IETF Logo Mail Archive

Re: [lamps] Paul Wouters' Discuss on draft-ietf-lamps-cmp-updates-21: (with DISCUSS and COMMENT)

Carl Wallace <carl@redhoundsoftware.com> Tue, 28 June 2022 11:33 UTC

Return-Path: <carl@redhoundsoftware.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60F54C13A23D for <spasm@ietfa.amsl.com>; Tue, 28 Jun 2022 04:33:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhoundsoftware.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 44Hi6vfxOENE for <spasm@ietfa.amsl.com>; Tue, 28 Jun 2022 04:33:40 -0700 (PDT)
Received: from mail-qv1-xf2c.google.com (mail-qv1-xf2c.google.com [IPv6:2607:f8b0:4864:20::f2c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6268FC15C7DD for <spasm@ietf.org>; Tue, 28 Jun 2022 04:33:40 -0700 (PDT)
Received: by mail-qv1-xf2c.google.com with SMTP id o43so19500627qvo.4 for <spasm@ietf.org>; Tue, 28 Jun 2022 04:33:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhoundsoftware.com; s=google; h=user-agent:date:subject:from:to:cc:message-id:thread-topic :references:in-reply-to:mime-version; bh=hRSLza8GXCDqSnEu3M7OlKxRyQrfTJ7AMGCkooN7X+g=; b=Wtje3vZWkMvdOvGeLK6ApKP0HaURegLs5R/hOzRHzFaN11GB8lV5dVWY2oJd3M6gq/ +F5m9I39i3e90VP+GeEhQx+B4hLT5NlJG5nCYwRzQr9xG1D2L1SsTTfmDH27FVP53yiR 0YQJjB+ioFfm4KiceVx1iZWCy2oH67P+Q0nu8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:user-agent:date:subject:from:to:cc:message-id :thread-topic:references:in-reply-to:mime-version; bh=hRSLza8GXCDqSnEu3M7OlKxRyQrfTJ7AMGCkooN7X+g=; b=GcIyY4HY3D8YaiEkQtPRcfwvAJr3dElP4hg4P+c/8bgZ63XEWz3p9CBVMaWdspmwBP gjQrdqjpIGmnAhUVHLtLXhYQDrQFtmJi2QAh5ex8q37RkjcSOFOeRDZWYl6ol2gK7sGG PR1gS6NC0SF4KsS5kwAUTy4d8nYP9zXB61Ff4QibcvmQRFQMFLxj4oC2p3Pehyyohjny C1Wo0a3pGseu9AA8Q8Z0fKfEiqnwO2isV9sui5VqGlSadKg8iFFxWtGjvMyH97Vn4BmX kDZYaJjlsdlTSQoW8tMUQAQpYLw6GZVdy3AaPvHH4cJvaak6ZsExlQ+wuPkz00kKatTy x1hA==
X-Gm-Message-State: AJIora/limcEXgez01CwBi/NE8kQwC2F/gE65HfG1eT02tSnqZqbD4Fk icy2udCj4ucemz0CZtmVTkRhFw==
X-Google-Smtp-Source: AGRyM1sBfq9vxfoRPIlqQUde6Cl7ubcO/TEU09ncB8cp3VZGaQiL5VIWIHL9rhzz9u/NyiyfIg3BPA==
X-Received: by 2002:ac8:578d:0:b0:31a:e1d7:952a with SMTP id v13-20020ac8578d000000b0031ae1d7952amr5914443qta.103.1656416019155; Tue, 28 Jun 2022 04:33:39 -0700 (PDT)
Received: from [192.168.2.16] (pool-173-66-83-240.washdc.fios.verizon.net. [173.66.83.240]) by smtp.gmail.com with ESMTPSA id x8-20020a05620a258800b006a75a0ffc97sm11102255qko.3.2022.06.28.04.33.38 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 28 Jun 2022 04:33:38 -0700 (PDT)
User-Agent: Microsoft-MacOutlook/16.62.22061100
Date: Tue, 28 Jun 2022 07:33:38 -0400
From: Carl Wallace <carl@redhoundsoftware.com>
To: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>, Tomas Gustavsson <Tomas.Gustavsson@keyfactor.com>, Paul Wouters <paul.wouters@aiven.io>
CC: "draft-ietf-lamps-cmp-updates@ietf.org" <draft-ietf-lamps-cmp-updates@ietf.org>, "lamps-chairs@ietf.org" <lamps-chairs@ietf.org>, "spasm@ietf.org" <spasm@ietf.org>, "housley@vigilsec.com" <housley@vigilsec.com>
Message-ID: <7A1C89B2-99EC-4D40-A757-A8333E5A7123@redhoundsoftware.com>
Thread-Topic: Paul Wouters' Discuss on draft-ietf-lamps-cmp-updates-21: (with DISCUSS and COMMENT)
References: <165488656549.33195.4087333678068665768@ietfa.amsl.com> <GV2PR10MB6210808831831E3E5110C9C9FEB59@GV2PR10MB6210.EURPRD10.PROD.OUTLOOK.COM> <CAGL5yWa=gcCcfpd9zEp6oZv0W_-P8Ze65VCW3Mw8aGH7MT0g-Q@mail.gmail.com> <GV2PR10MB62100E94B687A840DDA5E8CCFEB49@GV2PR10MB6210.EURPRD10.PROD.OUTLOOK.COM> <DU0PR03MB8696FA97410775D2CAEA7D4486B49@DU0PR03MB8696.eurprd03.prod.outlook.com> <GV2PR10MB6210A06E4A75EB19C7B5C60FFEB49@GV2PR10MB6210.EURPRD10.PROD.OUTLOOK.COM> <B4A86599-EAC3-43B6-8E86-6797E8174281@redhoundsoftware.com> <GV2PR10MB621042E0D9F2A41EA4A7A625FEB89@GV2PR10MB6210.EURPRD10.PROD.OUTLOOK.COM>
In-Reply-To: <GV2PR10MB621042E0D9F2A41EA4A7A625FEB89@GV2PR10MB6210.EURPRD10.PROD.OUTLOOK.COM>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3739246418_1457066388"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/ccLKveZGM-Ldr0Qbd13njQfwuvc>
Subject: Re: [lamps] Paul Wouters' Discuss on draft-ietf-lamps-cmp-updates-21: (with DISCUSS and COMMENT)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jun 2022 11:33:44 -0000

Yes, putting the new section back with the paragraph you reference below is what I was suggesting.

 

From: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
Date: Tuesday, June 28, 2022 at 7:31 AM
To: Carl Wallace <carl@redhoundsoftware.com>, Tomas Gustavsson <Tomas.Gustavsson@keyfactor.com>, Paul Wouters <paul.wouters@aiven.io>
Cc: "draft-ietf-lamps-cmp-updates@ietf.org" <draft-ietf-lamps-cmp-updates@ietf.org>, "lamps-chairs@ietf.org" <lamps-chairs@ietf.org>, "spasm@ietf.org" <spasm@ietf.org>, "housley@vigilsec.com" <housley@vigilsec.com>
Subject: AW: Paul Wouters' Discuss on draft-ietf-lamps-cmp-updates-21: (with DISCUSS and COMMENT)

 

Carl

 

Thank you for your feedback and comment.

 

Von: Carl Wallace <carl@redhoundsoftware.com> 
Gesendet: Dienstag, 28. Juni 2022 13:22
An: Brockhaus, Hendrik (T CST SEA-DE) <hendrik.brockhaus@siemens.com>; Tomas Gustavsson <Tomas.Gustavsson@keyfactor.com>; Paul Wouters <paul.wouters@aiven.io>
Cc: draft-ietf-lamps-cmp-updates@ietf.org; lamps-chairs@ietf.org; spasm@ietf.org; housley@vigilsec.com
Betreff: Re: Paul Wouters' Discuss on draft-ietf-lamps-cmp-updates-21: (with DISCUSS and COMMENT)

 

Inline…

 

From: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
Date: Friday, June 24, 2022 at 5:18 AM
To: Tomas Gustavsson <Tomas.Gustavsson@keyfactor.com>, Paul Wouters <paul.wouters@aiven.io>, Carl Wallace <carl@redhoundsoftware.com>
Cc: "draft-ietf-lamps-cmp-updates@ietf.org" <draft-ietf-lamps-cmp-updates@ietf.org>, "lamps-chairs@ietf.org" <lamps-chairs@ietf.org>, "spasm@ietf.org" <spasm@ietf.org>, "housley@vigilsec.com" <housley@vigilsec.com>
Subject: AW: Paul Wouters' Discuss on draft-ietf-lamps-cmp-updates-21: (with DISCUSS and COMMENT)

 

Tomas

 

Thank you for your feedback.

 

Initially I wanted to go without any concrete recommendation regarding the validity. I only wanted to point out the an undefined validity is not recommended.

I believe, it is not a CMP protocol issue to specify this max-validity, but it is up to the CA policy to do this.

 

When Paul asked for a concrete guidance, the only guidance on server certificate validity I am aware of is the CAB Forum BR. And you are right, the recommendations change quite often. As this guidance in not normative text, I can live with it.

 

I could also completely drop the text on undefined validity regarding certificates containing theses EKUs, including the newly introduced Security Consideration.

@Paul, Carl, what do you prefer?

 

[CW] I don’t see why the validity period concern should result in dropping the entire proposed new security consideration re: delegation via EKU. I thought the proposed section 8.7 text was a good addition even without the validity period paragraph (though disallowing indefinite notAfter where delegating these EKUs seemed like a good addition too).

 

[Hendrik]

I see your point. Probably I was too quick also removing the whole Security Consideration again.

 

Did I get your proposal right to add this section again to the draft?

 

New text:

2.25.  Add Section 8.7 - Authorizing requests for certificates with specific EKUs

   The following subsection addresses the security considerations to follow
   when authorizing requests for certificates containing specific EKUs.

   Insert this section after new Section 8.6:

   8.7.  Authorizing requests for certificates with specific EKUs

   When a CA issues a certificate containing extended key usage extensions as
   defined in Section 4.5, this expresses delegation of an authorization that
   originally is only with the CA certificate itself. Such delegation is a very sensitive
   action in a PKI and therefore special care must be taken when approving such
   certificate requests to ensure that only legitimate entities receive a certificate
   containing such an EKU.

 

 

Hendrik

v2.23.0 | Report a Bug | By Email