Re: [lamps] LAMPS WG Last Call for draft-ietf-lamps-5480-ku-clarifications-00
Ryan Sleevi <ryan-ietf@sleevi.com> Wed, 08 January 2020 20:38 UTC
Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9889612080D for <spasm@ietfa.amsl.com>; Wed, 8 Jan 2020 12:38:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.398
X-Spam-Level:
X-Spam-Status: No, score=-1.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o-56jdqrvHH0 for <spasm@ietfa.amsl.com>; Wed, 8 Jan 2020 12:38:12 -0800 (PST)
Received: from mail-ed1-f48.google.com (mail-ed1-f48.google.com [209.85.208.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 90E9112020A for <spasm@ietf.org>; Wed, 8 Jan 2020 12:38:12 -0800 (PST)
Received: by mail-ed1-f48.google.com with SMTP id f8so3754880edv.2 for <spasm@ietf.org>; Wed, 08 Jan 2020 12:38:12 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=AWDZ1iL86/R3/6VGgPHaNc778yrvMxKBbL82qLetDu4=; b=JJGplKIQBPE+ey4WXkkrv4WHWxF69TmuQupKPinTCQelZFZLsHm1xxaaXbxXsyZJ3y WbKQA92Nkx3MhIJ1pGeCdA4e2B5ZqG8scVMKWyZMLQd8UvaFpct53oCsOmvRWog2WGHk lvDpVvBiXmt61ATm2/PMIt22eDBFTJiqzdIciZHwUjPQILTFV9hQ1hAR4EL6nGmNXtZb 76DsBWP4QSdQuTfCSegb3L6rh0Md4F/AdrZRO1fIV2XaPjXeUlOx09UQfAV5RwPBxHrj mSNgPYPuRJ371a4HvCtuvtdLiwX0NsDLbli1Q54V/91m2t16j9rNNeGth6IhUBrbGjA4 pQlQ==
X-Gm-Message-State: APjAAAUPgqtEHIDDqQRKgVJuqP3bxY2lp0WWKdDAHDCm2WXmBgCYUoTx n9XERf//PZ7tEA6O0HBBC43Mv+3Z
X-Google-Smtp-Source: APXvYqzZUR5uelY0y5Hxv1c0QdlJMOGCbjktJ+Ax3vgdXvCN9Cv6JspNubmNdJU7R82vwF1ACsxpcA==
X-Received: by 2002:a17:906:d7a6:: with SMTP id pk6mr6665589ejb.234.1578515890812; Wed, 08 Jan 2020 12:38:10 -0800 (PST)
Received: from mail-wm1-f50.google.com (mail-wm1-f50.google.com. [209.85.128.50]) by smtp.gmail.com with ESMTPSA id dd17sm111391edb.9.2020.01.08.12.38.10 for <spasm@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 08 Jan 2020 12:38:10 -0800 (PST)
Received: by mail-wm1-f50.google.com with SMTP id u2so332296wmc.3 for <spasm@ietf.org>; Wed, 08 Jan 2020 12:38:10 -0800 (PST)
X-Received: by 2002:a1c:407:: with SMTP id 7mr487569wme.29.1578515890288; Wed, 08 Jan 2020 12:38:10 -0800 (PST)
MIME-Version: 1.0
References: <157850673005.22571.2917503256026347682@ietfa.amsl.com> <BCAD6A75-B6B5-4593-B621-C959E268C057@vigilsec.com> <25634a41-e5d8-20c4-a0b6-ed3744820b6d@cs.tcd.ie>
In-Reply-To: <25634a41-e5d8-20c4-a0b6-ed3744820b6d@cs.tcd.ie>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Wed, 08 Jan 2020 15:37:59 -0500
X-Gmail-Original-Message-ID: <CAErg=HGOV8Wj+C3jd+YFpK1XUJnsmqRJOJG1pYiODkMDSz=uQA@mail.gmail.com>
Message-ID: <CAErg=HGOV8Wj+C3jd+YFpK1XUJnsmqRJOJG1pYiODkMDSz=uQA@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Russ Housley <housley@vigilsec.com>, LAMPS WG <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e9bfb9059ba6ded8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/mSDS2rOYWoX6jb-d9TmXug3OgPo>
Subject: Re: [lamps] LAMPS WG Last Call for draft-ietf-lamps-5480-ku-clarifications-00
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jan 2020 20:38:15 -0000
On Wed, Jan 8, 2020 at 3:04 PM Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > > Hiya, > > On 08/01/2020 19:51, Russ Housley wrote: > > This is a very short document, and it had some review prior to WG > > adoption. So, now that the document has been adopted, I think it is > > ready for WG Last Call. > > > > This is the LAMPS WG Last Call for "Clarifications for Elliptic Curve > > Cryptogtaphy Subject Public Key Information" > > <draft-ietf-lamps-5480-ku-clarifications-00>. Please review the > > document and send your comments to the list by 24 January 2020. > I re-read it and support it. I would support publication if someone tells me that > they've done a survey (via e.g. zmap/zgrab or crt.sh) > and found that there are zero or only a tiny percentage > of issued certificates that conflict with the draft. > > If that happened already apologies and great! > > If not, shouldn't that be done before declaring success > on WG last-call? > Could you explain the objective? =) That is, part of the reason for this is to clarify whether or not it's expected or not. The suggestion was rather than the CABF profile to explicitly say it's not expected/allowed, to address this and clarify in the IETF whether the omission of elements from the extant MAY implies a MUST NOT. This is part of a broader effort in the CA/Browser Forum of clarifying that if things are not explicitly allowed, they should be interpreted as forbidden. In the context of ECDSA, is there a situation where those keyUsages makes sense and aligns with those key algorithms? Arguably, no, hence the draft to make it clear ;) That said, you can run a Censys query with the following: parsed.subject_key_info.key_algorithm.name: "ECDSA" and (parsed.extensions.key_usage.data_encipherment: true or parsed.extensions.key_usage.key_encipherment: true) https://censys.io/certificates?q=parsed.subject_key_info.key_algorithm.name%3A+%22ECDSA%22+and+%28parsed.extensions.key_usage.data_encipherment%3A+true+or+parsed.extensions.key_usage.key_encipherment%3A+true%29 For what it's worth, a number of PKI libraries will reject these certificates as invalid, which will not even allow the user to bypass the error, as they've interpreted the extant language as being what this draft codifies. The quick summary of those results, run just now: 46.36K Never Trusted 39.72K Expired 38.95K Unexpired 31.48K Self-Signed 1,628 CT 1,628 Google CT 1,217 CT PreCert 840 Leaf 828 EV 774 Previously Trusted 416 DV 299 OV 66 Currently Trusted 17.76K Freebox SA 14.03K Philips Hue 9,942 Caddy Self-Signed 5,927 CloudFlare, Inc. 2,261 Docker 1,551 Mesosphere, Inc. 968 Mesosphere Inc. 927 McAfee, Inc. 920 NoEnv 808 Jungheinrich AG 640 Gemalto 488 Bird Home Automation 477 GlobalSign nv-sa 449 Developer Certificate 406 A1A Car Wash 399 StartCom Ltd. 377 Entrust, Inc. 342 VirtuallyLive 274 SpectraLogic 248 DNSFilter
- [lamps] I-D Action: draft-ietf-lamps-5480-ku-clar… internet-drafts
- Re: [lamps] I-D Action: draft-ietf-lamps-5480-ku-… Sean Turner
- [lamps] LAMPS WG Last Call for draft-ietf-lamps-5… Russ Housley
- Re: [lamps] LAMPS WG Last Call for draft-ietf-lam… Stephen Farrell
- Re: [lamps] LAMPS WG Last Call for draft-ietf-lam… Salz, Rich
- Re: [lamps] LAMPS WG Last Call for draft-ietf-lam… Ryan Sleevi
- Re: [lamps] LAMPS WG Last Call for draft-ietf-lam… Daniel McCarney
- Re: [lamps] LAMPS WG Last Call for draft-ietf-lam… Stephen Farrell
- Re: [lamps] LAMPS WG Last Call for draft-ietf-lam… Sean Turner
- Re: [lamps] LAMPS WG Last Call for draft-ietf-lam… Daniel McCarney
- Re: [lamps] LAMPS WG Last Call for draft-ietf-lam… Russ Housley
- Re: [lamps] LAMPS WG Last Call for draft-ietf-lam… Russ Housley