Re: [lamps] Paul Wouters' Discuss on draft-ietf-lamps-cmp-updates-21: (with DISCUSS and COMMENT)

Carl Wallace <carl@redhoundsoftware.com> Tue, 28 June 2022 11:21 UTC

Date: Tue, 28 Jun 2022 07:21:39 -0400
From: Carl Wallace <carl@redhoundsoftware.com>
To: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>, Tomas Gustavsson <Tomas.Gustavsson@keyfactor.com>, Paul Wouters <paul.wouters@aiven.io>
CC: "draft-ietf-lamps-cmp-updates@ietf.org" <draft-ietf-lamps-cmp-updates@ietf.org>, "lamps-chairs@ietf.org" <lamps-chairs@ietf.org>, "spasm@ietf.org" <spasm@ietf.org>, "housley@vigilsec.com" <housley@vigilsec.com>
Message-ID: <B4A86599-EAC3-43B6-8E86-6797E8174281@redhoundsoftware.com>
Thread-Topic: Paul Wouters' Discuss on draft-ietf-lamps-cmp-updates-21: (with DISCUSS and COMMENT)
References: <165488656549.33195.4087333678068665768@ietfa.amsl.com> <GV2PR10MB6210808831831E3E5110C9C9FEB59@GV2PR10MB6210.EURPRD10.PROD.OUTLOOK.COM> <CAGL5yWa=gcCcfpd9zEp6oZv0W_-P8Ze65VCW3Mw8aGH7MT0g-Q@mail.gmail.com> <GV2PR10MB62100E94B687A840DDA5E8CCFEB49@GV2PR10MB6210.EURPRD10.PROD.OUTLOOK.COM> <DU0PR03MB8696FA97410775D2CAEA7D4486B49@DU0PR03MB8696.eurprd03.prod.outlook.com> <GV2PR10MB6210A06E4A75EB19C7B5C60FFEB49@GV2PR10MB6210.EURPRD10.PROD.OUTLOOK.COM>
In-Reply-To: <GV2PR10MB6210A06E4A75EB19C7B5C60FFEB49@GV2PR10MB6210.EURPRD10.PROD.OUTLOOK.COM>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/i8iNHGJEYSjuB0FdzazrGt2XFZE>
Subject: Re: [lamps] Paul Wouters' Discuss on draft-ietf-lamps-cmp-updates-21: (with DISCUSS and COMMENT)

Inline…


From: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
Date: Friday, June 24, 2022 at 5:18 AM
To: Tomas Gustavsson <Tomas.Gustavsson@keyfactor.com>, Paul Wouters <paul.wouters@aiven.io>, Carl Wallace <carl@redhoundsoftware.com>
Cc: "draft-ietf-lamps-cmp-updates@ietf.org" <draft-ietf-lamps-cmp-updates@ietf.org>, "lamps-chairs@ietf.org" <lamps-chairs@ietf.org>, "spasm@ietf.org" <spasm@ietf.org>, "housley@vigilsec.com" <housley@vigilsec.com>
Subject: AW: Paul Wouters' Discuss on draft-ietf-lamps-cmp-updates-21: (with DISCUSS and COMMENT)


Tomas


Thank you for your feedback.


Initially I wanted to go without any concrete recommendation regarding the validity. I only wanted to point out that an undefined validity is not recommended.

I believe it is not a CMP protocol issue to specify this max-validity, but it is up to the CA policy to do this.


When Paul asked for concrete guidance, the only guidance on server certificate validity I am aware of is the CAB Forum BR. And you are right, the recommendations change quite often. As this guidance is not normative text, I can live with it.


I could also completely drop the text on undefined validity regarding certificates containing these EKUs, including the newly introduced Security Consideration.

@Paul, Carl, what do you prefer?


[CW] I don’t see why the validity period concern should result in dropping the entire proposed new security consideration re: delegation via EKU. I thought the proposed section 8.7 text was a good addition even without the validity period paragraph (though disallowing indefinite notAfter where delegating these EKUs seemed like a good addition too).


<snip>
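The check discussed above, rejecting an indefinite notAfter (and, as CA policy, an over-long validity) on certificates that delegate CMP roles via EKU, as an added example of mine; it is not code or text from the draft, its authors, or anyone on this thread. Assumptions, all mine: the certificate has already been DER-decoded and the caller passes the EKU OID strings plus the raw ASN.1 validity times; the OID values used are the ones I believe are registered for id-kp-cmcRA (RFC 6402) and id-kp-cmKGA (the CMP updates draft) and should be verified against the draft; the 398-day default is only a placeholder taken from the CAB Forum BR limit for TLS server certificates at the time and stands in for whatever the CA policy actually says. The sample certificates are constructed, not real.

```python
# Added example (mine, not text or code from the draft or its authors):
# a policy check for certificates that delegate CMP roles via EKU.
#
# Assumptions, labelled as such: the caller has already DER-decoded the
# certificate and hands over the EKU OID strings plus the raw ASN.1 validity
# times; the EKU OIDs are what I believe are the registered id-kp-cmcRA
# (RFC 6402) and id-kp-cmKGA (CMP updates draft) values; the 398-day default
# mirrors the CAB Forum BR limit for TLS server certificates at the time of
# the thread and is only a placeholder for the CA policy's real maximum.
from datetime import datetime, timedelta, timezone

ID_KP_CMC_RA = "1.3.6.1.5.5.7.3.28"   # assumed: holder may act as an RA
ID_KP_CM_KGA = "1.3.6.1.5.5.7.3.32"   # assumed: holder may act as a key generation authority
CMP_DELEGATION_EKUS = frozenset({ID_KP_CMC_RA, ID_KP_CM_KGA})

# RFC 5280 section 4.1.2.5: this notAfter value means "no well-defined expiry".
NO_WELL_DEFINED_EXPIRY = "99991231235959Z"


def decode_asn1_time(raw: str) -> datetime:
    """Decode a Validity time in the encoding RFC 5280 mandates.

    UTCTime         YYMMDDHHMMSSZ    (13 chars) for years 1950..2049, two-digit year
    GeneralizedTime YYYYMMDDHHMMSSZ  (15 chars) for years 2050 and later
    """
    if not raw.endswith("Z"):
        raise ValueError("validity times must be expressed in Zulu time")
    if len(raw) == 13:                      # UTCTime, 50-pivot for the century
        yy = int(raw[0:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = raw[2:12]
    elif len(raw) == 15:                    # GeneralizedTime
        year = int(raw[0:4])
        if year < 2050:
            raise ValueError("dates before 2050 MUST be encoded as UTCTime")
        rest = raw[4:14]
    else:
        raise ValueError("unexpected time length %d" % len(raw))
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def check_cmp_delegation_validity(eku_oids, not_before, not_after,
                                  max_validity=timedelta(days=398)):
    """Return (accepted, reason) for a certificate's validity under the EKU policy.

    Certificates without a CMP delegation EKU are outside the policy and pass.
    Certificates with one are rejected if notAfter is the indefinite sentinel,
    if the validity interval is empty, or if it exceeds max_validity.
    """
    if CMP_DELEGATION_EKUS.isdisjoint(eku_oids):
        return True, "no CMP delegation EKU; policy does not apply"
    if not_after == NO_WELL_DEFINED_EXPIRY:
        return False, "indefinite notAfter not allowed with id-kp-cmcRA/id-kp-cmKGA"
    start, end = decode_asn1_time(not_before), decode_asn1_time(not_after)
    if end <= start:
        return False, "notAfter is not later than notBefore"
    if end - start > max_validity:
        return False, "validity %d days exceeds policy maximum %d days" % (
            (end - start).days, max_validity.days)
    return True, "validity %d days within policy" % (end - start).days


# Constructed sample input (not real certificates): the fields a parser would yield.
SAMPLE_CERTS = {
    "ra-indefinite": ([ID_KP_CMC_RA], "220628000000Z", NO_WELL_DEFINED_EXPIRY),
    "ra-one-year":   ([ID_KP_CMC_RA], "220628000000Z", "230628000000Z"),
    "kga-too-long":  ([ID_KP_CM_KGA], "220628000000Z", "250101000000Z"),
    "tls-only":      (["1.3.6.1.5.5.7.3.1"], "220628000000Z", NO_WELL_DEFINED_EXPIRY),
}


def evaluate_samples():
    """Apply the check to every sample; returns {name: accepted}."""
    return {name: check_cmp_delegation_validity(*fields)[0]
            for name, fields in SAMPLE_CERTS.items()}


if __name__ == "__main__":
    for name, fields in SAMPLE_CERTS.items():
        ok, why = check_cmp_delegation_validity(*fields)
        print("%-14s %s  %s" % (name, "ACCEPT" if ok else "REJECT", why))
```

The sentinel comparison happens before any date arithmetic so that the 9999-12-31 value is rejected on sight rather than being accepted by a naive "is it still valid today" test; the max-validity bound is a parameter precisely because, as the thread notes, the figure belongs to CA policy and changes over time.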