IETF Logo Mail Archive

Re: [lamps] [EXTERNAL] Re: I-D Action: draft-ietf-lamps-im-keyusage-00.txt

Mike Ounsworth <Mike.Ounsworth@entrust.com> Wed, 17 April 2024 16:33 UTC

Return-Path: <Mike.Ounsworth@entrust.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C148CC14F6A6 for <spasm@ietfa.amsl.com>; Wed, 17 Apr 2024 09:33:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.994
X-Spam-Level:
X-Spam-Status: No, score=-1.994 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=entrust.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DPJoJxLP-y1f for <spasm@ietfa.amsl.com>; Wed, 17 Apr 2024 09:33:38 -0700 (PDT)
Received: from mx07-0015a003.pphosted.com (mx07-0015a003.pphosted.com [185.132.183.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 749ABC14F5FF for <spasm@ietf.org>; Wed, 17 Apr 2024 09:33:37 -0700 (PDT)
Received: from pps.filterd (m0242864.ppops.net [127.0.0.1]) by mx08-0015a003.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 43HEFlDl013771; Wed, 17 Apr 2024 11:33:35 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=entrust.com; h= from:to:subject:date:message-id:references:in-reply-to :content-type:mime-version; s=mail1; bh=pGuoYOnXXwKSsk1m0FzVlFBH ZftBF735Uo9QoPaJQnA=; b=NA6IijPvA71zZsWi8U2MoVFHkc8Ypl2hv0bR3Uzd iqqpw754jDVqXv89Nf7ZB12GQdl99m0OSWItftD9uNFtKWhyVgZHE0v/sLH5JKNj 9HwwFkHAUgXRFM4ntEW3i44k7tnHa5vgnmd+qtprVYOFR0fDt4UseVVAWfEEafFx vy49ACnSrC3JiiB0CGR13hxXc+lrZmq6FMuCMycXZjil7a9SY1OQdjH4IYwVNyOu taX4CfgWQSM5+nAa3EVffL+fDhczP5isN5ibZcdot25naeL4g7VaNKd3YoQa4YuR Ogf+2FxrrbMAFmv8DAijn9HKAcwaTjXbhCh8qela3HXnXw==
Received: from nam04-dm6-obe.outbound.protection.outlook.com (mail-dm6nam04lp2040.outbound.protection.outlook.com [104.47.73.40]) by mx08-0015a003.pphosted.com (PPS) with ESMTPS id 3xfpr0hu01-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 17 Apr 2024 11:33:34 -0500 (CDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ixrdtBuR+9Wu8S8Bf2+BV+fNcFbsBdt1Zmdxy0xWkY47yqQtJ3/d7NvKJww8Oskqw7fO4CURpW22PJ7HEs4Uudic9QWMytsRyDV/3yVx66KAkTlNiw4r7vLCpWfNFVxlZMa9B0dcxI0ssACA753fMWeHyhKtvp2DvzJXoxq8MzJfEPqMlZqH97GYMvpnjSnp263MYa5uQhUureO24N9RtvdW4xO9zooci+SJow6bIiRAtvGGsbl97f6jF8ZUJKqvKYVjtx8KkKUyrt4bQy4I2pHKyq4YzyZJ4i/+EXnnn1ukoOEDLhL80t5h0vpney/Zyf4i89VqbFfzssYHqXTLng==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=t6eBJFrcBj+WkCZVgwAf3G5xxOVZAcDHzALP5I7o8yM=; b=NVq0h+c0lToz1E4VCv/KGam1DGNt3egS219bUxODxlUCr4t0dn1ATKiPWyh70OKIGwg+vjpuL80Pcd8TEob5xsB17i1Hzbi848HboTyZ8TQt0PDfNQQZEwZOEJ/X9jYuS5NhjL/lspHEFrek847q5s42SoDuAPPQbrpSRsDdAO/auosMt6sAvr60UydMXpgGA2+sKCGE51ivY6H9EDyVb3eZuH04QnuGqI8N37+34hpwSl5O/K1HJv+xhA0Vi5jsibysM93bSioC5GtAE2BdGAsAJmwfJmL6+ZffI+95PTNkr4IcyKthdB0p89Liu/oHlef223tr/97MB5woUi6ylg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=entrust.com; dmarc=pass action=none header.from=entrust.com; dkim=pass header.d=entrust.com; arc=none
Received: from CH0PR11MB5739.namprd11.prod.outlook.com (2603:10b6:610:100::20) by SA2PR11MB5163.namprd11.prod.outlook.com (2603:10b6:806:113::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7472.31; Wed, 17 Apr 2024 16:33:30 +0000
Received: from CH0PR11MB5739.namprd11.prod.outlook.com ([fe80::11f2:792f:10c4:f173]) by CH0PR11MB5739.namprd11.prod.outlook.com ([fe80::11f2:792f:10c4:f173%5]) with mapi id 15.20.7472.027; Wed, 17 Apr 2024 16:33:30 +0000
From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: Michael StJohns <msj@nthpermutation.com>, "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: [lamps] [EXTERNAL] Re: I-D Action: draft-ietf-lamps-im-keyusage-00.txt
Thread-Index: AQHakOPyZMILz5XZSkuK8lMPDOLK07Fsp0KA
Date: Wed, 17 Apr 2024 16:33:29 +0000
Message-ID: <CH0PR11MB5739E734C551667C3EBA53A69F0F2@CH0PR11MB5739.namprd11.prod.outlook.com>
References: <171320513468.22285.6899802433610546466@ietfa.amsl.com> <B508131E-0554-471F-94FD-4AA2A0A95346@vigilsec.com> <CAKoiRuYCSwdzwKwSXdyLCNm5Z3DzzzLZzSyDO7DGWHTSeUj-fA@mail.gmail.com> <2E8965D1-F0D8-4947-8A6B-19B822EEFA4C@vigilsec.com> <CH0PR11MB5739FF2B9A378DF7ADFF24E69F082@CH0PR11MB5739.namprd11.prod.outlook.com> <CAKoiRuY5Caq_61+99RQiaRkeKUAou=fiLj+HadajzhwhLKOdAA@mail.gmail.com> <CH0PR11MB5739A5999D59A046D056812C9F0F2@CH0PR11MB5739.namprd11.prod.outlook.com> <CH0PR11MB5739690323861CECECA630AF9F0F2@CH0PR11MB5739.namprd11.prod.outlook.com> <0f7f609b-9283-4f59-bb32-375827d3e7a6@nthpermutation.com>
In-Reply-To: <0f7f609b-9283-4f59-bb32-375827d3e7a6@nthpermutation.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: CH0PR11MB5739:EE_|SA2PR11MB5163:EE_
x-ms-office365-filtering-correlation-id: bd42bfbf-30e7-4a4b-fae7-08dc5efc1d7b
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: BGgXiiupHCXrufXOQ61zGjm1onAB+51S/D4xOPMYznAiOTtK9mw666CDDdprVUhYVyCO+y+ZQEwchUer6qhMmMHA1GpfAqyy2BfxxU7ijBedUnHi3Aw/TC/eNM3RdOJ0UflseFWxmbwzeaaIzYfUFXxXeuePf0mMcQxic+viCuZ3PD563YmoGhOH5CAk/VUrGRF0oufm+TTcQv0H/mQsMWISMUqHevnZpF5Xv2B/LWS8kqvwFM9UeCtTWabCmkD3eF9+I1JdgP2ZyBtXHaR3p4Mcp/fSC9Y6LK0dzlAQvzo7kACWsWYmAmFoL/Iqm5q0x1LeQBYELcukqRXbUab4aM77cQtt4xUm1tDgXzNXIm0rGapYVMmwvdAIbpOIYlv59l4yY/JgFauO/x1RKZz1XZgKSm8A3w6zRiud5+px9PDAZ5IrghkibRh3l/g7Qs5lyR3Fi0fPLtAo6FpTOzJpr6K7KsW1oTJ6c31RP17FaaodZFE85J4texq8FI6VmcJ/fMQq9fCSemSLi8QqeTrVcnuS50lp2cFrYqU5CoKmy4Sly4Q/3ZEPBQsVy2Gc0Z57lGPRsSEaKGAY48ESO1ESkDIWpZufEKYzndMLOciFSzYBCPqKYLFHtfmGV7+60hExHlqShKMEhxqUPriOTBtHP12tt596Xt0/ds42+BwFEbGXs+U8ayDnQnC8dRHU7UKGN2eREcX8xnmd0FyiL1VAhjxalM7r2IzIpxvT5QugudA=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH0PR11MB5739.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(376005)(1800799015)(366007)(38070700009); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: iwKQB1TzNmid2kQN/8iMjPDiUQxR6WXuKY0xrBo9VbUpfFNu2JhNNBdOPbPnk7u9XP7lTxYbw9nDYvOVb0/4vmCwNUnSJRxKjhp16sdXED20ddjzdyM4QGB7P0tAuo/fiK1ZGqJNmgvbP2F0cKjv7D0Moxaq9321ezsMPJ9zgIfWQfJVhbnyLUNl/fdimMF6TkzvrjgwZNciWgUDm50ueUN7wmJVLa2iBhDa7scrm8SvoFyXUaf5sEyR0SsfhQlDEjB9YNVvDo0UhLRC7TP1G8RKuvm40oy1tsQfYcWA7zUgUkMrVLhmM+z0OOOOkVN1vTfT9orYxx4erDjEniFxrN7+fKZnLHqCD0U4V4zdx2PDaWOBO3osZ8u2B/w/BjaHXGVl0W24zP5LEAvosXKZP2lgSoLBHlC/+e5Uh/6Ul6fW3FaPJ07tJ6L4L2TNZcsezqOvxryXPNAqTMUUUqrm1MeNQdnBVWkJq6cIfqIom0LQhDDfVFNThH8XF0cDabsB0bEtK+ZZ+9pMFZGFYFdUz8+ntnwnOaeGnZfA+20oXlLPQtIZqJiQuHrwNHEB40qxTKk2+CevyB/IFcymrcn3+nEpnnMySDsjpQYQ2ljhyxgmNBZF/7wOlRaMvSBFPXiDD52kHqNCpoFP25ls71/Hvj0aY+dK+KXDPY5rp7wB7VsAMzJlFh1ksXU9w74xYGfT5JgrA+1eU8S0+aqwr8HpKZPMGkhtj8fpklMwCW/gjmrC6W9WWTuBEJnELMDecT6jTN6YUXY2f/INj7lJFZ64iEpLLMrt5CHakn9uG7P2DlrL70RDHXXFIsvjOJGuXjbuTslCnOxNt6afupq/knTbgc5b9FAk7KK36S3lemsQGxIj23zYJgsf4BAUeHSERKLBH4mvcGPvzYNf2zs9vjj97ERb9G4WOKArGKwDikipih1/W2KASAOGPuLxwkIyqI0FMeJPsikXF37XJxr3AnCQUgdZtzvq0yC1TaAFWAKr2UHXQzMypORfNTp9WPBK78IsODYApcjf+F1/L88X8mUaLWAHZWlchIDG5CXIwzJJx+C5MsKwS3zRt0cawfTjt34Yt/H+90fCRMsV0LBbjVgwuGWLKIEnx2hjqCavlttYrd4WlVXpMkNYmKtLG8+MmXINGEm+DaIQ25sNeBow8IttMQFLJ38HqMHUSmCzSPRG1RAgGQJnr5f3X8B3qT910aHFG9ASq1tNTf8GgqNGTdmjywOuOIq7OFcc33lKAf6MYdILe2LKAD9tOnBcxerMxZXFEmZwluG3vh3K+A2/g3eJ7Od7rV8E8I0rHJqChF2BMtluZ3gWL3S51MqIg2B0S2dcF+J85+ReMHIh0Ltpf7UqATimFS8Vt2TsI7aTJU355qi41k15zTfya328HwyW/Xuf15czu0DjsXjyNpMxrLfX6N7sGDQKHbLGI7fOVix6/PvcRQ06gR+8YYWH5C5VVfy6kSN+JImi4WG8cX4Gopcfnu/qI7tNW4f6B9SdYsuYSX9Wz+aP2IjrODiM6UVcNauISJW0T3Kn8ERV8xy8KGpGljc5zfbQm2Lnq3gkWglHRsxtFrk5pSI2327X06uFvM5t/UjDzfKE7Q1v7YNw4kVQzg==
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="2.16.840.1.101.3.4.2.1"; boundary="----=_NextPart_000_007F_01DA90BB.114612A0"
MIME-Version: 1.0
X-OriginatorOrg: entrust.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CH0PR11MB5739.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: bd42bfbf-30e7-4a4b-fae7-08dc5efc1d7b
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Apr 2024 16:33:29.8708 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f46cf439-27ef-4acf-a800-15072bb7ddc1
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 3bGpgKaEOtTRvSob3gSHZYerq9F32nA/v4pRNW7SW2UKEaAB0Etc0oVxKWheUoRub0ySt3JtxexZF4BQSNyzCodn3shgTL/qfI3ul6eZ7zY=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA2PR11MB5163
X-Proofpoint-GUID: 8VOKgH4viuDtdfslU1JBubepxM2Kg0Cu
X-Proofpoint-ORIG-GUID: 8VOKgH4viuDtdfslU1JBubepxM2Kg0Cu
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.1011,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2024-04-17_14,2024-04-16_01,2023-05-22_02
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 clxscore=1015 impostorscore=0 phishscore=0 bulkscore=0 mlxscore=0 suspectscore=0 adultscore=0 spamscore=0 mlxlogscore=999 malwarescore=0 lowpriorityscore=0 priorityscore=1501 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2404010003 definitions=main-2404170115
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/HqZLLYaqZED-5xvkdGkaMTfiuXw>
Subject: Re: [lamps] [EXTERNAL] Re: I-D Action: draft-ietf-lamps-im-keyusage-00.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Apr 2024 16:33:42 -0000

Hi Mike,

 

Yup, I’d be fine with that too – more explanation of how a relying party is expected to use this EKU. 

 

Basically, I see that Rohan is trying to tighten things up, which is good, but how far should it be tightened? Is what’s proposed in the document striking the right balance? I think it would be helpful if the document had some discussion of that, and made an argument that this is the right balance.

 

---

Mike Ounsworth

 

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Michael StJohns
Sent: Wednesday, April 17, 2024 11:26 AM
To: spasm@ietf.org
Subject: Re: [lamps] [EXTERNAL] Re: I-D Action: draft-ietf-lamps-im-keyusage-00.txt

 

Hi Mike - It's the responsibility (and the right) of the relying party to decide what's acceptable for a given interaction. If you followed your argument below to its logical conclusion, you would want to have different EKUs for TLS1. 2 clients 



Hi Mike - 

 

It's the responsibility (and the right) of the relying party to decide what's acceptable for a given interaction.  If you followed your argument below to its logical conclusion, you would want to have different EKUs for TLS1.2 clients vs TLS1.3  clients as they are - at least somewhat - different protocols.

 

If you want this document to do what you're suggesting, this document would need to issue an EKU for each and every well known IM service.  Let's not do that.

 

Talking about this in the security considerations section does not save the argument.

 

Hi Rohan - 

 

That said - section 3 of this document is - underwhelming in its explanations of how this might be used and what a relying party might do with it.

 

Something like: "An IM service operator MAY specify that client certificates used to connect to it MUST have this EKU, and that the IM service will reject connections negotiated with certificates missing this EKU.  This document does not impose any operational requirements on an IM service, it only suggests an appropriate use of this EKU."  and "Other IM protocol documents  MAY impose more stringent requirements on the acceptance of certificates without this specific EKU value than is implied by the previous paragraph." and "It is RECOMMENDED that a certificate containing this EKU SHOULD NOT also contain either an id-kp-serverAuth or id-kp-clientAuth EKU unless this certificate is specifically intended to also certify connections to non-IM services."

 

And lastly, "This EKU is optionally critical" is just wrong.  Extensions are critical, not the tags within them.  An EKU extension may already optionally be marked critical so the line is not needed.  Excess EKUs are ignored within the extension by the relying party - so there's no semantic meaning for this EKU by having the extension marked critical. (And please don't try and change this interpretation - you'll break things).

 

Later, Mike

 

On 4/17/2024 11:57 AM, Mike Ounsworth wrote:

(and IMO, that convincing argument should be in the Security Considerations)

 

- Mike Ounsworth

 


  _____  


From: Mike Ounsworth  <mailto:Mike.Ounsworth@entrust.com> <Mike.Ounsworth@entrust.com>
Sent: Wednesday, April 17, 2024 10:42:00 AM
To: Rohan Mahy  <mailto:rohan.mahy@gmail.com> <rohan.mahy@gmail.com>
Cc: Russ Housley  <mailto:housley@vigilsec.com> <housley@vigilsec.com>; Rohan Mahy  <mailto:rohan.ietf@gmail.com> <rohan.ietf@gmail.com>; LAMPS  <mailto:spasm@ietf.org> <spasm@ietf.org>
Subject: RE: [EXTERNAL] Re: [lamps] I-D Action: draft-ietf-lamps-im-keyusage-00.txt





Hey Rohan,

 

> “It should be perfectly fine to use this with XMPP, MIMI, or a proprietary messaging system.”

 

I don’t know the IM space very well, but we hear a lot about cross-protocol attacks if you, for example, use the same key with S/MIME and PGP. Probably that applies to encryption keys more than signature keys, but regardless, I think it’s gonna need more than the words “it should be fine” to make a convincing argument that it’s ok to use a single certificate across multiple IM protocols :P

 

---

Mike Ounsworth

 

From: Rohan Mahy  <mailto:rohan.mahy@gmail.com> <rohan.mahy@gmail.com> 
Sent: Wednesday, April 17, 2024 9:10 AM
To: Mike Ounsworth  <mailto:Mike.Ounsworth@entrust.com> <Mike.Ounsworth@entrust.com>
Cc: Russ Housley  <mailto:housley@vigilsec.com> <housley@vigilsec.com>; Rohan Mahy  <mailto:rohan.ietf@gmail.com> <rohan.ietf@gmail.com>; LAMPS  <mailto:spasm@ietf.org> <spasm@ietf.org>
Subject: Re: [EXTERNAL] Re: [lamps] I-D Action: draft-ietf-lamps-im-keyusage-00.txt

 

Thanks Mike, The semantics of the EKU is an Instant Messaging identity. It should be perfectly fine to use this with XMPP, MIMI, or a proprietary messaging system. Unless you have some reason to do otherwise, a very natural way to express this 

Thanks Mike,

The semantics of the EKU is an Instant Messaging identity. It should be perfectly fine to use this with XMPP, MIMI, or a proprietary messaging system. 

 

Unless you have some reason to do otherwise, a very natural way to express this identity would be to use a URI identifier of any relevant scheme in the subjectAltName. (XMPP already has a custom SAN identifier type but that was not strictly necessary.)

 

I'll take a stab at some more generic text for the Intro and Security Considerations.

 

Thanks again for the review. I will fix the other small errors as well.

-rohan 

 

On Tue, Apr 16, 2024, 12:14 Mike Ounsworth <Mike.Ounsworth@entrust.com <mailto:Mike.Ounsworth@entrust.com> > wrote:

Hey Rohan,

 

I’m a novice on the IM topic, but I’ll provide a review of your document anyway (feel free to ignore).

 

The introduction mentions that the driving motivation is IM apps built on top of MLS, and then says “or others see: MIMI”. Are all IMs considered equal, or is it important to be able to say “This cert is for MikeGram, and that cert is for RohanChat?”. IE would it be better if this draft created the specific EKUs that MIMI needs for the specific IM protocols that you’re designing now?

 

It would be good to expand the Security Considerations section to be clear about what security is gained by using the mechanism, including what the expectation is of verifiers who are looking for this EKU. Again, I think some discussion of using the same cert across different IM protocols would be good.

 

 

Why is it called id-kp-imUri? Why “Uri”? Perhaps this is clear in the mimi arch docs, but could use repeating here.

 

 

Typo? The IANA Considerations section asks for “id-kp-im-eku”, but the ASN.1 Module defines “id-mod-im-eku”. I think the latter is the better name, to indicate that this is the identifier of an ASN.1 module.

 

 

To Russ’ question about whether this draft should also cover SANs: the intro already says

“The subjectAltName of these certificates can be an IM URI, for example.”

Out of curiosity, which SAN type would be used for that?

 

---

Mike Ounsworth

 

From: Spasm <spasm-bounces@ietf.org <mailto:spasm-bounces@ietf.org> > On Behalf Of Russ Housley
Sent: Monday, April 15, 2024 4:22 PM
To: Rohan Mahy <rohan.ietf@gmail.com <mailto:rohan.ietf@gmail.com> >
Cc: LAMPS <spasm@ietf.org <mailto:spasm@ietf.org> >
Subject: [EXTERNAL] Re: [lamps] I-D Action: draft-ietf-lamps-im-keyusage-00.txt

 

I thought it was worth asking. I think the xmpp: URI in the SAN would be a very reasonable solution. Russ On Apr 15, 2024, at 4: 49 PM, Rohan Mahy  <mailto:rohan. mahy@ gmail. com> <rohan. mahy@ gmail. com> wrote: Hi Russ, I don't understand why an XmppAddr identifier type 

I thought it was worth asking.  I think the xmpp: URI in the SAN would be a very reasonable solution.

 

Russ

 

 

On Apr 15, 2024, at 4:49 PM, Rohan Mahy <rohan.mahy@gmail.com <mailto:rohan.mahy@gmail.com> > wrote:

 

Hi Russ,

I don't understand why an XmppAddr identifier type would have been strictly needed, since anyone could have put either an xmpp: URI or an im: URI into a SAN without any extensions (as a URI type).

 

I'm happy to go look at some old discussions, but I don't know the history.

Thanks,

-rohan

 

 

 

On Mon, Apr 15, 2024 at 11:28 AM Russ Housley <housley@vigilsec.com <mailto:housley@vigilsec.com> > wrote:

Rohan:

RFC 6120 defines the way to carry a client name (Jabber ID) in the subjectAltName extension.  Should this document be expanded to address subjectAltName as well as extended key usage?

Russ


> On Apr 15, 2024, at 2:18 PM, internet-drafts@ietf.org <mailto:internet-drafts@ietf.org>  wrote:
> 
> Internet-Draft draft-ietf-lamps-im-keyusage-00.txt is now available. It is a
> work item of the Limited Additional Mechanisms for PKIX and SMIME (LAMPS) WG
> of the IETF.
> 
>   Title:   X.509 Certificate Extended Key Usage (EKU) for Instant Messaging URIs
>   Author:  Rohan Mahy
>   Name:    draft-ietf-lamps-im-keyusage-00.txt
>   Pages:   5
>   Dates:   2024-04-15
> 
> Abstract:
> 
>   RFC 5280 specifies several extended key purpose identifiers
>   (KeyPurposeIds) for X.509 certificates.  This document defines
>   Instant Messaging (IM) identity KeyPurposeId for inclusion in the
>   Extended Key Usage (EKU) extension of X.509 v3 public key
>   certificates
> 
> The IETF datatracker status page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-lamps-im-keyusage/ <https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/draft-ietf-lamps-im-keyusage/__;!!FJ-Y8qCqXTj2!eOQUtDAA8uwHi6mlSlRXJVJrnm_r5CwAKy09oCl_Q3itf786AeEtm2xwcGhxxxWefFHr1_P4naZzm9xvxEoUKqOy538S$> 
> 
> There is also an HTML version available at:
> https://www.ietf.org/archive/id/draft-ietf-lamps-im-keyusage-00.html <https://urldefense.com/v3/__https:/www.ietf.org/archive/id/draft-ietf-lamps-im-keyusage-00.html__;!!FJ-Y8qCqXTj2!eOQUtDAA8uwHi6mlSlRXJVJrnm_r5CwAKy09oCl_Q3itf786AeEtm2xwcGhxxxWefFHr1_P4naZzm9xvxEoUKn1iEEOp$> 
> 
> Internet-Drafts are also available by rsync at:
> rsync.ietf.org::internet-drafts
> 
> 
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org <mailto:Spasm@ietf.org> 
> https://www.ietf.org/mailman/listinfo/spasm <https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/spasm__;!!FJ-Y8qCqXTj2!eOQUtDAA8uwHi6mlSlRXJVJrnm_r5CwAKy09oCl_Q3itf786AeEtm2xwcGhxxxWefFHr1_P4naZzm9xvxEoUKhkjFbRj$> 

_______________________________________________
Spasm mailing list
Spasm@ietf.org <mailto:Spasm@ietf.org> 
https://www.ietf.org/mailman/listinfo/spasm <https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/spasm__;!!FJ-Y8qCqXTj2!eOQUtDAA8uwHi6mlSlRXJVJrnm_r5CwAKy09oCl_Q3itf786AeEtm2xwcGhxxxWefFHr1_P4naZzm9xvxEoUKhkjFbRj$> 

 

 

Any email and files/attachments transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system. 



_______________________________________________
Spasm mailing list
Spasm@ietf.org <mailto:Spasm@ietf.org> 
https://www.ietf.org/mailman/listinfo/spasm <https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/spasm__;!!FJ-Y8qCqXTj2!fTAJ3wcdr6L5x_g1jpfx7Yw6DRfRuOs4sYlhtEaRlSd3-xBgorfSTJJ-Gn5QSWKcs5aC98DQXIWDOvyuThL8QO-CCWI$>

v2.23.0 | Report a Bug | By Email