Re: [lamps] Proposed charter update regarding clarifications
Daniel McCarney <cpu@letsencrypt.org> Tue, 30 July 2019 14:04 UTC
From: Daniel McCarney <cpu@letsencrypt.org>
Date: Tue, 30 Jul 2019 10:03:49 -0400
Message-ID: <CAKnbcLjpG1z-ykZ_QCy_4PtfT3F2i4R==sO_VUQYf2J4FVu3YA@mail.gmail.com>
To: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
Cc: Russ Housley <housley@vigilsec.com>, LAMPS WG <spasm@ietf.org>
> > I see this as a clarification that is correct but not necessarily needed,
> > as direct encipherment is technically not possible with ec-keys.

Hi Hendrik,

I respectfully disagree that this is not needed. The existing language doesn't make this technical impossibility clear enough to prevent certificates with such key usage bits being seen in the real world. The more certificates with such nonsense KUs are produced, the more likely it will be that other systems begin to special-case this phenomenon, increasing complexity and the chance for more significant errors.

If you chase the links through the zlint PR[0] I wrote that Ryan referenced earlier in the thread, you'll find your way to a Bugzilla bug[1] that references ~30 certificates issued by a trusted CA that contain the technically impossible KU in question (here's one example[2]). My experience within the larger web PKI ecosystem suggests to me this could be just the tip of the iceberg.

I deeply sympathize with Stephen's appeal to not produce more useless paper, but the update to RFC 5480 won't fall into this category. An update to RFC 5480 will both clarify a point that is causing demonstrated confusion for implementors and make it easier for the web PKI community to forbid the practice with haste.

[0]: https://github.com/zmap/zlint/pull/293
[1]: https://bugzilla.mozilla.org/show_bug.cgi?id=1560234
[2]: https://crt.sh/?id=741149075

On Tue, Jul 30, 2019 at 8:38 AM Brockhaus, Hendrik <hendrik.brockhaus@siemens.com> wrote:

> I see this as a clarification that is correct but not necessarily needed,
> as direct encipherment is technically not possible with ec-keys.
> But it may be helpful to have this more explicitly as currently specified.
>
> Hendrik
>
> > -----Original Message-----
> > From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
> > Sent: Monday, 29 July 2019 16:22
> > To: Brockhaus, Hendrik (CT RDA CST SEA-DE) <hendrik.brockhaus@siemens.com>
> > Cc: LAMPS WG <spasm@ietf.org>
> > Subject: Re: [lamps] Proposed charter update regarding clarifications
> >
> > How does the update to RFC 5480 about key usage fit here?
> >
> > Russ
> >
> > > On Jul 29, 2019, at 8:13 AM, Brockhaus, Hendrik <hendrik.brockhaus@siemens.com> wrote:
> > >
> > > I would be happy with the current text. But I guess there will be the need
> > > for many updates at least with regard to support of upcoming crypto
> > > algorithms. Therefore the new text will ease the processes.
> > > Finally it will be a trade-off between administrative overhead vs. risk of
> > > 'pointless paper'. Finally I am with Stephen, that nothing should be done
> > > without people willing to implement it.
> > >
> > > Hendrik
> > >
> > >> -----Original Message-----
> > >> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
> > >> Sent: Saturday, 27 July 2019 13:40
> > >> To: LAMPS WG <spasm@ietf.org>
> > >> Subject: [lamps] Proposed charter update regarding clarifications
> > >>
> > >> At the meeting in Montreal, we suggested a charter update to allow
> > >> clarifications. I suggest:
> > >>
> > >> OLD:
> > >>
> > >> In addition, the LAMPS WG may investigate other updates to documents
> > >> produced by the PKIX and S/MIME WGs, but the LAMPS WG shall not adopt
> > >> any of these potential work items without rechartering.
> > >>
> > >> NEW:
> > >>
> > >> In addition, the LAMPS WG may investigate other updates to documents
> > >> produced by the PKIX and S/MIME WG. The LAMPS WG may produce
> > >> clarifications where needed, but the LAMPS WG shall not adopt
> > >> anything beyond clarifications without rechartering.
> > >>
> > >> Thoughts?
> > >>
> > >> Russ
>
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm
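The check the message argues for, as an added example that is neither zlint's code nor anything from the thread: decode a DER-encoded KeyUsage BIT STRING and flag keyEncipherment or dataEncipherment on a certificate whose subject key algorithm is id-ecPublicKey (OID 1.2.840.10045.2.1), the combination RFC 5480 rules out. The sample BIT STRINGs are constructed; the result levels ("pass", "error", "not_applicable") are this example's own convention.

```python
from typing import Dict, FrozenSet, List

# KeyUsage bit positions from RFC 5280 section 4.2.1.3; bit 0 is the most
# significant bit of the first payload byte of the BIT STRING.
KU_BITS: List[str] = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                      "dataEncipherment", "keyAgreement", "keyCertSign",
                      "cRLSign", "encipherOnly", "decipherOnly"]

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
# RFC 5480 section 3: an EC subject key cannot be used for encipherment.
EC_FORBIDDEN = frozenset({"keyEncipherment", "dataEncipherment"})


def decode_key_usage(der: bytes) -> FrozenSet[str]:
    """Decode the KeyUsage extension value (DER BIT STRING, tag 0x03).

    Layout: tag, short-form length, unused-bits count, payload bytes.
    Rejects long-form lengths and inconsistent lengths rather than guessing.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length < 1 or length != len(der) - 2:
        raise ValueError("unexpected BIT STRING length")
    unused = der[2]
    if unused > 7:
        raise ValueError("invalid unused-bits count")
    payload = der[3:]
    nbits = len(payload) * 8 - unused
    names = set()
    for i in range(min(nbits, len(KU_BITS))):
        if payload[i // 8] & (0x80 >> (i % 8)):
            names.add(KU_BITS[i])
    return frozenset(names)


def lint_ec_key_usage(key_algorithm_oid: str, ku_der: bytes) -> Dict[str, object]:
    """Lint-style result: 'not_applicable' for non-EC keys, 'error' when an
    EC key carries an encipherment bit, 'pass' otherwise."""
    if key_algorithm_oid != ID_EC_PUBLIC_KEY:
        return {"status": "not_applicable", "forbidden": []}
    forbidden = sorted(decode_key_usage(ku_der) & EC_FORBIDDEN)
    return {"status": "error" if forbidden else "pass", "forbidden": forbidden}


# Constructed sample: digitalSignature + keyEncipherment (0x03 0x02 unused=5 0xa0),
# the nonsense combination for an EC key that the message describes.
SAMPLE_EC_BAD = bytes.fromhex("030205a0")
# Constructed sample: keyAgreement + decipherOnly, legitimate for an EC key.
SAMPLE_EC_OK = bytes.fromhex("0303070880")
```

Run `lint_ec_key_usage(ID_EC_PUBLIC_KEY, SAMPLE_EC_BAD)` to see the error result; the same KeyUsage on an RSA key (OID 1.2.840.113549.1.1.1) is not applicable.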