Re: [lamps] Call for adoption for draft-ito-documentsigning-eku

Ryan Sleevi <ryan-ietf@sleevi.com> Thu, 29 July 2021 20:16 UTC

References: <CD589623-52EE-4958-80AB-73F0CFB3A36E@vigilsec.com> <CAErg=HF_hcXO=9=KJh5EBEov4ybS_8g4xF=cANL9+83UvP0zvQ@mail.gmail.com> <adf86f46-093f-756f-8292-9b5e088f4344@lear.ch> <CAErg=HEUFV2F8R8g8e6yCDKz_e6RebNyB5Zb2Lvgn4oc3BtE-w@mail.gmail.com> <CO6PR14MB4468A7A5EB138542CEBA5D9CEAE99@CO6PR14MB4468.namprd14.prod.outlook.com> <CAErg=HH4aDgju=8C7Neq_4H19EX8S2inNd9fMAMYH3h95S48Rg@mail.gmail.com> <CO6PR14MB44688BC4188063BCA54E80C4EAE99@CO6PR14MB4468.namprd14.prod.outlook.com> <CAErg=HGDA+16N4xhgMvuQz25DqD+_nkiFC+OuAJMkFzYYqFV0w@mail.gmail.com> <2550c1c3-1400-b380-c9ad-dad59286feee@lear.ch> <CAErg=HGnKMNNyaf-=w+DmqfXg7XYbKD2Ah-WUxf96xNN5Ecikg@mail.gmail.com> <CAErg=HFVx5JTog5_aWOrx3vAm5o=LxHfwxEqkVM8FifYCm2P+A@mail.gmail.com> <CAGgd1OdcLujCJQOaTGvS_Hkqg1=pUP-5Mu=06kqkrgFU3fVG5g@mail.gmail.com> <CAErg=HGL-s2v9=5J64GnaaFxWN4QYWMUnDRPcpC0DN5XgM1-yw@mail.gmail.com> <CAGgd1OemU0qX1Wsmx7YPMTiexKz9hmhKj3c89iT3BcrahiUP8A@mail.gmail.com> <7F1B7734-6CC2-4BDB-B4E9-67E846197387@ll.mit.edu> <CAErg=HF4aXAf8R5hqxwmrHQo=Rs2szWiueRwx+g+DK-tRwQ=iw@mail.gmail.com> <AE094786-3902-40B5-B9FA-2629788B2F0F@ll.mit.edu>
In-Reply-To: <AE094786-3902-40B5-B9FA-2629788B2F0F@ll.mit.edu>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Thu, 29 Jul 2021 16:16:26 -0400
X-Gmail-Original-Message-ID: <CAErg=HFmBupU78TZ+P4Q4GUQvR_=T3uJyor-zywuYP1buJswrg@mail.gmail.com>
Message-ID: <CAErg=HFmBupU78TZ+P4Q4GUQvR_=T3uJyor-zywuYP1buJswrg@mail.gmail.com>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
Cc: Ryan Sleevi <ryan-ietf@sleevi.com>, LAMPS WG <spasm@ietf.org>, "Cooley, Dorothy E" <decoole@nsa.gov>, Deb Cooley <debcooley1@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/fO-1WfoTWY8PctG8-lJyxR4GW-4>
Subject: Re: [lamps] Call for adoption for draft-ito-documentsigning-eku

On Thu, Jul 29, 2021 at 2:37 PM Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu> wrote:

>
> As a matter of fact, I do not [share the same concerns], and here’s why:
>
>    - *KU* usually is marked Critical, and *everybody* is expected to
>    correctly grok it or die;
>    - *EKU* is *sometimes* marked Critical, and everybody *should* grok it
>    correctly – there’s a reasonably small set of them, covering *reasonable*
>    expected use cases;
>    - *Certificate policies* are *rarely* marked Critical; they cover
>    <whatever>, very often admin-domain-specific, and if an app cannot grok it
>    – the common practice is “just ignore and proceed”.
>
This is not an accurate reflection of what EKU is, then. This at least
helps me understand the disconnect, which is a misunderstanding about EKU
and its semantics, at least in terms of what implementation reality
reflects.
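The three bullets quoted above describe how a relying application treats KU, EKU and certificate policies. The following is an added example written for this archive page, not code from either participant: a self-contained DER walker that applies the RFC 5280 section 4.2 processing rule (an unrecognised critical extension forces rejection, an unrecognised non-critical one is ignored) and then checks the EKU for the purpose the application actually needs, run over a hand-built Extensions block. The standard OIDs are the RFC 5280 values; the two `1.2.3.4.5.x` OIDs, the sample extensions and the accepted-policy set are constructed placeholders.

```python
# Added example for RFC 5280 s4.2 extension processing; not from the thread.
# The sample Extensions block and the 1.2.3.4.5.x OIDs are constructed.

# ---------- minimal DER encoder (used only to build the sample input) ----------

def _length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])      # first two arcs share one octet
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                                  # base-128, high bit on all but last
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))

def extension(extn_oid, value, critical=False):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }."""
    crit = tlv(0x01, b"\xff") if critical else b""  # DEFAULT value is omitted in DER
    return tlv(0x30, encode_oid(extn_oid) + crit + tlv(0x04, value))

# ---------- minimal DER decoder ----------

def read_tlv(buf, pos=0):
    """Return (tag, contents, position just after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def sequence_of_oids(value):
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId (an OID each)."""
    _, seq, _ = read_tlv(value)
    oids, pos = [], 0
    while pos < len(seq):
        _, body, pos = read_tlv(seq, pos)
        oids.append(decode_oid(body))
    return oids

def policy_oids(value):
    """certificatePolicies ::= SEQUENCE OF PolicyInformation; the OID comes first in each."""
    _, seq, _ = read_tlv(value)
    oids, pos = [], 0
    while pos < len(seq):
        _, info, pos = read_tlv(seq, pos)
        _, oid_body, _ = read_tlv(info)
        oids.append(decode_oid(oid_body))
    return oids

def parse_extensions(der):
    """Yield (oid, critical, extnValue contents) from Extensions ::= SEQUENCE OF Extension."""
    _, seq, _ = read_tlv(der)
    pos = 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        _, oid_body, p = read_tlv(ext)
        tag, body, p = read_tlv(ext, p)
        critical = False
        if tag == 0x01:                              # optional BOOLEAN is present
            critical = body != b"\x00"
            tag, body, p = read_tlv(ext, p)
        yield decode_oid(oid_body), critical, body

# ---------- the relying application's policy ----------

KEY_USAGE, EXT_KEY_USAGE, CERT_POLICIES = "2.5.29.15", "2.5.29.37", "2.5.29.32"
ID_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"
RECOGNISED = {KEY_USAGE, EXT_KEY_USAGE, CERT_POLICIES}  # what this application can grok

def evaluate(der, required_eku, accepted_policies=frozenset()):
    """Return (accepted, notes). An empty accepted_policies means no policy requirement."""
    notes = []
    for extn_oid, critical, value in parse_extensions(der):
        if extn_oid not in RECOGNISED:
            if critical:                             # RFC 5280 s4.2: MUST reject
                notes.append(f"reject: unrecognised critical extension {extn_oid}")
                return False, notes
            notes.append(f"ignore: unrecognised non-critical extension {extn_oid}")
        elif extn_oid == KEY_USAGE:
            _, bits, _ = read_tlv(value)             # BIT STRING: unused-bit count, then bits
            digital_signature = len(bits) > 1 and bool(bits[1] & 0x80)
            notes.append(f"KU critical={critical}, digitalSignature={digital_signature}")
        elif extn_oid == EXT_KEY_USAGE:
            purposes = sequence_of_oids(value)
            if required_eku not in purposes and ANY_EXTENDED_KEY_USAGE not in purposes:
                notes.append(f"reject: EKU {purposes} lacks {required_eku}")
                return False, notes
            notes.append(f"EKU ok: {required_eku} present (critical={critical})")
        else:                                        # CERT_POLICIES
            policies = policy_oids(value)
            if accepted_policies and not accepted_policies.intersection(policies):
                notes.append(f"reject: no accepted policy among {policies}")
                return False, notes
            notes.append(f"policies {policies} noted (critical={critical})")
    return True, notes

# ---------- constructed sample input ----------

KU_EXT = extension(KEY_USAGE, tlv(0x03, b"\x07\x80"), critical=True)   # digitalSignature only
EKU_EXT = extension(EXT_KEY_USAGE, tlv(0x30, encode_oid(ID_KP_EMAIL_PROTECTION)))
CP_EXT = extension(CERT_POLICIES, tlv(0x30, tlv(0x30, encode_oid("1.2.3.4.5.1"))))  # placeholder policy
UNKNOWN_CRITICAL_EXT = extension("1.2.3.4.5.2", tlv(0x04, b""), critical=True)    # placeholder extension

def extensions_block(*exts):
    return tlv(0x30, b"".join(exts))

SAMPLE = extensions_block(KU_EXT, EKU_EXT, CP_EXT)
SAMPLE_UNKNOWN_CRITICAL = extensions_block(KU_EXT, EKU_EXT, CP_EXT, UNKNOWN_CRITICAL_EXT)

if __name__ == "__main__":
    for label, block in (("plain", SAMPLE), ("unknown critical", SAMPLE_UNKNOWN_CRITICAL)):
        ok, notes = evaluate(block, ID_KP_EMAIL_PROTECTION)
        print(f"{label}: {'accept' if ok else 'reject'}")
        for note in notes:
            print("  ", note)
```

Running it accepts the plain block (KU understood, EKU carries the required emailProtection purpose, the unknown policy OID is non-critical and merely noted) and rejects the second block at the unrecognised critical extension. Asking the same block for a purpose it does not grant (serverAuth, for instance) is also rejected, which is the EKU semantics the reply above is pointing at: EKU is a constraint the relying application checks against its own purpose, not merely a hint to be understood.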