2FqweLajqG16Ec/HjpYgAVZ3Y d85kwmBeNSbShcv/8fmjIAOl7eDRZJnduBOxdbDUNHCxFqCQ8OyaEoPgdXCt+3Ylvt 0AQlZHoqwegdsUkp90XcPrOjZxF/Zzji+NqpEuAegSkQy7/JInHSPlcQbAhcTTE0gF SrXd7/j6zlZDDC7L12muUW2zkHk8KZrKrgmINpOVjs9m7nbpem/HJS/dsdwXwTbFlp yH48J6pMsCvvw==
Received: from obiwan.sandelman.ca (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 44D88DA; Wed, 3 Jan 2024 10:41:19 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Robert Sparks <rjsparks@nostrum.com>, Brian Carpenter <brian.e.carpenter@gmail.com>, Julian Reschke <julian.reschke=40gmx.de@dmarc.ietf.org>, RFC Interest <rfc-interest@rfc-editor.org>
In-Reply-To: <d27bf8eb-9fce-41d2-9895-33d8f0ec9fac@nostrum.com>
References: <d2c2ffee-1af6-8441-7486-06115542690d@gmail.com> <13079.1704159169@obiwan.sandelman.ca> <ccb81ba5-d09c-a849-c32e-aaaa16cde968@gmail.com> <DM6PR02MB43774EE37D2FCB4C10A581F7D861A@DM6PR02MB4377.namprd02.prod.outlook.com> <c49f652f-e370-4e61-8e14-a8c61079617f@gmx.de> <CANMZLAZu_xTGor6tZdSE3RiW+gRvEN-snYLepgU_HQxL2EgcnQ@mail.gmail.com> <d27bf8eb-9fce-41d2-9895-33d8f0ec9fac@nostrum.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 28.2
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Wed, 03 Jan 2024 10:41:19 -0500
Message-ID: <18687.1704296479@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rfc-interest/qGC0obZGIfYw-ts6xGtn_A37w5I>
Subject: Re: [rfc-i] RECOMMENDS
X-BeenThere: rfc-interest@rfc-editor.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "A list for discussion of the RFC series and RFC Editor functions." <rfc-interest.rfc-editor.org>
List-Unsubscribe: <https://mailman.rfc-editor.org/mailman/options/rfc-interest>, <mailto:rfc-interest-request@rfc-editor.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rfc-interest/>
List-Post: <mailto:rfc-interest@rfc-editor.org>
List-Help: <mailto:rfc-interest-request@rfc-editor.org?subject=help>
List-Subscribe: <https://mailman.rfc-editor.org/mailman/listinfo/rfc-interest>, <mailto:rfc-interest-request@rfc-editor.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jan 2024 15:41:28 -0000

Hmm.
I'm responsible for the RFC8995 use of RECOMMENDS, in it's full context is:

   Sections 7.2.13 (2009 edition) and 8.10.3 (2018 edition) of [IDevID]
   discuss keyUsage and extendedKeyUsage extensions in the IDevID
   certificate.  [IDevID] acknowledges that adding restrictions in the
   certificate limits applicability of these long-lived certificates.
   This specification emphasizes this point and therefore RECOMMENDS
   that no key usage restrictions be included.  This is consistent with
   [RFC5280], Section 4.2.1.3, which does not require key usage
   restrictions for end-entity certificates.

in the list that Brian posted, it seems to be the youngest use :-)

We could have worded it:
   This specification emphasizes this point and therefore it is RECOMMENDED
   that no key usage restrictions be included.  This is consistent with

There definitely ought to be an "or else" for each SHOULD, and the "or else"
here is that it likely will fail to interoperate with anything that is
enforcing EKU.  In our case, that is actually what the IDevID document(s)
say, so we avoided repeating ourself, and I think that's okay.
Using "SHOULD NOT" we could have written:

   This specification emphasizes this point and key usage restrictions SHOULD
   NOT be included.  This is consistent with...

I think that these revisions would have been just fine.
I mostly agree with a few people (who unicasted me) that "it's all fine"

Where I agree with Brian: "grep" and non-english speakers who wonder if there
is some difference.  And the XML/HTML markup needs fixing.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

v2.23.0 | Report a Bug | By Email