Re: [lamps] [EXTERNAL] Re: I-D Action: draft-ietf-lamps-im-keyusage-00.txt

Rohan Mahy <rohan.mahy@gmail.com> Wed, 17 April 2024 20:35 UTC

References: <171320513468.22285.6899802433610546466@ietfa.amsl.com> <B508131E-0554-471F-94FD-4AA2A0A95346@vigilsec.com> <CAKoiRuYCSwdzwKwSXdyLCNm5Z3DzzzLZzSyDO7DGWHTSeUj-fA@mail.gmail.com> <2E8965D1-F0D8-4947-8A6B-19B822EEFA4C@vigilsec.com> <CH0PR11MB5739FF2B9A378DF7ADFF24E69F082@CH0PR11MB5739.namprd11.prod.outlook.com> <CAKoiRuY5Caq_61+99RQiaRkeKUAou=fiLj+HadajzhwhLKOdAA@mail.gmail.com> <CH0PR11MB5739A5999D59A046D056812C9F0F2@CH0PR11MB5739.namprd11.prod.outlook.com> <CH0PR11MB5739690323861CECECA630AF9F0F2@CH0PR11MB5739.namprd11.prod.outlook.com> <0f7f609b-9283-4f59-bb32-375827d3e7a6@nthpermutation.com> <SN7PR14MB64927E6AB1914083C485E0EA830F2@SN7PR14MB6492.namprd14.prod.outlook.com> <CAKoiRuZeuDOG+Hm97mE2jwJ7w4gXjyvpTj7o3nOykQuufRDv_Q@mail.gmail.com> <f8d86a07-6008-4e8a-991a-ac879200b4cc@cs.tcd.ie> <CAKoiRubx4uQ_=USr2DXOHx6LYj9HsX9fNg7xxqF_b8WXexVEcQ@mail.gmail.com> <68fb3e14-701a-4bdf-a493-15038d4b8675@cs.tcd.ie>
In-Reply-To: <68fb3e14-701a-4bdf-a493-15038d4b8675@cs.tcd.ie>
From: Rohan Mahy <rohan.mahy@gmail.com>
Date: Wed, 17 Apr 2024 13:35:22 -0700
Message-ID: <CAKoiRuYwVcDpgJLZ8_4fmLAPNcrmikwNvQghgt3-sSwDBYY-Ow@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Tim Hollebeek <tim.hollebeek=40digicert.com@dmarc.ietf.org>, Michael StJohns <msj@nthpermutation.com>, "spasm@ietf.org" <spasm@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/Lwg8ssU11c1LFnRVf33wR5PIp6E>
Subject: Re: [lamps] [EXTERNAL] Re: I-D Action: draft-ietf-lamps-im-keyusage-00.txt

Inline.

On Wed, Apr 17, 2024 at 1:23 PM Stephen Farrell <stephen.farrell@cs.tcd.ie>
wrote:

> > Matrix clients could also enroll user @alice on the server
> > matrix.example.com with a certificate that uses this extended key usage.
> > When Bob's client receives Alice's certificate (ex: in MLS, in the
> > signaling that carries DoubleRatchet encryption, via some key
> > transparency protocol, etc), Bob can validate Alice's certificate.
>
> I'd still be concerned this kind of thing may make self-hosting
> harder, and would consider that a downside perhaps more important
> than the upside of enforcing a new EKU.
>

That's not what I expected. Could you elaborate a bit more on why that
would make self-hosting harder please?
I was motivated to write this because my experience was the opposite. The
feedback that I got repeatedly was "if we are going to set up a private CA
for IM user identities we need to make sure those certs won't be confused
with/interpreted as regular TLS certs" and related variations.

thanks,
-r
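The "won't be confused with regular TLS certs" point above rests on how RFC 5280 section 4.2.1.12 treats the ExtendedKeyUsage extension: a certificate with no EKU is unrestricted, while one that carries an EKU may only be used for the purposes it lists. The script below is an added example, not code from this thread, from the im-keyusage draft, or from any Matrix project. Using only the Python standard library it builds and parses a DER-encoded EKU extension and applies that rule, so a constructed IM-identity certificate fails a TLS server-auth check and a constructed TLS certificate fails the IM check, while an EKU-less certificate passes both (the confusion the private-CA feedback wants to avoid). The IM purpose OID `1.3.6.1.4.1.99999.1` is a placeholder, since the draft's real OID does not appear on this page; `permits`, `demo` and the other names are this example's own.

```python
# Added example; not from the LAMPS thread or the im-keyusage draft. Stdlib only.
# Builds/parses a DER ExtendedKeyUsage extension and applies the RFC 5280
# section 4.2.1.12 purpose rule. The IM OID is a PLACEHOLDER, not the draft's.

OID_EKU_EXTENSION = "2.5.29.37"
OID_ANY_EKU = "2.5.29.37.0"              # anyExtendedKeyUsage
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"    # id-kp-serverAuth
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"    # id-kp-clientAuth
OID_IM_IDENTITY = "1.3.6.1.4.1.99999.1"  # placeholder; the real OID is not on the page


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _read_tlv(buf, pos):
    """Return (tag, value, end) for the TLV that starts at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _expect(tag, want, what):
    if tag != want:
        raise ValueError(f"{what}: expected tag {want:#x}, got {tag:#x}")


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]       # first two arcs share one sub-identifier
    for arc in arcs[2:]:                 # base-128, high bit marks continuation
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _der_tlv(0x06, bytes(out))


def decode_oid(body):
    values, cur = [], 0
    for b in body:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            values.append(cur)
            cur = 0
    first = values[0]
    head = [2, first - 80] if first >= 80 else list(divmod(first, 40))
    return ".".join(str(v) for v in head + values[1:])


def encode_eku_extension(purposes, critical=False):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue }."""
    seq = _der_tlv(0x30, b"".join(encode_oid(p) for p in purposes))
    body = encode_oid(OID_EKU_EXTENSION)
    if critical:
        body += _der_tlv(0x01, b"\xff")  # DER TRUE; FALSE is omitted (DEFAULT)
    return _der_tlv(0x30, body + _der_tlv(0x04, seq))


def parse_eku_extension(der):
    """Return (critical, [dotted key-purpose OIDs]) from a DER EKU Extension."""
    tag, ext, _ = _read_tlv(der, 0)
    _expect(tag, 0x30, "Extension")
    tag, oid, pos = _read_tlv(ext, 0)
    _expect(tag, 0x06, "extnID")
    if decode_oid(oid) != OID_EKU_EXTENSION:
        raise ValueError("not an ExtendedKeyUsage extension")
    tag, val, pos = _read_tlv(ext, pos)
    critical = False
    if tag == 0x01:                      # optional critical BOOLEAN
        critical = val != b"\x00"
        tag, val, pos = _read_tlv(ext, pos)
    _expect(tag, 0x04, "extnValue")
    tag, seq, _ = _read_tlv(val, 0)
    _expect(tag, 0x30, "ExtKeyUsageSyntax")
    purposes, p = [], 0
    while p < len(seq):
        tag, oid, p = _read_tlv(seq, p)
        _expect(tag, 0x06, "KeyPurposeId")
        purposes.append(decode_oid(oid))
    return critical, purposes


def permits(eku_purposes, required, accept_any=False):
    """No EKU -> unrestricted. EKU present -> the purpose must be listed;
    anyExtendedKeyUsage counts only if the verifier opts in (RFC 5280 lets it refuse)."""
    if eku_purposes is None or required in eku_purposes:
        return True
    return accept_any and OID_ANY_EKU in eku_purposes


def demo():
    """Constructed EKU extensions for an IM-identity cert and a TLS cert."""
    _, im_eku = parse_eku_extension(encode_eku_extension([OID_IM_IDENTITY], critical=True))
    _, tls_eku = parse_eku_extension(encode_eku_extension([OID_SERVER_AUTH, OID_CLIENT_AUTH]))
    return {
        "im_cert_as_tls_server": permits(im_eku, OID_SERVER_AUTH),       # False
        "im_cert_as_im_identity": permits(im_eku, OID_IM_IDENTITY),      # True
        "tls_cert_as_im_identity": permits(tls_eku, OID_IM_IDENTITY),    # False
        "no_eku_cert_as_tls_server": permits(None, OID_SERVER_AUTH),     # True
    }
```

Running `demo()` gives the four results shown in the comments. The last one is the point of the private-CA feedback: without an EKU, nothing in the certificate itself stops a TLS stack from accepting an IM user certificate, so a relying party can only tell the two apart by policy outside the certificate.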