Re: [lamps] Document Signing EKU

Michael Richardson <mcr+ietf@sandelman.ca> Mon, 26 July 2021 21:58 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: LAMPS <spasm@ietf.org>
In-Reply-To: <CAGgd1OdFj3xJitTeWgbc1Lc8j2WfOJrBh3fRjb=fn7L2PQmSZQ@mail.gmail.com>
References: <33645B15-4906-4E1F-8134-201D40C4502F@sn3rd.com> <871r87gxm5.fsf@fifthhorseman.net> <858878ef-552a-3052-06e1-e574b360a075@lear.ch> <102b3a49-bbca-e806-bd6f-32ffe9ba894c@lear.ch> <7DAA171E-A6FC-45C7-B4D2-D43F6EE81CFC@ll.mit.edu> <5d9fd7a2-6a32-f1ee-b088-c1cfc8eae4d0@von-Oheimb.de> <7C1A8312-3E9E-4B71-8339-7617CEA4B5BE@ll.mit.edu> <e53cff4f-2131-9d86-463d-8104ecbb8d97@von-Oheimb.de> <87y2abfn7u.fsf@fifthhorseman.net> <cd91d512-620c-36e2-250a-e95f4da4e5ad@lear.ch> <87pmvmeykj.fsf@fifthhorseman.net> <E3D049B3-4309-4E75-90D7-E36F0B46FE88@deployingradius.com> <44405C85-DD9B-427F-93A7-1F8300F3357B@ll.mit.edu> <CAErg=HFgrOCzhrh9_c+OV9J-vFxKfsE7BGm9_ObKjeZ_=_ppPA@mail.gmail.com> <87fswgfvrc.fsf@fifthhorseman.net> <DCEF8DB8-2647-417A-93AB-03B85E4AE565@ll.mit.edu> <CAErg=HFCKMf0T77WsdbEZXyZgxde1KDo7RKXYeF9m14xPRsD_Q@mail.gmail.com> <1126FADA-FFB6-48B0-9913-A55076028C2C@ll.mit.edu> <6a41a50e-f81d-e695-b034-8ebc7a64c991@lear.ch> <CAGgd1OdFj3xJitTeWgbc1Lc8j2WfOJrBh3fRjb=fn7L2PQmSZQ@mail.gmail.com>
Date: Mon, 26 Jul 2021 17:58:02 -0400
Message-ID: <7175.1627336682@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/MeIGW2TNO6GgBSUIBcIawfwrgVc>
Subject: Re: [lamps] Document Signing EKU

    > On Thu, Jul 15, 2021 at 12:44 AM Eliot Lear <lear@lear.ch> wrote:
    >> bingo.  That'd be a really good discussion to have.
    >> On 15.07.21 05:43, Blumenthal, Uri - 0553 - MITLL wrote:
    >>
    >> ➢ Certs - and keys - are cheap, whether they’re for meat people, legal people, or machine people.
    >>
    >> Certs are cheap. Managing them, unfortunately, is not.

If I may summarize my understanding:

1) some people say that we should never mix certificates for multiple uses.
   That EKUs are good, because they force people to mint new certificates
   for new uses.

2) other people point out that while integers are infinite, managing the
   certificates comes at a significant cost, and so allowing people to
   use the same certificate for multiple things is good.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide