IETF Logo Mail Archive

Re: [lamps] Call for adoption for draft-ito-documentsigning-eku

Ryan Sleevi <ryan-ietf@sleevi.com> Thu, 29 July 2021 20:14 UTC

Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6FE0E3A086C for <spasm@ietfa.amsl.com>; Thu, 29 Jul 2021 13:14:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.644
X-Spam-Level:
X-Spam-Status: No, score=-1.644 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zHEA7C4a8oyh for <spasm@ietfa.amsl.com>; Thu, 29 Jul 2021 13:14:40 -0700 (PDT)
Received: from mail-pl1-f177.google.com (mail-pl1-f177.google.com [209.85.214.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F96D3A0868 for <spasm@ietf.org>; Thu, 29 Jul 2021 13:14:39 -0700 (PDT)
Received: by mail-pl1-f177.google.com with SMTP id t3so6194283plg.9 for <spasm@ietf.org>; Thu, 29 Jul 2021 13:14:39 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/ruV2/4va1kI1ARQzm9JsRri4zBRhd6YNB5mlgNlbRo=; b=IUWtCA3hgq833NpZLIsOacmFRKbav+Bom+rY+eq0YIGXSAG1QIUWDDHXSBMwpqAOc8 grjNiaewxm+FvXtewDnKvVCUXjt5/NtWP/mxjQFw+25S9khveAMGUmioZR/XTQAi4PZ3 kSVaLmlFhAoDm86mAYuPSNjzlvK6jsVzoB6GHnTGkWo/ZkxqdyPX0Bx78f16v1o6/5su H5qzOC4GOu/6VA9ajhcnkT8l/AlRHHXrqeK1yL6s/gkCx4FtMvG/y3CpjX4q15G2OyUI bBvcgrkCyY4s+pdMqaf9w1Lc5Rz9DxuTTZh5uF0Y1zsOgsbr6y2E5kYfUfklVx1BXJHq b+3A==
X-Gm-Message-State: AOAM5317ipbwi5XsUYOvIXg/jPBrh85Fg6FkVv9av1TBvwppxVtBY9Mm tjx+F8rKqpHO0Wc3tx2GN/4ZnV0JGz8=
X-Google-Smtp-Source: ABdhPJwG9GgUx0oYDp7D3T91TiR1jDvOwIZ81VP2BP7/BneUgj87ZBeRB4sIUc2oGAq0rk7wUtPosw==
X-Received: by 2002:a17:902:9a01:b029:11a:d4e:8f4 with SMTP id v1-20020a1709029a01b029011a0d4e08f4mr6184542plp.52.1627589679083; Thu, 29 Jul 2021 13:14:39 -0700 (PDT)
Received: from mail-pj1-f45.google.com (mail-pj1-f45.google.com. [209.85.216.45]) by smtp.gmail.com with ESMTPSA id e4sm5079834pgi.94.2021.07.29.13.14.38 for <spasm@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 29 Jul 2021 13:14:38 -0700 (PDT)
Received: by mail-pj1-f45.google.com with SMTP id mt6so11936314pjb.1 for <spasm@ietf.org>; Thu, 29 Jul 2021 13:14:38 -0700 (PDT)
X-Received: by 2002:a17:902:9a41:b029:12b:8e55:d2b1 with SMTP id x1-20020a1709029a41b029012b8e55d2b1mr6218962plv.78.1627589678570; Thu, 29 Jul 2021 13:14:38 -0700 (PDT)
MIME-Version: 1.0
References: <CD589623-52EE-4958-80AB-73F0CFB3A36E@vigilsec.com> <CAErg=HF_hcXO=9=KJh5EBEov4ybS_8g4xF=cANL9+83UvP0zvQ@mail.gmail.com> <adf86f46-093f-756f-8292-9b5e088f4344@lear.ch> <CAErg=HEUFV2F8R8g8e6yCDKz_e6RebNyB5Zb2Lvgn4oc3BtE-w@mail.gmail.com> <CO6PR14MB4468A7A5EB138542CEBA5D9CEAE99@CO6PR14MB4468.namprd14.prod.outlook.com> <CAErg=HH4aDgju=8C7Neq_4H19EX8S2inNd9fMAMYH3h95S48Rg@mail.gmail.com> <CO6PR14MB44688BC4188063BCA54E80C4EAE99@CO6PR14MB4468.namprd14.prod.outlook.com> <CAErg=HGDA+16N4xhgMvuQz25DqD+_nkiFC+OuAJMkFzYYqFV0w@mail.gmail.com> <2550c1c3-1400-b380-c9ad-dad59286feee@lear.ch> <CAErg=HGnKMNNyaf-=w+DmqfXg7XYbKD2Ah-WUxf96xNN5Ecikg@mail.gmail.com> <CAErg=HFVx5JTog5_aWOrx3vAm5o=LxHfwxEqkVM8FifYCm2P+A@mail.gmail.com> <CAGgd1OdcLujCJQOaTGvS_Hkqg1=pUP-5Mu=06kqkrgFU3fVG5g@mail.gmail.com> <CAErg=HGL-s2v9=5J64GnaaFxWN4QYWMUnDRPcpC0DN5XgM1-yw@mail.gmail.com> <CAGgd1OemU0qX1Wsmx7YPMTiexKz9hmhKj3c89iT3BcrahiUP8A@mail.gmail.com> <7F1B7734-6CC2-4BDB-B4E9-67E846197387@ll.mit.edu> <CAErg=HF4aXAf8R5hqxwmrHQo=Rs2szWiueRwx+g+DK-tRwQ=iw@mail.gmail.com> <32A91405-D391-49A4-8BE2-BE103F8369B8@redhoundsoftware.com>
In-Reply-To: <32A91405-D391-49A4-8BE2-BE103F8369B8@redhoundsoftware.com>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Thu, 29 Jul 2021 16:14:27 -0400
X-Gmail-Original-Message-ID: <CAErg=HG9zxevu4X7CaBhHL1Yuf=Uiwhi0-_k+H9-SfE+ZD=zZA@mail.gmail.com>
Message-ID: <CAErg=HG9zxevu4X7CaBhHL1Yuf=Uiwhi0-_k+H9-SfE+ZD=zZA@mail.gmail.com>
To: Carl Wallace <carl@redhoundsoftware.com>
Cc: Ryan Sleevi <ryan-ietf@sleevi.com>, "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>, LAMPS WG <spasm@ietf.org>, "Cooley, Dorothy E" <decoole@nsa.gov>, Deb Cooley <debcooley1@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000a1a21905c848c08a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/Kmz0oT7foahDSNBTwDT1S9cqlpU>
Subject: Re: [lamps] Call for adoption for draft-ito-documentsigning-eku
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Jul 2021 20:14:45 -0000

On Thu, Jul 29, 2021 at 2:18 PM Carl Wallace <carl@redhoundsoftware.com>
wrote:

> Do you share the same concerns regarding certificatePolicies?
>
> [CW] Isn’t this apples and oranges given there is nothing like
> user-initial-policy-set for EKU? Maybe there should have been, but there
> wasn’t.
>

No.

It's a fair comparison for two points:

1) The concern about multiple certificates (with different EKUs) is just as
applicable to multiple certificates (with different certificate policies).
That is, if we accept certificatePolicies as designed (e.g. with
user-initial-policy-set used by relying parties), then we're implicitly
saying we accept multiple certificates. I'm aware of policyMappings as a
way to try to reduce that, but that doesn't remove the multiple
certificates risk. So if that's the angst for Uri, then it's an entirely
unreasonable position to hold in light of RFC 5280.

2) The point is that, as widely implemented (e.g. in virtually every modern
OSS library, as well as the widely used OS libraries), EKU functionally
behaves as the user-initial-policy-set for the relying party application.
That is, the industry has *not* widely adopted certificatePolicies for this
purpose, and has long used EKU - predating the work of PKIX itself,
initially through custom vendor-specific extensions (Netscape and
Microsoft, respectively), and then through EKU. The "rough consensus and
running code", as it were, already uses EKU as this set.

So that's why the comparison here: We can disagree on abstract spec purism,
but that doesn't reflect the implemented reality, and an argument against
EKUs for fear of multiple certificates is logically inconsistent with the
very design of RFC 5280, and so is equally irrational. If
certificatePolicies are accepted as a RP-specific community attribute, then
EKU poses no further additional risk for proliferation than
certificatePolicies. And if they're somehow rejected, that's logically
consistent a position, but inconsistent with the specification and reality.

v2.23.0 | Report a Bug | By Email