IETF Logo Mail Archive

Re: [lamps] Proposed charter update regarding clarifications

Daniel McCarney <cpu@letsencrypt.org> Tue, 30 July 2019 14:04 UTC

Return-Path: <dmccarney@letsencrypt.org>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FDDC1201D0 for <spasm@ietfa.amsl.com>; Tue, 30 Jul 2019 07:04:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=letsencrypt.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cKAR3S_vZo3c for <spasm@ietfa.amsl.com>; Tue, 30 Jul 2019 07:04:02 -0700 (PDT)
Received: from mail-wm1-x331.google.com (mail-wm1-x331.google.com [IPv6:2a00:1450:4864:20::331]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B7F511201E2 for <spasm@ietf.org>; Tue, 30 Jul 2019 07:04:01 -0700 (PDT)
Received: by mail-wm1-x331.google.com with SMTP id s3so57271307wms.2 for <spasm@ietf.org>; Tue, 30 Jul 2019 07:04:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=letsencrypt.org; s=google; h=mime-version:references:in-reply-to:reply-to:from:date:message-id :subject:to:cc; bh=ZCQ/BMOp2kKm/VGNJYhzYe4ESlqxRxyNH0TrkQQfS00=; b=M/Q3ewN6KEEqtik3ttTHqpHr9v6l917myuKf4yNLVtkYBDViBnfmFqbq7hYeLoha3t 2N2SHXGGIsS4VRCxNVDJ3yr3CCvxEXLKdIviPLDLobgTMhdF/RvLZtEMO01Bd4TZ5iBd N4GA4oHA4Gza4s055QfSaCbBm7x4b6QBwwyDM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:reply-to :from:date:message-id:subject:to:cc; bh=ZCQ/BMOp2kKm/VGNJYhzYe4ESlqxRxyNH0TrkQQfS00=; b=RoGXu9gAvAqFdlOez9vL9A+N/yFd87+HhcQ/a9zwdt11/m6quZT95760x6iFQZNDj9 qLKZPtANUdoYBe+4eKOZ78xQtIqX3XXHz6f8PH5/x73FsA/zyDCKuGa4bNuvzQuBjA+d MgSNcULewhH6/NLvFYRExUD4BEoAZf3F4NhsafCkd+vVnXiYyqTIYmUQt4g4tPlv+h7O Kil6FLD/ZFcJoSs+B/ojVuQNnflo+IFRcf7YIZKHuvL8O3CrMUZC+pYAzrqngyg36V6J gBuzNE74QA0JjM+36KW/hHPIgTGXOl1yAEXySltGezbNKk2mJ1+OeIddZJF/krMwlYfi /Wuw==
X-Gm-Message-State: APjAAAXQT92dRTZMvP01F2NneSlY8vSb4lSG9OWBZFccA4RmUwwrqiGr +qdA2/o9hAR44/AJhMxgM0v6+o38zEWvSP3vp0PSCg==
X-Google-Smtp-Source: APXvYqw/rEiKpULw/tzDC6ZqtEpyCMs6416BGpV4S3YfRpE2KawDQ+1o/4OvvX8QfUfP7cLdFnk30u0OezSK9RUu7cQ=
X-Received: by 2002:a05:600c:225a:: with SMTP id a26mr110851003wmm.81.1564495440057; Tue, 30 Jul 2019 07:04:00 -0700 (PDT)
MIME-Version: 1.0
References: <3DB1B550-26FA-4F93-8CFA-434C1F8811D1@vigilsec.com> <DB7PR10MB2411F2A8FE1776633516C1EEFEDD0@DB7PR10MB2411.EURPRD10.PROD.OUTLOOK.COM> <D08454BE-8EA4-4221-AD6E-ECEF6A84958A@vigilsec.com> <DB7PR10MB24111D460F40F2CF04000590FEDC0@DB7PR10MB2411.EURPRD10.PROD.OUTLOOK.COM>
In-Reply-To: <DB7PR10MB24111D460F40F2CF04000590FEDC0@DB7PR10MB2411.EURPRD10.PROD.OUTLOOK.COM>
Reply-To: cpu@letsencrypt.org
From: Daniel McCarney <cpu@letsencrypt.org>
Date: Tue, 30 Jul 2019 10:03:49 -0400
Message-ID: <CAKnbcLjpG1z-ykZ_QCy_4PtfT3F2i4R==sO_VUQYf2J4FVu3YA@mail.gmail.com>
To: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
Cc: Russ Housley <housley@vigilsec.com>, LAMPS WG <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f54ca0058ee67afa"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/2fH1dXPSh2c4g-pZhgsl0WMGiic>
Subject: Re: [lamps] Proposed charter update regarding clarifications
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jul 2019 14:04:05 -0000

>
> I see this as a clarification that is correct but no necessarily needed,
> as direct encipherment is technically not possible with ec-keys.


Hi Hendrik,

I respectfully disagree that this is not needed. The existing language
doesn't make this technical impossibility clear enough to prevent
certificates with such key usage bits being seen in the real world. The
more certificates with such nonsense KU's are produced the more likely it
will be that other systems begin to special case this phenomenon,
increasing complexity and the chance for more significant errors.

If you chase the links through the zlint PR[0] I wrote that Ryan referenced
earlier in thread you'll find your way to a Bugzilla bug[1] that references
~30 certificates issued by a trusted CA that contain the technically
impossible KU in question (here's one example[2]). My experience within the
larger web PKI ecosystem suggests to me this could be just the tip of the
iceberg.

I deeply sympathize with Stephen's appeal to not produce more useless paper
but the update to RFC 5480 won't fall into this category. An update to RFC
5480 will both clarify a point that is causing demonstrated confusion for
implementors and make it easier for the web PKI community to forbid the
practice with haste.

[0]: https://github.com/zmap/zlint/pull/293
[1]: https://bugzilla.mozilla.org/show_bug.cgi?id=1560234
[2]: https://crt.sh/?id=741149075


On Tue, Jul 30, 2019 at 8:38 AM Brockhaus, Hendrik <
hendrik.brockhaus@siemens.com> wrote:

> I see this as a clarification that is correct but no necessarily needed,
> as direct encipherment is technically not possible with ec-keys.
> But it may be helpful to have this more explicitly as currently specified.
>
> Hendrik
>
> > -----Ursprüngliche Nachricht-----
> > Von: Spasm <spasm-bounces@ietf.org> Im Auftrag von Russ Housley
> > Gesendet: Montag, 29. Juli 2019 16:22
> > An: Brockhaus, Hendrik (CT RDA CST SEA-DE)
> > <hendrik.brockhaus@siemens.com>
> > Cc: LAMPS WG <spasm@ietf.org>
> > Betreff: Re: [lamps] Proposed charter update regarding clarifications
> >
> > How does the update to RFC 5480 about key usage fit here?
> >
> > Russ
> >
> > > On Jul 29, 2019, at 8:13 AM, Brockhaus, Hendrik
> > <hendrik.brockhaus@siemens.com> wrote:
> > >
> > > I would be happy with the current text. But I guess there will be the
> need
> > for many updates at least with regard to support of upcoming crypto
> > algorithms. Therefore the new text will ease the processes.
> > > Finally it will be a trade-off between administrative overhead vs.
> risk of
> > 'pointless paper'. Finally I am with Stephen, that nothing should be done
> > without people willing to implement it.
> > >
> > > Hendrik
> > >
> > >> -----Ursprüngliche Nachricht-----
> > >> Von: Spasm <spasm-bounces@ietf.org> Im Auftrag von Russ Housley
> > >> Gesendet: Samstag, 27. Juli 2019 13:40
> > >> An: LAMPS WG <spasm@ietf.org>
> > >> Betreff: [lamps] Proposed charter update regarding clarifications
> > >>
> > >> At the meeting in Montreal, we suggested a charter update to allow
> > >> clarifications.  I suggest:
> > >>
> > >> OLD:
> > >>
> > >> In addition, the LAMPS WG may investigate other updates to documents
> > >> produced by the PKIX and S/MIME WGs, but the LAMPS WG shall not
> > adopt
> > >> any of these potential work items without rechartering.
> > >>
> > >> NEW:
> > >>
> > >> In addition, the LAMPS WG may investigate other updates to documents
> > >> produced by the PKIX and S/MIME WG. The LAMPS WG may produce
> > >> clarifications where needed, but the LAMPS WG shall not adopt
> > >> anything beyond clarifications without rechartering.
> > >>
> > >> Thoughts?
> > >>
> > >> Russ
> > >> _______________________________________________
> > >> Spasm mailing list
> > >> Spasm@ietf.org
> > >> https://www
> > >>
> > .ietf.org%2Fmailman%2Flistinfo%2Fspasm&amp;data=02%7C01%7Chendrik.
> > >>
> > brockhaus%40siemens.com%7C28e8b2e7640e486105ab08d712873521%7C38
> > >>
> > ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C636998244239259100&am
> > >>
> > p;sdata=5wTBzw09KsNOVU%2FOZAIi94fIzXu2UZ%2Bm%2B12sIf%2FRS4w%3
> > >> D&amp;reserved=0
> > >
> > > _______________________________________________
> > > Spasm mailing list
> > > Spasm@ietf.org
> > >
> > https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww
> > .
> > >
> > ietf.org%2Fmailman%2Flistinfo%2Fspasm&amp;data=02%7C01%7Chendrik.b
> > rock
> > >
> > haus%40siemens.com%7C6192e50f83614e861f7208d714303717%7C38ae3bcd
> > 95794f
> > >
> > d4addab42e1495d55a%7C1%7C0%7C637000069621473442&amp;sdata=X5Kto
> > 6cOEfFt
> > > lPEfePsHx23ouMD7dKXRpP5JeBfqhnw%3D&amp;reserved=0
> >
> > _______________________________________________
> > Spasm mailing list
> > Spasm@ietf.org
> > https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww
> > .ietf.org%2Fmailman%2Flistinfo%2Fspasm&amp;data=02%7C01%7Chendrik.
> > brockhaus%40siemens.com%7C6192e50f83614e861f7208d714303717%7C38a
> > e3bcd95794fd4addab42e1495d55a%7C1%7C0%7C637000069621473442&amp;
> > sdata=X5Kto6cOEfFtlPEfePsHx23ouMD7dKXRpP5JeBfqhnw%3D&amp;reserv
> > ed=0
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm
>

v2.23.0 | Report a Bug | By Email