Re: [lamps] Proposed charter update regarding clarifications

"Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com> Tue, 30 July 2019 14:21 UTC

From: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
To: "cpu@letsencrypt.org" <cpu@letsencrypt.org>
CC: Russ Housley <housley@vigilsec.com>, LAMPS WG <spasm@ietf.org>
Date: Tue, 30 Jul 2019 14:21:20 +0000
Message-ID: <DB7PR10MB24117042C96CE14664A75478FEDC0@DB7PR10MB2411.EURPRD10.PROD.OUTLOOK.COM>
References: <3DB1B550-26FA-4F93-8CFA-434C1F8811D1@vigilsec.com> <DB7PR10MB2411F2A8FE1776633516C1EEFEDD0@DB7PR10MB2411.EURPRD10.PROD.OUTLOOK.COM> <D08454BE-8EA4-4221-AD6E-ECEF6A84958A@vigilsec.com> <DB7PR10MB24111D460F40F2CF04000590FEDC0@DB7PR10MB2411.EURPRD10.PROD.OUTLOOK.COM> <CAKnbcLjpG1z-ykZ_QCy_4PtfT3F2i4R==sO_VUQYf2J4FVu3YA@mail.gmail.com>
In-Reply-To: <CAKnbcLjpG1z-ykZ_QCy_4PtfT3F2i4R==sO_VUQYf2J4FVu3YA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/QwknvSi--LGHZVUAACnllAoAL5U>
Subject: Re: [lamps] Proposed charter update regarding clarifications

You are absolutely right, the draft makes it more explicit for all those who did not know it before and this will help you to clarify it.

From: Daniel McCarney <cpu@letsencrypt.org>
Sent: Tuesday, 30 July 2019 16:04


I see this as a clarification that is correct but not necessarily needed, as direct encipherment is technically not possible with ec-keys.

Hi Hendrik,

I respectfully disagree that this is not needed. The existing language doesn't make this technical impossibility clear enough to prevent certificates with such key usage bits being seen in the real world. The more certificates with such nonsense KUs are produced, the more likely it will be that other systems begin to special-case this phenomenon, increasing complexity and the chance for more significant errors.

If you chase the links through the zlint PR[0] I wrote that Ryan referenced earlier in thread you'll find your way to a Bugzilla bug[1] that references ~30 certificates issued by a trusted CA that contain the technically impossible KU in question (here's one example[2]). My experience within the larger web PKI ecosystem suggests to me this could be just the tip of the iceberg.

I deeply sympathize with Stephen's appeal to not produce more useless paper but the update to RFC 5480 won't fall into this category. An update to RFC 5480 will both clarify a point that is causing demonstrated confusion for implementors and make it easier for the web PKI community to forbid the practice with haste.

[0]: https://github.com/zmap/zlint/pull/293
[1]: https://bugzilla.mozilla.org/show_bug.cgi?id=1560234
[2]: https://crt.sh/?id=741149075

On Tue, Jul 30, 2019 at 8:38 AM Brockhaus, Hendrik <hendrik.brockhaus@siemens.com> wrote:
I see this as a clarification that is correct but not necessarily needed, as direct encipherment is technically not possible with ec-keys.
But it may be helpful to have this more explicitly as currently specified.

Hendrik

> -----Original Message-----
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
> Sent: Monday, 29 July 2019 16:22
> To: Brockhaus, Hendrik (CT RDA CST SEA-DE)
> <hendrik.brockhaus@siemens.com>
> Cc: LAMPS WG <spasm@ietf.org>
> Subject: Re: [lamps] Proposed charter update regarding clarifications
>
> How does the update to RFC 5480 about key usage fit here?
>
> Russ
>
> > On Jul 29, 2019, at 8:13 AM, Brockhaus, Hendrik
> <hendrik.brockhaus@siemens.com> wrote:
> >
> > I would be happy with the current text. But I guess there will be the need
> for many updates at least with regard to support of upcoming crypto
> algorithms. Therefore the new text will ease the processes.
> > Finally it will be a trade-off between administrative overhead vs. risk of
> 'pointless paper'. Finally I am with Stephen, that nothing should be done
> without people willing to implement it.
> >
> > Hendrik
> >
> >> -----Original Message-----
> >> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
> >> Sent: Saturday, 27 July 2019 13:40
> >> To: LAMPS WG <spasm@ietf.org>
> >> Subject: [lamps] Proposed charter update regarding clarifications
> >>
> >> At the meeting in Montreal, we suggested a charter update to allow
> >> clarifications.  I suggest:
> >>
> >> OLD:
> >>
> >> In addition, the LAMPS WG may investigate other updates to documents
> >> produced by the PKIX and S/MIME WGs, but the LAMPS WG shall not
> adopt
> >> any of these potential work items without rechartering.
> >>
> >> NEW:
> >>
> >> In addition, the LAMPS WG may investigate other updates to documents
> >> produced by the PKIX and S/MIME WG. The LAMPS WG may produce
> >> clarifications where needed, but the LAMPS WG shall not adopt
> >> anything beyond clarifications without rechartering.
> >>
> >> Thoughts?
> >>
> >> Russ
> >> _______________________________________________
> >> Spasm mailing list
> >> Spasm@ietf.org
> >> https://www.ietf.org/mailman/listinfo/spasm
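The check this thread is about, as an example added by the editor; it is not code from the thread, from zlint or from any CA. RFC 5480 section 3 lists the keyUsage bits that MAY be present when SubjectPublicKeyInfo carries id-ecPublicKey: digitalSignature, nonRepudiation and keyAgreement for end-entity certificates, additionally keyCertSign and cRLSign for CA certificates, and encipherOnly/decipherOnly only alongside keyAgreement. keyEncipherment and dataEncipherment are not in that list, which is the "technically impossible" key usage referred to above. The code parses the two DER-encoded fields directly with the standard library; the SPKI and KeyUsage blobs are constructed inline with dummy key material (not real keys or certificates), the function names are the editor's own, and extracting the two fields from a full TBSCertificate is left to the caller, as is the is_ca decision from basicConstraints. id-ecDH and id-ecMQV keys have their own, stricter rules in the same section and are deliberately not handled.

```python
"""Check an X.509 SubjectPublicKeyInfo / KeyUsage pair against RFC 5480 section 3.

Editor-added example: standard library only, DER inputs constructed inline with
dummy key material. A real lint would extract the two fields from the certificate.
"""

# KeyUsage bit positions, RFC 5280 section 4.2.1.3
KU_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

OID_ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"

# RFC 5480 section 3: bits that MAY be present with id-ecPublicKey.
# keyEncipherment and dataEncipherment are in neither set.
EC_ALLOWED_EE = {"digitalSignature", "nonRepudiation", "keyAgreement"}
EC_ALLOWED_CA = EC_ALLOWED_EE | {"keyCertSign", "cRLSign"}


def _read_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                           # last base-128 digit of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def spki_algorithm(spki_der):
    """Dotted algorithm OID of a DER SubjectPublicKeyInfo."""
    _, spki, _ = _read_tlv(spki_der)               # SubjectPublicKeyInfo SEQUENCE
    _, alg_id, _ = _read_tlv(spki)                 # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _read_tlv(alg_id)                # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def key_usage_bits(ku_der):
    """Set of KeyUsage bit names that are set in a DER KeyUsage BIT STRING."""
    tag, body, _ = _read_tlv(ku_der)
    if tag != 0x03:
        raise ValueError("KeyUsage is not a BIT STRING")
    unused, bits = body[0], body[1:]
    nbits = len(bits) * 8 - unused                 # bits beyond this are padding, never set
    return {name for i, name in enumerate(KU_BITS)
            if i < nbits and bits[i // 8] & (0x80 >> (i % 8))}


def lint_ec_key_usage(spki_der, ku_der, is_ca=False):
    """KeyUsage bits RFC 5480 s3 does not permit for an id-ecPublicKey key, in bit order.

    Empty list: no finding. Keys of other types (RSA, ...) are out of scope here and
    also return []. id-ecDH / id-ecMQV have stricter rules and are not handled.
    """
    if spki_algorithm(spki_der) != OID_ID_EC_PUBLIC_KEY:
        return []
    allowed = EC_ALLOWED_CA if is_ca else EC_ALLOWED_EE
    present = key_usage_bits(ku_der)
    if "keyAgreement" in present:                  # encipherOnly/decipherOnly only with keyAgreement
        allowed = allowed | {"encipherOnly", "decipherOnly"}
    return sorted(present - allowed, key=KU_BITS.index)


# --- constructed sample inputs (dummy key bytes; not real keys or certificates) ---
def _tlv(tag, body):
    """Minimal DER encoder, short-form length only (enough for these samples)."""
    if len(body) >= 128:
        raise ValueError("short-form length only")
    return bytes([tag, len(body)]) + body


_OID_EC = bytes.fromhex("06072a8648ce3d0201")        # id-ecPublicKey 1.2.840.10045.2.1
_OID_P256 = bytes.fromhex("06082a8648ce3d030107")    # secp256r1 (namedCurve parameter)
_OID_RSA = bytes.fromhex("06092a864886f70d010101")   # rsaEncryption 1.2.840.113549.1.1.1

EC_SPKI = _tlv(0x30, _tlv(0x30, _OID_EC + _OID_P256)
               + _tlv(0x03, b"\x00\x04" + b"\x11" * 64))      # placeholder uncompressed point
RSA_SPKI = _tlv(0x30, _tlv(0x30, _OID_RSA + b"\x05\x00")       # rsaEncryption takes NULL params
                + _tlv(0x03, b"\x00" + b"\x22" * 40))         # placeholder RSAPublicKey bytes

KU_DS_KE = bytes.fromhex("030205a0")   # digitalSignature + keyEncipherment (typical RSA TLS KU)
KU_DS_KA = bytes.fromhex("03020388")   # digitalSignature + keyAgreement
KU_CA = bytes.fromhex("03020106")      # keyCertSign + cRLSign

if __name__ == "__main__":
    print("EC EE, DS+KE :", lint_ec_key_usage(EC_SPKI, KU_DS_KE))          # ['keyEncipherment']
    print("EC EE, DS+KA :", lint_ec_key_usage(EC_SPKI, KU_DS_KA))          # []
    print("EC EE, CA KU :", lint_ec_key_usage(EC_SPKI, KU_CA))             # ['keyCertSign', 'cRLSign']
    print("EC CA, CA KU :", lint_ec_key_usage(EC_SPKI, KU_CA, is_ca=True)) # []
    print("RSA EE, DS+KE:", lint_ec_key_usage(RSA_SPKI, KU_DS_KE))         # [] (out of scope)
```

The digitalSignature + keyEncipherment sample is the ordinary RSA TLS server key usage; copied onto an EC key it is exactly the combination the Bugzilla bug and the crt.sh entry above show in issued certificates, and the check flags the keyEncipherment bit while leaving digitalSignature alone.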