IETF Logo Mail Archive

Re: [lamps] [EXTERNAL] Re: I-D Action: draft-ietf-lamps-im-keyusage-00.txt

Rohan Mahy <rohan.mahy@gmail.com> Wed, 17 April 2024 17:37 UTC

Return-Path: <rohan.mahy@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CF13C151078 for <spasm@ietfa.amsl.com>; Wed, 17 Apr 2024 10:37:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.994
X-Spam-Level:
X-Spam-Status: No, score=-6.994 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2Slj4NOZLj_i for <spasm@ietfa.amsl.com>; Wed, 17 Apr 2024 10:37:23 -0700 (PDT)
Received: from mail-ed1-x529.google.com (mail-ed1-x529.google.com [IPv6:2a00:1450:4864:20::529]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 34803C14CEED for <spasm@ietf.org>; Wed, 17 Apr 2024 10:37:23 -0700 (PDT)
Received: by mail-ed1-x529.google.com with SMTP id 4fb4d7f45d1cf-56e69a51a33so5976889a12.1 for <spasm@ietf.org>; Wed, 17 Apr 2024 10:37:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1713375441; x=1713980241; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=71soJZZK/bzF/k5yjKc+d7EwZSKLVuoUzp8QxMF0Y+Q=; b=XFMbgeoR3I5Netc6mlt/t+DO+3LFsH48FE1I19qDem5aMmuVtlAe37rPBUDbBbLk05 SFHE5kSQW4DHdiPyLbTABUq9w9/uDTkh59LA5v0/1Jz7KPTJNB3dugXkLkPUgUHH0TGt HHzapZvrEN9q/q77JsT4ui7Rga0qAQuKbX80s/oeQzjZyZ1w1LBAd7W7ZZMObkrNj/U3 9XmwwHG23q0X0ilSpUSaR3khqBthMsc00wOOayrnWZAI//UjLRtWGh0ZbFDl1vGJuzJM J1dJEwcxlMa1DbvyuzPmSQ/cD5S5T6SyMwEQaNaxn+w0mpVEA/7+qRrk5u/aV1TiG6w5 90bQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713375441; x=1713980241; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=71soJZZK/bzF/k5yjKc+d7EwZSKLVuoUzp8QxMF0Y+Q=; b=jxRpd1S74q64domrXN5jk1W2Zc77ImborClyY1QIho/+iWneYP68UfqOOb+wYS6bbE oENzBAlU9Fo13M+hAths2B6sE/cLdCusyLYsaaopA5TEY5TWfxWc/6xtkeLl6RLOuqIJ uQocZ/HsfI0k9Da6b7szdPsnhomwTYnkq0Tq2ilqPodOOysQ4DRkdXhkMumyA3s/Jfiv XTFk/AuK57HoRDYiisFNlABNLKSXgDu+N17HWq7oWCgTTWHduALH1pAPFhvn9QHq1OYw QkFr9O8wZ3ct/Q4qUSitOWrbRv5Ad9j5SdUqIxqBXlooPlM9lhkv5NAEelWiBnAJVz3c Wq/w==
X-Forwarded-Encrypted: i=1; AJvYcCWbqU2w7LVP1KH0y4eHe8wtxv8SEXksn3tJto1oG6jUmebYtGU+EunQzpBY4n/e7QhD7sn7HZY509sDEWLgDQ==
X-Gm-Message-State: AOJu0Ywku6xRB2BhRSg52nv46d7UIik+b8SxefqGxLXCTE6ulnuXEjmk HYENvmliA+cNcegrRPKmKdnBR1viQSg/BppPD59d1NgRl7ZnrZplTmxkdhreScJhXifxh+8lOtz CcBOs+/pktZ+3Cpv1SzgtMRovPSG+zA==
X-Google-Smtp-Source: AGHT+IE6PHXQ+2gaq5GFyvvTAlmMBvfaj4SOJwtDvii5wUHiZgEsUIjbQtUvAT3HU4cVR857kksdsyAdc+yxdsgLFeQ=
X-Received: by 2002:a50:bb07:0:b0:56e:2daf:1ed9 with SMTP id y7-20020a50bb07000000b0056e2daf1ed9mr216763ede.23.1713375440240; Wed, 17 Apr 2024 10:37:20 -0700 (PDT)
MIME-Version: 1.0
References: <171320513468.22285.6899802433610546466@ietfa.amsl.com> <B508131E-0554-471F-94FD-4AA2A0A95346@vigilsec.com> <CAKoiRuYCSwdzwKwSXdyLCNm5Z3DzzzLZzSyDO7DGWHTSeUj-fA@mail.gmail.com> <2E8965D1-F0D8-4947-8A6B-19B822EEFA4C@vigilsec.com> <CH0PR11MB5739FF2B9A378DF7ADFF24E69F082@CH0PR11MB5739.namprd11.prod.outlook.com> <CAKoiRuY5Caq_61+99RQiaRkeKUAou=fiLj+HadajzhwhLKOdAA@mail.gmail.com> <CH0PR11MB5739A5999D59A046D056812C9F0F2@CH0PR11MB5739.namprd11.prod.outlook.com> <CH0PR11MB5739690323861CECECA630AF9F0F2@CH0PR11MB5739.namprd11.prod.outlook.com> <0f7f609b-9283-4f59-bb32-375827d3e7a6@nthpermutation.com> <SN7PR14MB64927E6AB1914083C485E0EA830F2@SN7PR14MB6492.namprd14.prod.outlook.com>
In-Reply-To: <SN7PR14MB64927E6AB1914083C485E0EA830F2@SN7PR14MB6492.namprd14.prod.outlook.com>
From: Rohan Mahy <rohan.mahy@gmail.com>
Date: Wed, 17 Apr 2024 10:37:08 -0700
Message-ID: <CAKoiRuZeuDOG+Hm97mE2jwJ7w4gXjyvpTj7o3nOykQuufRDv_Q@mail.gmail.com>
To: Tim Hollebeek <tim.hollebeek=40digicert.com@dmarc.ietf.org>
Cc: Michael StJohns <msj@nthpermutation.com>, "spasm@ietf.org" <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000007b8a1a06164e4e31"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/psVUH1hNZMWnVOUUGRt-yw5N9nc>
Subject: Re: [lamps] [EXTERNAL] Re: I-D Action: draft-ietf-lamps-im-keyusage-00.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Apr 2024 17:37:27 -0000

We clearly don't want someone reusing keys for multiple purposes. What I
think this allows is for example.com's root CA to delegate to the
foo-bar-messenger.example.com CA that is only issuing certs with the IM
identity EKU. and example.com might further add an X.509 NameConstraint
saying that foo-bar-messenger can only issue certs with a URI in SAN in the
msg.example.com subdomain. If example.com later merges with a company with
a different messaging service, it could create another delegation to a
different subdomain and both could coexist in parallel without one being
able to forge certificates in the other's domains. In addition, auditing
systems could be on the lookout for (for example) ordinary TLS certificates
issued by either of the IM identity CAs.

I can write this all down in the Security Considerations.

I hope this helps.
Thanks,
-rohan


On Wed, Apr 17, 2024 at 9:38 AM Tim Hollebeek <tim.hollebeek=
40digicert.com@dmarc.ietf.org> wrote:

> I was going to post something similar.  I’m a big fan of separation these
> days, and it always is hard to know how far to take it.
>
>
>
> What’s critically important is key separation, and that unfortunately has
> to be handled by policy.  I don’t think you can fix it by forcing more
> EKUs, because if we have more IM EKUs, we’re most likely going to just end
> up seeing lots of single certificates with all the EKUs, rendering the
> issue moot.
>
>
>
> Now, granted, having multiple EKUs DOES give people who want separation
> the ability to not do that, and it DOES enable policies that force
> separation … the question is whether people are actually going to do that,
> or are we adding complexity no one needs.  It’s hard to know without
> hearing from the IM folks.
>
>
>
> More concretely, is the IM community likely to be interested in
> certificate policies that say “An IM certificate must only be issued for a
> single protocol, so it must only have one IM protocol EKU” ?  If so,
> multiple EKUs will allow them to accomplish that goal.  If not, it’s less
> interesting and we’re just allocating OIDs because making IANA do more work
> is fun.
>
>
>
> -Tim
>
>
>
> *From:* Spasm <spasm-bounces@ietf.org> *On Behalf Of *Michael StJohns
> *Sent:* Wednesday, April 17, 2024 12:26 PM
> *To:* spasm@ietf.org
> *Subject:* Re: [lamps] [EXTERNAL] Re: I-D Action:
> draft-ietf-lamps-im-keyusage-00.txt
>
>
>
> Hi Mike -
>
>
>
> It's the responsibility (and the right) of the relying party to decide
> what's acceptable for a given interaction.  If you followed your argument
> below to its logical conclusion, you would want to have different EKUs for
> TLS1.2 clients vs TLS1.3  clients as they are - at least somewhat -
> different protocols.
>
>
>
> If you want this document to do what you're suggesting, this document
> would need to issue an EKU for each and every well known IM service.  Let's
> not do that.
>
>
>
> Talking about this in the security considerations section does not save
> the argument.
>
>
>
> Hi Rohan -
>
>
>
> That said - section 3 of this document is - underwhelming in its
> explanations of how this might be used and what a relying party might do
> with it.
>
>
>
> Something like: "An IM service operator MAY specify that client
> certificates used to connect to it MUST have this EKU, and that the IM
> service will reject connections negotiated with certificates missing this
> EKU.  This document does not impose any operational requirements on an IM
> service, it only suggests an appropriate use of this EKU."  and "Other IM
> protocol documents  MAY impose more stringent requirements on the
> acceptance of certificates without this specific EKU value than is implied
> by the previous paragraph." and "It is RECOMMENDED that a certificate
> containing this EKU SHOULD NOT also contain either an id-kp-serverAuth or
> id-kp-clientAuth EKU unless this certificate is specifically intended to
> also certify connections to non-IM services."
>
>
>
> And lastly, "This EKU is optionally critical" is just wrong.  Extensions
> are critical, not the tags within them.  An EKU extension may already
> optionally be marked critical so the line is not needed.  Excess EKUs are
> ignored within the extension by the relying party - so there's no semantic
> meaning for this EKU by having the extension marked critical. (And please
> don't try and change this interpretation - you'll break things).
>
>
>
> Later, Mike
>
>
>
> On 4/17/2024 11:57 AM, Mike Ounsworth wrote:
>
> (and IMO, that convincing argument should be in the Security
> Considerations)
>
>
>
> - Mike Ounsworth
>
>
> ------------------------------
>
> *From:* Mike Ounsworth <Mike.Ounsworth@entrust.com>
> <Mike.Ounsworth@entrust.com>
> *Sent:* Wednesday, April 17, 2024 10:42:00 AM
> *To:* Rohan Mahy <rohan.mahy@gmail.com> <rohan.mahy@gmail.com>
> *Cc:* Russ Housley <housley@vigilsec.com> <housley@vigilsec.com>; Rohan
> Mahy <rohan.ietf@gmail.com> <rohan.ietf@gmail.com>; LAMPS <spasm@ietf.org>
> <spasm@ietf.org>
> *Subject:* RE: [EXTERNAL] Re: [lamps] I-D Action:
> draft-ietf-lamps-im-keyusage-00.txt
>
>
>
> Hey Rohan,
>
>
>
> > “It should be perfectly fine to use this with XMPP, MIMI, or a
> proprietary messaging system.”
>
>
>
> I don’t know the IM space very well, but we hear a lot about
> cross-protocol attacks if you, for example, use the same key with S/MIME
> and PGP. Probably that applies to encryption keys more than signature keys,
> but regardless, I think it’s gonna need more than the words “it should be
> fine” to make a convincing argument that it’s ok to use a single
> certificate across multiple IM protocols :P
>
>
>
> ---
>
> *Mike* Ounsworth
>
>
>
> *From:* Rohan Mahy <rohan.mahy@gmail.com> <rohan.mahy@gmail.com>
> *Sent:* Wednesday, April 17, 2024 9:10 AM
> *To:* Mike Ounsworth <Mike.Ounsworth@entrust.com>
> <Mike.Ounsworth@entrust.com>
> *Cc:* Russ Housley <housley@vigilsec.com> <housley@vigilsec.com>; Rohan
> Mahy <rohan.ietf@gmail.com> <rohan.ietf@gmail.com>; LAMPS <spasm@ietf.org>
> <spasm@ietf.org>
> *Subject:* Re: [EXTERNAL] Re: [lamps] I-D Action:
> draft-ietf-lamps-im-keyusage-00.txt
>
>
>
> Thanks Mike, The semantics of the EKU is an Instant Messaging identity. It
> should be perfectly fine to use this with XMPP, MIMI, or a proprietary
> messaging system. Unless you have some reason to do otherwise, a very
> natural way to express this
>
> Thanks Mike,
>
> The semantics of the EKU is an Instant Messaging identity. It should be
> perfectly fine to use this with XMPP, MIMI, or a proprietary messaging
> system.
>
>
>
> Unless you have some reason to do otherwise, a very natural way to express
> this identity would be to use a URI identifier of any relevant scheme in
> the subjectAltName. (XMPP already has a custom SAN identifier type but that
> was not strictly necessary.)
>
>
>
> I'll take a stab at some more generic text for the Intro and Security
> Considerations.
>
>
>
> Thanks again for the review. I will fix the other small errors as well.
>
> -rohan
>
>
>
> On Tue, Apr 16, 2024, 12:14 Mike Ounsworth <Mike.Ounsworth@entrust.com>
> wrote:
>
> Hey Rohan,
>
>
>
> I’m a novice on the IM topic, but I’ll provide a review of your document
> anyway (feel free to ignore).
>
>
>
> The introduction mentions that the driving motivation is IM apps built on
> top of MLS, and then says “or others see: MIMI”. Are all IMs considered
> equal, or is it important to be able to say “This cert is for MikeGram, and
> that cert is for RohanChat?”. IE would it be better if this draft created
> the specific EKUs that MIMI needs for the specific IM protocols that you’re
> designing now?
>
>
>
> It would be good to expand the Security Considerations section to be clear
> about what security is gained by using the mechanism, including what the
> expectation is of verifiers who are looking for this EKU. Again, I think
> some discussion of using the same cert across different IM protocols would
> be good.
>
>
>
>
>
> Why is it called id-kp-imUri? Why “Uri”? Perhaps this is clear in the mimi
> arch docs, but could use repeating here.
>
>
>
>
>
> Typo? The IANA Considerations section asks for “id-kp-im-eku”, but the
> ASN.1 Module defines “id-mod-im-eku”. I think the latter is the better
> name, to indicate that this is the identifier of an ASN.1 module.
>
>
>
>
>
> To Russ’ question about whether this draft should also cover SANs: the
> intro already says
>
> “The subjectAltName of these certificates can be an IM URI, for example.”
>
> Out of curiosity, which SAN type would be used for that?
>
>
>
> ---
>
> *Mike* Ounsworth
>
>
>
> *From:* Spasm <spasm-bounces@ietf.org> *On Behalf Of *Russ Housley
> *Sent:* Monday, April 15, 2024 4:22 PM
> *To:* Rohan Mahy <rohan.ietf@gmail.com>
> *Cc:* LAMPS <spasm@ietf.org>
> *Subject:* [EXTERNAL] Re: [lamps] I-D Action:
> draft-ietf-lamps-im-keyusage-00.txt
>
>
>
> I thought it was worth asking. I think the xmpp: URI in the SAN would be a
> very reasonable solution. Russ On Apr 15, 2024, at 4: 49 PM, Rohan Mahy <rohan.
> mahy@ gmail. com> <rohan.%E2%80%8Amahy@%E2%80%8Agmail.%E2%80%8Acom>
> wrote: Hi Russ, I don't understand why an XmppAddr identifier type
>
> I thought it was worth asking.  I think the xmpp: URI in the SAN would be
> a very reasonable solution.
>
>
>
> Russ
>
>
>
>
>
> On Apr 15, 2024, at 4:49 PM, Rohan Mahy <rohan.mahy@gmail.com> wrote:
>
>
>
> Hi Russ,
>
> I don't understand why an XmppAddr identifier type would have been
> strictly needed, since anyone could have put either an xmpp: URI or an im:
> URI into a SAN without any extensions (as a URI type).
>
>
>
> I'm happy to go look at some old discussions, but I don't know the history.
>
> Thanks,
>
> -rohan
>
>
>
>
>
>
>
> On Mon, Apr 15, 2024 at 11:28 AM Russ Housley <housley@vigilsec.com>
> wrote:
>
> Rohan:
>
> RFC 6120 defines the way to carry a client name (Jabber ID) in the
> subjectAltName extension.  Should this document be expanded to address
> subjectAltName as well as extended key usage?
>
> Russ
>
>
> > On Apr 15, 2024, at 2:18 PM, internet-drafts@ietf.org wrote:
> >
> > Internet-Draft draft-ietf-lamps-im-keyusage-00.txt is now available. It
> is a
> > work item of the Limited Additional Mechanisms for PKIX and SMIME
> (LAMPS) WG
> > of the IETF.
> >
> >   Title:   X.509 Certificate Extended Key Usage (EKU) for Instant
> Messaging URIs
> >   Author:  Rohan Mahy
> >   Name:    draft-ietf-lamps-im-keyusage-00.txt
> >   Pages:   5
> >   Dates:   2024-04-15
> >
> > Abstract:
> >
> >   RFC 5280 specifies several extended key purpose identifiers
> >   (KeyPurposeIds) for X.509 certificates.  This document defines
> >   Instant Messaging (IM) identity KeyPurposeId for inclusion in the
> >   Extended Key Usage (EKU) extension of X.509 v3 public key
> >   certificates
> >
> > The IETF datatracker status page for this Internet-Draft is:
> > https://datatracker.ietf.org/doc/draft-ietf-lamps-im-keyusage/
> <https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/draft-ietf-lamps-im-keyusage/__;!!FJ-Y8qCqXTj2!eOQUtDAA8uwHi6mlSlRXJVJrnm_r5CwAKy09oCl_Q3itf786AeEtm2xwcGhxxxWefFHr1_P4naZzm9xvxEoUKqOy538S$>
> >
> > There is also an HTML version available at:
> > https://www.ietf.org/archive/id/draft-ietf-lamps-im-keyusage-00.html
> <https://urldefense.com/v3/__https:/www.ietf.org/archive/id/draft-ietf-lamps-im-keyusage-00.html__;!!FJ-Y8qCqXTj2!eOQUtDAA8uwHi6mlSlRXJVJrnm_r5CwAKy09oCl_Q3itf786AeEtm2xwcGhxxxWefFHr1_P4naZzm9xvxEoUKn1iEEOp$>
> >
> > Internet-Drafts are also available by rsync at:
> > rsync.ietf.org::internet-drafts
> >
> >
> > _______________________________________________
> > Spasm mailing list
> > Spasm@ietf.org
> > https://www.ietf.org/mailman/listinfo/spasm
> <https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/spasm__;!!FJ-Y8qCqXTj2!eOQUtDAA8uwHi6mlSlRXJVJrnm_r5CwAKy09oCl_Q3itf786AeEtm2xwcGhxxxWefFHr1_P4naZzm9xvxEoUKhkjFbRj$>
>
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm
> <https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/spasm__;!!FJ-Y8qCqXTj2!eOQUtDAA8uwHi6mlSlRXJVJrnm_r5CwAKy09oCl_Q3itf786AeEtm2xwcGhxxxWefFHr1_P4naZzm9xvxEoUKhkjFbRj$>
>
>
>
>
>
> *Any email and files/attachments transmitted with it are intended solely
> for the use of the individual or entity to whom they are addressed. If this
> message has been sent to you in error, you must not copy, distribute or
> disclose of the information it contains. Please notify Entrust immediately
> and delete the message from your system.*
>
> _______________________________________________
>
> Spasm mailing list
>
> Spasm@ietf.org
>
> https://www.ietf.org/mailman/listinfo/spasm
>
>
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm
>

v2.23.0 | Report a Bug | By Email