Re: [lamps] Call for adoption for draft-ito-documentsigning-eku

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 17 August 2021 16:45 UTC

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: LAMPS WG <spasm@ietf.org>
In-Reply-To: <BE91DB62-683E-4AD6-9E0D-B11CCC247E5F@vigilsec.com>
References: <CD589623-52EE-4958-80AB-73F0CFB3A36E@vigilsec.com> <19561F5C-1EED-4D7E-81EB-210A2B47556C@vigilsec.com> <BE91DB62-683E-4AD6-9E0D-B11CCC247E5F@vigilsec.com>
Date: Tue, 17 Aug 2021 12:45:26 -0400
Message-ID: <87sfz8m34p.fsf@fifthhorseman.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/bDBjYJJHDH_n69-MbHZtbhNYex4>

On Mon 2021-08-16 16:39:01 -0400, Russ Housley wrote:
> Many people have spoken in support of this document, and two have spoken against.
>
> If it is to be adopted, an addition to the chart is needed:
>
>    The LAMPS WG will support new definitions of objects registered in the following
>    IANA registries: SMI Security for S/MIME Mail Security (1.2.840.113549.1.9.16)
>    and SMI Security for PKIX (1.3.6.1.5.5.7).
>
> What do people think about this approach?

The above strikes me as an extremely broad change to the charter,
permitting apparently arbitrary work within LAMPS as long as it manages
to touch those IANA registries.

Both objectors to and supporters of the proposed document-signing work
appear to be concerned about proliferation of Extended Key Usage (EKU)
OIDs with semantics that are ill-defined enough to produce interop
failures, and to potentially increase the costs of certificate
management.

I can see the need for a document-signing EKU that is neither for code
nor e-mail messages, and if relying party (RP) implementers are
interested in implementing an EKU check in specific contexts, I can see
the reason to adopt this work in LAMPS -- so long as the document under
WG control grows sufficient details to actually promote sensible
patterns of interoperability.  (Though if the RP implementers are mostly
found somewhere else, I have no objection to them coordinating in a
different standards-body setting to specify a doc-signing EKU.)

But opening the charter wide to encompass any work that happens to touch
one of the arcs mentioned above seems like writing a blank check.  Maybe
that's what the WG wants to do, but it doesn't look like it will help
the WG stay focused.

I'm not sure why the charter needs this particular update.  Would adding
"… in the direct service of the other goals in this charter" to the
proposed text satisfy the charter revision needs to consider this
document for adoption?  If so, it would help avoid looking like we're a
dumping ground for anyone who wants to try to claim a point in either of
these arcs for any particular topic.

      --dkg