Re: [lamps] Paul Wouters' Discuss on draft-ietf-lamps-cmp-updates-21: (with DISCUSS and COMMENT)

Carl Wallace <carl@redhoundsoftware.com> Mon, 20 June 2022 18:01 UTC

Date: Mon, 20 Jun 2022 14:00:58 -0400
From: Carl Wallace <carl@redhoundsoftware.com>
To: draft-ietf-lamps-cmp-updates@ietf.org, spasm@ietf.org, Paul Wouters <paul.wouters@aiven.io>
Message-ID: <4F14F2A5-C581-47D9-9A84-BD61A6EFE322@redhoundsoftware.com>
References: <165488656549.33195.4087333678068665768@ietfa.amsl.com>
In-Reply-To: <165488656549.33195.4087333678068665768@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/jiThqU7g4NQJoEn8P3-5l_XVyok>
Subject: Re: [lamps] Paul Wouters' Discuss on draft-ietf-lamps-cmp-updates-21: (with DISCUSS and COMMENT)
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>

<snip>

    #1:
                 This is a
                 very sensitive service and therefore needs specific
                 authorization.  This authorization is with the CA
                 certificate itself.  Alternatively, the CA MAY delegate the
                 authorization by placing the id-kp-cmKGA extended key usage
                 in the certificate used to authenticate the origin of the
                 generated private key or the delegation MAY be determined
                 through local configuration of the end entity.

    These two MAYs are related; you MUST do one or the other. The text as it
    is can be interpreted to not perform either MAY.

[CW] I recognize this is a late comment and that there are no words to borrow in either RFC 6402 or RFC 6960, but adding a security consideration that highlights the need to authorize certificate requests including these new EKUs (not just id-kp-cmKGA) may be worthwhile. This would mirror the "therefore needs specific authorization" in the above snip but apply to the act of requesting delegation via the EKUs.
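The two checks under discussion, as an added worked example that is not part of this message, the draft, or any CMP implementation: the end entity's authorization of the origin of a centrally generated private key (the CA itself, a CA-issued certificate carrying id-kp-cmKGA, or local configuration, with no fourth "neither" outcome that silently passes), and the issuer-side gate the reply asks for, where a request for any of the delegation EKUs needs explicit authorization. It assumes Go's crypto/x509 as the certificate library, an explicit trust list as the "local configuration" mechanism (the draft leaves that open), and the OID arc { id-kp 32 } for id-kp-cmKGA as allocated in the published cmp-updates (RFC 9480); the cmcCA/cmcRA values are from RFC 6402. The certificates are constructed in-process so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// EKUs named in the thread: id-kp-cmcCA and id-kp-cmcRA come from RFC 6402;
// id-kp-cmKGA is { id-kp 32 }, the value in the published cmp-updates (RFC 9480).
var oidKpCmcCA = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 27}
var oidKpCmcRA = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 28}
var oidKpCmKGA = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 32}

// AuthorizeKGAOrigin is the end entity's check on the certificate that authenticates
// the origin of a generated private key: accept the CA itself, a CA-issued certificate
// carrying id-kp-cmKGA, or a locally trusted certificate (assumed: an explicit list).
func AuthorizeKGAOrigin(origin, ca *x509.Certificate, localTrusted []*x509.Certificate) error {
	if origin.Equal(ca) {
		return nil
	}
	for _, eku := range origin.UnknownExtKeyUsage {
		if eku.Equal(oidKpCmKGA) {
			// The EKU only delegates if the CA actually issued this certificate.
			if err := origin.CheckSignatureFrom(ca); err != nil {
				return fmt.Errorf("cmKGA delegate not issued by the CA: %w", err)
			}
			return nil
		}
	}
	for _, t := range localTrusted {
		if origin.Equal(t) {
			return nil
		}
	}
	return fmt.Errorf("%q is neither the CA, a CA-issued cmKGA delegate, nor locally trusted", origin.Subject.CommonName)
}

// ApproveRequestedEKUs is the issuer-side gate the reply asks for: a request for any
// delegation EKU is refused unless that EKU was explicitly authorized for the request.
func ApproveRequestedEKUs(requested []asn1.ObjectIdentifier, authorized map[string]bool) error {
	for _, r := range requested {
		for _, d := range []asn1.ObjectIdentifier{oidKpCmcCA, oidKpCmcRA, oidKpCmKGA} {
			if r.Equal(d) && !authorized[r.String()] {
				return fmt.Errorf("requested EKU %s needs explicit authorization", r)
			}
		}
	}
	return nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mint generates a fresh P-256 key and a certificate for it; a nil parent means
// self-signed. Constructed test fixture only, with none of a real CA's checks.
func mint(serial int64, cn string, isCA bool, eku []asn1.ObjectIdentifier, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, UnknownExtKeyUsage: eku,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// BuildTestPKI constructs a throwaway CA, a cmKGA delegate it issued, a plain end
// entity, and a self-signed certificate that merely claims cmKGA.
func BuildTestPKI() (ca, kga, ee, rogue *x509.Certificate) {
	var caKey *ecdsa.PrivateKey
	ca, caKey = mint(1, "Example CA", true, nil, nil, nil)
	kga, _ = mint(2, "Example KGA", false, []asn1.ObjectIdentifier{oidKpCmKGA}, ca, caKey)
	ee, _ = mint(3, "Example EE", false, nil, ca, caKey)
	rogue, _ = mint(4, "Rogue KGA", false, []asn1.ObjectIdentifier{oidKpCmKGA}, nil, nil)
	return
}

func main() {
	ca, kga, ee, rogue := BuildTestPKI()
	for _, c := range []*x509.Certificate{ca, kga, ee, rogue} {
		fmt.Printf("%-12s -> %v\n", c.Subject.CommonName, AuthorizeKGAOrigin(c, ca, nil))
	}
}
```

Two caveats for anyone adapting this: CheckSignatureFrom only verifies the signature and the parent's CA constraints, so a deployment still needs the usual path validation (validity period, revocation, name constraints) before trusting the delegate; and the self-signed "Rogue KGA" case is why the EKU alone must never be sufficient, which is exactly the gap the DISCUSS wants the text to close.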