Re: [lamps] Call for adoption for draft-ito-documentsigning-eku
Deb Cooley <debcooley1@gmail.com> Fri, 26 November 2021 11:50 UTC
Return-Path: <debcooley1@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2D0E3A0D6A for <spasm@ietfa.amsl.com>; Fri, 26 Nov 2021 03:50:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.847
X-Spam-Level:
X-Spam-Status: No, score=-1.847 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1Plj1_OoStsc for <spasm@ietfa.amsl.com>; Fri, 26 Nov 2021 03:50:41 -0800 (PST)
Received: from mail-oi1-x235.google.com (mail-oi1-x235.google.com [IPv6:2607:f8b0:4864:20::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 26C513A0D67 for <spasm@ietf.org>; Fri, 26 Nov 2021 03:50:41 -0800 (PST)
Received: by mail-oi1-x235.google.com with SMTP id u74so18361595oie.8 for <spasm@ietf.org>; Fri, 26 Nov 2021 03:50:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Cs0s5PI5eL3b6lWXBz+ilRrhgCdk6LV+rG40ZqKycpg=; b=UUKtWFynheM8akG8JXekA83+IZrHHSTyVcyT91U3P8VZzC3T0SmP6au8U33QvHHZNH EhFO6SdNA3qXtUc5IA5AwBNpjgjND2LbgVobBhO3uMuIhaZmA/ecILG3WFCPe/wAU3jH a7xBbcx2agf6NVepUI1LKnQkkh0AKae2oWt//lriJ+8I7/YEibQVzNQIVOg6s9AtPxJV QvE4iJFbCIpf9UaNEDfB5M74lsQDyRe+vTN0neaVokq7U3dVwG4rYW6oAAvJWlu75+p2 pEbi6GfJzGcv4T5oo03ZkiER9BSceV/VcgoVRhJgfi+sMgj/R1M4qB+MJO20AbFqthpJ 9iqA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Cs0s5PI5eL3b6lWXBz+ilRrhgCdk6LV+rG40ZqKycpg=; b=InT6BGPwfOZdayay81o6PMVSDHwDQVwtnJDHh5xhMI0GAPfacQP0/DUfcW/CfnShpy KOeJWMH4GTFIG9PSkhyEnm5CqqNOKOBmVMl5LMNEesKgC0kJHkLJEfIn2jtddaP6KtBN hoNlhL32bmv2zWsKZBWf5UHomonRqSeFt2CZBreNleDsz+moGiFL+6dgg+a/CzbjVADu fbMbpyPn7zw4jY94wW4yRHjr6cBZPRAszoBB4QAb7Ew1Ji1IwmUSukCDOeurTYLmp+Nl dC93nSQ4oPPM8G8VGgLiaD6Zm2ETL1dei/NfJVguoP2lfS29GGLD7fYrzzKnzJw0MI/V gdkw==
X-Gm-Message-State: AOAM530+H2AcO6gpQpcVe+5e25G4BCIZqDyy5Ao2+3nxNRUdzjP3Pxlq ajO0Q97ue/2S2cPhsPcQw+mwEd/piMfqJetdhDJyDWI=
X-Google-Smtp-Source: ABdhPJymVUF89dKKVTLaQX8T8q6MDIfytblMCJytyKnxebO88YewVsLmUHnkxWpHQ17b+rb1dkU6NVlaaZZ+/fmwC+A=
X-Received: by 2002:a05:6808:1984:: with SMTP id bj4mr22639793oib.165.1637927439575; Fri, 26 Nov 2021 03:50:39 -0800 (PST)
MIME-Version: 1.0
References: <CD589623-52EE-4958-80AB-73F0CFB3A36E@vigilsec.com> <1739DC01-D237-4080-99F2-1B82A4571C49@vigilsec.com> <SA1PR03MB66262B6CA20602F3417C0B7EEE949@SA1PR03MB6626.namprd03.prod.outlook.com> <df508f23-c7b4-a0ca-d552-51c2b1d9663a@aaa-sec.com>
In-Reply-To: <df508f23-c7b4-a0ca-d552-51c2b1d9663a@aaa-sec.com>
From: Deb Cooley <debcooley1@gmail.com>
Date: Fri, 26 Nov 2021 06:50:28 -0500
Message-ID: <CAGgd1OcfTU9JOhjZ6oKsDALpdbU2E_=PUvaSXQuWgdhgFVK=Cw@mail.gmail.com>
To: Stefan Santesson <stefan@aaa-sec.com>
Cc: LAMPS WG <spasm@ietf.org>, "Cooley, Dorothy E" <decoole@nsa.gov>
Content-Type: multipart/alternative; boundary="000000000000342ba505d1afb3c1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/s47owlFL61lU-3F4q97QWxRTNHo>
Subject: Re: [lamps] Call for adoption for draft-ito-documentsigning-eku
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Nov 2021 11:50:46 -0000
Apologies, it takes me a week or so to catch up w/ my normal work after an IETF meeting. I'm not in favor for separate keys/certs for different purposes. The PKI I support (US DOD) already has 3 keys/certs (ID, signing, encryption), adding a 'you can only use this cert for one purpose' is a deal breaker. I am in favor of distinguishing the difference between email signing, code signing, and document signing. In particular, I don't want to see code signing overloaded. I happy for that to make sense. This mechanism? or another, I'm open to something that is simple and makes logical sense. As for the nonrepudiation issues, that is a KU, correct? And the KU extension is classically marked as 'critical', whereas EKU is marked as 'not critical'. One day, I hope and pray that the NR KU will no longer exist in our (US DOD) certificates. I would not be in favor of marking an EKU as critical, which theoretically makes it easier? But maybe not in Europe? Deb Cooley decoole@nsa.gov On Thu, Nov 11, 2021 at 11:12 AM Stefan Santesson <stefan@aaa-sec.com> wrote: > Hi, > > I just went through large part of this mail thread, the draft itself and > the presentation at IETF112. > > I would at least like to raise some concerns about this EKU. > > > My absolute biggest worry is that we will initiate the old > non-repudiation debate in key usage where we desperately attempted to > distinguish between usage of keys for something similar to "document > signing" as apposed to using the key for signing to support > authentication or just data integrity. > > In the wake of that discussion, many people started to debate how the > setting of this or that bit would affect the legal effect of such > signature. > > I think that the only thing we could agree on in the end was that it > probably was a huge mistake to try to bind a key to a purpose, as > opposed to binding the key to a particular protocol. > > > The main difference is that if a certificate is declared as suitable for > a protocol, then it is easy to just deny that protocol action if the > identifier is not there. That has no implications rather than the > end-points fixing their certs to make the protocol work. > > But if you receive a signed document, the harm is done and you can't go > back and ask the signer to sign with another cert. And the commitment is > done, and legally binding, whether there is a declaration of this type > or not. > > > So my question is basically. What are the signer and the verifier > supposed to do based on seeing or not seeing this EKU in a cert. That is > not at all clear to me. > > My biggest fear is that other standards groups in this area, like ETSI > ESI will start to update their signature validation procedures to check > for the presence of this EKU. I can hear the debate already. > > > > > To comments on the actual draft. The following text is problematic: > > "Inclusion of this KeyPurposeId in a certificate indicates that the use > of any Subject names in the certificate is restricted to use by a > document signing." > > This is not compatible with the function of the EKU extension. If you > for example add a second EKU to the certificate, the certificate is > equally valid to be used with the other EKU. An EKU can therefore not > limit or restrict the use of the certificate for just this purpose. > > > Also, the definition of document signing is problematic: > > In modern electronic services you cant isolate the signed document from > the process of creating, approving and signing content. This is because > what you see is what you sign is just a fairy tale. In practice you see > something, but you often sign some machine processable data that binds > the transaction/agreement to you, but it is not the visible content. It > is not even a document that you can make visible directly. This is the > case often when for example signing tax declarations. What you sign can > be an XML construct of codes and data that is key to the declaration, > but the XML data is only for machine processing. The data itself can be > visually presented, but it is a stretch to call that the signed > document. The world is simply not that neat and contained that we would > like it to be. > > > In the end. This EKU worries me. A lot. > > > /Stefan > > _______________________________________________ > Spasm mailing list > Spasm@ietf.org > https://www.ietf.org/mailman/listinfo/spasm >
- [lamps] Call for adoption for draft-ito-documents… Russ Housley
- Re: [lamps] Call for adoption for draft-ito-docum… Salz, Rich
- Re: [lamps] Call for adoption for draft-ito-docum… Eliot Lear
- Re: [lamps] Call for adoption for draft-ito-docum… Ryan Sleevi
- Re: [lamps] Call for adoption for draft-ito-docum… Tadahiko Ito
- Re: [lamps] Call for adoption for draft-ito-docum… Ryan Sleevi
- Re: [lamps] Call for adoption for draft-ito-docum… Eliot Lear
- Re: [lamps] Call for adoption for draft-ito-docum… Ryan Sleevi
- Re: [lamps] Call for adoption for draft-ito-docum… Blumenthal, Uri - 0553 - MITLL
- Re: [lamps] Call for adoption for draft-ito-docum… Tomofumi Okubo
- Re: [lamps] Call for adoption for draft-ito-docum… Ryan Sleevi
- Re: [lamps] Call for adoption for draft-ito-docum… Tomofumi Okubo
- Re: [lamps] Call for adoption for draft-ito-docum… Ryan Sleevi
- Re: [lamps] Call for adoption for draft-ito-docum… Eliot Lear
- Re: [lamps] Call for adoption for draft-ito-docum… Deb Cooley
- Re: [lamps] Call for adoption for draft-ito-docum… Ryan Sleevi
- Re: [lamps] Call for adoption for draft-ito-docum… Eliot Lear
- Re: [lamps] Call for adoption for draft-ito-docum… Ryan Sleevi
- Re: [lamps] Call for adoption for draft-ito-docum… Deb Cooley
- Re: [lamps] Call for adoption for draft-ito-docum… Ryan Sleevi
- Re: [lamps] Call for adoption for draft-ito-docum… Russ Housley
- Re: [lamps] Call for adoption for draft-ito-docum… Eliot Lear
- Re: [lamps] Call for adoption for draft-ito-docum… Santosh Chokhani
- Re: [lamps] Call for adoption for draft-ito-docum… Deb Cooley
- Re: [lamps] Call for adoption for draft-ito-docum… Blumenthal, Uri - 0553 - MITLL
- Re: [lamps] Call for adoption for draft-ito-docum… Ryan Sleevi
- Re: [lamps] Call for adoption for draft-ito-docum… Carl Wallace
- Re: [lamps] Call for adoption for draft-ito-docum… Blumenthal, Uri - 0553 - MITLL
- Re: [lamps] Call for adoption for draft-ito-docum… Ryan Sleevi
- Re: [lamps] Call for adoption for draft-ito-docum… Ryan Sleevi
- Re: [lamps] Call for adoption for draft-ito-docum… Carl Wallace
- Re: [lamps] Call for adoption for draft-ito-docum… Blumenthal, Uri - 0553 - MITLL
- Re: [lamps] Call for adoption for draft-ito-docum… Ryan Sleevi
- Re: [lamps] Call for adoption for draft-ito-docum… Carl Wallace
- Re: [lamps] Call for adoption for draft-ito-docum… Ryan Sleevi
- Re: [lamps] Call for adoption for draft-ito-docum… Carl Wallace
- Re: [lamps] Call for adoption for draft-ito-docum… Salz, Rich
- Re: [lamps] Call for adoption for draft-ito-docum… Ryan Sleevi
- Re: [lamps] Call for adoption for draft-ito-docum… Blumenthal, Uri - 0553 - MITLL
- Re: [lamps] Call for adoption for draft-ito-docum… Michael Richardson
- Re: [lamps] [EXTERNAL] Call for adoption for draf… Mike Ounsworth
- Re: [lamps] Call for adoption for draft-ito-docum… Russ Housley
- Re: [lamps] Call for adoption for draft-ito-docum… Daniel Kahn Gillmor
- Re: [lamps] Call for adoption for draft-ito-docum… Michael Richardson
- Re: [lamps] Call for adoption for draft-ito-docum… Russ Housley
- Re: [lamps] Call for adoption for draft-ito-docum… Ryan Sleevi
- Re: [lamps] Call for adoption for draft-ito-docum… Russ Housley
- Re: [lamps] [EXTERNAL] Re: Call for adoption for … Mike Ounsworth
- Re: [lamps] [EXTERNAL] Re: Call for adoption for … Russ Housley
- Re: [lamps] [EXTERNAL] Re: Call for adoption for … Mike Ounsworth
- Re: [lamps] Call for adoption for draft-ito-docum… Michael Richardson
- [lamps] Call for adoption for draft-ito-documents… Russ Housley
- Re: [lamps] Call for adoption for draft-ito-docum… Yoshiro YONEYA
- Re: [lamps] Call for adoption for draft-ito-docum… Corey Bonnell
- Re: [lamps] Call for adoption for draft-ito-docum… Brown, Wendy (10421)
- Re: [lamps] Call for adoption for draft-ito-docum… Stefan Santesson
- Re: [lamps] Call for adoption for draft-ito-docum… Tadahiko Ito
- Re: [lamps] Call for adoption for draft-ito-docum… Blumenthal, Uri - 0553 - MITLL
- Re: [lamps] Call for adoption for draft-ito-docum… Deb Cooley
- Re: [lamps] Call for adoption for draft-ito-docum… Blumenthal, Uri - 0553 - MITLL
- Re: [lamps] Call for adoption for draft-ito-docum… Deb Cooley
- Re: [lamps] Call for adoption for draft-ito-docum… Russ Housley
- Re: [lamps] Call for adoption for draft-ito-docum… Tadahiko Ito
- Re: [lamps] Call for adoption for draft-ito-docum… Russ Housley