Re: [lamps] Paul Wouters' Discuss on draft-ietf-lamps-cmp-updates-21: (with DISCUSS and COMMENT)

"Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com> Tue, 21 June 2022 06:16 UTC

From: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
To: Carl Wallace <carl@redhoundsoftware.com>, "draft-ietf-lamps-cmp-updates@ietf.org" <draft-ietf-lamps-cmp-updates@ietf.org>, "spasm@ietf.org" <spasm@ietf.org>, Paul Wouters <paul.wouters@aiven.io>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/xRHj6LY3iul6_reS6Fam7pCFRJ0>

Carl

Thank you for this comment. I agree and will come up with a proposal.

Hendrik

> Von: Carl Wallace <carl@redhoundsoftware.com>
> 
> <snip>
> 
>     #1:
>                  This is a
>                  very sensitive service and therefore needs specific
>                  authorization.  This authorization is with the CA
>                  certificate itself.  Alternatively, the CA MAY delegate the
>                  authorization by placing the id-kp-cmKGA extended key usage
>                  in the certificate used to authenticate the origin of the
>                  generated private key or the delegation MAY be determined
>                  through local configuration of the end entity.
> 
>     These two MAYs are related; you MUST do one or the other. The text as it
>     is can be interpreted to not perform either MAY.
> 
> [CW] I recognize this is a late comment and that there are no words to borrow
> in either RFC6402 or RFC6960, but adding a security consideration that highlights
> the need to authorize certificate requests including these new EKUs (not just
> id-kp-cmKGA) may be worthwhile. This would mirror the "therefore needs specific
> authorization" in the above snip but apply to the act of requesting delegation via
> the EKUs.
>
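The three authorization paths quoted in the DISCUSS, plus the request-side check Carl asks for, as an added example (not code from the thread, the draft, or any CMP implementation). It assumes id-kp-cmKGA is the OID 1.3.6.1.5.5.7.3.32, hand-builds the DER ExtKeyUsage value instead of parsing a full certificate, and takes "is the CA certificate" and "locally configured delegation" as caller-supplied flags.

```python
ID_KP_CMKGA = "1.3.6.1.5.5.7.3.32"  # assumed OID of id-kp-cmKGA; verify against the draft

def encode_oid(dotted):
    """DER OBJECT IDENTIFIER: first two arcs merged, then base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for arc in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return bytes([0x06, len(out)]) + bytes(out)

def encode_eku(oids):  # ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId (short-form lengths)
    inner = b"".join(encode_oid(o) for o in oids)
    return bytes([0x30, len(inner)]) + inner

def decode_eku(der):  # inverse of encode_eku; rejects malformed short-form DER
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("not a short-form SEQUENCE")
    pos, oids = 2, []
    while pos < len(der):
        end = pos + 2 + der[pos + 1]
        if der[pos] != 0x06 or end > len(der) or end == pos + 2:
            raise ValueError("malformed OID element")
        arcs, val = [], 0
        for b in der[pos + 2:end]:
            val = (val << 7) | (b & 0x7F)
            if not b & 0x80:
                arcs.append(val)
                val = 0
        first = min(arcs[0] // 40, 2)  # undo the merge of the first two arcs
        oids.append(".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:])))
        pos = end
    return oids

def kga_authorized(signer_eku_der, signer_is_ca_cert=False, locally_delegated=False):
    """Which of the draft's three paths (CA cert, id-kp-cmKGA EKU, local config) applies."""
    if signer_is_ca_cert:
        return "ca-certificate"
    if ID_KP_CMKGA in decode_eku(signer_eku_der):
        return "id-kp-cmKGA"
    return "local-configuration" if locally_delegated else None

def request_eku_permitted(requested_eku_der, requester, delegation_allowlist):
    """Carl's point: a request for the delegating EKU needs its own authorization check."""
    if ID_KP_CMKGA in decode_eku(requested_eku_der):
        return requester in delegation_allowlist
    return True
```

An RA applying `request_eku_permitted` at enrolment is what prevents an arbitrary end entity from obtaining a certificate that later satisfies `kga_authorized`.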