IETF Logo Mail Archive

Re: [lamps] Call for adoption for draft-ito-documentsigning-eku

Ryan Sleevi <ryan-ietf@sleevi.com> Tue, 27 July 2021 01:21 UTC

Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 112BE3A0D55 for <spasm@ietfa.amsl.com>; Mon, 26 Jul 2021 18:21:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.645
X-Spam-Level:
X-Spam-Status: No, score=-1.645 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O9tlCtn3b5eo for <spasm@ietfa.amsl.com>; Mon, 26 Jul 2021 18:21:18 -0700 (PDT)
Received: from mail-pj1-f52.google.com (mail-pj1-f52.google.com [209.85.216.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1660D3A0D50 for <spasm@ietf.org>; Mon, 26 Jul 2021 18:21:17 -0700 (PDT)
Received: by mail-pj1-f52.google.com with SMTP id b1-20020a17090a8001b029017700de3903so1501805pjn.1 for <spasm@ietf.org>; Mon, 26 Jul 2021 18:21:17 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=QJYQEIB5oCcgK6o8aL93k4MjjxRBmf2N+1adblAH+as=; b=FSW8+Xn9g4FdMoKNPCtPMEu/fk49DHM/pf1Kt8lHZ2MrMN8jzos1f1Wng4bT9ZxFBF mF7IuL/IUEsvDJ9k6bAwGf0Mf8TQNt9NaITs0Ui81U3rWtE993oGflyaaoY8X8AU4CSm ejaer+5EeWBSDmu9WR+QEM+a19OTrsQMPQJMEwWoW2vizEkwmqwexH5pN5hsTVa6n5C6 jwcYkFrTkEbB8qol+MUlLJbcWof41sHmn85G+c9GG+49EXNnoII3ke0hsuifs82oIAzV 037OYuWRaGtGLwssb8KhZg9dpQC7EZoQD376mWb0NFejOmR8XY7Ia0OJTrB8edkYTFpe uQwQ==
X-Gm-Message-State: AOAM530FykxoP84SiPCugyyN90IOKpFn6J6MJlRQNUobtNd75nOSDES/ KRhdNNfg9TdeKoD032pTerrE90ETgnY=
X-Google-Smtp-Source: ABdhPJydusF3INlotlO/2ItkFxaSbgupJtOxABcQa6+CkYy3mwbz2sY8c0qLYHnsFl8vb7GeApjDSQ==
X-Received: by 2002:a17:902:8488:b029:129:97e8:16e7 with SMTP id c8-20020a1709028488b029012997e816e7mr16790882plo.39.1627348877012; Mon, 26 Jul 2021 18:21:17 -0700 (PDT)
Received: from mail-pl1-f180.google.com (mail-pl1-f180.google.com. [209.85.214.180]) by smtp.gmail.com with ESMTPSA id w2sm869950pjq.5.2021.07.26.18.21.16 for <spasm@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 26 Jul 2021 18:21:16 -0700 (PDT)
Received: by mail-pl1-f180.google.com with SMTP id i1so13851453plr.9 for <spasm@ietf.org>; Mon, 26 Jul 2021 18:21:16 -0700 (PDT)
X-Received: by 2002:a63:cd4d:: with SMTP id a13mr20802503pgj.364.1627348876224; Mon, 26 Jul 2021 18:21:16 -0700 (PDT)
MIME-Version: 1.0
References: <CD589623-52EE-4958-80AB-73F0CFB3A36E@vigilsec.com>
In-Reply-To: <CD589623-52EE-4958-80AB-73F0CFB3A36E@vigilsec.com>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Mon, 26 Jul 2021 21:21:05 -0400
X-Gmail-Original-Message-ID: <CAErg=HF_hcXO=9=KJh5EBEov4ybS_8g4xF=cANL9+83UvP0zvQ@mail.gmail.com>
Message-ID: <CAErg=HF_hcXO=9=KJh5EBEov4ybS_8g4xF=cANL9+83UvP0zvQ@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>
Cc: LAMPS WG <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b16e0105c810af90"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/8VezxPICG-UFuPrmT8OftxpcnZM>
Subject: Re: [lamps] Call for adoption for draft-ito-documentsigning-eku
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Jul 2021 01:21:23 -0000

I have read the draft, as well the meeting materials from IETF 111 [1], and
I do not support adoption.

Explicitly, I do not believe it furthers its stated goal of promoting
interoperability.

The existing set of IANA-assigned EKUs [2] have a practical
correspondence to IETF-defined protocols:
* id-kp-serverAuth corresponds to the TLS protocol (RFC 8446), typically
combined with HTTP (RFC 7231) as further expanded by RFC 6125
* id-kp-OCSPSigning corresponds to the OCSP protocol (RFC 6960)
* id-kp-timeStamping corresponds to the use of the Time Stamp Protocol (RFC
3161)
* id-kp-emailProtection corresponds to the use of CMS (RFC 5652) as used by
S/MIME (RFC 8551)

The current draft [3] fails to properly justify the need for an
IANA-defined EKU within introduction, and fails to define any practical
protocol that this key usage should be bound to. It intentionally and
explicitly leaves it ambiguous on the appropriateness or inappropriateness
of its use, and thus fails to provide any interoperable value. The draft
suggests that there is value in assigning from the IANA arc, but fails to
provide any practical or technical justification to that effect.

These are, I believe, blockers towards the adoption of the work: Without a
clear justification that both informs the goal and the potential scope of
work, I do not believe the draft should be adopted as a work item for the
WG.

At its core, the value provided for this EKU is to indicate a
locally-interpreted meaning which lacks interoperability, namely:
"Inclusion of this KeyPurposeId in a certificate indicates that the use of
any Subject names in the certificate is restricted to use by a document
signing service or a software". That is, it seeks to assign semantic
meaning to an area subject to local policy (e.g. a naming authority). Using
a policy OID appropriate for the local naming authority is entirely
appropriate and suitable, but a generic OID to indicate a certificate is
subject to "a" naming authority is not valuable in and of itself.

[1]
https://datatracker.ietf.org/meeting/111/materials/slides-111-lamps-sessa-general-purpose-eku-for-document-signing-00
[2]
https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#smi-numbers-1.3.6.1.5.5.7.3
[3] https://datatracker.ietf.org/doc/html/draft-ito-documentsigning-eku-01

On Mon, Jul 26, 2021 at 6:13 PM Russ Housley <housley@vigilsec.com> wrote:

> We have already discussing the assignment of an object identifier for
> document signing, and we had a presentation at IETF 111.  Following the
> IETF 111 presentation, no one spoke against against adoption of this work.
> This call is to see if there is rough consensus for the LAMPS WG to proceed
> with this work.
>
> Please send your reply about whether you support adopting
> draft-ito-documentsigning-eku as a WG document.  Please voice your support
> or raise concerns by 14 August 2021.
>
> For the LAMPS WG Chairs,
> Russ
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm
>

v2.23.0 | Report a Bug | By Email