Re: [lamps] draft-ietf-lamps-samples KU check
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 25 March 2022 11:38 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85A9A3A1122 for <spasm@ietfa.amsl.com>; Fri, 25 Mar 2022 04:38:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.109
X-Spam-Level:
X-Spam-Status: No, score=-7.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b=n+Bth9r8; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b=oTcAUcz6
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vJBjn0wVj1pt for <spasm@ietfa.amsl.com>; Fri, 25 Mar 2022 04:38:45 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [IPv6:2001:470:1:116::7]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BFB943A1112 for <spasm@ietf.org>; Fri, 25 Mar 2022 04:38:45 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1648208323; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=E4NQuMNQEnFAczj3Cm5KcrcbXIPZaIIWLMzag1569Mg=; b=n+Bth9r8dlvTmUOir82bcUhlXrxxx85R4EEvTtlgOMERMQ3UUf3Oekz4x9km8MH0LWVXQ YMgrub0vV1RHIJDDQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1648208323; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=E4NQuMNQEnFAczj3Cm5KcrcbXIPZaIIWLMzag1569Mg=; b=oTcAUcz6L8FR+B6ecYOah+rjO19n/ZtO6guKUmzNJudkO7yy5dy9jPEKsExFFgqiYfzh/ kQSLMn0uKphJnW0XfA69Qrf3bDjltb7m29ehaPyUAyZYD9WuA60VQYNfGQw9bySLhIYZ6xm 40O+NDmAHWIC6Sw64ALBG7aRid6PTf0+/uMuVhFsBHUITYOOZ14aVYej5elMG205HevQdC1 2OAnm9IL1F1+HWLySIe6e7ZzIA18P/M8wNaoz8GxpGJXi331UyZ0LOnUjxOvjNUMrhAkB6W YIprJloVrnVw79FLvgy+ePBwGcvmYCo08lwh60cCbZuE2dzUAajVPU1+WRXg==
Received: from fifthhorseman.net (lair.fifthhorseman.net [108.58.6.98]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id EC83AF9AD; Fri, 25 Mar 2022 07:38:42 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 71BE0204B0; Fri, 25 Mar 2022 07:28:28 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Sean Turner <sean@sn3rd.com>, LAMPS WG <spasm@ietf.org>
In-Reply-To: <17DD8ED1-ABFF-4B6B-8DBF-5C2AF937F5AE@sn3rd.com>
References: <17DD8ED1-ABFF-4B6B-8DBF-5C2AF937F5AE@sn3rd.com>
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEX+i03xYJKwYBBAHaRw8BAQdACA4xvL/xI5dHedcnkfViyq84doe8zFRid9jW7CC9XBiI0QQf FgoAgwWCX+i03wWJBZ+mAAMLCQcJEOCS6zpcoQ26RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZ/tr8E9NA10HvcAVlSxnox6z62KXCInWjZaiBIlgX6O5AxUKCAKbAQIeARYh BMKfigwB81402BaqXOCS6zpcoQ26AADZHQD/Zx9nc3N2kj13AUsKMr/7zekBtgfSIGB3hRCU74Su G44A/34Yp6IAkndewLxb1WdRSokycnaCVyrk0nb4imeAYyoPtBc8ZGtnQGZpZnRoaG9yc2VtYW4u bmV0PojRBBMWCgCDBYJf6LTfBYkFn6YAAwsJBwkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3Rh dGlvbnMuc2VxdW9pYS1wZ3Aub3JnL0Gwxvypz2tu1IPG+yu1zPjkiZwpscsitwrVvzN3bbADFQoI ApsBAh4BFiEEwp+KDAHzXjTYFqpc4JLrOlyhDboAAPkXAP0Z29z7jW+YzLzPTQML4EQLMbkHOfU4 +s+ki81Czt0WqgD/SJ8RyrqDCtEP8+E4ZSR01ysKqh+MUAsTaJlzZjehiQ24MwRf6LTfFgkrBgEE AdpHDwEBB0DkKHOW2kmqfAK461+acQ49gc2Z6VoXMChRqobGP0ubb4kBiAQYFgoBOgWCX+i03wWJ BZ+mAAkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jnfvo+ nHoxDwaLaJD8XZuXiaqBNZtIGXIypF1udBBRoc0CmwICHgG+oAQZFgoAbwWCX+i03wkQPp1xc3He VlxHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnaheiqE7Pfi3Atb3GGTw+ jFcBGOaobgzEJrhEuFpXREEWIQQttUkcnfDcj0MoY88+nXFzcd5WXAAAvrsBAIJ5sBg8Udocv25N stN/zWOiYpnjjvOjVMLH4fV3pWE1AP9T6hzHz7hRnAA8d01vqoxOlQ3O6cb/kFYAjqx3oMXSBhYh BMKfigwB81402BaqXOCS6zpcoQ26AADX7gD/b83VObe14xrNP8xcltRrBZF5OE1rQSPkMNy+eWpk eCwA/1hxiS8ZxL5/elNjXiWuHXEvUGnRoVj745Vl48sZPVYMuDgEX+i03xIKKwYBBAGXVQEFAQEH QIGex1WZbH6xhUBve5mblScGYU+Y8QJOomXH+rr5tMsMAwEICYjJBBgWCgB7BYJf6LTfBYkFn6YA CRDgkus6XKENukcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcEAx9vTD3b J0SXkhvcRcCr6uIDJwic3KFKxkH1m4QW0QKbDAIeARYhBMKfigwB81402BaqXOCS6zpcoQ26AAAX mwD8CWmukxwskU82RZLMk5fm1wCgMB5z8dA50KLw3rgsCykBAKg1w/Y7XpBS3SlXEegIg1K1e6dR fRxL7Z37WZXoH8AH
Date: Fri, 25 Mar 2022 07:28:27 -0400
Message-ID: <87bkxuw9t0.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/gDzYr_DxbZL5u1TMcF5sNFxilGU>
Subject: Re: [lamps] draft-ietf-lamps-samples KU check
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Mar 2022 11:38:51 -0000
Thanks for double-checking the KUs in draft-ietf-lamps-samples, Sean!
On Fri 2022-03-25 06:49:54 -0400, Sean Turner wrote:
> tl;dr: looks good, but I didn’t check the P12 blobs.
The P12 blobs are just generated from the other material, so that should
be fine.
> s7.1/s8.1 an ed25519 sig cert has KU set to 11. This sets both
> digitalSignature and nonRepudiation. You can set one, the other, or
> both so this is "good”. I have a slight bias to drop nonRepudiation,
> but the choice is “compliant”.
The draft is in AUTH48 now. The hope is that these keys and certs will
be used to test implementations in MUAs in the future. It seems
possible that their parameter choices will be cargo-culted into
some certificate profiles for S/MIME at some point.
I'm inclined to leave them as-is, but if there are scenarios where you
think that the inclusion of nonRepudiation is a bad idea, please let the
WG know. i'm willing to do another round of revisions on the draft if
there is a compelling reason.
--dkg
- [lamps] draft-ietf-lamps-samples KU check Sean Turner
- Re: [lamps] draft-ietf-lamps-samples KU check Daniel Kahn Gillmor
- Re: [lamps] draft-ietf-lamps-samples KU check Sean Turner