IETF Logo Mail Archive

Re: [lamps] Call for adoption for draft-ito-documentsigning-eku

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Thu, 18 November 2021 17:52 UTC

Return-Path: <prvs=79562806c6=uri@ll.mit.edu>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 393A33A0910 for <spasm@ietfa.amsl.com>; Thu, 18 Nov 2021 09:52:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VV3iLTkbbl3F for <spasm@ietfa.amsl.com>; Thu, 18 Nov 2021 09:52:36 -0800 (PST)
Received: from MX3.LL.MIT.EDU (mx3.ll.mit.edu [129.55.12.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD9E33A08ED for <spasm@ietf.org>; Thu, 18 Nov 2021 09:52:35 -0800 (PST)
Received: from LLEX2019-3.mitll.ad.local (llex2019-3.llan.ll.mit.edu [172.25.4.125]) by MX3.LL.MIT.EDU (8.16.1.2/8.16.1.2) with ESMTPS id 1AIHqXnj316767 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL) for <spasm@ietf.org>; Thu, 18 Nov 2021 12:52:33 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=gKWZc6UdF27OPATxi7Xti3BClVVSfDiRCZBM8F+X6oORPxkNbdPjr/nXAIwy1ugu1flKzYQPLG353TXGm6aWXrnpa00TRNjM2Bk9MjRdRMfvWS+r4Rmjz3fZnmbjmdgSKY00G+2d6rBUx5+Q3107/w1GTKpZO71ialBZ1YlZqeT6LE8AQfukiC87inbafBnNx+hqaCrU7S+SMDjH3CKRHGVT/2JMNH7eQeLCvCWZMVgdTTu+ElmPwNUKJ5QyfpAkeTQ0Ijx3JNw6DvvwcciG5O+Qz6lKfn5x33qpTkL9WiG6QTo2ibdqzRxJxU+1+uqUtbc0urX7lzHbqlz29zQ6fg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=rpBSdG1svbD34ILc/NjQ7ylF9E9tXQZAzVAACdEJJic=; b=MNCp0DYOVZ7d8pig7IMWl/diatIiYRDubsYJgWBlgsoJFHVdCB31owECEPBN2e3Dq2dp9wcrdRMQ2H5tesqvRb+L3kzXKCBnXAUP97dwYWFhB4349aA5F9k21bxZjTkEwmk9r1awRWZG/owxTpidFVzkHd1+6mHHJKvT5CZVWxzW9J7f62/GmTyy59jLiL3OM9q4zmsQvAlWDaQ0jcYnCs4SSUSZf/ZdAtHCamsYbRgd5VOS/g23shOjCj8sFNbgHH4tIzoh0w2ynTmcQg3OjLp8o3Ids3FWvZz2ynCE179lrVVE+zXKtRmClFu2JAHg5pqBrdyvs3rynFj6cpQzLQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ll.mit.edu; dmarc=pass action=none header.from=ll.mit.edu; dkim=pass header.d=ll.mit.edu; arc=none
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: LAMPS WG <spasm@ietf.org>
Thread-Topic: [lamps] Call for adoption for draft-ito-documentsigning-eku
Thread-Index: AQHX3J/Xmpxx/sSKY0+ZaQEk6h0DCKwJkNmA
Date: Thu, 18 Nov 2021 17:52:29 +0000
Message-ID: <C4FD2B77-C1B0-4283-8546-8510FCA5FF11@ll.mit.edu>
References: <CAFTXyYBA0M2qFiYhBYP6RU8eFWe5U=iXbexzzYFgcuzkUETzeA@mail.gmail.com>
In-Reply-To: <CAFTXyYBA0M2qFiYhBYP6RU8eFWe5U=iXbexzzYFgcuzkUETzeA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 4772f084-89d7-4782-d6f9-08d9aabc30cd
x-ms-traffictypediagnostic: CY1P110MB0422:
x-microsoft-antispam-prvs: <CY1P110MB0422954B211B6D1C1EFF9AFF909B9@CY1P110MB0422.NAMP110.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: jxMmlQw9hLkKPu83CfE9qKGHbuFRcyQKnRRE1x3YNlw/HTuJo8m+PkJ9P0LsSu/hRJ3xdsOtwtOjz4PQAHlS8e+61x0DiRJpkCRfRHCgQK10Rd5/DmBTtNfe4uWO2eA21Y60wEgC9TjbEcWxOPyPg1h6OA9AOpMFF7C9ITs360j0NiGjSpb5hRrrHjLZqJQSRT/Ota76F64OFbhp1AOoPHAwLZ4VUveNGi8M7cTl/apa+bpznHqO0Jvs7/BblafmM1cn7rm8OtE7JK/PJu2ZCDBs+mY5SIzHDBMT/Eu20LlcCy5ZG9QzGj/p7j7kmuQ77ZDP0Mp6ShlkNaZqAUQteULCoHBvRwLNSg4Y/clibaqWqiVy7Wi21oer9C1DchY40pSV3lQALlADR41Fb3z07vb5uU9uzHZ2ovjnM79FKsgGZxGEA78TlU0+3ma4CGVs/iuPxckWxnT7a97pY2nKSG79K2oFa/yr+hkfdbPQW0/ZS7eALBTUa1kfliaFnyW8qAFYsZJ58LvqSSWBEjMJvYXjBKYavGUQ9j/ts5kJjn3mM1X/ZwH8TsvX1dWlw7UtfswoDlFlWMQmMskRIu04ckdGZA6m/O0TKmTkKAOsSEBHawELO+awgGTBjcqo4cnGuKas4/JNOos6uRxRHyJSzXkZmOrQVDEM1HEU1RWO9F65uyVwOpsCgYHa6T869q3PFEOVBWfmVQll4iVdI949AnuhS0V+mtB5zo5xMw4p6E4=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CY1P110MB0616.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(366004)(66556008)(66476007)(8676002)(166002)(66946007)(316002)(86362001)(76116006)(8936002)(508600001)(2906002)(6486002)(99936003)(75432002)(64756008)(966005)(66446008)(53546011)(6506007)(6916009)(5660300002)(186003)(2616005)(71200400001)(83380400001)(33656002)(6512007)(122000001)(38070700005)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: LaNwJHhgiBYUOs/qZhUg+WD46VQktGpqgX6Y5Ef8KhkXyReUuAxp1ex+TGVhvoY1XiauAsjuJNU3qYt3YzMg3XcBUzoirK0If55P+mMv1Ve1sJsBw9N0FWnrPpS4X3G/mvfJgG480Mu53hwetdlM95ea6QV7+Gh4WWYuhqVM4nlGGghFyATMnWLHBUjOotVpDe7ymIlEGeRLYZzKD9Ln4gzbKXMEEX5rWSNWVt2LFDUPGIPR38auGDiHtpSTuls4kXzn4tiBrN7WWQMO/sN1Jz9t5Q7B/w6laQT8QLdZUh5DK5722XTVX0BDEcohpQ1WDjjy0bPbGSsTb5Fyo5qUkoy8e4KJ4sV9MLRWC/e689RyOdm3osO4jmPYtQOXCfULKqu+8sBqDArLvCgOaQQCrCbvJoMi3BAPz/ZNYqgogrRYsXW52iOOl5ysGJPXHs8hL1mlD2R8OMGj9xWhCl7YSLW5VmS8o8n8t4oI0MOe5ivj2dHZ4z9hKT+UV9oi1dfU9GtNZRt0GE4xdFNTK5mE4vphspO0/3DE9lmt+Z+pkjMHEEnEJC2WEiQk+bILUDbobM8CwFFYkz/9a6KuNgDl5RGaLKzZaIegNDzzGgdyth4=
Content-Type: multipart/signed; boundary="Apple-Mail-5A5BB8EB-0E86-4005-9F10-366EE12EC745"; protocol="application/pkcs7-signature"; micalg="sha-256"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CY1P110MB0616.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 4772f084-89d7-4782-d6f9-08d9aabc30cd
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Nov 2021 17:52:29.8296 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 83d1efe3-698e-4819-911b-0a8fbe79d01c
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1P110MB0422
X-Proofpoint-GUID: pakib3_WULgauFvFuAPkggwEtj4ta_W8
X-Proofpoint-ORIG-GUID: pakib3_WULgauFvFuAPkggwEtj4ta_W8
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.425, 18.0.790 definitions=2021-11-18_12:2021-11-17, 2021-11-18 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 phishscore=0 mlxscore=0 adultscore=0 malwarescore=0 spamscore=0 mlxlogscore=999 bulkscore=0 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2110150000 definitions=main-2111180093
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/1Fvngx3AboD2toyfpAYe6gSrO0c>
Subject: Re: [lamps] Call for adoption for draft-ito-documentsigning-eku
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Nov 2021 17:52:38 -0000

My preference is for more generic KU and EKU. 
In practice, “more certificates -> more troubles”. ;-)

Regards,
Uri

> On Nov 18, 2021, at 12:15, Tadahiko Ito <tadahiko.ito.public@gmail.com> wrote:
> 
> 
> Hi Stefan,
> 
> Thanks for your comments.
> 
> > I think that the only thing we could agree on in the end was that it
> > probably was a huge mistake to try to bind a key to a purpose, as
> > opposed to binding the key to a particular protocol
> 
> While binding each and every protocol does have challenges, as you seen in the previous discussions, we are not opposed to that idea. For instance, in a automated authentication system, it is effective to assign an EKU to a protocol.
> However, we recognize that there are some use cases where assigning a EKU per protocol is not realistic. An example is with a PIV card which has limited amount of slots which would not scale if there are too many EKUs per protocol which equates to many keys on the card. This is one of the cases we had in mind for having a general document signing EKU.
> 
> I think it is rational to bind EKUs to specific protocols for many use cases.
> However, as such practices become more widely use, some difficult-to-bind applications would appear, and we need some choices for those application.
> (I believe it is similar to basket clause in the legal systems, and common approach to deal with classification.)
> For example, as it was mentioned on slide 3 of IETF111's presentation and also on the I-D, we have introduced, or rather, allowed a bad practice of using email protection or code sign EKU for document signing to infest.
> <https://datatracker.ietf.org/meeting/111/materials/slides-111-lamps-sessa-general-purpose-eku-for-document-signing-00>
> We believe that our approach is a rational and valid way to solve this problem by means other than making 5280bis.
> 
> > So my question is basically. What are the signer and the verifier
> > supposed to do based on seeing or not seeing this EKU in a cert. That is
> > not at all clear to me.
> 
> We believe beyond what we described in section 4 is something dependent on the policy which the relying party or the relaying party software follows. We gave enough room to accommodate myriads of policies hence, the name “general”.
> 
> In this draft, we focused on describing the mechanism as much as possible and tried to be policy neutral.
> That should be defined by the policy body (if applicable). Also please note that not all of the document signing schemes have governing policy bodies, for example, the document signing in RFC8358.
> 
> > "Inclusion of this KeyPurposeId in a certificate indicates that the use
> > of any Subject names in the certificate is restricted to use by a
> > document signing."
> >This is not compatible with the function of the EKU extension.
> 
> We received the same comment regarding this part and will be fixed in the next revision.
> We believe this does not affect the WG adoption.
> 
> Thanks,
> 
> Tadahiko
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm

v2.23.0 | Report a Bug | By Email