Re: [lamps] I-D Action: draft-ietf-lamps-8410-ku-clarifications-00.txt
Corey Bonnell <Corey.Bonnell@digicert.com> Fri, 25 March 2022 12:22 UTC
From: Corey Bonnell <Corey.Bonnell@digicert.com>
To: Sean Turner <sean@sn3rd.com>
CC: SPASM <spasm@ietf.org>
Date: Fri, 25 Mar 2022 12:21:52 +0000
Message-ID: <DM6PR14MB218663E6DE9B04A03287AE84921A9@DM6PR14MB2186.namprd14.prod.outlook.com>
References: <164817288285.30519.6466200484239941325@ietfa.amsl.com> <C43AC9C7-E616-4D8B-815B-658A632498CF@sn3rd.com> <DM6PR14MB218639CC518A2F43C60DB314921A9@DM6PR14MB2186.namprd14.prod.outlook.com> <74D95966-EA0D-45A2-A3FC-9D91F211275B@sn3rd.com>
In-Reply-To: <74D95966-EA0D-45A2-A3FC-9D91F211275B@sn3rd.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/L1XK-_PHhR_a5eUY4r0ZKtYe5xo>
Hi Sean,

That proposal sounds good to me.

Thanks,
Corey

-----Original Message-----
From: Sean Turner <sean@sn3rd.com>
Sent: Friday, March 25, 2022 7:43 AM
To: Corey Bonnell <Corey.Bonnell@digicert.com>
Cc: SPASM <spasm@ietf.org>
Subject: Re: [lamps] I-D Action: draft-ietf-lamps-8410-ku-clarifications-00.txt

Corey,

How about make it align exactly with RFC3279 and add "or CRL issuer":

If the keyUsage extension is present in an end-entity or CRL issuer certificate that indicates id-Ed25519 or id-Ed448 in SubjectPublicKeyInfo, then the keyUsage extension MUST include at least one of the following:

nonRepudiation;
digitalSignature; and
cRLSign;

spt

PS: And so ends the concern about sending a -00 to the IESG :)

> On Mar 25, 2022, at 06:54, Corey Bonnell <Corey.Bonnell@digicert.com> wrote:
>
> Hi Sean,
> Section 3 says:
>
> "If the keyUsage extension is present in an end-entity certificate
> that indicates id-Ed25519 or id-Ed448 in SubjectPublicKeyInfo, then
> the keyUsage extension MUST contain one or both of the following:
>
> nonRepudiation; and
> digitalSignature;
>
> the following MAY also be present:
>
> cRLSign;"
>
>
> In the case of CRL issuer certificates, it is acceptable to solely
> include "cRLSign"; the NR/DS bits are not needed. I suggest rewording
> this passage to:
>
> "If the keyUsage extension is present in an end-entity certificate
> that indicates id-Ed25519 or id-Ed448 in SubjectPublicKeyInfo, then
> the keyUsage extension MUST include at least one of the following:
>
> nonRepudiation;
> digitalSignature; and
> cRLSign;"
>
> Thanks,
> Corey
>
>
> -----Original Message-----
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Sean Turner
> Sent: Friday, March 25, 2022 6:42 AM
> To: SPASM <spasm@ietf.org>
> Subject: Re: [lamps] I-D Action: draft-ietf-lamps-8410-ku-clarifications-00.txt
>
> Hi! This is the initial WG version. The only diff from the individual -01 is the editorial correction noted on list:
> https://www.ietf.org/rfcdiff?url1=draft-mtis-lamps-8410-ku-clarifications&url2=https://lamps-wg.github.io/8410-ku-clarifications/draft-ietf-lamps-8410-ku-clarifications.txt
>
> Cheers,
> spt
>
>> On Mar 24, 2022, at 21:48, internet-drafts@ietf.org wrote:
>>
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>> This draft is a work item of the Limited Additional Mechanisms for PKIX and SMIME WG of the IETF.
>>
>> Title : Clarifications for Ed25519, Ed448, X25519, and X448 Algorithm Identifiers
>> Authors : Sean Turner
>> Simon Josefsson
>> Daniel McCarney
>> Tadahiko Ito
>> Filename : draft-ietf-lamps-8410-ku-clarifications-00.txt
>> Pages : 5
>> Date : 2022-03-24
>>
>> Abstract:
>> This document updates RFC 8410 to clarify existing and specify
>> missing semantics for key usage bits when used in certificates that
>> support the Ed25519, Ed448, X25519, and X448 Elliptic Curve
>> Cryptography algorithms.
>>
>>
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-lamps-8410-ku-clarifications/
>>
>> There is also an HTML version available at:
>> https://www.ietf.org/archive/id/draft-ietf-lamps-8410-ku-clarifications-00.html
>>
>>
>> Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
>>
>>
>> _______________________________________________
>> Spasm mailing list
>> Spasm@ietf.org
>> https://www.ietf.org/mailman/listinfo/spasm
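The difference between the -00 wording and the wording proposed in the thread is easiest to see by running both rules over real KeyUsage encodings. The following is an added example, not code from the draft or from anyone in the thread: it decodes a DER KeyUsage BIT STRING by hand (no external libraries) for a certificate whose SubjectPublicKeyInfo is assumed to carry id-Ed25519 or id-Ed448, and checks it against both wordings; the sample encodings are constructed.

```python
"""Check an Ed25519/Ed448 certificate's KeyUsage against both wordings.

Added example; the DER samples below are constructed, not taken from any
real certificate. Assumes the caller has already confirmed that the
SubjectPublicKeyInfo algorithm is id-Ed25519 or id-Ed448.
"""

# RFC 5280 KeyUsage bit positions (bit 0 is the MSB of the first byte).
KU_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}


def decode_key_usage(der: bytes) -> set:
    """Decode a short-form DER KeyUsage BIT STRING into its set of bit names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("bad or long-form length")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bits count")
    if body and body[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero (DER)")
    nbits = len(body) * 8 - unused
    return {name for name, pos in KU_BITS.items()
            if pos < nbits and body[pos // 8] & (0x80 >> (pos % 8))}


def ku_ok_draft00(ku: set) -> bool:
    """-00 text: MUST contain nonRepudiation and/or digitalSignature."""
    return bool(ku & {"nonRepudiation", "digitalSignature"})


def ku_ok_proposed(ku: set) -> bool:
    """Proposed text (aligned with RFC 3279): at least one of NR, DS, cRLSign."""
    return bool(ku & {"nonRepudiation", "digitalSignature", "cRLSign"})


# Constructed, DER-minimal encodings (trailing zero bits dropped).
SAMPLES = {
    "digitalSignature only": bytes.fromhex("03020780"),
    "nonRepudiation + digitalSignature": bytes.fromhex("030206c0"),
    "cRLSign only (CRL issuer cert)": bytes.fromhex("03020102"),
    "keyAgreement only": bytes.fromhex("03020308"),
}


def evaluate(der: bytes) -> dict:
    """Return the decoded bits and the verdict under each wording."""
    ku = decode_key_usage(der)
    return {"bits": sorted(ku), "draft00": ku_ok_draft00(ku),
            "proposed": ku_ok_proposed(ku)}


if __name__ == "__main__":
    for label, der in SAMPLES.items():
        print(f"{label:36} {evaluate(der)}")
```

The cRLSign-only sample is the case Corey raises: it fails the -00 wording but passes the proposed one, while a keyAgreement-only encoding fails both.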