IETF Logo Mail Archive

Re: [lamps] Call for adoption for draft-ito-documentsigning-eku

Ryan Sleevi <ryan-ietf@sleevi.com> Fri, 30 July 2021 16:03 UTC

Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 88EE73A2E8F for <spasm@ietfa.amsl.com>; Fri, 30 Jul 2021 09:03:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.645
X-Spam-Level:
X-Spam-Status: No, score=-1.645 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gITnVn9cs6Hj for <spasm@ietfa.amsl.com>; Fri, 30 Jul 2021 09:03:06 -0700 (PDT)
Received: from mail-pj1-f49.google.com (mail-pj1-f49.google.com [209.85.216.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8264A3A2E90 for <spasm@ietf.org>; Fri, 30 Jul 2021 09:03:06 -0700 (PDT)
Received: by mail-pj1-f49.google.com with SMTP id b6so15831464pji.4 for <spasm@ietf.org>; Fri, 30 Jul 2021 09:03:06 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=81U4rOnsSH8QTOQMckFGYeesLDDPddvja//M6l8vJY4=; b=TGTlEp5QiApLRgbRNoTH8euNLPZ58YMbOmbI1muav6J+1vRn5+1smykXgT2B3ZwDeJ ivUzgabTQ+ckxg6XdZXbn5S3/RLrXQQRB2Hfw30NLoJROuI+NEpWKq6yglsvCUR7GlL7 WSd1gwC4o5/TOESNGCmhmmGE+6UOb8d/fC1nht7P0xe4Buewfc75Ngvf+yGGJB3EbGCv MJEW4M5JF18sAHGRLJ7JG8jBybVDSOsfFVIXA6ogBJffiGihLXos7F/JQXCLj4aDH9/0 XamJUAyGgS0f16R68sB46MSJm6i9g8mSRp6VKzD9qcDkQ57JMk5MfamuiegJjaA4zVgT BdwQ==
X-Gm-Message-State: AOAM531lWzmFDvnh5wOWmrigeeUrhYy9PAm4fzYevbqA3fJUY83s7WPt XnsWetGAL6rUptJmlTlau4rmb4t5Z5g=
X-Google-Smtp-Source: ABdhPJxB47KDGMlgyzbGa5k9HDg/raNgAd3ApY6FlFLyx0yn3GKpKH5CbSNo5k7/lwVZMsn6fx4IqQ==
X-Received: by 2002:a65:6a0a:: with SMTP id m10mr2298886pgu.145.1627660985689; Fri, 30 Jul 2021 09:03:05 -0700 (PDT)
Received: from mail-pl1-f175.google.com (mail-pl1-f175.google.com. [209.85.214.175]) by smtp.gmail.com with ESMTPSA id v6sm2367559pfu.15.2021.07.30.09.03.05 for <spasm@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 30 Jul 2021 09:03:05 -0700 (PDT)
Received: by mail-pl1-f175.google.com with SMTP id u16so3076105ple.2 for <spasm@ietf.org>; Fri, 30 Jul 2021 09:03:05 -0700 (PDT)
X-Received: by 2002:aa7:921a:0:b029:2cf:b55b:9d52 with SMTP id 26-20020aa7921a0000b02902cfb55b9d52mr3417843pfo.35.1627660984667; Fri, 30 Jul 2021 09:03:04 -0700 (PDT)
MIME-Version: 1.0
References: <CD589623-52EE-4958-80AB-73F0CFB3A36E@vigilsec.com> <19561F5C-1EED-4D7E-81EB-210A2B47556C@vigilsec.com> <E1B3DCF1-DE9C-4FD9-AD2C-F86D5B0C374A@akamai.com>
In-Reply-To: <E1B3DCF1-DE9C-4FD9-AD2C-F86D5B0C374A@akamai.com>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Fri, 30 Jul 2021 12:02:53 -0400
X-Gmail-Original-Message-ID: <CAErg=HFnTtGyspS3wyrqMhNaOiecTf2ouEkexNcz3119UhQw2w@mail.gmail.com>
Message-ID: <CAErg=HFnTtGyspS3wyrqMhNaOiecTf2ouEkexNcz3119UhQw2w@mail.gmail.com>
To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>
Cc: Russ Housley <housley@vigilsec.com>, LAMPS WG <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ce56aa05c8595ad0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/AiJoEXNivnSY9Mtyz6auSGTCu8Q>
Subject: Re: [lamps] Call for adoption for draft-ito-documentsigning-eku
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Jul 2021 16:03:11 -0000

On Fri, Jul 30, 2021 at 10:37 AM Salz, Rich <rsalz=
40akamai.com@dmarc.ietf.org> wrote:

> This is tougher than I thought. Ryan has more in-the-trenches experience
> with these things than most, and perhaps more than most of us combined. On
> the other hand, defining an EKU is pretty small potatoes, and there's
> likely not to be much cost to the s/w stacks because they already have to
> make the cert, ku, eku available to the application anyway.


The only value, for the stated goal, however, is if applications check
this. That's why the most relevant feedback is not from e-mail app
providers (which already check for emailProtection), or from TLS client
libs (which already check for id-kp-serverAuth), but from those that are
consuming digital signatures. This is why I suggested ETSI is wholly
appropriate if they wanted to specify an EKU for their specifications (as
the misuse of emailProtection is primarily coming from European CAs
targeting European relying parties implementing ETSI ESI specifications).
And, by and large, these apps aren't checking EKU at all - that is, they'd
be perfectly fine validating a document signed with a TLS certificate, if a
CA issued such a certificate. So the CA using a different EKU provides no
value without the relying party apps changing, and if you can identify who
that constituency is (of app implementors), you've necessarily identified
who can and should just get an EKU for their constituency.

This is why I'm trying to flag "implementor interest" is both critical, and
absent, for achieving the stated goals.


> On the third hand, the idea of CABforum starting to address email worries
> me -- will membership open up to allow email app providers? I guess that's
> really not our concern.
>

Yes, it already is, and yes, it should worry you :)

The CA/Browser Forum has two other Chartered WGs, and participation in
either CWG (as with TLS) allows participation in the overall CA/B Forum
(although not necessarily other CWGs)
- https://cabforum.org/working-groups/smime-certificate-wg/ (For e-mail app
providers)
- https://cabforum.org/code-signing-working-group/ (Effectively, the
Microsoft Code Signing WG)

v2.23.0 | Report a Bug | By Email