Re: [lamps] draft-ietf-lamps-samples KU check

Sean Turner <sean@sn3rd.com> Fri, 25 March 2022 11:45 UTC

From: Sean Turner <sean@sn3rd.com>
Message-Id: <3F523C55-A77F-4B9C-93D0-7C43C0CDC558@sn3rd.com>
Date: Fri, 25 Mar 2022 07:44:59 -0400
In-Reply-To: <87bkxuw9t0.fsf@fifthhorseman.net>
Cc: LAMPS WG <spasm@ietf.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
References: <17DD8ED1-ABFF-4B6B-8DBF-5C2AF937F5AE@sn3rd.com> <87bkxuw9t0.fsf@fifthhorseman.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/G4Ac0V8-Izbp8weIjYX_BuJ_YBE>


> On Mar 25, 2022, at 07:28, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> 
> Thanks for double-checking the KUs in draft-ietf-lamps-samples, Sean!
> 
> On Fri 2022-03-25 06:49:54 -0400, Sean Turner wrote:
>> tl;dr: looks good, but I didn’t check the P12 blobs.
> 
> The P12 blobs are just generated from the other material, so that should
> be fine.
> 
>> s7.1/s8.1 an ed25519 sig cert has KU set to 11. This sets both
>> digitalSignature and nonRepudiation. You can set one, the other, or
>> both so this is "good". I have a slight bias to drop nonRepudiation,
>> but the choice is "compliant".
> 
> The draft is in AUTH48 now.  The hope is that these keys and certs will
> be used to test implementations in MUAs in the future.  It seems
> possible that their parameter choices will be cargo-culted into
> some certificate profiles for S/MIME at some point.
> 
> I'm inclined to leave them as-is, but if there are scenarios where you
> think that the inclusion of nonRepudiation is a bad idea, please let the
> WG know.  I'm willing to do another round of revisions on the draft if
> there is a compelling reason.
> 
>       --dkg

It is perfectly fine to leave them as is. The Certificate Policy drives whether NR is set or not.

spt
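The "KU set to 11" in the thread refers to the first two bits of the RFC 5280 KeyUsage BIT STRING, digitalSignature (bit 0) and nonRepudiation (bit 1). As an added example (not from the thread, the draft, or its sample certificates), the following encodes a KeyUsage as DER and decodes it back, also rejecting the non-minimal encodings that DER forbids; the bit names and layout are those of RFC 5280, the helper names are assumed.

```python
# Added example: DER-encode and decode the RFC 5280 KeyUsage BIT STRING.
# Bit names in RFC 5280 order; bit 0 is the most significant bit of the
# first content octet, so the "11" in the thread means bits 0 and 1.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]

def encode_key_usage(names):
    """Return the DER TLV for a KeyUsage with the named bits set.

    DER (X.690 11.2.2) requires the minimal encoding: trailing zero bits
    are dropped and the first content octet counts the unused bits."""
    positions = sorted(KEY_USAGE_BITS.index(n) for n in names)
    if not positions:
        return b"\x03\x01\x00"                  # empty BIT STRING
    bitstr = "".join("1" if i in positions else "0"
                     for i in range(positions[-1] + 1))
    unused = (-len(bitstr)) % 8                 # pad to a whole octet
    bitstr += "0" * unused
    content = bytes([unused]) + int(bitstr, 2).to_bytes(len(bitstr) // 8, "big")
    return bytes([0x03, len(content)]) + content

def decode_key_usage(der):
    """Parse a KeyUsage TLV back into bit names, enforcing DER rules."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed BIT STRING TLV")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bits octet")
    if body and body[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero")
    if body and not (body[-1] >> unused) & 1:
        raise ValueError("non-minimal encoding: trailing zero bit")
    names = []
    for i in range(len(body) * 8 - unused):
        if (body[i // 8] >> (7 - i % 8)) & 1:
            if i >= len(KEY_USAGE_BITS):
                raise ValueError(f"unknown KeyUsage bit {i}")
            names.append(KEY_USAGE_BITS[i])
    return names

if __name__ == "__main__":
    # digitalSignature + nonRepudiation encodes as 03 02 06 C0
    der = encode_key_usage(["digitalSignature", "nonRepudiation"])
    print(der.hex(), decode_key_usage(der))
```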