Re: [lamps] [EXTERNAL] Re: I-D Action: draft-ietf-lamps-im-keyusage-00.txt

Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 17 April 2024 20:23 UTC

Message-ID: <68fb3e14-701a-4bdf-a493-15038d4b8675@cs.tcd.ie>
Date: Wed, 17 Apr 2024 21:23:31 +0100
User-Agent: Mozilla Thunderbird
To: Rohan Mahy <rohan.mahy@gmail.com>
Cc: Tim Hollebeek <tim.hollebeek=40digicert.com@dmarc.ietf.org>, Michael StJohns <msj@nthpermutation.com>, "spasm@ietf.org" <spasm@ietf.org>
References: <171320513468.22285.6899802433610546466@ietfa.amsl.com> <B508131E-0554-471F-94FD-4AA2A0A95346@vigilsec.com> <CAKoiRuYCSwdzwKwSXdyLCNm5Z3DzzzLZzSyDO7DGWHTSeUj-fA@mail.gmail.com> <2E8965D1-F0D8-4947-8A6B-19B822EEFA4C@vigilsec.com> <CH0PR11MB5739FF2B9A378DF7ADFF24E69F082@CH0PR11MB5739.namprd11.prod.outlook.com> <CAKoiRuY5Caq_61+99RQiaRkeKUAou=fiLj+HadajzhwhLKOdAA@mail.gmail.com> <CH0PR11MB5739A5999D59A046D056812C9F0F2@CH0PR11MB5739.namprd11.prod.outlook.com> <CH0PR11MB5739690323861CECECA630AF9F0F2@CH0PR11MB5739.namprd11.prod.outlook.com> <0f7f609b-9283-4f59-bb32-375827d3e7a6@nthpermutation.com> <SN7PR14MB64927E6AB1914083C485E0EA830F2@SN7PR14MB6492.namprd14.prod.outlook.com> <CAKoiRuZeuDOG+Hm97mE2jwJ7w4gXjyvpTj7o3nOykQuufRDv_Q@mail.gmail.com> <f8d86a07-6008-4e8a-991a-ac879200b4cc@cs.tcd.ie> <CAKoiRubx4uQ_=USr2DXOHx6LYj9HsX9fNg7xxqF_b8WXexVEcQ@mail.gmail.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
In-Reply-To: <CAKoiRubx4uQ_=USr2DXOHx6LYj9HsX9fNg7xxqF_b8WXexVEcQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/3yCrdn25QJISnPScxxcvrOO4cPY>
Subject: Re: [lamps] [EXTERNAL] Re: I-D Action: draft-ietf-lamps-im-keyusage-00.txt
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
X-List-Received-Date: Wed, 17 Apr 2024 20:23:42 -0000

Hiya,

On 17/04/2024 21:16, Rohan Mahy wrote:
> IMO, anyone who is issuing TLS server certificates would blissfully ignore
> IM extended key usage and carry on doing what they are doing.
> Matrix/Element clients would happily verify certificates from their TLS
> certificates not expecting this extension in that context. They would
> continue to require a key usage of serverAuth from the server certificates.

Ok, not for TLS: good.

> Matrix clients could also enroll user @alice on the server
> matrix.example.com with a certificate that uses this extended key usage.
> When Bob's client receives Alice's certificate (ex: in MLS, in the
> signaling that carries DoubleRatchet encryption, via some key transparency
> protocol, etc), Bob can validate Alice's certificate.

I'd still be concerned this kind of thing may make self-hosting
harder, and would consider that a downside perhaps more important
than the upside of enforcing a new EKU.

Cheers,
S.
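As an added illustration of the split Rohan describes (this is example code, not from the thread, the draft, or any Matrix/Element implementation): a stdlib-only DER codec for the ExtendedKeyUsage value and a context-dependent acceptance check, where a TLS server certificate is judged only on id-kp-serverAuth (any IM EKU present is ignored) and an IM user certificate is judged only on the IM EKU. The IM EKU OID used here is a constructed placeholder, since the draft's assigned value is not on this page.

```python
from typing import List, Optional
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"        # id-kp-serverAuth (RFC 5280)
ID_KP_IM_PLACEHOLDER = "1.3.6.1.4.1.99999.1"  # constructed placeholder, NOT the draft's OID

def _tlv(tag: int, body: bytes) -> bytes:
    # DER tag-length-value: short-form length, or one-byte long form for 128..255 bytes.
    length = bytes([len(body)]) if len(body) < 0x80 else b"\x81" + bytes([len(body)])
    return bytes([tag]) + length + body

def encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])   # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                      # base-128, high bit = continuation
        while arc >> 7:
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        body.extend(chunk)
    return _tlv(0x06, bytes(body))

def encode_eku(oids: List[str]) -> bytes:
    # ExtendedKeyUsage ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
    return _tlv(0x30, b"".join(encode_oid(o) for o in oids))

def _read_tlv(buf: bytes, pos: int, tag: int):
    assert buf[pos] == tag, f"expected tag {tag:#x} at offset {pos}"
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                             # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def decode_eku(der: bytes) -> List[str]:
    seq, _ = _read_tlv(der, 0, 0x30)
    oids, pos = [], 0
    while pos < len(seq):
        body, pos = _read_tlv(seq, pos, 0x06)
        arcs, val = [], 0
        for b in body:
            val = (val << 7) | (b & 0x7F)
            if not b & 0x80:
                arcs.append(val)
                val = 0
        lead = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
        oids.append(".".join(map(str, lead + arcs[1:])))
    return oids

def eku_acceptable(eku_der: Optional[bytes], context: str) -> bool:
    # "tls-server": needs id-kp-serverAuth, any IM EKU is ignored; "im-user": needs the IM EKU.
    required = {"tls-server": ID_KP_SERVER_AUTH, "im-user": ID_KP_IM_PLACEHOLDER}[context]
    return eku_der is not None and required in decode_eku(eku_der)
```

A certificate carrying both purposes passes the TLS check exactly as one carrying only serverAuth would, which is the "blissfully ignore" behaviour the thread expects from existing TLS verifiers.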