Re: [TLS] Certificate keyUsage enforcement question (new in RFC8446 Appendix E.8)

Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 09 November 2018 17:25 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E67FB130DC5 for <tls@ietfa.amsl.com>; Fri, 9 Nov 2018 09:25:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rJeuUwgdNaB1 for <tls@ietfa.amsl.com>; Fri, 9 Nov 2018 09:25:36 -0800 (PST)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B38D9128766 for <tls@ietf.org>; Fri, 9 Nov 2018 09:25:36 -0800 (PST)
Received: from [192.168.1.161] (unknown [192.168.1.161]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by straasha.imrryr.org (Postfix) with ESMTPSA id 9DAAB3048DD for <tls@ietf.org>; Fri, 9 Nov 2018 12:25:34 -0500 (EST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.1 \(3445.101.1\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <79A3BE82-43DC-4A0B-A30D-726A5C507DF1@gmail.com>
Date: Fri, 09 Nov 2018 12:25:32 -0500
Content-Transfer-Encoding: 7bit
Reply-To: "<tls@ietf.org>" <tls@ietf.org>
Message-Id: <213A3CB4-8CE0-497F-BB3B-4333DA065EAC@dukhovni.org>
References: <79CF87E7-E263-4457-865E-F7BE8251C506@dukhovni.org> <m236seg80v.fsf@localhost.localdomain> <DE213706-285A-4FF4-BA25-3DFC69966BE6@dukhovni.org> <m2y3a4ebau.fsf@localhost.localdomain> <FF305E4A-B304-4C72-9D70-0D65116DD8B9@dukhovni.org> <F04642CF-132E-48EF-B17F-36CC57F245FC@ll.mit.edu> <1541716036588.29769@cs.auckland.ac.nz> <62FC16EB-9567-408E-B3A1-62B868F5A2BB@dukhovni.org> <1541744362984.15559@cs.auckland.ac.nz> <82B55ED0-06D5-416F-8EBE-CCA4808CC32D@dukhovni.org> <79A3BE82-43DC-4A0B-A30D-726A5C507DF1@gmail.com>
To: "<tls@ietf.org>" <tls@ietf.org>
X-Mailer: Apple Mail (2.3445.101.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/GSByjIIuWQFH21bOjQj-wpbEgu4>
Subject: Re: [TLS] Certificate keyUsage enforcement question (new in RFC8446 Appendix E.8)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Nov 2018 17:25:39 -0000


> On Nov 9, 2018, at 11:52 AM, Yoav Nir <ynir.ietf@gmail.com> wrote:
> 
>> Nor have I, and I rather think that introducing fixed-(EC)DH ciphers into
>> TLS was a mistake, and glad to see them gone in TLS 1.3.
> 
> FWIW RFC 8422 also deprecates them for TLS 1.2 and earlier.

Great!  Thanks.  I see that in:

   5.5.  Certificate Request

   https://tools.ietf.org/html/rfc8422#section-5.5

Mind you, as that text is in the context of "Certificate Request" some
might not read to understand that they're also deprecated for the server
certificate, but we can hope that'll be understood implicitly.

-- 
	Viktor.