IETF Logo Mail Archive

Re: [lamps] Call for adoption for draft-ito-documentsigning-eku

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Thu, 29 July 2021 18:37 UTC

Return-Path: <prvs=78446e036b=uri@ll.mit.edu>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6EEE73A1529 for <spasm@ietfa.amsl.com>; Thu, 29 Jul 2021 11:37:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.195
X-Spam-Level:
X-Spam-Status: No, score=-4.195 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_NONE=0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f6w72zfkKzca for <spasm@ietfa.amsl.com>; Thu, 29 Jul 2021 11:37:08 -0700 (PDT)
Received: from llmx3.ll.mit.edu (LLMX3.LL.MIT.EDU [129.55.12.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EC9443A150D for <spasm@ietf.org>; Thu, 29 Jul 2021 11:37:07 -0700 (PDT)
Received: from LLE2K16-HYBRD02.mitll.ad.local (LLE2K16-HYBRD02.mitll.ad.local) by llmx3.ll.mit.edu (unknown) with ESMTPS id 16TIb1Xn032922; Thu, 29 Jul 2021 14:37:04 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=qvUO8LWrI5gres5SBrXoJ/NUfnhG1kSEtxF+w3s0OjrGmDf3uA6i5dvJ/JRaKD3SHzn0sSQ/DvEG7kuekDL+yk9XDzpsv0JJHo8oU0w3QDgctVabmppCC8mUJ46VllABg7MVoabirCvFjwovgym2KnKmFN74ZchIruB64UqsnmIDfzl9z5RY7VxtZDvTMn7X0nm/i33++XrAfv5cQYu8NEICLOYTArm6KXIj7CEWgcRYrQNTLQ41GbPpgUf5vh1LvguaVNBfso5k8GCXgI0pwOpayhZRfPuNVgRAK5pQAGD4gH6FGWkoBmeRK5PT1lepSrhFPHE4CjH3wXSjJaxBnA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=yyaGAJzxl2QzF/fmyWDZ8+1njDGGJdPJBUI3zLnzzow=; b=v7v1JN1Uy/J1PlxOlDxBrluPY0hYkvSVNcQiOZItDpbWc7Qs7kdmaGDRljnXrwBuiximmV2FHxWRs5yWH2OZHmrPQMkuVuRErQ42fpXZFe8zT03QWgFwvI724R6j9sOgOUQ744586lfXqS5q+WfyK0msCXnfjs3hAvNEb0NLXg11NVdiBXqab3wt31vxcLngwN49Ojabonql0jrhokQrvapXnOfwkBQW3Il4jVJ4iDngx8Pjn3tjdMwTI3XHuvrh6XvPTFnn/WWmY5rtcDJ1kojrSxVXhFbCWREv3gMCppyQb1I9dTstb6jW08tkmpLlQyCqc+GhL37JLGiPijRzAQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ll.mit.edu; dmarc=pass action=none header.from=ll.mit.edu; dkim=pass header.d=ll.mit.edu; arc=none
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Ryan Sleevi <ryan-ietf@sleevi.com>
CC: LAMPS WG <spasm@ietf.org>, "Cooley, Dorothy E" <decoole@nsa.gov>, Deb Cooley <debcooley1@gmail.com>
Thread-Topic: [lamps] Call for adoption for draft-ito-documentsigning-eku
Thread-Index: AQHXgmuKk2sKcjNKq0GeFl8+0k2LC6tWBn+AgADxCACAAAmlgIAANoYAgAArGACAAAakAIAAMrYAgABs7oCAAHTeAIAAE4SAgAAtRICAAA0eAIAAVOyAgAC7XACAAGdbAP//xgqA
Date: Thu, 29 Jul 2021 18:36:56 +0000
Message-ID: <AE094786-3902-40B5-B9FA-2629788B2F0F@ll.mit.edu>
References: <CD589623-52EE-4958-80AB-73F0CFB3A36E@vigilsec.com> <CAErg=HF_hcXO=9=KJh5EBEov4ybS_8g4xF=cANL9+83UvP0zvQ@mail.gmail.com> <adf86f46-093f-756f-8292-9b5e088f4344@lear.ch> <CAErg=HEUFV2F8R8g8e6yCDKz_e6RebNyB5Zb2Lvgn4oc3BtE-w@mail.gmail.com> <CO6PR14MB4468A7A5EB138542CEBA5D9CEAE99@CO6PR14MB4468.namprd14.prod.outlook.com> <CAErg=HH4aDgju=8C7Neq_4H19EX8S2inNd9fMAMYH3h95S48Rg@mail.gmail.com> <CO6PR14MB44688BC4188063BCA54E80C4EAE99@CO6PR14MB4468.namprd14.prod.outlook.com> <CAErg=HGDA+16N4xhgMvuQz25DqD+_nkiFC+OuAJMkFzYYqFV0w@mail.gmail.com> <2550c1c3-1400-b380-c9ad-dad59286feee@lear.ch> <CAErg=HGnKMNNyaf-=w+DmqfXg7XYbKD2Ah-WUxf96xNN5Ecikg@mail.gmail.com> <CAErg=HFVx5JTog5_aWOrx3vAm5o=LxHfwxEqkVM8FifYCm2P+A@mail.gmail.com> <CAGgd1OdcLujCJQOaTGvS_Hkqg1=pUP-5Mu=06kqkrgFU3fVG5g@mail.gmail.com> <CAErg=HGL-s2v9=5J64GnaaFxWN4QYWMUnDRPcpC0DN5XgM1-yw@mail.gmail.com> <CAGgd1OemU0qX1Wsmx7YPMTiexKz9hmhKj3c89iT3BcrahiUP8A@mail.gmail.com> <7F1B7734-6CC2-4BDB-B4E9-67E846197387@ll.mit.edu> <CAErg=HF4aXAf8R5hqxwmrHQo=Rs2szWiueRwx+g+DK-tRwQ=iw@mail.gmail.com>
In-Reply-To: <CAErg=HF4aXAf8R5hqxwmrHQo=Rs2szWiueRwx+g+DK-tRwQ=iw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.50.21061301
authentication-results: sleevi.com; dkim=none (message not signed) header.d=none;sleevi.com; dmarc=none action=none header.from=ll.mit.edu;
x-originating-ip: [129.55.200.20]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: b21bd86c-7932-4af6-ec6a-08d952bfd821
x-ms-traffictypediagnostic: DM3P110MB0476:
x-microsoft-antispam-prvs: <DM3P110MB047680004B9390A92AFB641B90EB9@DM3P110MB0476.NAMP110.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: joMcREFKzgOefZvySLfBbl7owQqxGThEGIL9UEcnt/XfRSgdTmLyyG4KjXM33wuYBnC1lc5fTfE/AhZzB+Y8nj7fh9eaHcUj8MgDwWml0rGFQFDBsWKCG1mdFdoXBOrqNt7VwgsbHlYw84EqoFGh23fHnIlNP9dwx21/JvtYYeY/UsMfz4XQXn6BRHQVQQZNZd5CrS+Z/vkH5wffh06kWLokhNrzUWZCO7jQvYzAQRcEdqPqyO2Y3HjhVzvTnW0ZcUiy/RT7z9FaSDUsUlLL5IoUqlbk0cxViAF8ATRawwA2zDmbgXu08IUMhb9hB9kxZzKkBonFflXwKPGE1EweYJwAo0J56sNohSgW4IEoznW49AgkCd624qXn55pvG4bbf9+wZ0hVL0g8JpsCvOY00Qpzujo5OVYzXCp2ta9efqwIfTbnRgfIW68v+rHc6eg6dQH1nVgyggz2xoEzyoA2gsFv6gkKACeTxQquArpeWrVFNsL2m+GQg/QiaZpFdO9RCTgSuqwUHtWjKvuERlFVSEBzJLUfwhr4A3i8qhaXCd7ILONSwJpN/i5O2TWmwEYOP2GDzkwJzttKLrPWiTEoSxzGB7yVXXabnEOJaWScoP5Nreoj5cqtIn+aHF+HHpkkn0iNQJGNzeyrplV9+AyQAVOCfu7bE5YlL37XJT/CxIc=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM3P110MB0556.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(4636009)(366004)(39850400004)(396003)(346002)(376002)(136003)(2616005)(6916009)(71200400001)(4326008)(316002)(66946007)(76116006)(186003)(66476007)(83380400001)(64756008)(66446008)(99936003)(66616009)(6512007)(66556008)(478600001)(54906003)(122000001)(38070700005)(5660300002)(38100700002)(8936002)(6506007)(53546011)(6486002)(2906002)(26005)(86362001)(75432002)(33656002)(8676002)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: fK4jZ7g3uT0Kgw/0kzL99d9PtCDxZ/zVjlu9QVXY/jvLBKD3f8jxaIqfZrVE3qh1ute26T7NZh4xW+ZHmxLexkxB8FNSst8qHVNpAkf2Om/ebaY6T/dsw3cy6FeC7504hGSduFv60UxQWA+aRXUeqJ9fQUMgzf15esIGdBXXzMZGMlzoUURszdAQ3xqH6HZv6Gp0qQA/v+P0Sp78aGvL80WRGR0SQE1S4YJ8TxF4kmqAvqO7lvfzx5baqJRf6Rgp/MZlbj2qttvTdE+lv/VeLl9zW4kz+TJouxQ/Su8pJ3V9J5aDOXCz+yswYuxMNnhZyLVJfvofTQTqbO0Sh6QMFsFB3Cod3Owg559Cykg4lbMkqFETAjJOTIzqDQL2kUxhLZOP0/Sgy/rGIkzsVf9Rxjw72UTOGLBvn/IvI7AjWyQrQLTIYgQnHTl91t8V1nGspCK6K5AzPTcR0x7tIp/HtRWuZ1bIaEJZa52VEwlIg3Shs6f0DlYv/H8F7WIBCMEYvAkVm9cfCoJn0ozotXSfy8uSAauOi54VNhq/b1qPVzy+mCQh7hpaVTwYS6J1VyUrpNe08f6iduJmEpe6dIpJi92u2IBelfV8rJCye+NxGsLCN+gci7mLjMSJnMqQ5N4TXCN+NdgMNMqlTRuLbqul29CujS8AZ9P2cZcourcekQAhQPVBR0JogjS3V1WXQIT0NJwc1vQ5Y50bLiiEqTv2NA==
x-ms-exchange-transport-forked: True
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3710414215_412555249"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM3P110MB0556.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: b21bd86c-7932-4af6-ec6a-08d952bfd821
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Jul 2021 18:36:56.7159 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 83d1efe3-698e-4819-911b-0a8fbe79d01c
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM3P110MB0476
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391, 18.0.790 definitions=2021-07-29_14:2021-07-29, 2021-07-29 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-2103310000 definitions=main-2107290115
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/vMSYWuLl-ajysCKBGGSUaWerptQ>
Subject: Re: [lamps] Call for adoption for draft-ito-documentsigning-eku
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Jul 2021 18:37:11 -0000

On Thu, Jul 29, 2021 at 11:54 AM Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu> wrote:

“A bazillion of EKUs” is a much greater risk, in my opinion. Which I’d like to avoid at all costs.

 

> Since the scenario here is largely hyperbolic, entirely unrealistic, 

 

I think it’s very realistic, and only mildly hyperbolic. What I do think is hyperbolic and not entirely realistic is your concern of cross-format threats.

 

>  .  .  .  and I think reflects a misunderstanding of the proposal, perhaps you can clarify:

> Do you share the same concerns regarding certificatePolicies? 

 

As a matter of fact, I do not [share the same concerns], and here’s why:

 
KU usually is marked Critical, and everybody is expected to correctly grok it or die;
EKU is sometimes marked Critical, and everybody should grok it correctly – there’s reasonably small set of them, covering reasonable expected use cases;
Certificate policies are rarely marked Critical, they cover <whatever>, very often admin domain-specific, and if an app cannot grok it – the common practice is “just ignore and proceed”.
 

I would hate to see EKU proliferating in quantity and “degrading” in quality to the point of “I don’t really care …”

 

For me and my use cases it is very convenient to distinguish a cert for authenticating from a cert for signing documents and/or emails, but absolutely counter-productive to go OCD-route and distinguishing between signing PDF, signing Word, signing XML, signing ROT-13… Plus, as I said earlier – my use case involves hardware tokens that have only one certificate slot for Digital Signature. In theory I could load that one cert with 2KB of EKUs, but it makes zero sense.

 

It looks to me like there are organizations that have very narrow use cases, e.g., just signing PDF – and they’d like to be able to set one EKU on a single cert that they want to issue, to do exactly that and nothing more. I can understand that.

There are other organizations whose use cases are broader than the above. Their options are: (a) EKUs that are not “too narrow”, (b) cram signing cert with a ton of EKUs to address all the use cases, and (c) issue a ton of certs, each for specific use case. It seems that the preference of the majority is (a), and for a good practical reason. As I explained earlier, cert management is costly.

v2.23.0 | Report a Bug | By Email