IETF Logo Mail Archive

Re: [lamps] Call for adoption for draft-ito-documentsigning-eku

Tomofumi Okubo <tomofumi.okubo@digicert.com> Tue, 27 July 2021 19:33 UTC

Return-Path: <tomofumi.okubo@digicert.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D5B93A0CEA for <spasm@ietfa.amsl.com>; Tue, 27 Jul 2021 12:33:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.548
X-Spam-Level:
X-Spam-Status: No, score=-2.548 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.452, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=digicert.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tp2fmnP4DJqa for <spasm@ietfa.amsl.com>; Tue, 27 Jul 2021 12:33:32 -0700 (PDT)
Received: from us-smtp-delivery-173.mimecast.com (us-smtp-delivery-173.mimecast.com [170.10.133.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 60B963A0CDA for <spasm@ietf.org>; Tue, 27 Jul 2021 12:33:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digicert.com; s=mimecast20190124; t=1627414410; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=sZRfPHYiWxkcAwVsjztqfxLSxyoolFy1Crrd2vmP9HY=; b=ZbkvEKppbzim/8Wm1x57pXfVPnQ/jhtRezF9T7iX1w+pQvAtBPunjBh2rXjpMGUQMdO11v Dpk4fdNkU57pWLK2FeGs8rhdnHsdSLhe6+IWKCDJ2hmqteMAvyurimvPCE9Gszq+MmRdKF lJLrLWPlwSo9n6zbL73flBgLvV9pxyo=
Received: from NAM10-MW2-obe.outbound.protection.outlook.com (mail-mw2nam10lp2107.outbound.protection.outlook.com [104.47.55.107]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-100-tAmshS8INJSVTc7jIxZvGg-1; Tue, 27 Jul 2021 15:33:29 -0400
X-MC-Unique: tAmshS8INJSVTc7jIxZvGg-1
Received: from CO6PR14MB4468.namprd14.prod.outlook.com (2603:10b6:5:341::18) by CO6PR14MB4449.namprd14.prod.outlook.com (2603:10b6:5:34a::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4352.26; Tue, 27 Jul 2021 19:33:26 +0000
Received: from CO6PR14MB4468.namprd14.prod.outlook.com ([fe80::446f:6607:41a1:d345]) by CO6PR14MB4468.namprd14.prod.outlook.com ([fe80::446f:6607:41a1:d345%9]) with mapi id 15.20.4352.032; Tue, 27 Jul 2021 19:33:26 +0000
From: Tomofumi Okubo <tomofumi.okubo@digicert.com>
To: Ryan Sleevi <ryan-ietf@sleevi.com>, Eliot Lear <lear@lear.ch>
CC: LAMPS WG <spasm@ietf.org>, Russ Housley <housley@vigilsec.com>
Thread-Topic: [lamps] Call for adoption for draft-ito-documentsigning-eku
Thread-Index: AQHXgmt0QMupuIW3ykGko7ZvhDnMWqtWBoCAgADxBwCAAAmlgIAANNYw
Date: Tue, 27 Jul 2021 19:33:26 +0000
Message-ID: <CO6PR14MB4468A7A5EB138542CEBA5D9CEAE99@CO6PR14MB4468.namprd14.prod.outlook.com>
References: <CD589623-52EE-4958-80AB-73F0CFB3A36E@vigilsec.com> <CAErg=HF_hcXO=9=KJh5EBEov4ybS_8g4xF=cANL9+83UvP0zvQ@mail.gmail.com> <adf86f46-093f-756f-8292-9b5e088f4344@lear.ch> <CAErg=HEUFV2F8R8g8e6yCDKz_e6RebNyB5Zb2Lvgn4oc3BtE-w@mail.gmail.com>
In-Reply-To: <CAErg=HEUFV2F8R8g8e6yCDKz_e6RebNyB5Zb2Lvgn4oc3BtE-w@mail.gmail.com>
Accept-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: b0f8e700-04a0-4dd7-ede2-08d9513567bd
x-ms-traffictypediagnostic: CO6PR14MB4449:
x-microsoft-antispam-prvs: <CO6PR14MB444939473944EB2AEA7ECD85EAE99@CO6PR14MB4449.namprd14.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0
x-microsoft-antispam-message-info: XNVzuqf+qFEwV/slxwLa2a6gFP83rzBKrOWGijQ4tOe31CydlAoPy/zgS+piceG+Ok1J6oSlUuodpPbabcndDVYnSXkfRJu+BUtJuwJitbHq6zI46gTiDSN5XZ052DCp8MDHjb/i0VLREARM66F4wj9kZlLR9/umplTc2nzKHGIaXknZB/XkeTcV45A8DH9wc5oL9yNoVHkclQW5W98ornZXZDPLKjpspoF4/8lWqgZc2Bh0EXeAsqwAGSeM2lSF2OlRZ2MVU2VOt/cDEfY8ac40jgkdkqPEJ7igwkiIyM7/gIFY6cHV4T+Is27q36JI3nKeQrP+q1w412v4mmurnoli3pFMYAruhb0HCKb83DgvBhdrawxSdXnmkNWn79T7EyusL5BjcxTjM/PISHjTee+6d+kppMjTJ/R3szjd7dDCoaB+groEK82b+f4rdGGEEopXrOHFMSGpcYK4BDFjbnkGv2zT2A9R0Wc90ZqFJwB4jeJg2xAjtmnLINvaS8a8xSh+XWhgxCcWhrJxRhrkStnppWOORqwz0q+EwDVvGudS5GAlg1wJmFJnG4ZU8ifyoyb06NamVVdVfoZFBD8XbvchD4ZOVNJvwt03vLzwVd+4Z7eAWW6H4fc9EXt6TBltlTW3SHsTqUm2HSRaxlcl3rdgQyWixDHWxuQmS1jVSm1SQrDwWudp3vGHd4bwuNpwre+4EWyDqdrdHPCBLM/mOA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CO6PR14MB4468.namprd14.prod.outlook.com; PTR:; CAT:NONE; SFS:(396003)(346002)(136003)(39850400004)(366004)(376002)(478600001)(122000001)(4326008)(33656002)(6506007)(8936002)(53546011)(71200400001)(5660300002)(52536014)(54906003)(110136005)(2906002)(55016002)(38100700002)(7696005)(316002)(83380400001)(8676002)(64756008)(66556008)(66446008)(186003)(66946007)(66476007)(26005)(66574015)(44832011)(76116006)(9686003)(86362001)(38070700005); DIR:OUT; SFP:1102
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: xnEeemo56Hrf3kDBiW3nnM/3nwy3AtmrrKfDrMLNHksJ4XRY2Wc3orfX7evY0tGhKPlcVi9kFZxgagaPUE9iscfWs68noFQjoaXfmIT8XTkbfN1V2naOnki+CaBkeIZiGR9HUZbCT/9oNifZoCkr3lNYlaY7ULxWNaQitLjzCCC94gLkLs5VxDx7OLLTBx/YzBhohYKn4MaSqSAtLMqRFm+lz5Vcu1YexArRWlKD4H/3NeWjOl7JDM9mcCnK9qgWb2i4xr2Z84yFfsYhbwosEVK6zuFWViPZ35K495nUqsACPlA0XJCi1+jHGTHBtteWe5qxUBKg8tS1kqqJkcZp4NQEuIyXgQr88N/SRitS/bLHMzqB67EbnUJrWsINuUA0KFoknKGsWzAY8hqTEZnBJ8OhzJie9kow2IqWPot8F+iOwuzEf1mph7vQZ+E2HSMS6wyMC0RTNhe0XMtNgee2fQdXbaer9CatGBxyRqc2wOKWYy+DQs3oKhOvRsBZUDRQqel3FTXvSeEmmv4uYd0Ms/AO2XnJbdxZWSRs1iMtVMLWajbSMOrVOo475ky2stMsI121rm/E+tJB1TmLd2CGCdMs8pdcQJ4B5/0731QPWwKgLEVdmuIOQwZy6922BoMuEDuae1b32pXMB8hFzi9Pb47WgJSffWHoG/PZG4Ro0tADc8qxId87RrLQ0GkODf7bY0ypQ9Obn4V41cL7KIZneKLIXgPCjJuRMJByNgKyC2cVcL2jQFaZImeqweJrokDP2jAoYosdXOU3jsFhRc5h1x3e4xrU0MKmfjRMf/8sDiV+0MuoUI7b5YAny/9D+YYuKJIfpaDedzUjFJtoEUahrFML+WwTevnKHNgcJPrn4d9wBEkQ9/gfeo/eQtlRodgyjtGJVjTrznxhC4lkn/adzE9j9ajbXYWvGP8Nf2KLHqig7iDHfg94rQ38eiNNiXPY6PkG5Hdx7E7rVL1t3Ac/F+DfKwtY1ksiZcpD4aK3PSB2Idst0yToNhuDmLHGQMIG95X9rtbmvkPOGiP77wIbp/zHBQGDtmN/pjvSf/yn3p0o8Nc0/zClzhQx9EWlAX87NKCFjsOY9P0PbiA8w4Yzd9t8402m4QGgiqfODMJlU/SDdJLhiyFHEGRUDbbJX3A/cFuEpMWIHlGmIZecYTXYmLIo3LfEmPEbtlyPFR4gJMQ3XFAE+W8pbZpOnzmK3M9vUJy1XdzTDrAqjMAsglIMrQa4MyIqvzUPy87/vJJUx7YbpZh3Lgk/9QmJEfxUsF5FgDP7mWMu5YPeM4FgF9iZ/gGDltLfpcYexTpDHapUr7tI3vAnO2/GXliSqJSxpj6V
x-ms-exchange-transport-forked: True
MIME-Version: 1.0
X-OriginatorOrg: digicert.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CO6PR14MB4468.namprd14.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: b0f8e700-04a0-4dd7-ede2-08d9513567bd
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Jul 2021 19:33:26.3072 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf813fa1-bde5-4e75-9479-f6aaa8b1f284
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: AS6PB8fH/7P25nKVzqBoAH7k9Dp8CtFBxkX994SycuDflHnKT+ViaqU7UR2X+IjElFMREx8xNMngPiij6EreruX80Lh6vDbE2sQHju+1ilQ=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO6PR14MB4449
Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA73A393 smtp.mailfrom=tomofumi.okubo@digicert.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: digicert.com
Content-Language: en-US
Content-Type: multipart/alternative; boundary="_000_CO6PR14MB4468A7A5EB138542CEBA5D9CEAE99CO6PR14MB4468namp_"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/HzOEz5_maeq-J2kz7hT7CMVxqPA>
Subject: Re: [lamps] Call for adoption for draft-ito-documentsigning-eku
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Jul 2021 19:33:38 -0000

Thanks for the input Ryan.
We intend to add a section that addresses how the relying party can tell whether the EKU applies to a particular situation.
Cheers,
Tomofumi

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Ryan Sleevi
Sent: Wednesday, July 28, 2021 1:18 AM
To: Eliot Lear <lear@lear.ch>
Cc: Ryan Sleevi <ryan-ietf@sleevi.com>; LAMPS WG <spasm@ietf.org>; Russ Housley <housley@vigilsec.com>
Subject: Re: [lamps] Call for adoption for draft-ito-documentsigning-eku



On Tue, Jul 27, 2021 at 11:44 AM Eliot Lear <lear@lear.ch<mailto:lear@lear.ch>> wrote:

CAs can barely handle three.  Adding one more will be challenging enough, which is why I asked if there was an intent to deploy by CAs, and the answer was, “yes”.
I don't think it's appropriate at all to generically refer to CAs like this, given that we have ample industry evidence to the contrary. It equally seems to be mistaken of the concerns to think that it's a question about what the CA deploys, since this is a question of and for relying party applications.

On (1), RFC 5280 was written prior to the requirement for explicit IANA policies, but there is no basis to believe that a protocol is required to establish an EKU.
This is a very broad statement, and it's unclear if you're requesting to understand more of the historic basis for the {Extended, Enhanced} Key {Usage, Purpose} and its historic evolution. As the brackets note - this is a field that has had many names through its evolution, and while you're entirely right that RFC 7299 post-dates RFC 5280 and the previous work (e.g. ipki-part1-05 borrowing the field from ISO), and you can certainly examine the contemporary discussions around the intersection with keyUsage.

Finally, we do not want a requirement for more specific EKUs (or any other extension) to become a barrier to deployment.  In the end that just makes it less practical to use certificates.  If you're reading this as, “the CAs can't/won't keep up”, then you've understood my message.
Again, I believe it's misguided to speak of "the CAs" without speaking to the trust framework; your "CAs" are not my "CAs", and that's perfectly fine and working as intended. I understand and appreciate your sensitivities of concern with manual certificate management and the use of legacy smart cards; however, these concerns do not generically extend to all certificates or all CAs, nor are they sufficient to justify IANA/IETF action.

This document "could" be entirely reasonable as an Individual Submission; while that does not at all redeem its flaws, it also reflects the reality that what's being proposed here is explicitly not something that can or should be used in an interoperable way. It certainly, in its present form, explicitly conflicts with the objectives set forth in RFC 5280, Section 2.2:

   The goal of the Internet Public Key Infrastructure (PKI) is to meet
   the needs of deterministic, automated identification, authentication,
   access control, and authorization functions.  Support for these
   services determines the attributes contained in the certificate as
   well as the ancillary control information in the certificate such as
   policy data and certification path constraints.

Namely, that the objective of this EKU is, as stated, for non-deterministic, manual identification of certificates. This further contradicts Section 2.3's goal of ensuring the specification recognizes "the limitations in sophistication and attentiveness of the users themselves".

Concretely, our disagreement appears to be this: When faced with the question of a hypothetical new EKU, do the specifications provide sufficient guidance to relying party applications to make an automated determination about whether or not the use is appropriate or not? Explicitly, it does not: it does not provide a way, for example, to distinguish whether this "XMLDSig" signed thing is permitted, no more than it permits this "PDF-via-CMS" or "PDF-with-CMS" is permitted. It does not provide any further insight into either the CA's intended capability for the named subject, nor to the relying parties expectations of that capability, and intentionally so. A relying party application instead is expected to treat this as abstract, to be determined by each application whether or not it's appropriate, creating a fundamental disconnect between any CA that tries to issue such certificates and any relying party attempting to use them.

The solution for this disconnect is simple: relying parties and CAs to agree on semantics that are unambiguous as to what is acceptable or not. This is true with or without IANA/IETF action, as reflected by deployed reality.

v2.23.0 | Report a Bug | By Email