IETF Logo Mail Archive

Re: [lamps] Call for adoption for draft-ito-documentsigning-eku

Carl Wallace <carl@redhoundsoftware.com> Thu, 29 July 2021 20:27 UTC

Return-Path: <carl@redhoundsoftware.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB7B43A094B for <spasm@ietfa.amsl.com>; Thu, 29 Jul 2021 13:27:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhoundsoftware.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UKBa6mAAMMru for <spasm@ietfa.amsl.com>; Thu, 29 Jul 2021 13:27:31 -0700 (PDT)
Received: from mail-qk1-x72e.google.com (mail-qk1-x72e.google.com [IPv6:2607:f8b0:4864:20::72e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 30D0B3A094A for <spasm@ietf.org>; Thu, 29 Jul 2021 13:27:30 -0700 (PDT)
Received: by mail-qk1-x72e.google.com with SMTP id x3so7265297qkl.6 for <spasm@ietf.org>; Thu, 29 Jul 2021 13:27:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhoundsoftware.com; s=google; h=user-agent:date:subject:from:to:cc:message-id:thread-topic :references:in-reply-to:mime-version; bh=5L8o0SfR5pv3F0Nbr4fpSAO+Msmt7uZTV0Ikw/6OQUk=; b=xRatg7WltweKUyz5+ZaJ4SNvOqQWNhtTCiyvMR8IGxLWaehgbDpjdAzmOO+1kojDt/ 6FIScTiPBLsbiuMuaHjKVodSkBNvQ+1cbbI2KAjLyfo0aFZE++p/h7PldcyQwqVqm0L5 O902UmnM1A3NOtHiArldE7Rkiy5DOEV56IpUY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:user-agent:date:subject:from:to:cc:message-id :thread-topic:references:in-reply-to:mime-version; bh=5L8o0SfR5pv3F0Nbr4fpSAO+Msmt7uZTV0Ikw/6OQUk=; b=eD6h/Ktn7dzY7BctcqecWroJ5+1qXyceBPCff4txSgp3D2cHboNyO6X9WDDQ6uUpK1 dUZEXIICWmh3iP34J9qg221Lc0+4IdCg246QQ6nq69JrmrZyuS1BcXQuZTwkZwR1gzPL UKonF6kLIm4V2NcM9vB1RsirVck6ZNFK6Aa3A/NUYIwclXsQMZG+EvIqfMP4ap45utFY 3iwNbe9wOvKXbBZqUb8TMq731xajMSytYwCnmVSVYQckTlDeYakGvm27b5kd73OLArMB i9XvPOrVn/KG/G+GH8akJPnY1cZiC7LLSSoAWPHv+HPQDz5lkxOvUigE+xUtpf0b7OBX /9aA==
X-Gm-Message-State: AOAM532UplMYMoURdY5mHkF0lT79MrLj7yBviZtVUEqGb3q3k2/rO2PI QtPtsitMCaXbJeKYTxX2+kezFw==
X-Google-Smtp-Source: ABdhPJzxyKYhlnr+Y6tzkxDtk9rUzKSE41RFxtmleOfwZr8UgsUyshopySdD27Blo4Wv/1aPCTiikA==
X-Received: by 2002:a05:620a:1242:: with SMTP id a2mr7059536qkl.443.1627590449372; Thu, 29 Jul 2021 13:27:29 -0700 (PDT)
Received: from [192.168.2.16] (pool-173-73-191-214.washdc.fios.verizon.net. [173.73.191.214]) by smtp.gmail.com with ESMTPSA id s3sm2298640qke.85.2021.07.29.13.27.28 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 29 Jul 2021 13:27:28 -0700 (PDT)
User-Agent: Microsoft-MacOutlook/16.51.21071101
Date: Thu, 29 Jul 2021 16:27:28 -0400
From: Carl Wallace <carl@redhoundsoftware.com>
To: Ryan Sleevi <ryan-ietf@sleevi.com>
CC: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>, LAMPS WG <spasm@ietf.org>, "Cooley, Dorothy E" <decoole@nsa.gov>, Deb Cooley <debcooley1@gmail.com>
Message-ID: <D1591BA0-6B43-4C80-A693-86140BA24897@redhoundsoftware.com>
Thread-Topic: [lamps] Call for adoption for draft-ito-documentsigning-eku
References: <CD589623-52EE-4958-80AB-73F0CFB3A36E@vigilsec.com> <CAErg=HF_hcXO=9=KJh5EBEov4ybS_8g4xF=cANL9+83UvP0zvQ@mail.gmail.com> <adf86f46-093f-756f-8292-9b5e088f4344@lear.ch> <CAErg=HEUFV2F8R8g8e6yCDKz_e6RebNyB5Zb2Lvgn4oc3BtE-w@mail.gmail.com> <CO6PR14MB4468A7A5EB138542CEBA5D9CEAE99@CO6PR14MB4468.namprd14.prod.outlook.com> <CAErg=HH4aDgju=8C7Neq_4H19EX8S2inNd9fMAMYH3h95S48Rg@mail.gmail.com> <CO6PR14MB44688BC4188063BCA54E80C4EAE99@CO6PR14MB4468.namprd14.prod.outlook.com> <CAErg=HGDA+16N4xhgMvuQz25DqD+_nkiFC+OuAJMkFzYYqFV0w@mail.gmail.com> <2550c1c3-1400-b380-c9ad-dad59286feee@lear.ch> <CAErg=HGnKMNNyaf-=w+DmqfXg7XYbKD2Ah-WUxf96xNN5Ecikg@mail.gmail.com> <CAErg=HFVx5JTog5_aWOrx3vAm5o=LxHfwxEqkVM8FifYCm2P+A@mail.gmail.com> <CAGgd1OdcLujCJQOaTGvS_Hkqg1=pUP-5Mu=06kqkrgFU3fVG5g@mail.gmail.com> <CAErg=HGL-s2v9=5J64GnaaFxWN4QYWMUnDRPcpC0DN5XgM1-yw@mail.gmail.com> <CAGgd1OemU0qX1Wsmx7YPMTiexKz9hmhKj3c89iT3BcrahiUP8A@mail.gmail.com> <7F1B7734-6CC2-4BDB-B4E9-67E846197387@ll.mit.edu> <CAErg=HF4aXAf8R5hqxwmrHQo=Rs2szWiueRwx+g+DK-tRwQ=iw@mail.gmail.com> <32A91405-D391-49A4-8BE2-BE103F8369B8@redhoundsoftware.com> <CAErg=HG9zxevu4X7CaBhHL1Yuf=Uiwhi0-_k+H9-SfE+ZD=zZA@mail.gmail.com>
In-Reply-To: <CAErg=HG9zxevu4X7CaBhHL1Yuf=Uiwhi0-_k+H9-SfE+ZD=zZA@mail.gmail.com>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3710420848_1126268137"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/QFIZxk1v2hEXSdBPaTPmm0HPMSU>
Subject: Re: [lamps] Call for adoption for draft-ito-documentsigning-eku
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Jul 2021 20:27:36 -0000

<snip>

2) The point is that, as widely implemented (e.g. in virtually every modern OSS library, as well as the widely used OS libraries), EKU functionally behaves as the user-initial-policy-set for the relying party application. That is, the industry has not widely adopted certificatePolicies for this purpose, and has long used EKU - predating the work of PKIX itself, initially through custom vendor-specific extensions (Netscape and Microsoft, respectively), and then through EKU. The "rough consensus and running code", as it were, already uses EKU as this set.

 

So that's why the comparison here: We can disagree on abstract spec purism, but that doesn't reflect the implemented reality, and an argument against EKUs for fear of multiple certificates is logically inconsistent with the very design of RFC 5280, and so is equally irrational. If certificatePolicies are accepted as a RP-specific community attribute, then EKU poses no further additional risk for proliferation than certificatePolicies. And if they're somehow rejected, that's logically consistent a position, but inconsistent with the specification and reality.

 

[CW] Then write *that* spec so that we cut out the folklore stuff and all work from the same sheet of music. It’s not abstract spec “purism”, it’s what the spec says. Make it say something different.

v2.23.0 | Report a Bug | By Email