[lamps] draft-ietf-lamps-samples KU check
Sean Turner <sean@sn3rd.com> Fri, 25 March 2022 10:50 UTC
Return-Path: <sean@sn3rd.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7CBDA3A0F05 for <spasm@ietfa.amsl.com>; Fri, 25 Mar 2022 03:50:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g3_WGEcPfFa3 for <spasm@ietfa.amsl.com>; Fri, 25 Mar 2022 03:49:56 -0700 (PDT)
Received: from mail-qv1-xf32.google.com (mail-qv1-xf32.google.com [IPv6:2607:f8b0:4864:20::f32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BACC33A0EF7 for <spasm@ietf.org>; Fri, 25 Mar 2022 03:49:56 -0700 (PDT)
Received: by mail-qv1-xf32.google.com with SMTP id e22so5868823qvf.9 for <spasm@ietf.org>; Fri, 25 Mar 2022 03:49:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; h=from:content-transfer-encoding:mime-version:subject:message-id:date :to; bh=bGYRwsir3PCSX7DAaL+tkPr5OuITSJHDOaU8yxg03uw=; b=CUREGgLGS6TXQHHLo7kYEWEyqr2kNMN7A5n0ESC2ZqQ4HSLIIxv/ZQNE8gMLgd15C4 az1Es81JXKoxs+ujCxTC0aPrSsP4WC7FUgHQu9WSm8Dd3z/N+/pRHAhUlrtlz8FRHpJD 5M6w9nRHZf8Iob+NkR835fnxZGdQvGZ8+ibW0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:content-transfer-encoding:mime-version :subject:message-id:date:to; bh=bGYRwsir3PCSX7DAaL+tkPr5OuITSJHDOaU8yxg03uw=; b=W+VFYpvKuCSQpaAMQQM/mXr5HDv4qzV32agijdbaTq4b4dlD5+CNaIA4EqOhoG/IjY bgsPFao5Izbpwf/uIMy9h4MBEkGFqcwiL0HWzu2b47ja4CB+eU1AGGiGami4AS1nGSfW Nl8HsCJ/zNEmvpQr+0CbHhhR4g/g38k+ghAxMJ2nx7PUOhfDtdRfatw6sJKbxhM69Bl0 8yRZ14VBoORyCOII3nWp9ab1BIKuG4zOxcKs/uAW0krO+ILoaWow+4apBeDTzE+Xut3o SoD0ocFe59CPP+7/7iOK1dBeavqfWZ8Dq6lGf8ftlZDkm/ckCd9W3PqceXbCMepJts62 qKAA==
X-Gm-Message-State: AOAM533UNITmnV1cXevy6cdxk45/PlOuP//kpfG3qyw6lelULalbgb4L GnD37b8Onh7Xze17ZvtRBJe2+dYqmv5YMQ==
X-Google-Smtp-Source: ABdhPJz6CYLUPkaHB+FVOffkQlDv7YK2IHNLmvctVlzA8S9GigdvwcGQfYKtQ82g+X8s352uU+CsPA==
X-Received: by 2002:a05:6214:1cc5:b0:440:a054:a63d with SMTP id g5-20020a0562141cc500b00440a054a63dmr8216037qvd.125.1648205395231; Fri, 25 Mar 2022 03:49:55 -0700 (PDT)
Received: from smtpclient.apple (pool-71-178-177-131.washdc.fios.verizon.net. [71.178.177.131]) by smtp.gmail.com with ESMTPSA id g4-20020ac87d04000000b002e06b4674a1sm4843194qtb.61.2022.03.25.03.49.54 for <spasm@ietf.org> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 25 Mar 2022 03:49:54 -0700 (PDT)
From: Sean Turner <sean@sn3rd.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
Message-Id: <17DD8ED1-ABFF-4B6B-8DBF-5C2AF937F5AE@sn3rd.com>
Date: Fri, 25 Mar 2022 06:49:54 -0400
To: SPASM <spasm@ietf.org>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/1woA-OrS8e-RBrkY79BUgdfJxvo>
Subject: [lamps] draft-ietf-lamps-samples KU check
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Mar 2022 10:50:11 -0000
tl;dr: looks good, but I didn’t check the P12 blobs. Checking for KU bit string and RFC 8813 “compliance”: s3.1/s3.3 RSA CA certs have KU set to 0000011. This is good; it’s just keyCertSign and cRLSign. I mean you can set more bits but if you don’t have to don’t. s4.1/s5.1 an RSA sig cert has KU set to 11. This sets both digitalSignature and nonRepudiation. You can set one, the other, or both so this is "good”. I have a slight bias to drop nonRepudiation, but the choice is “compliant”. s4.2/s5.2 an RSA enc cert has KU set to 001. This is good; it’s just keyEncipherment. Checking for KU bit string and 8410/draft-ietf-lamps-ku-clarifications "compliance”: s6.1/6.3 ed25519 CA certs has KU set to 0000011. This is good; it’s just keyCertSign and cRLSign. I mean you can set more bits but if you don’t have to don’t. s7.1/s8.1 an ed25519 sig cert has KU set to 11. This sets both digitalSignature and nonRepudiation. You can set one, the other, or both so this is "good”. I have a slight bias to drop nonRepudiation, but the choice is “compliant”. s7.3/8.3 an x25519 enc cert has KU set to 00001. This is good; it’s just keyAgreement. Cheers, spt
- [lamps] draft-ietf-lamps-samples KU check Sean Turner
- Re: [lamps] draft-ietf-lamps-samples KU check Daniel Kahn Gillmor
- Re: [lamps] draft-ietf-lamps-samples KU check Sean Turner