Re: [lamps] [EXTERNAL] Re: I-D Action: draft-ietf-lamps-im-keyusage-00.txt

Mike Ounsworth <Mike.Ounsworth@entrust.com> Tue, 16 April 2024 19:14 UTC


Hey Rohan,

I’m a novice on the IM topic, but I’ll provide a review of your document anyway (feel free to ignore).

The introduction mentions that the driving motivation is IM apps built on top of MLS, and then says “or others see: MIMI”. Are all IMs considered equal, or is it important to be able to say “This cert is for MikeGram, and that cert is for RohanChat?” I.e., would it be better if this draft created the specific EKUs that MIMI needs for the specific IM protocols that you’re designing now?

It would be good to expand the Security Considerations section to be clear about what security is gained by using the mechanism, including what the expectation is of verifiers who are looking for this EKU. Again, I think some discussion of using the same cert across different IM protocols would be good.

Why is it called id-kp-imUri? Why “Uri”? Perhaps this is clear in the MIMI arch docs, but it could use repeating here.

Typo? The IANA Considerations section asks for “id-kp-im-eku”, but the ASN.1 Module defines “id-mod-im-eku”. I think the latter is the better name, to indicate that this is the identifier of an ASN.1 module.

To Russ’ question about whether this draft should also cover SANs: the intro already says

“The subjectAltName of these certificates can be an IM URI, for example.”

Out of curiosity, which SAN type would be used for that?

---

Mike Ounsworth
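Mike's question about what a verifier looking for this EKU should expect, together with the xmpp:/im: URI SAN discussed further down the thread, as an added example that is not from the draft or from any poster: a dependency-free DER decoder for the ExtKeyUsage extension value and a sample verifier policy over it. The id-kp-imUri OID is a placeholder because the draft's assigned value is not quoted here, and the policy (explicit IM KeyPurposeId required, only im:/xmpp: URI SANs count) is an assumption, not the draft's text.

```python
from urllib.parse import urlsplit

# Placeholder arc: the draft's real id-kp-imUri value is not on this page.
ID_KP_IM_URI = "1.3.6.1.5.5.7.3.999"
IM_SCHEMES = ("im", "xmpp")

# Constructed sample: DER ExtKeyUsageSyntax (RFC 5280 4.2.1.12) carrying
# id-kp-clientAuth (1.3.6.1.5.5.7.3.2) and the placeholder IM KeyPurposeId.
SAMPLE_EKU = bytes.fromhex("3015" "06082b06010505070302" "06092b0601050507038767")

def _read_len(buf, i):
    """DER length at buf[i]; returns (length, index of first content octet)."""
    first, i = buf[i], i + 1
    if first < 0x80:
        return first, i
    n = first & 0x7F                       # long form: n further length octets
    return int.from_bytes(buf[i:i + n], "big"), i + n

def _decode_oid(body):
    """OBJECT IDENTIFIER content octets to dotted form.
    First octet packs the first two arcs (assumes second arc < 40)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)      # base-128, high bit = continuation
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def decode_eku(der):
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId -> list of dotted OIDs."""
    if der[0] != 0x30:
        raise ValueError("ExtKeyUsageSyntax must be a SEQUENCE")
    total, i = _read_len(der, 1)
    end, oids = i + total, []
    while i < end:
        if der[i] != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        n, i = _read_len(der, i + 1)
        oids.append(_decode_oid(der[i:i + n]))
        i += n
    if i != end:
        raise ValueError("trailing or truncated content in ExtKeyUsageSyntax")
    return oids

def im_identities(eku_der, san_uris):
    """Verifier policy (an assumption, not the draft's text): the IM KeyPurposeId
    must be asserted explicitly, and only URI-type SANs with an IM scheme count
    as the certified IM identity; every other SAN is ignored for this purpose."""
    if ID_KP_IM_URI not in decode_eku(eku_der):
        return []
    return [u for u in san_uris if urlsplit(u).scheme.lower() in IM_SCHEMES]
```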

 

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
Sent: Monday, April 15, 2024 4:22 PM
To: Rohan Mahy <rohan.ietf@gmail.com>
Cc: LAMPS <spasm@ietf.org>
Subject: [EXTERNAL] Re: [lamps] I-D Action: draft-ietf-lamps-im-keyusage-00.txt

I thought it was worth asking. I think the xmpp: URI in the SAN would be a very reasonable solution.

Russ

On Apr 15, 2024, at 4:49 PM, Rohan Mahy <rohan.mahy@gmail.com> wrote:

Hi Russ,

I don't understand why an XmppAddr identifier type would have been strictly needed, since anyone could have put either an xmpp: URI or an im: URI into a SAN without any extensions (as a URI type).

I'm happy to go look at some old discussions, but I don't know the history.

Thanks,

-rohan

On Mon, Apr 15, 2024 at 11:28 AM Russ Housley <housley@vigilsec.com> wrote:

Rohan:

RFC 6120 defines the way to carry a client name (Jabber ID) in the subjectAltName extension.  Should this document be expanded to address subjectAltName as well as extended key usage?

Russ


> On Apr 15, 2024, at 2:18 PM, internet-drafts@ietf.org wrote:
> 
> Internet-Draft draft-ietf-lamps-im-keyusage-00.txt is now available. It is a
> work item of the Limited Additional Mechanisms for PKIX and SMIME (LAMPS) WG
> of the IETF.
> 
>   Title:   X.509 Certificate Extended Key Usage (EKU) for Instant Messaging URIs
>   Author:  Rohan Mahy
>   Name:    draft-ietf-lamps-im-keyusage-00.txt
>   Pages:   5
>   Dates:   2024-04-15
> 
> Abstract:
> 
>   RFC 5280 specifies several extended key purpose identifiers
>   (KeyPurposeIds) for X.509 certificates.  This document defines
>   Instant Messaging (IM) identity KeyPurposeId for inclusion in the
>   Extended Key Usage (EKU) extension of X.509 v3 public key
>   certificates
> 
> The IETF datatracker status page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-lamps-im-keyusage/
> 
> There is also an HTML version available at:
> https://www.ietf.org/archive/id/draft-ietf-lamps-im-keyusage-00.html
> 
> Internet-Drafts are also available by rsync at:
> rsync.ietf.org::internet-drafts
> 
> 
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm
