[secdir] Secdir last call review of draft-ietf-lamps-automation-keyusages-04
Carl Wallace via Datatracker <noreply@ietf.org> Fri, 07 February 2025 10:55 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from mail2.ietf.org (mail2.ietf.org [166.84.6.31]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPSA id BB862C1CAE74; Fri, 7 Feb 2025 02:55:26 -0800 (PST)
Received: from mail.ietf.org (mail.ietf.org [50.223.129.194]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (prime256v1) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPSA id 1535131940; Fri, 07 Feb 2025 10:55:26 +0000 (UTC)
Received: from [10.244.8.212] (unknown [104.131.183.230]) by ietfa.amsl.com (Postfix) with ESMTP id 18F7BC1CAE74; Fri, 7 Feb 2025 02:55:25 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Carl Wallace via Datatracker <noreply@ietf.org>
To: secdir@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 12.35.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <173892572466.443.6318444420906288872@dt-datatracker-75c44cbbdf-pxnd6>
Date: Fri, 07 Feb 2025 02:55:24 -0800
Message-ID-Hash: G3UR3KHHJPOOJA2YXQCYUK4KEF3D4J42
X-Message-ID-Hash: G3UR3KHHJPOOJA2YXQCYUK4KEF3D4J42
X-MailFrom: noreply@ietf.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-secdir.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: draft-ietf-lamps-automation-keyusages.all@ietf.org, last-call@ietf.org, spasm@ietf.org
X-Mailman-Version: 3.3.9rc6
Reply-To: Carl Wallace <carl@redhoundsoftware.com>
Subject: [secdir] Secdir last call review of draft-ietf-lamps-automation-keyusages-04
List-Id: Security Area Directorate <secdir.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/tO79hVETdUAfvkjUgROZm3qwKI4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Owner: <mailto:secdir-owner@ietf.org>
List-Post: <mailto:secdir@ietf.org>
List-Subscribe: <mailto:secdir-join@ietf.org>
List-Unsubscribe: <mailto:secdir-leave@ietf.org>
Reviewer: Carl Wallace Review result: Has Nits The draft defines four new object identifiers for use with the extended key usage extension defined in RFC 5280. The mechanism in the draft is fine and the security considerations section seem adequate but the draft could use some editing. A few suggestions are below. Intro - Expand ERJU - The first sentence is correct but perhaps should note the extension is defined there too. Maybe: RFC 5280 defines the ExtendedKeyUsage extension and several extended key purpose identifiers (KeyPurposeIds) for use with that extension in X.509 certificates. Section 1 - The first sentence of the fourth paragraph is not quite right. Suggest "specifies several extended key usages" instead of "specifies several key usage extensions." - In the second sentence replace "Key usage extensions" with "KeyPurposeIds." - s/management of trust anchor/management of trust anchors - s/if the file is signed/if the file is verified - Suggest adding "or in ExtendedKeyUsage extensions that have been marked critical" to the end of the second sentence in the next to last paragraph. Suggest dropping "or misusing" in the same sentence. - The last two sentences of the last paragraph are overly broad. As written, I could elect to use any of these KeyPurposeIds for any purpose I want to. That can't be the intention and it's in direct conflict with the first paragraph of Section 3. Suggest deleting those sentences. I suspect the point was to address combination of KeyPurposeIds. If this is correct, maybe: "This specification does not prohibit combining the KeyPurposeIds defined in this specification with any other KeyPurposeId. Such restrictions may be imposed by other technical standards or certificate policies." This point is already made in section 3, though, so deletion is fine too. Section 3 - s/keyPurposeId's/KeyPurposeIds - s/KeyPurposeId's/KeyPurposeIds - In the last paragraph, the should in the first sentence should probably be SHOULD. - Why are keyEncipherment and keyAgreement mentioned in this draft? All of the KeyPurposeIds are focused on signature usage. Suggest: All certificates containing one of the KeyPurposeIds defined in this specification MUST also feature a KeyUsage extension that asserts the digitalSignature value. Section 5 This section does not add much. Admonishing a CA to include "correct" values for EKU and KU extensions is not necessary. The point about combinations is already made in Section 3. Section 6 s/reduces existing/reduce existing
- [secdir] Secdir last call review of draft-ietf-la… Carl Wallace via Datatracker
- [secdir] Re: Secdir last call review of draft-iet… Brockhaus, Hendrik
- [secdir] Re: Secdir last call review of draft-iet… Carl Wallace
- [secdir] Re: Secdir last call review of draft-iet… Brockhaus, Hendrik