Re: [lamps] Call for adoption for draft-ito-documentsigning-eku

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Thu, 29 July 2021 20:45 UTC

From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Ryan Sleevi <ryan-ietf@sleevi.com>
CC: LAMPS WG <spasm@ietf.org>, "Cooley, Dorothy E" <decoole@nsa.gov>, Deb Cooley <debcooley1@gmail.com>
Date: Thu, 29 Jul 2021 20:45:42 +0000
Message-ID: <7E7B23A7-0C80-4FDF-A441-0F882B41AF89@ll.mit.edu>
References: <CD589623-52EE-4958-80AB-73F0CFB3A36E@vigilsec.com> <CAErg=HF_hcXO=9=KJh5EBEov4ybS_8g4xF=cANL9+83UvP0zvQ@mail.gmail.com> <adf86f46-093f-756f-8292-9b5e088f4344@lear.ch> <CAErg=HEUFV2F8R8g8e6yCDKz_e6RebNyB5Zb2Lvgn4oc3BtE-w@mail.gmail.com> <CO6PR14MB4468A7A5EB138542CEBA5D9CEAE99@CO6PR14MB4468.namprd14.prod.outlook.com> <CAErg=HH4aDgju=8C7Neq_4H19EX8S2inNd9fMAMYH3h95S48Rg@mail.gmail.com> <CO6PR14MB44688BC4188063BCA54E80C4EAE99@CO6PR14MB4468.namprd14.prod.outlook.com> <CAErg=HGDA+16N4xhgMvuQz25DqD+_nkiFC+OuAJMkFzYYqFV0w@mail.gmail.com> <2550c1c3-1400-b380-c9ad-dad59286feee@lear.ch> <CAErg=HGnKMNNyaf-=w+DmqfXg7XYbKD2Ah-WUxf96xNN5Ecikg@mail.gmail.com> <CAErg=HFVx5JTog5_aWOrx3vAm5o=LxHfwxEqkVM8FifYCm2P+A@mail.gmail.com> <CAGgd1OdcLujCJQOaTGvS_Hkqg1=pUP-5Mu=06kqkrgFU3fVG5g@mail.gmail.com> <CAErg=HGL-s2v9=5J64GnaaFxWN4QYWMUnDRPcpC0DN5XgM1-yw@mail.gmail.com> <CAGgd1OemU0qX1Wsmx7YPMTiexKz9hmhKj3c89iT3BcrahiUP8A@mail.gmail.com> <7F1B7734-6CC2-4BDB-B4E9-67E846197387@ll.mit.edu> <CAErg=HF4aXAf8R5hqxwmrHQo=Rs2szWiueRwx+g+DK-tRwQ=iw@mail.gmail.com> <AE094786-3902-40B5-B9FA-2629788B2F0F@ll.mit.edu> <CAErg=HFmBupU78TZ+P4Q4GUQvR_=T3uJyor-zywuYP1buJswrg@mail.gmail.com>
In-Reply-To: <CAErg=HFmBupU78TZ+P4Q4GUQvR_=T3uJyor-zywuYP1buJswrg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/q96KmitWAFt6G4jfsKkK847T2rU>

As a matter of fact, I do not [share the same concerns], and here’s why:

· KU usually is marked Critical, and everybody is expected to correctly grok it or die;

· EKU is sometimes marked Critical, and everybody should grok it correctly – there’s a reasonably small set of them, covering reasonable expected use cases;

· Certificate policies are rarely marked Critical; they cover <whatever>, very often admin domain-specific, and if an app cannot grok it – the common practice is “just ignore and proceed”.

This is not an accurate reflection of what EKU is, then. This at least helps me understand the disconnect, which is a misunderstanding about EKU and its semantics, at least in terms of what implementation reality reflects.


OK, fair enough. While I’d argue about which (or whose 😊) view is a “misunderstanding” of what EKU is, the fact is that our visions re. what EKU is and how/what-for it is used differ.
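The three bullets above describe how relying parties treat the critical flag on KU, EKU and certificatePolicies. As an added example that is not part of this thread or of the draft, the following stand-alone Python (standard library only) encodes those three extensions in DER and applies the RFC 5280 rules a relying party is bound by: section 4.2 (reject an unrecognised critical extension, optionally ignore an unrecognised non-critical one) and section 4.2.1.12 (no EKU means any purpose; a present EKU is a closed list unless it names anyExtendedKeyUsage). The policy OID `1.3.6.1.4.1.99999.1` is a made-up enterprise arc for illustration; all DER is constructed in the code, not taken from a real certificate.

```python
"""Added example, not from the thread: RFC 5280 handling of KU, EKU and certificatePolicies
by a relying party.  Section 4.2: reject a certificate carrying an unrecognised critical
extension, optionally ignore an unrecognised non-critical one.  Section 4.2.1.12: absent EKU
means any purpose; present EKU is a closed list unless anyExtendedKeyUsage is listed.
Standard library only; every byte of DER here is constructed, not from a real certificate."""

KEY_USAGE, CERT_POLICIES, EXT_KEY_USAGE = "2.5.29.15", "2.5.29.32", "2.5.29.37"
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"
ID_KP_CODE_SIGNING, ID_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.3", "1.3.6.1.5.5.7.3.4"
HYPOTHETICAL_POLICY_OID = "1.3.6.1.4.1.99999.1"  # made-up enterprise policy OID, illustration only

def der(tag, content):
    """Short-form TLV; sufficient for the small structures built here."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                        # base 128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))

def read_tlv(buf, pos):
    """(tag, content, next_pos) of the short-form TLV starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    assert length < 0x80
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def decode_oid(content):
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def make_extension(oid, critical, value):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }.
    DER omits a BOOLEAN equal to its default, so only critical=TRUE is ever encoded."""
    crit = der(0x01, b"\xff") if critical else b""
    return der(0x30, der_oid(oid) + crit + der(0x04, value))

def parse_extensions(extensions_der):
    """Extensions ::= SEQUENCE OF Extension  ->  [(oid, critical, extnValue content)]."""
    tag, seq, _ = read_tlv(extensions_der, 0)
    assert tag == 0x30
    out, pos = [], 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        _, oid_body, p = read_tlv(ext, 0)
        tag, body, p = read_tlv(ext, p)
        critical = False
        if tag == 0x01:                         # explicit critical BOOLEAN present
            critical = body == b"\xff"
            tag, body, p = read_tlv(ext, p)
        assert tag == 0x04
        out.append((decode_oid(oid_body), critical, body))
    return out

def evaluate(extensions_der, understood, purpose):
    """May a relying party implementing the extension OIDs in `understood` use this
    certificate for the id-kp OID `purpose`?  Returns (accepted, log)."""
    log, eku = [], None
    for oid, critical, value in parse_extensions(extensions_der):
        if oid not in understood:
            if critical:
                log.append(f"reject: unrecognised critical extension {oid}")
                return False, log
            log.append(f"ignore: unrecognised non-critical extension {oid}")
            continue
        log.append(f"process: {oid} (critical={critical})")
        if oid == KEY_USAGE:                    # digitalSignature is bit 0: MSB after the unused-bits byte
            _, bits, _ = read_tlv(value, 0)
            if not bits[1] & 0x80:
                log.append("reject: keyUsage lacks digitalSignature")
                return False, log
        elif oid == EXT_KEY_USAGE:              # ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId
            _, seq, _ = read_tlv(value, 0)
            eku, pos = [], 0
            while pos < len(seq):
                _, inner, pos = read_tlv(seq, pos)
                eku.append(decode_oid(inner))
    if eku is not None and purpose not in eku and ANY_EXTENDED_KEY_USAGE not in eku:
        log.append(f"reject: EKU {eku} does not permit {purpose}")
        return False, log
    return True, log

def demo():
    """Constructed certificates as seen by a relying party that implements KU and EKU
    but has never heard of certificatePolicies."""
    ku = make_extension(KEY_USAGE, True, bytes.fromhex("03020780"))          # BIT STRING: digitalSignature
    eku = make_extension(EXT_KEY_USAGE, False, der(0x30, der_oid(ID_KP_EMAIL_PROTECTION)))
    policy = der(0x30, der(0x30, der_oid(HYPOTHETICAL_POLICY_OID)))          # SEQUENCE OF PolicyInformation
    cp_soft, cp_hard = make_extension(CERT_POLICIES, False, policy), make_extension(CERT_POLICIES, True, policy)
    rp = {KEY_USAGE, EXT_KEY_USAGE}
    return {
        "cp_noncritical_ignored": evaluate(der(0x30, ku + eku + cp_soft), rp, ID_KP_EMAIL_PROTECTION)[0],
        "cp_critical_rejected": evaluate(der(0x30, ku + eku + cp_hard), rp, ID_KP_EMAIL_PROTECTION)[0],
        "eku_excludes_purpose": evaluate(der(0x30, ku + eku), rp, ID_KP_CODE_SIGNING)[0],
        "no_eku_means_any_purpose": evaluate(der(0x30, ku), rp, ID_KP_CODE_SIGNING)[0],
    }
```

The `demo()` cases map onto the bullets: a relying party that does not implement certificatePolicies accepts the certificate while that extension is non-critical and must reject it once the same extension is flagged critical, and a present EKU narrows the certificate to the listed purposes while an absent one leaves it unrestricted. Note that `understood` is the relying party's choice: an application that leaves EKU out of that set would silently ignore a non-critical EKU, which is exactly the implementation variance the thread is arguing about.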