IETF Logo Mail Archive

Re: [lamps] Call for adoption for draft-ito-documentsigning-eku

Deb Cooley <debcooley1@gmail.com> Wed, 28 July 2021 12:25 UTC

Return-Path: <debcooley1@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6D523A0CB8 for <spasm@ietfa.amsl.com>; Wed, 28 Jul 2021 05:25:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.847
X-Spam-Level:
X-Spam-Status: No, score=-1.847 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ISKjwHBfVq_I for <spasm@ietfa.amsl.com>; Wed, 28 Jul 2021 05:25:17 -0700 (PDT)
Received: from mail-oi1-x232.google.com (mail-oi1-x232.google.com [IPv6:2607:f8b0:4864:20::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D72EB3A0CB7 for <spasm@ietf.org>; Wed, 28 Jul 2021 05:25:16 -0700 (PDT)
Received: by mail-oi1-x232.google.com with SMTP id a19so3492937oiw.6 for <spasm@ietf.org>; Wed, 28 Jul 2021 05:25:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=J/YeCaFe501Y6bXI65vWjWMyQJYpC5Cn+tV3j1a6hVA=; b=Ux4yA1C21yCeSazQ5LMBydvObW7Nr1x8GlAilSrZ39fR3bSmVEnMSK04jhM+FyB1DJ U489XoiJ3HaGEhZO1L6ZkPaLB9kHdMmJlyraIJ/9I3PkLEClk/MoNt8ebKI56C/N6B6b fEAxNHEBIGipi93TdL4xSw5o5W6JjPphHC25wGPkhaYWYJzvYi5QPcQ6srzukzn6pEoy s7jfy2h6mfPjXIn2Guam768OfZ6GAzD2nSSdRNKfeNDSu5yLDGMY68hnXFU37aFPxvaK YoEQZ4zTjfiBF42696UP06oU1ScoYa7g4HuxXYgSMCmoeLUy08/oflhZbFrMeXNnISIA OFmA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=J/YeCaFe501Y6bXI65vWjWMyQJYpC5Cn+tV3j1a6hVA=; b=iniYhs3U0AkyiIdDgkUtg2253mlFIOy4GxnC0D20dU5lB1dGNiDFZ8PLaKECJPuv+c 0JK4aYYev2nFB5Gljkwvf6FWJBo3/OzrF4UfMrTlqQY4qmm+7wLGuDwqngz1XUGDwyjg T25EwfMjvqY6Vxx252BKkj3sWvX01Js8TsN0Ym48+vzz4JuYGQoE0D/haQl75aJJm4rR JfJ+ysyeOrXh71lkdNFxoODWDkBCylJj6+MRQ/osetrM2LbhXlOXqmsN0HVrCqV6kA1w cmQhm3qrKhO70839y+3DuCLpoqIONHFNWDUYx2TdBQB+XBkLoonp4HNOSnMHqrcCiQUf FzOA==
X-Gm-Message-State: AOAM533IGrm7wrGUpouVxBIoI0TUgr8woNbdf+EzvJhg3/T2kya7pCZM VsQcAZXuufQ1iVDxmNvkFzHGlBqIhgpqePkiDLGDRJ0Saw==
X-Google-Smtp-Source: ABdhPJzaatru+s38IL9BtGIpJu6sAk37zo8I9rCae7QBsbaVkhoyw86sbU8YH6WNvnztnvTOHK7gPWEowjYUoTO3SU8=
X-Received: by 2002:aca:4355:: with SMTP id q82mr6245692oia.165.1627475114587; Wed, 28 Jul 2021 05:25:14 -0700 (PDT)
MIME-Version: 1.0
References: <CD589623-52EE-4958-80AB-73F0CFB3A36E@vigilsec.com> <CAErg=HF_hcXO=9=KJh5EBEov4ybS_8g4xF=cANL9+83UvP0zvQ@mail.gmail.com> <adf86f46-093f-756f-8292-9b5e088f4344@lear.ch> <CAErg=HEUFV2F8R8g8e6yCDKz_e6RebNyB5Zb2Lvgn4oc3BtE-w@mail.gmail.com> <CO6PR14MB4468A7A5EB138542CEBA5D9CEAE99@CO6PR14MB4468.namprd14.prod.outlook.com> <CAErg=HH4aDgju=8C7Neq_4H19EX8S2inNd9fMAMYH3h95S48Rg@mail.gmail.com> <CO6PR14MB44688BC4188063BCA54E80C4EAE99@CO6PR14MB4468.namprd14.prod.outlook.com> <CAErg=HGDA+16N4xhgMvuQz25DqD+_nkiFC+OuAJMkFzYYqFV0w@mail.gmail.com> <2550c1c3-1400-b380-c9ad-dad59286feee@lear.ch>
In-Reply-To: <2550c1c3-1400-b380-c9ad-dad59286feee@lear.ch>
From: Deb Cooley <debcooley1@gmail.com>
Date: Wed, 28 Jul 2021 08:25:03 -0400
Message-ID: <CAGgd1OevYYZiRj2f4kJMtwWP_qjvPisD-VOqOjKnB7brqJvr2Q@mail.gmail.com>
To: LAMPS WG <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000015fa0e05c82e143c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/s2rqvI4h_3LWn5aO4SSi0nrEs7w>
Subject: Re: [lamps] Call for adoption for draft-ito-documentsigning-eku
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Jul 2021 12:25:22 -0000

While I understand that relying parties often do not/cannot validate fields
like certificate policies, EKUs and even KUs.

I do, however, think it is important to have an EKU between
id-kp-emailProtection and id-kp-codeSigning.  Clearly the code signing EKU
is inappropriate for document signature, as is the email protection EKU.
There is currently no general purpose EKU for 'document' signing - however
'document' is defined (and I don't believe boiling the ocean is required
here).

If there are CAs that are issuing code signing EKUs to enable document
signing, I do take issue with that practice, it should not be condoned.
Code signing is an extremely sensitive function and the use of keys to do
this must be limited.

If there are multiple private EKUs for document signing, I also take issue
with that practice.  They just create silos and are a barrier to
interoperability.

As such, I am in favor of this draft.  Providing the authors can pin down
the definition in quick order.  Charters can be changed, I don't find that
to be a barrier per se.

Deb Cooley
decoole@nsa.gov

On Wed, Jul 28, 2021 at 4:03 AM Eliot Lear <lear@lear.ch> wrote:

> How about the second paragraph:
>
> The LAMPS (Limited Additional Mechanisms for PKIX and SMIME) Working
> Group is chartered to make updates where there is a known constituency
> interested in real deployment and there is at least one sufficiently
> well specified approach to the update so that the working group can
> sensibly evaluate whether to adopt a proposal.
>
> Eliot
> On 28.07.21 03:32, Ryan Sleevi wrote:
>
>
>
> On Tue, Jul 27, 2021 at 6:31 PM Tomofumi Okubo <
> tomofumi.okubo@digicert.com> wrote:
>
>> The section will be referring to an existing RFC which is currently in
>> use.
>>
> I eagerly anticipate waiting to see which part of the charter [1] you’re
> proposing this new work item fits under.
>
> I cannot help but still be concerned, despite the stated belief, that is
> is a clear abrogation of the following language from the charter:
>
> The LAMPS WG may produce
> clarifications where needed, but the LAMPS WG shall not adopt
> anything beyond clarifications without rechartering.
>
> [1]
> https://datatracker.ietf.org/wg/lamps/about/
>
> _______________________________________________
> Spasm mailing listSpasm@ietf.orghttps://www.ietf.org/mailman/listinfo/spasm
>
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm
>

v2.23.0 | Report a Bug | By Email