Re: [lamps] Call for adoption for draft-ito-documentsigning-eku
Ryan Sleevi <ryan-ietf@sleevi.com> Thu, 29 July 2021 20:14 UTC
Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6FE0E3A086C for <spasm@ietfa.amsl.com>; Thu, 29 Jul 2021 13:14:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.644
X-Spam-Level:
X-Spam-Status: No, score=-1.644 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zHEA7C4a8oyh for <spasm@ietfa.amsl.com>; Thu, 29 Jul 2021 13:14:40 -0700 (PDT)
Received: from mail-pl1-f177.google.com (mail-pl1-f177.google.com [209.85.214.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F96D3A0868 for <spasm@ietf.org>; Thu, 29 Jul 2021 13:14:39 -0700 (PDT)
Received: by mail-pl1-f177.google.com with SMTP id t3so6194283plg.9 for <spasm@ietf.org>; Thu, 29 Jul 2021 13:14:39 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/ruV2/4va1kI1ARQzm9JsRri4zBRhd6YNB5mlgNlbRo=; b=IUWtCA3hgq833NpZLIsOacmFRKbav+Bom+rY+eq0YIGXSAG1QIUWDDHXSBMwpqAOc8 grjNiaewxm+FvXtewDnKvVCUXjt5/NtWP/mxjQFw+25S9khveAMGUmioZR/XTQAi4PZ3 kSVaLmlFhAoDm86mAYuPSNjzlvK6jsVzoB6GHnTGkWo/ZkxqdyPX0Bx78f16v1o6/5su H5qzOC4GOu/6VA9ajhcnkT8l/AlRHHXrqeK1yL6s/gkCx4FtMvG/y3CpjX4q15G2OyUI bBvcgrkCyY4s+pdMqaf9w1Lc5Rz9DxuTTZh5uF0Y1zsOgsbr6y2E5kYfUfklVx1BXJHq b+3A==
X-Gm-Message-State: AOAM5317ipbwi5XsUYOvIXg/jPBrh85Fg6FkVv9av1TBvwppxVtBY9Mm tjx+F8rKqpHO0Wc3tx2GN/4ZnV0JGz8=
X-Google-Smtp-Source: ABdhPJwG9GgUx0oYDp7D3T91TiR1jDvOwIZ81VP2BP7/BneUgj87ZBeRB4sIUc2oGAq0rk7wUtPosw==
X-Received: by 2002:a17:902:9a01:b029:11a:d4e:8f4 with SMTP id v1-20020a1709029a01b029011a0d4e08f4mr6184542plp.52.1627589679083; Thu, 29 Jul 2021 13:14:39 -0700 (PDT)
Received: from mail-pj1-f45.google.com (mail-pj1-f45.google.com. [209.85.216.45]) by smtp.gmail.com with ESMTPSA id e4sm5079834pgi.94.2021.07.29.13.14.38 for <spasm@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 29 Jul 2021 13:14:38 -0700 (PDT)
Received: by mail-pj1-f45.google.com with SMTP id mt6so11936314pjb.1 for <spasm@ietf.org>; Thu, 29 Jul 2021 13:14:38 -0700 (PDT)
X-Received: by 2002:a17:902:9a41:b029:12b:8e55:d2b1 with SMTP id x1-20020a1709029a41b029012b8e55d2b1mr6218962plv.78.1627589678570; Thu, 29 Jul 2021 13:14:38 -0700 (PDT)
MIME-Version: 1.0
References: <CD589623-52EE-4958-80AB-73F0CFB3A36E@vigilsec.com> <CAErg=HF_hcXO=9=KJh5EBEov4ybS_8g4xF=cANL9+83UvP0zvQ@mail.gmail.com> <adf86f46-093f-756f-8292-9b5e088f4344@lear.ch> <CAErg=HEUFV2F8R8g8e6yCDKz_e6RebNyB5Zb2Lvgn4oc3BtE-w@mail.gmail.com> <CO6PR14MB4468A7A5EB138542CEBA5D9CEAE99@CO6PR14MB4468.namprd14.prod.outlook.com> <CAErg=HH4aDgju=8C7Neq_4H19EX8S2inNd9fMAMYH3h95S48Rg@mail.gmail.com> <CO6PR14MB44688BC4188063BCA54E80C4EAE99@CO6PR14MB4468.namprd14.prod.outlook.com> <CAErg=HGDA+16N4xhgMvuQz25DqD+_nkiFC+OuAJMkFzYYqFV0w@mail.gmail.com> <2550c1c3-1400-b380-c9ad-dad59286feee@lear.ch> <CAErg=HGnKMNNyaf-=w+DmqfXg7XYbKD2Ah-WUxf96xNN5Ecikg@mail.gmail.com> <CAErg=HFVx5JTog5_aWOrx3vAm5o=LxHfwxEqkVM8FifYCm2P+A@mail.gmail.com> <CAGgd1OdcLujCJQOaTGvS_Hkqg1=pUP-5Mu=06kqkrgFU3fVG5g@mail.gmail.com> <CAErg=HGL-s2v9=5J64GnaaFxWN4QYWMUnDRPcpC0DN5XgM1-yw@mail.gmail.com> <CAGgd1OemU0qX1Wsmx7YPMTiexKz9hmhKj3c89iT3BcrahiUP8A@mail.gmail.com> <7F1B7734-6CC2-4BDB-B4E9-67E846197387@ll.mit.edu> <CAErg=HF4aXAf8R5hqxwmrHQo=Rs2szWiueRwx+g+DK-tRwQ=iw@mail.gmail.com> <32A91405-D391-49A4-8BE2-BE103F8369B8@redhoundsoftware.com>
In-Reply-To: <32A91405-D391-49A4-8BE2-BE103F8369B8@redhoundsoftware.com>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Thu, 29 Jul 2021 16:14:27 -0400
X-Gmail-Original-Message-ID: <CAErg=HG9zxevu4X7CaBhHL1Yuf=Uiwhi0-_k+H9-SfE+ZD=zZA@mail.gmail.com>
Message-ID: <CAErg=HG9zxevu4X7CaBhHL1Yuf=Uiwhi0-_k+H9-SfE+ZD=zZA@mail.gmail.com>
To: Carl Wallace <carl@redhoundsoftware.com>
Cc: Ryan Sleevi <ryan-ietf@sleevi.com>, "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>, LAMPS WG <spasm@ietf.org>, "Cooley, Dorothy E" <decoole@nsa.gov>, Deb Cooley <debcooley1@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000a1a21905c848c08a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/Kmz0oT7foahDSNBTwDT1S9cqlpU>
Subject: Re: [lamps] Call for adoption for draft-ito-documentsigning-eku
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Jul 2021 20:14:45 -0000
On Thu, Jul 29, 2021 at 2:18 PM Carl Wallace <carl@redhoundsoftware.com> wrote: > Do you share the same concerns regarding certificatePolicies? > > [CW] Isn’t this apples and oranges given there is nothing like > user-initial-policy-set for EKU? Maybe there should have been, but there > wasn’t. > No. It's a fair comparison for two points: 1) The concern about multiple certificates (with different EKUs) is just as applicable to multiple certificates (with different certificate policies). That is, if we accept certificatePolicies as designed (e.g. with user-initial-policy-set used by relying parties), then we're implicitly saying we accept multiple certificates. I'm aware of policyMappings as a way to try to reduce that, but that doesn't remove the multiple certificates risk. So if that's the angst for Uri, then it's an entirely unreasonable position to hold in light of RFC 5280. 2) The point is that, as widely implemented (e.g. in virtually every modern OSS library, as well as the widely used OS libraries), EKU functionally behaves as the user-initial-policy-set for the relying party application. That is, the industry has *not* widely adopted certificatePolicies for this purpose, and has long used EKU - predating the work of PKIX itself, initially through custom vendor-specific extensions (Netscape and Microsoft, respectively), and then through EKU. The "rough consensus and running code", as it were, already uses EKU as this set. So that's why the comparison here: We can disagree on abstract spec purism, but that doesn't reflect the implemented reality, and an argument against EKUs for fear of multiple certificates is logically inconsistent with the very design of RFC 5280, and so is equally irrational. If certificatePolicies are accepted as a RP-specific community attribute, then EKU poses no further additional risk for proliferation than certificatePolicies. And if they're somehow rejected, that's logically consistent a position, but inconsistent with the specification and reality.
- [lamps] Call for adoption for draft-ito-documents… Russ Housley
- Re: [lamps] Call for adoption for draft-ito-docum… Salz, Rich
- Re: [lamps] Call for adoption for draft-ito-docum… Eliot Lear
- Re: [lamps] Call for adoption for draft-ito-docum… Ryan Sleevi
- Re: [lamps] Call for adoption for draft-ito-docum… Tadahiko Ito
- Re: [lamps] Call for adoption for draft-ito-docum… Ryan Sleevi
- Re: [lamps] Call for adoption for draft-ito-docum… Eliot Lear
- Re: [lamps] Call for adoption for draft-ito-docum… Ryan Sleevi
- Re: [lamps] Call for adoption for draft-ito-docum… Blumenthal, Uri - 0553 - MITLL
- Re: [lamps] Call for adoption for draft-ito-docum… Tomofumi Okubo
- Re: [lamps] Call for adoption for draft-ito-docum… Ryan Sleevi
- Re: [lamps] Call for adoption for draft-ito-docum… Tomofumi Okubo
- Re: [lamps] Call for adoption for draft-ito-docum… Ryan Sleevi
- Re: [lamps] Call for adoption for draft-ito-docum… Eliot Lear
- Re: [lamps] Call for adoption for draft-ito-docum… Deb Cooley
- Re: [lamps] Call for adoption for draft-ito-docum… Ryan Sleevi
- Re: [lamps] Call for adoption for draft-ito-docum… Eliot Lear
- Re: [lamps] Call for adoption for draft-ito-docum… Ryan Sleevi
- Re: [lamps] Call for adoption for draft-ito-docum… Deb Cooley
- Re: [lamps] Call for adoption for draft-ito-docum… Ryan Sleevi
- Re: [lamps] Call for adoption for draft-ito-docum… Russ Housley
- Re: [lamps] Call for adoption for draft-ito-docum… Eliot Lear
- Re: [lamps] Call for adoption for draft-ito-docum… Santosh Chokhani
- Re: [lamps] Call for adoption for draft-ito-docum… Deb Cooley
- Re: [lamps] Call for adoption for draft-ito-docum… Blumenthal, Uri - 0553 - MITLL
- Re: [lamps] Call for adoption for draft-ito-docum… Ryan Sleevi
- Re: [lamps] Call for adoption for draft-ito-docum… Carl Wallace
- Re: [lamps] Call for adoption for draft-ito-docum… Blumenthal, Uri - 0553 - MITLL
- Re: [lamps] Call for adoption for draft-ito-docum… Ryan Sleevi
- Re: [lamps] Call for adoption for draft-ito-docum… Ryan Sleevi
- Re: [lamps] Call for adoption for draft-ito-docum… Carl Wallace
- Re: [lamps] Call for adoption for draft-ito-docum… Blumenthal, Uri - 0553 - MITLL
- Re: [lamps] Call for adoption for draft-ito-docum… Ryan Sleevi
- Re: [lamps] Call for adoption for draft-ito-docum… Carl Wallace
- Re: [lamps] Call for adoption for draft-ito-docum… Ryan Sleevi
- Re: [lamps] Call for adoption for draft-ito-docum… Carl Wallace
- Re: [lamps] Call for adoption for draft-ito-docum… Salz, Rich
- Re: [lamps] Call for adoption for draft-ito-docum… Ryan Sleevi
- Re: [lamps] Call for adoption for draft-ito-docum… Blumenthal, Uri - 0553 - MITLL
- Re: [lamps] Call for adoption for draft-ito-docum… Michael Richardson
- Re: [lamps] [EXTERNAL] Call for adoption for draf… Mike Ounsworth
- Re: [lamps] Call for adoption for draft-ito-docum… Russ Housley
- Re: [lamps] Call for adoption for draft-ito-docum… Daniel Kahn Gillmor
- Re: [lamps] Call for adoption for draft-ito-docum… Michael Richardson
- Re: [lamps] Call for adoption for draft-ito-docum… Russ Housley
- Re: [lamps] Call for adoption for draft-ito-docum… Ryan Sleevi
- Re: [lamps] Call for adoption for draft-ito-docum… Russ Housley
- Re: [lamps] [EXTERNAL] Re: Call for adoption for … Mike Ounsworth
- Re: [lamps] [EXTERNAL] Re: Call for adoption for … Russ Housley
- Re: [lamps] [EXTERNAL] Re: Call for adoption for … Mike Ounsworth
- Re: [lamps] Call for adoption for draft-ito-docum… Michael Richardson
- [lamps] Call for adoption for draft-ito-documents… Russ Housley
- Re: [lamps] Call for adoption for draft-ito-docum… Yoshiro YONEYA
- Re: [lamps] Call for adoption for draft-ito-docum… Corey Bonnell
- Re: [lamps] Call for adoption for draft-ito-docum… Brown, Wendy (10421)
- Re: [lamps] Call for adoption for draft-ito-docum… Stefan Santesson
- Re: [lamps] Call for adoption for draft-ito-docum… Tadahiko Ito
- Re: [lamps] Call for adoption for draft-ito-docum… Blumenthal, Uri - 0553 - MITLL
- Re: [lamps] Call for adoption for draft-ito-docum… Deb Cooley
- Re: [lamps] Call for adoption for draft-ito-docum… Blumenthal, Uri - 0553 - MITLL
- Re: [lamps] Call for adoption for draft-ito-docum… Deb Cooley
- Re: [lamps] Call for adoption for draft-ito-docum… Russ Housley
- Re: [lamps] Call for adoption for draft-ito-docum… Tadahiko Ito
- Re: [lamps] Call for adoption for draft-ito-docum… Russ Housley