Re: [lamps] Paul Wouters' Discuss on draft-ietf-lamps-cmp-updates-21: (with DISCUSS and COMMENT)

"Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com> Tue, 28 June 2022 11:32 UTC

From: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
To: Carl Wallace <carl@redhoundsoftware.com>, Tomas Gustavsson <Tomas.Gustavsson@keyfactor.com>, Paul Wouters <paul.wouters@aiven.io>
CC: "draft-ietf-lamps-cmp-updates@ietf.org" <draft-ietf-lamps-cmp-updates@ietf.org>, "lamps-chairs@ietf.org" <lamps-chairs@ietf.org>, "spasm@ietf.org" <spasm@ietf.org>, "housley@vigilsec.com" <housley@vigilsec.com>
Date: Tue, 28 Jun 2022 11:31:55 +0000
Message-ID: <GV2PR10MB621042E0D9F2A41EA4A7A625FEB89@GV2PR10MB6210.EURPRD10.PROD.OUTLOOK.COM>
In-Reply-To: <B4A86599-EAC3-43B6-8E86-6797E8174281@redhoundsoftware.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/vEtxivxoQ_CFZWwXcs3apvelImY>

Carl

Thank you for your feedback and comment.

From: Carl Wallace <carl@redhoundsoftware.com>
Sent: Tuesday, 28 June 2022 13:22
To: Brockhaus, Hendrik (T CST SEA-DE) <hendrik.brockhaus@siemens.com>; Tomas Gustavsson <Tomas.Gustavsson@keyfactor.com>; Paul Wouters <paul.wouters@aiven.io>
Cc: draft-ietf-lamps-cmp-updates@ietf.org; lamps-chairs@ietf.org; spasm@ietf.org; housley@vigilsec.com
Subject: Re: Paul Wouters' Discuss on draft-ietf-lamps-cmp-updates-21: (with DISCUSS and COMMENT)

Inline…

From: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
Date: Friday, June 24, 2022 at 5:18 AM
To: Tomas Gustavsson <Tomas.Gustavsson@keyfactor.com>, Paul Wouters <paul.wouters@aiven.io>, Carl Wallace <carl@redhoundsoftware.com>
Cc: draft-ietf-lamps-cmp-updates@ietf.org, lamps-chairs@ietf.org, spasm@ietf.org, housley@vigilsec.com
Subject: Re: Paul Wouters' Discuss on draft-ietf-lamps-cmp-updates-21: (with DISCUSS and COMMENT)

Tomas

Thank you for your feedback.

Initially I wanted to go without any concrete recommendation regarding the validity. I only wanted to point out that an undefined validity is not recommended.
I believe it is not a CMP protocol issue to specify this max-validity, but it is up to the CA policy to do this.

When Paul asked for concrete guidance, the only guidance on server certificate validity I am aware of is the CAB Forum BR. And you are right, the recommendations change quite often. As this guidance is not normative text, I can live with it.

I could also completely drop the text on undefined validity regarding certificates containing these EKUs, including the newly introduced Security Consideration.
@Paul, Carl, what do you prefer?

[CW] I don’t see why the validity period concern should result in dropping the entire proposed new security consideration re: delegation via EKU. I thought the proposed section 8.7 text was a good addition even without the validity period paragraph (though disallowing indefinite notAfter where delegating these EKUs seemed like a good addition too).

[Hendrik]
I see your point. Probably I was too quick also removing the whole Security Consideration again.

Did I get your proposal right to add this section again to the draft?

New text:
2.25.  Add Section 8.7 - Authorizing requests for certificates with specific EKUs

   The following subsection addresses the security considerations to follow
   when authorizing requests for certificates containing specific EKUs.

   Insert this section after new Section 8.6:

   8.7.  Authorizing requests for certificates with specific EKUs

   When a CA issues a certificate containing extended key usage extensions as
   defined in Section 4.5, this expresses delegation of an authorization that
   originally is only with the CA certificate itself. Such delegation is a very sensitive
   action in a PKI and therefore special care must be taken when approving such
   certificate requests to ensure that only legitimate entities receive a certificate
   containing such an EKU.


Hendrik
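The proposed Section 8.7 tells a CA to take special care before approving a request for the EKUs that Section 4.5 refers to (id-kp-cmcCA and id-kp-cmcRA from RFC 6402, and id-kp-cmKGA), and the thread also discusses refusing an indefinite notAfter for such certificates. As an added example, not part of the draft and not code from anyone in this thread, the following shows what that approval check could look like on the RA/CA side: recognise the delegation EKUs in the requested ExtKeyUsageSyntax, require the requester to be on an explicit allow-list for each one, and reject the RFC 5280 "no well-defined expiry" notAfter (99991231235959Z) or a validity above a policy cap. The allow-list, requester names, the 825-day cap and the sample requests are hypothetical; the DER helpers are a minimal hand-written encoder/decoder rather than a library, and the OIDs are the real KeyPurposeId values.

```python
# Added example, not the draft's text nor code from the thread's authors: a policy check an
# RA or CA could apply to requests asking for the CMP delegation EKUs of cmp-updates Section 4.5.
from datetime import datetime, timezone
# KeyPurposeId OIDs: id-kp-cmcCA and id-kp-cmcRA (RFC 6402), id-kp-cmKGA (cmp-updates)
CMP_DELEGATION_EKUS = {"1.3.6.1.5.5.7.3.27": "cmcCA", "1.3.6.1.5.5.7.3.28": "cmcRA",
                       "1.3.6.1.5.5.7.3.32": "cmKGA"}
INDEFINITE_NOT_AFTER = "99991231235959Z"  # RFC 5280 4.1.2.5: "no well-defined expiry"

def der(tag, body):  # hand-written DER (no library); short-form length is enough for these values
    return bytes([tag, len(body)]) + body

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]  # base-128, high bit set on every byte but the last
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def der_seq(*items):
    return der(0x30, b"".join(items))

def der_read(buf, pos=0):  # one TLV, single-byte tag, short or long length
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    items, pos = [], 0
    while pos < len(body):
        tag, value, pos = der_read(body, pos)
        items.append((tag, value))
    return items

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0  # first octet packs the first two arcs
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_eku(eku_der):
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId -> list of dotted OIDs."""
    tag, body, _ = der_read(eku_der)
    children = der_children(body) if tag == 0x30 else []
    if not children or any(t != 0x06 for t, _ in children):
        raise ValueError("ExtKeyUsageSyntax must be a non-empty SEQUENCE OF OBJECT IDENTIFIER")
    return [decode_oid(v) for _, v in children]

def parse_time(tag, raw):
    text = raw.decode("ascii")
    if tag == 0x17:  # UTCTime YYMMDDHHMMSSZ; RFC 5280: YY >= 50 means 19YY, else 20YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != 0x18:
        raise ValueError("Time must be UTCTime or GeneralizedTime")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_validity(validity_der):
    """Validity ::= SEQUENCE { notBefore Time, notAfter Time } -> (nb, na, indefinite)."""
    tag, body, _ = der_read(validity_der)
    if tag != 0x30:
        raise ValueError("Validity must be a SEQUENCE")
    (t_nb, nb), (t_na, na) = der_children(body)
    indefinite = t_na == 0x18 and na == INDEFINITE_NOT_AFTER.encode("ascii")
    return parse_time(t_nb, nb), parse_time(t_na, na), indefinite

def check_request(requester, eku_der, validity_der, allow_list, max_days):
    """Return (approved, findings): a cmcCA/cmcRA/cmKGA EKU delegates CA authority, so it is
    approved only if the requester is allowed for each such EKU and the validity is bounded."""
    delegated = [o for o in parse_eku(eku_der) if o in CMP_DELEGATION_EKUS]
    if not delegated:
        return True, []  # no delegation EKU requested: ordinary issuance policy applies
    permitted = allow_list.get(requester, set())
    findings = [f"{requester} is not authorized for {CMP_DELEGATION_EKUS[o]} ({o})"
                for o in delegated if o not in permitted]
    not_before, not_after, indefinite = parse_validity(validity_der)
    days = (not_after - not_before).days
    if indefinite:
        findings.append("indefinite notAfter (99991231235959Z) is not allowed with delegation EKUs")
    elif days > max_days:
        findings.append(f"validity of {days} days exceeds the {max_days}-day cap")
    return not findings, findings

# Constructed sample policy and requests (hypothetical names and values)
ALLOW_LIST = {"ra-01.example.com": {"1.3.6.1.5.5.7.3.28"}}  # ra-01 may act as cmcRA only
MAX_DAYS = 825
EKU_RA = der_seq(der_oid("1.3.6.1.5.5.7.3.28"))
EKU_RA_KGA = der_seq(der_oid("1.3.6.1.5.5.7.3.28"), der_oid("1.3.6.1.5.5.7.3.32"))
VALIDITY_2Y = der_seq(der(0x17, b"220701000000Z"), der(0x18, b"20240630235959Z"))  # UTCTime, GeneralizedTime
VALIDITY_INDEFINITE = der_seq(der(0x18, b"20220701000000Z"), der(0x18, INDEFINITE_NOT_AFTER.encode("ascii")))
```

In a real deployment the EKU and Validity values would come from the CertTemplate of the incoming ir/cr/kur message rather than from the constants above, and the allow-list would be the CA's registration record of which requester has been vetted to act as RA, CA or KGA, with cmcCA normally having no default entry at all. The check refuses the request as soon as any delegation EKU is not explicitly permitted, and the validity rule applies only when a delegation EKU is present, so ordinary end-entity requests are left to the normal issuance policy.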