[lamps] draft-ietf-lamps-8410-ku-clarifications: EE/CRLIssuer Text
Sean Turner <sean@sn3rd.com> Thu, 02 June 2022 13:06 UTC
Hi!

During IESG review we got comments from a couple of ADs (3) about EE/CRL issuer text (note this is NOT a DISCUSS but if we tripped up 3 then it's probably worth having a look at):

   If the keyUsage extension is present in an end-entity or CRL issuer certificate that indicates id-Ed25519 or id-Ed448 in SubjectPublicKeyInfo, then the keyUsage extension MUST contain at least one of the following: nonRepudiation; digitalSignature; and cRLSign; and the following MUST NOT be present: keyEncipherment; dataEncipherment; keyAgreement; keyCertSign; encipherOnly; and decipherOnly.

One way to fix this is to make the following changes to separate out the EE and CRL issuer:

   If the keyUsage extension is present in an end-entity certificate that indicates id-Ed25519 or id-Ed448 in SubjectPublicKeyInfo, then the keyUsage extension MUST contain at least one of the following: nonRepudiation; and digitalSignature; and the following MUST NOT be present: keyEncipherment; dataEncipherment; keyAgreement; keyCertSign; encipherOnly; and decipherOnly.

….

Also ADD:

   If the keyUsage extension is present in a CRL issuer certificate that indicates id-Ed25519 or id-Ed448 in SubjectPublicKeyInfo, then the keyUsage extension MUST contain at least one of the following: nonRepudiation; digitalSignature; and cRLSign; and the following MUST NOT be present: keyEncipherment; dataEncipherment; keyAgreement; keyCertSign; encipherOnly; and decipherOnly.

Open to other suggestions as well.

Cheers,
spt
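As an added example (not text from the message above nor code from the draft), a small Python checker that decodes an X.509 KeyUsage BIT STRING and applies the proposed EE and CRL-issuer rules; the bit positions come from RFC 5280, the id-Ed25519 and id-Ed448 OIDs from RFC 8410, and the sample DER bytes are constructed for illustration.

```python
# Added example: decode a DER KeyUsage BIT STRING and check it against the
# separate EE / CRL-issuer keyUsage rules proposed for 8410-ku-clarifications.
from typing import Set, Tuple

# KeyUsage bit positions, RFC 5280 section 4.2.1.3 (bit 0 is the MSB).
KU_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
           "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
           "encipherOnly", "decipherOnly"]

# SubjectPublicKeyInfo algorithm OIDs for which the rule applies (RFC 8410).
EDWARDS_OIDS = {"1.3.101.112", "1.3.101.113"}   # id-Ed25519, id-Ed448

# Proposed text: at least one of the "required" set, none of the forbidden set.
EE_REQUIRED_ANY = {"nonRepudiation", "digitalSignature"}
CRL_ISSUER_REQUIRED_ANY = {"nonRepudiation", "digitalSignature", "cRLSign"}
FORBIDDEN = {"keyEncipherment", "dataEncipherment", "keyAgreement",
             "keyCertSign", "encipherOnly", "decipherOnly"}


def decode_key_usage(der: bytes) -> Set[str]:
    """Decode a DER BIT STRING (tag 0x03, short length) into named KeyUsage bits."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed DER BIT STRING")
    unused = der[2]                      # number of unused bits in the last byte
    if unused > 7 or (len(der) == 3 and unused != 0):
        raise ValueError("invalid unused-bit count")
    total_bits = (len(der) - 3) * 8 - unused
    bits = set()
    for i in range(min(total_bits, len(KU_BITS))):
        byte, shift = der[3 + i // 8], 7 - (i % 8)
        if (byte >> shift) & 1:
            bits.add(KU_BITS[i])
    return bits


def check_key_usage(bits: Set[str], spki_oid: str, crl_issuer: bool) -> Tuple[bool, str]:
    """Apply the proposed rule for an EE (crl_issuer=False) or CRL issuer cert."""
    if spki_oid not in EDWARDS_OIDS:
        return True, "rule does not apply (not an Edwards-curve key)"
    required = CRL_ISSUER_REQUIRED_ANY if crl_issuer else EE_REQUIRED_ANY
    bad = sorted(bits & FORBIDDEN)
    if bad:
        return False, "forbidden bits present: " + ", ".join(bad)
    if not (bits & required):
        return False, "none of " + ", ".join(sorted(required)) + " present"
    return True, "ok"
```

Note that under the proposed split, a certificate carrying only cRLSign passes as a CRL issuer but fails as an end entity, which is exactly the distinction the combined text blurred.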