Re: [lamps] [EXTERNAL] Re: I-D Action: draft-ietf-lamps-im-keyusage-00.txt

Tomas Gustavsson <Tomas.Gustavsson@keyfactor.com> Thu, 18 April 2024 06:24 UTC

From: Tomas Gustavsson <Tomas.Gustavsson@keyfactor.com>
To: Rohan Mahy <rohan.mahy@gmail.com>, "Salz, Rich" <rsalz@akamai.com>
CC: "spasm@ietf.org" <spasm@ietf.org>
Date: Thu, 18 Apr 2024 06:24:03 +0000
Message-ID: <DU0PR03MB869660000AC1965BF022ECD0860E2@DU0PR03MB8696.eurprd03.prod.outlook.com>
References: <171320513468.22285.6899802433610546466@ietfa.amsl.com> <B508131E-0554-471F-94FD-4AA2A0A95346@vigilsec.com> <CAKoiRuYCSwdzwKwSXdyLCNm5Z3DzzzLZzSyDO7DGWHTSeUj-fA@mail.gmail.com> <2E8965D1-F0D8-4947-8A6B-19B822EEFA4C@vigilsec.com> <CH0PR11MB5739FF2B9A378DF7ADFF24E69F082@CH0PR11MB5739.namprd11.prod.outlook.com> <CAKoiRuY5Caq_61+99RQiaRkeKUAou=fiLj+HadajzhwhLKOdAA@mail.gmail.com> <CH0PR11MB5739A5999D59A046D056812C9F0F2@CH0PR11MB5739.namprd11.prod.outlook.com> <CH0PR11MB5739690323861CECECA630AF9F0F2@CH0PR11MB5739.namprd11.prod.outlook.com> <0f7f609b-9283-4f59-bb32-375827d3e7a6@nthpermutation.com> <SN7PR14MB64927E6AB1914083C485E0EA830F2@SN7PR14MB6492.namprd14.prod.outlook.com> <CAKoiRuZeuDOG+Hm97mE2jwJ7w4gXjyvpTj7o3nOykQuufRDv_Q@mail.gmail.com> <16632693-C3FB-4018-88B4-EFE7C0F2A85B@akamai.com> <CAKoiRuZGW691Fq-gKf_my53viicE7Fq056Y8oVQVnpTsGm3v9g@mail.gmail.com> <EB58BE46-DAA8-4A7B-B26F-C1A8FC652D8B@akamai.com> <616D42A2-7E6C-4089-8F90-4E9572E49FB5@akamai.com> <CAKoiRuYBg-JVi65NppkhRvB8JzpZf17MhbH1wqN0DeyLJ-kV-Q@mail.gmail.com>
In-Reply-To: <CAKoiRuYBg-JVi65NppkhRvB8JzpZf17MhbH1wqN0DeyLJ-kV-Q@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/Ic0BFVe8RMQSSvDnFYJL1_LLxvk>
Subject: Re: [lamps] [EXTERNAL] Re: I-D Action: draft-ietf-lamps-im-keyusage-00.txt
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>

From an implementor perspective, I like extended key usage, implementation-wise. It is dynamically configurable, just an OID in a list, and I have not experienced bad side effects.

I don't like custom DN attributes, which are much more work to add in a user-friendly way and can have many more unintended side effects.

Cheers,
Tomas

________________________________
From: Spasm <spasm-bounces@ietf.org> on behalf of Rohan Mahy <rohan.mahy@gmail.com>
Sent: Wednesday, April 17, 2024 11:21:00 PM
To: Salz, Rich <rsalz@akamai.com>
Cc: spasm@ietf.org <spasm@ietf.org>
Subject: Re: [lamps] [EXTERNAL] Re: I-D Action: draft-ietf-lamps-im-keyusage-00.txt

I used to work for Wire. Wire added custom automated cert enrollment to Smallstep's step-ca (an open-source certificate authority and enrollment server), and bundles it with Wire server. Adding this extended key usage could be deployed in step-ca solely via a change in certificate template configuration, and would satisfy concerns raised by specific customers. Requiring the extended key usage would require a small change to the client validation code.

MIMI will soon start considering specific credential formats, with X.509 and W3C Verifiable Credentials being two obvious contenders. If we use X.509, I believe this extended key usage will be a useful addition to the toolbag. Time will tell.

Thanks,
-rohan

On Wed, Apr 17, 2024 at 1:54 PM Salz, Rich <rsalz@akamai.com> wrote:

The target usage of an IM identity is not TLS, it is end-to-end encryption applications where a user or client (say Alice) wants to verify the identity of another user or client (say Bob), and often have no transport encryption link to.

Oops.  Yes, of course.  Sorry for the noise.

And I still would like a reply to my earlier question: Have any IM providers/vendors/open-source groups said they are interested in deploying this?
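Added example, not code from Wire, step-ca or the draft: the two halves that Tomas and Rohan describe above, the CA side where the new EKU is one more OID in the template's list, and the client side that requires it, written in Go (the language step-ca is built in) against the standard crypto/x509 package only. The OID used is a placeholder arc chosen for this example, not the value the draft assigns; the CA, the leaf certificates and the im: URI are all constructed in-process as test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// oidIMEKU stands in for the IM EKU; this arc is an assumption for the example.
var oidIMEKU = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 1}

// issue signs tmpl under parent (self-signs when parent is nil) and re-parses the DER.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// imLeafTemplate is the CA-side "template": the IM URI as a SAN plus an EKU list.
func imLeafTemplate(imURI *url.URL, ekus ...asn1.ObjectIdentifier) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "alice"},
		KeyUsage: x509.KeyUsageDigitalSignature, URIs: []*url.URL{imURI},
		// crypto/x509 has no enum for the IM EKU; on the wire it is one more OID in ExtKeyUsageSyntax.
		UnknownExtKeyUsage: ekus,
	}
}

// checkIMCert is the client-side check: chain to a trusted root, then require
// the IM EKU and a URI SAN equal to the identity being verified.
func checkIMCert(cert *x509.Certificate, roots *x509.CertPool, want *url.URL) error {
	// ExtKeyUsageAny: an empty KeyUsages would make Verify demand id-kp-serverAuth.
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	found := false
	for _, u := range cert.UnknownExtKeyUsage {
		found = found || u.Equal(oidIMEKU)
	}
	if !found {
		return fmt.Errorf("certificate lacks the IM extended key usage")
	}
	for _, u := range cert.URIs {
		if u.String() == want.String() {
			return nil
		}
	}
	return fmt.Errorf("no URI SAN matches %s", want)
}

// demo builds a throwaway CA and issues three leaves for one constructed IM URI
// (IM EKU, id-kp-clientAuth only, no EKU); it returns which ones the client accepted.
func demo() ([]bool, error) {
	ca, caKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example IM CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	alice := &url.URL{Scheme: "im", Opaque: "alice@example.com"}
	var accepted []bool
	for _, ekus := range [][]asn1.ObjectIdentifier{{oidIMEKU}, {{1, 3, 6, 1, 5, 5, 7, 3, 2}}, nil} {
		leaf, _, err := issue(imLeafTemplate(alice, ekus...), ca, caKey)
		if err != nil {
			return nil, err
		}
		accepted = append(accepted, checkIMCert(leaf, roots, alice) == nil)
	}
	return accepted, nil
}

func main() {
	accepted, err := demo()
	fmt.Println("accepted [IM EKU, clientAuth only, no EKU]:", accepted, "err:", err)
}
```

Two things are worth noticing. Go keeps EKU OIDs it does not recognise in UnknownExtKeyUsage, so the relying-party side is a loop over a list of OIDs rather than a new enum or a DN attribute parser. And crypto/x509's Verify defaults to requiring id-kp-serverAuth when KeyUsages is empty, which would reject an IM-only certificate before the IM check ever ran; passing ExtKeyUsageAny and then enforcing the IM OID explicitly is the kind of "small change to the client validation code" Rohan refers to.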