[Uta] RFC7925, 4.4.4, interpretation, MUST-MAY

Achim Kraus <achimkraus@gmx.net> Wed, 12 August 2020 07:21 UTC

Return-Path: <achimkraus@gmx.net>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 151843A10CF for <uta@ietfa.amsl.com>; Wed, 12 Aug 2020 00:21:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=gmx.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3LVw9hOGz8lm for <uta@ietfa.amsl.com>; Wed, 12 Aug 2020 00:21:13 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5704F3A1070 for <uta@ietf.org>; Wed, 12 Aug 2020 00:21:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1597216870; bh=UkIgSbnyM7aBuNtI8ERgWACbEKVKiEFYqRPkkMilJaI=; h=X-UI-Sender-Class:To:From:Subject:Date; b=SOKcIPfO9LBCTDnKEWZkcmY7rQc9RKWy7Nx1Vi99QcGeHYcfImsFxngP8TFPUPyJE NdbimZc5pdQJ6I0uE4k1cNfnzzrfu+uCuumGB8yYzATJaramGFccBLt+RqnLsWv/Ng ZX+uYy66+wPYGVUiUV7JQXvs70y9KKx+0FGcaveA=
X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c
Received: from [192.168.178.45] ([94.216.254.152]) by mail.gmx.com (mrgmx104 [212.227.17.168]) with ESMTPSA (Nemesis) id 1N5VD8-1kkwpA1XQo-016vda for <uta@ietf.org>; Wed, 12 Aug 2020 09:21:10 +0200
To: uta@ietf.org
From: Achim Kraus <achimkraus@gmx.net>
Message-ID: <2f8f0df5-331b-e286-c365-7e8e27195d50@gmx.net>
Date: Wed, 12 Aug 2020 09:21:10 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/jgmCuiRw7cx6CE-sdEvflegeZ5k>
Subject: [Uta] RFC7925, 4.4.4, interpretation, MUST-MAY
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Aug 2020 07:21:15 -0000

Dear list,

RFC7925 mentions in 4.4.4, that

 > All certificate elements listed in Table 1 MUST be implemented by
 > clients and servers claiming support for certificate-based
 > authentication.

and then in that table:

 > Extension: Key Usage
 > The KeyUsage field MAY have the following values
 > in the context of this profile:
 > - digitalSignature or keyAgreement,
 > - keyCertSign for verifying signatures on public key certificates.

 > Extension: Extended Key Usage
 > The ExtKeyUsageSyntax field MAY have the following
 > values in context of this profile:
 > - id-kp-serverAuth for server authentication,
 > - id-kp-clientAuth for client authentication,
 > - id-kp-codeSigning for code signing (for software update mechanism),
 > - and id-kp-OCSPSigning for future OCSP usage in TLS.

That results in different interpretations discussed in the Eclipse Open
Source project Leshan (LwM2M), see
https://github.com/eclipse/leshan/pull/869.

FMPOV, it means the extension MAY be used, and an implementation MUST
support it, if used. Others seem to read it as "the extension MUST be
used".

I would appreciate it if someone could help clarify the intention of this.

best regards
Achim Kraus
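The two readings of the MAY/MUST wording discussed above, as an added example that is not part of the original post and not code from the Leshan project: a Go check that uses only the standard-library crypto/x509 package. With requireExtensions=false it implements the reading "the extension MAY be present, and MUST be evaluated when it is"; with requireExtensions=true it implements the reading "the extension MUST be present". The certificates are constructed inside the block with self-signed test keys. The function and type names, the Role values, and the rule that a non-CA certificate must assert digitalSignature or keyAgreement are this example's own assumptions, not text from RFC 7925.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Role is the TLS role the peer certificate is being checked for (assumed name).
type Role int

const (
	RoleServer Role = iota
	RoleClient
)

// KeyUsage bits named in RFC 7925 Table 1; assumption: when the extension is
// present at all, no other bit is acceptable.
const profileKeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyAgreement | x509.KeyUsageCertSign

// Extended key usage purposes named in RFC 7925 Table 1.
var profileExtKeyUsage = map[x509.ExtKeyUsage]bool{
	x509.ExtKeyUsageServerAuth:  true,
	x509.ExtKeyUsageClientAuth:  true,
	x509.ExtKeyUsageCodeSigning: true,
	x509.ExtKeyUsageOCSPSigning: true,
}

// CheckProfileExtensions evaluates KeyUsage and ExtendedKeyUsage against the profile.
// requireExtensions=false: absent extension is fine, present extension must only carry
// listed values. requireExtensions=true: absent extension is itself a failure.
func CheckProfileExtensions(cert *x509.Certificate, role Role, requireExtensions bool) error {
	// Go leaves cert.KeyUsage == 0 when the extension is not in the certificate.
	if cert.KeyUsage == 0 {
		if requireExtensions {
			return errors.New("KeyUsage extension absent")
		}
	} else {
		if cert.KeyUsage&^profileKeyUsage != 0 {
			return fmt.Errorf("KeyUsage %#x carries bits outside the profile", cert.KeyUsage)
		}
		// Assumption: an end-entity TLS certificate needs digitalSignature (ECDSA)
		// or keyAgreement (static ECDH); keyCertSign alone only fits a CA.
		if !cert.IsCA && cert.KeyUsage&(x509.KeyUsageDigitalSignature|x509.KeyUsageKeyAgreement) == 0 {
			return errors.New("KeyUsage asserts neither digitalSignature nor keyAgreement")
		}
	}

	needed := x509.ExtKeyUsageServerAuth
	if role == RoleClient {
		needed = x509.ExtKeyUsageClientAuth
	}
	// Go splits parsed EKU OIDs into known (ExtKeyUsage) and unknown (UnknownExtKeyUsage).
	if len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0 {
		if requireExtensions {
			return errors.New("ExtendedKeyUsage extension absent")
		}
		return nil // absent: nothing to evaluate under the lenient reading
	}
	if len(cert.UnknownExtKeyUsage) != 0 {
		return fmt.Errorf("ExtendedKeyUsage carries purposes outside the profile: %v", cert.UnknownExtKeyUsage)
	}
	found := false
	for _, eku := range cert.ExtKeyUsage {
		if !profileExtKeyUsage[eku] {
			return fmt.Errorf("ExtendedKeyUsage purpose %d is outside the profile", eku)
		}
		if eku == needed {
			found = true
		}
	}
	if !found {
		return fmt.Errorf("ExtendedKeyUsage present but lacks the purpose for role %d", role)
	}
	return nil
}

// makeCert builds a constructed, self-signed end-entity certificate with the given
// extensions. A zero ku or nil eku leaves that extension out entirely, which is how
// x509.CreateCertificate behaves.
func makeCert(ku x509.KeyUsage, eku []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "device-0001"}, // constructed sample identity
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     ku,
		ExtKeyUsage:  eku,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	bare, _ := makeCert(0, nil)
	fmt.Println("no extensions, lenient reading:", CheckProfileExtensions(bare, RoleServer, false))
	fmt.Println("no extensions, strict reading: ", CheckProfileExtensions(bare, RoleServer, true))
	srv, _ := makeCert(x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	fmt.Println("serverAuth cert used as client: ", CheckProfileExtensions(srv, RoleClient, false))
}
```

The point of the split is that the two readings only differ for a certificate that omits the extension; once the extension is there, both readings reject values outside Table 1 and an EKU that does not match the peer's role.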