
From nobody Fri Nov  1 09:26:53 2019
From: The IESG <iesg-secretary@ietf.org>
To: "IETF-Announce" <ietf-announce@ietf.org>
Cc: spasm@ietf.org 
Message-ID: <157262560712.31927.6791798644775959972.idtracker@ietfa.amsl.com>
Date: Fri, 01 Nov 2019 09:26:47 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/9jHs6EJpMQnLR14a1pPAnm-vPgw>
Subject: [lamps] WG Review: Limited Additional Mechanisms for PKIX and SMIME (lamps)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Nov 2019 16:26:47 -0000

The Limited Additional Mechanisms for PKIX and SMIME (lamps) WG in the
Security Area of the IETF is undergoing rechartering. The IESG has not made
any determination yet. The following draft charter was submitted, and is
provided for informational purposes only. Please send your comments to the
IESG mailing list (iesg@ietf.org) by 2019-11-11.

Limited Additional Mechanisms for PKIX and SMIME (lamps)
-----------------------------------------------------------------------
Current status: Active WG

Chairs:
  Russ Housley <housley@vigilsec.com>
  Tim Hollebeek <tim.hollebeek@digicert.com>

Assigned Area Director:
  Roman Danyliw <rdd@cert.org>

Security Area Directors:
  Benjamin Kaduk <kaduk@mit.edu>
  Roman Danyliw <rdd@cert.org>

Mailing list:
  Address: spasm@ietf.org
  To subscribe: https://www.ietf.org/mailman/listinfo/spasm
  Archive: https://mailarchive.ietf.org/arch/browse/spasm/

Group page: https://datatracker.ietf.org/group/lamps/

Charter: https://datatracker.ietf.org/doc/charter-ietf-lamps/

The PKIX and S/MIME Working Groups have been closed for some time. Some
updates have been proposed to the X.509 certificate documents produced
by the PKIX Working Group and the electronic mail security documents
produced by the S/MIME Working Group.

The LAMPS (Limited Additional Mechanisms for PKIX and SMIME) Working
Group is chartered to make updates where there is a known constituency
interested in real deployment and there is at least one sufficiently
well specified approach to the update so that the working group can
sensibly evaluate whether to adopt a proposal.

The LAMPS WG is now tackling these topics:

1. Specify the use of short-lived X.509 certificates for which no
revocation information is made available by the Certification Authority.
Short-lived certificates have a lifespan that is shorter than the time
needed to detect, report, and distribute revocation information.  As a
result, revoking short-lived certificates is unnecessary and pointless.

2. Update the specification for the cryptographic protection of email
headers -- both for signatures and encryption -- to improve the
implementation situation with respect to privacy, security, usability
and interoperability in cryptographically-protected electronic mail.
Most current implementations of cryptographically-protected electronic
mail protect only the body of the message, which leaves significant
room for attacks against otherwise-protected messages.

3. The Certificate Management Protocol (CMP) is specified in RFC 4210,
and it offers a vast range of certificate management options.  CMP is
currently being used in many different industrial environments, but it
needs to be tailored to the specific needs of some environments.  The
LAMPS WG will develop a "lightweight" profile of CMP to more efficiently
support these environments and better facilitate interoperable
implementation, while preserving cryptographic algorithm agility.  In
addition, necessary updates and clarifications to CMP will be specified
in a separate document.  This work will be coordinated with the LWIG WG.

In addition, the LAMPS WG may investigate other updates to documents
produced by the PKIX and S/MIME WG. The LAMPS WG may produce
clarifications where needed, but the LAMPS WG shall not adopt
anything beyond clarifications without rechartering.

Milestones:

  Nov 2019 - Adopt a draft for short-lived certificate conventions

  Dec 2019 - Adopt a draft for header protection conventions

  Dec 2019 - Adopt a draft for CMP updates

  Dec 2019 - Adopt a draft for Lightweight CMP profile

  Nov 2020 - Short-lived certificate conventions sent to IESG for BCP
  publication

  Nov 2020 - CMP updates sent to IESG for standards track publication

  Nov 2020 - Lightweight CMP profile sent to IESG for informational
  publication

  Mar 2021 - Header protection conventions sent to IESG for standards track
  publication



From nobody Mon Nov  4 13:07:12 2019
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: IETF LAMPS WG <spasm@ietf.org>
Date: Mon, 04 Nov 2019 16:07:03 -0500
Message-ID: <87ftj3pczs.fsf@fifthhorseman.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/RGVzTkNMCTv9vrUOSGy7vG-8GpA>
Subject: [lamps] Common Protected Header practice documented (was "Memory Hole")


Hey LAMPS folks--

At (and shortly after) the OpenPGP e-mail summit [0], a group of MUA
developers went ahead and documented the way that several of us have
been handling header protection in a backward-compatible way.

This bundle of techniques used to be known as "Memory Hole" a while back
but for a couple years now we've been calling it just "Protected
Headers", since "Memory Hole" was confusing and weird for some people.

Hopefully this document can serve as input for appendix A.1.1 of
draft-ietf-lamps-header-protection-requirements-01 [1].

The new draft is at:

    https://datatracker.ietf.org/doc/draft-autocrypt-lamps-protected-headers/

(it's "draft-autocrypt-…" because it's not a single-person draft, and
because most of the experience we have in this comes from
implementations actively engaged in the Autocrypt project [2]. But it is
not a formal part of the Autocrypt specifications at this time, and it
is not intended to ever be limited to Autocrypt implementations.)

To whet your appetite, the summary:

-------
   The Protected Headers scheme relies on three backward-compatible
   changes to a cryptographically-protected e-mail message:

   *  Headers known to the composing MUA at message composition time are
      (in addition to their typical placement as Exposed Headers on the
      outside of the message) also present in the MIME header of the
      root of the Cryptographic Payload.  These Protected Headers share
      cryptographic properties with the rest of the Cryptographic
      Payload.

   *  When the Cryptographic Envelope includes encryption, any Exposed
      Header MAY be _obscured_ by a transformation (including deletion).

   *  If the composing MUA intends to obscure any user-facing headers,
      it MAY add a decorative "Legacy Display" MIME part to the
      Cryptographic Payload which additionally duplicates the original
      values of the obscured user-facing headers.

   When a composing MUA encrypts a message, it SHOULD obscure the
   "Subject:" header, by using the literal string "..." (three U+002E
   FULL STOP characters) as the value of the exposed "Subject:" header.

   When a receiving MUA encounters a message with a Cryptographic
   Envelope, it treats the headers of the Cryptographic Payload as
   belonging to the message itself, not just the subpart.  In
   particular, when rendering a header for any such message, the
   renderer SHOULD prefer the header's Protected value over its Exposed
   value.

   A receiving MUA that understands Protected Headers and discovers a
   Legacy Display part SHOULD hide the Legacy Display part when
   rendering the message.
-------

Please don't be put off by the draft length -- nearly half of the
document consists of test vectors that implementers can use to verify
their ability to consume well-formed, protected-header messages.

I'd be happy to present this work in Singapore if there's space on the
agenda.

Feedback, critiques, comments, etc, are all welcome.

Regards,

        --dkg

[0] https://wiki.gnupg.org/OpenPGPEmailSummit201910
[1] https://tools.ietf.org/html/draft-ietf-lamps-header-protection-requirements-01#appendix-A.1.1
[2] https://autocrypt.org/

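The scheme summarised in the message above, modelled as an added Python example (not code from the draft or from any MUA): compose() repeats the headers in the MIME header of the Cryptographic Payload root, obscures the exposed Subject with "..." and adds a Legacy Display part, while render() prefers Protected values over Exposed ones and hides that part. Assumptions not taken from the page: seal()/unseal() stand in for the Cryptographic Envelope and do no real encryption (a real MUA uses OpenPGP or S/MIME there), the legacy-display Content-Type parameter is a constructed marker, and the addresses are made up.

```python
"""Protected Headers composing and rendering, modelled after the draft summary.

Illustrative example, not code from the draft or from any MUA.  Assumptions:
seal()/unseal() are identity placeholders for the Cryptographic Envelope (no
real encryption); the Legacy Display part is tagged with a constructed
Content-Type parameter legacy-display="1"; addresses are made up.
"""
from email import policy
from email.message import EmailMessage, MIMEPart
from email.parser import BytesParser

# Exposed Subject value when encrypting: three U+002E FULL STOP characters.
OBSCURED_SUBJECT = "..."
# Headers the renderer shows to the user (which ones count is an assumption).
USER_FACING = ("Subject", "From", "To", "Date")


def seal(root: MIMEPart) -> bytes:
    """Placeholder for the Cryptographic Envelope: serialise the payload root
    together with its MIME header, which is where the Protected Headers live."""
    return root.as_bytes()


def unseal(blob: bytes) -> EmailMessage:
    """Inverse of seal(): re-parse the payload root, headers included."""
    return BytesParser(policy=policy.default).parsebytes(blob)


def compose(headers: dict, body: str, encrypting: bool) -> EmailMessage:
    """Build the outer message: Exposed Headers on the outside, and the same
    headers repeated in the MIME header of the Cryptographic Payload root."""
    body_part = MIMEPart(policy=policy.default)
    body_part.set_content(body)
    if encrypting:
        # The exposed Subject will be obscured, so add a decorative Legacy
        # Display part carrying its original value for unaware readers.
        legacy = MIMEPart(policy=policy.default)
        legacy.set_content(f"Subject: {headers['Subject']}\n")
        legacy.set_param("legacy-display", "1")  # constructed marker
        root = MIMEPart(policy=policy.default)
        root["Content-Type"] = "multipart/mixed"
        root.attach(legacy)
        root.attach(body_part)
    else:
        root = body_part
    for name, value in headers.items():
        root[name] = value  # Protected Header: shares the payload's protection
    outer = EmailMessage(policy=policy.default)
    for name, value in headers.items():
        outer[name] = value  # Exposed Header, visible to every relay and MUA
    if encrypting:
        outer.replace_header("Subject", OBSCURED_SUBJECT)
    outer.set_content(seal(root), maintype="application", subtype="octet-stream")
    return outer


def render(outer: EmailMessage) -> tuple:
    """Receiving side: for each user-facing header prefer the Protected value
    over the Exposed one, and keep the Legacy Display part out of the body list."""
    root = unseal(outer.get_content())
    shown = {}
    for name in USER_FACING:
        value = root.get(name)
        if value is None:  # not protected: fall back to the Exposed value
            value = outer.get(name)
        shown[name] = None if value is None else str(value)
    parts = list(root.iter_parts()) if root.is_multipart() else [root]
    bodies = [p.get_content() for p in parts if p.get_param("legacy-display") is None]
    return shown, bodies


if __name__ == "__main__":
    hdrs = {"From": "Alice <alice@example.org>", "To": "Bob <bob@example.org>",
            "Date": "Mon, 18 Nov 2019 12:00:00 +0000", "Subject": "Quarterly numbers"}
    msg = compose(hdrs, "Numbers attached.", encrypting=True)
    print("exposed Subject:", msg["Subject"])
    print("rendered:", render(msg))
```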


From nobody Mon Nov 18 02:46:53 2019
From: Sean Turner <sean@sn3rd.com>
Message-Id: <FC47457F-6338-479B-BBBB-8881DD0C90F9@sn3rd.com>
Date: Mon, 18 Nov 2019 18:46:37 +0800
To: LAMPS WG <spasm@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/p-y4hqeI6kst-pxcfh1OkVdv22s>
Subject: [lamps] CMS implementation links from Interop report.

https://www6.ietf.org/iesg/implementation/report-rfc3852.txt


From nobody Mon Nov 18 02:49:44 2019
From: Mike Ounsworth <Mike.Ounsworth@entrustdatacard.com>
To: Sean Turner <sean@sn3rd.com>, LAMPS WG <spasm@ietf.org>
Date: Mon, 18 Nov 2019 10:49:38 +0000
Message-ID: <MN2PR11MB3710DBF8419038026AAB21A59B4D0@MN2PR11MB3710.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/10X4-8ci58zoBcIG5pfBMxTLJHo>
Subject: Re: [lamps] CMS implementation links from Interop report.

Hey Sean,

For those not in the room, can you spell out the context in which this was
brought up?

- - -
Mike Ounsworth | Office: +1 (613) 270-2873



From nobody Mon Nov 18 03:07:30 2019
From: Sean Turner <sean@sn3rd.com>
Message-Id: <225FC0D6-3447-4FBD-A8A8-5755BA1F3E2E@sn3rd.com>
Date: Mon, 18 Nov 2019 19:07:17 +0800
To: LAMPS WG <spasm@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/60iZV3nafMrlXAhIq3VFJCEAl6w>
Subject: [lamps] please adopt: draft-turner-5480-ku-clarifications

Just a reminder about this draft.  It updates RFC 5480 to specify
semantics for the keyEncipherment and dataEncipherment key usage bits
when used in certificates that support Elliptic Curve Cryptography.  I
presented at IETF 105
(https://datatracker.ietf.org/meeting/105/materials/slides-105-lamps-clarifications-for-ecc-spki-00).
I asked (late) for a slot for 106 (same slides as 105).  Only minor
changes to the -01 draft based on list comments:
https://www.ietf.org/rfcdiff?url1=draft-turner-5480-ku-clarifications-00&url2=draft-turner-5480-ku-clarifications-01.

Cheers,

spt


From nobody Mon Nov 18 14:51:56 2019
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: LAMPS WG <spasm@ietf.org>
Date: Tue, 19 Nov 2019 03:45:20 +0800
Message-ID: <878sodm0j3.fsf@fifthhorseman.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/xn_h8Hyl2rR8uTb7b9BTJNd4gSg>
Subject: [lamps] LAMPS sample keys and certificates

Hi all--

I've just published:

   https://www.ietf.org/id/draft-dkg-lamps-samples-00.html

This draft contains sample X.509v3 certificates, and corresponding
secret keys for a sample CA, and for two e-mail users, Alice and Bob.
It provides the certificates and keys in PEM-encoded form and (for Alice
and Bob) in PKCS#12 bundles, so they should be relatively easy to
import.

My hope is that they are useful for generating and interpreting sample
S/MIME (CMS) messages, and part of a larger plan to generate test
vectors that will be useful in demonstrating protected header behavior
on existing clients.

I'd appreciate any feedback or suggestions on the draft and the sample
keys and certificates and PKCS#12 files.

I'm currently building the draft from the git repo at
https://gitlab.com/dkg/lamps-samples -- editorial patches, issues, etc
are welcome at the gitlab interface, though i would prefer if any
substantive issues are also addressed to the list here.

   --dkg



From nobody Mon Nov 18 15:32:42 2019
In-Reply-To: <878sodm0j3.fsf@fifthhorseman.net>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Mon, 18 Nov 2019 18:32:22 -0500
Message-ID: <CAErg=HFkRcdx+Eo7OMn=sesq-kE36O4gjnv4FeSWRMXTAfU=hg@mail.gmail.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: LAMPS WG <spasm@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/dIwzTTAHApyKdoqnY6Xo4CjDTCk>
Subject: Re: [lamps] LAMPS sample keys and certificates

On Mon, Nov 18, 2019 at 5:52 PM Daniel Kahn Gillmor <dkg@fifthhorseman.net>
wrote:

> Hi all--
>
> I've just published:
>
>    https://www.ietf.org/id/draft-dkg-lamps-samples-00.html
>
> This draft contains sample X.509v3 certificates, and corresponding
> secret keys for a sample CA, and for two e-mail users, Alice and Bob.
> It provides the certificates and keys in PEM-encoded form and (for Alice
> and Bob) in PKCS#12 bundles, so they should be relatively easy to
> import.
>
> My hope is that they are useful for generating and interpreting sample
> S/MIME (CMS) messages, and part of a larger plan to generate test
> vectors that will be useful in demonstrating protected header behavior
> on existing clients.
>
> I'd appreciate any feedback or suggestions on the draft and the sample
> keys and certificates and PKCS#12 files.
>
> I'm currently building the draft from the git repo at
> https://gitlab.com/dkg/lamps-samples -- editorial patches, issues, etc
> are welcome at the gitlab interface, though i would prefer if any
> substantive issues are also addressed to the list here.
>
>    --dkg


Overall, I'm wildly supportive of examples and test vectors that help build
interop, whether in I-D form or otherwise. PKITS, for all its flaws, has
been profoundly useful in this space.

One of the challenges with such approaches is ensuring deterministic
outputs as well as negative cases. I noticed your approach, using certtool,
makes it a bit difficult on both of those dimensions. That is, the encoding
may change due to the version of certtool, and that it's (rightfully)
increasingly hard to have good tools do bad things.

In the spirit of how many in the TLS-WG have found tools like BoGo
(https://github.com/google/boringssl/blob/master/ssl/test/PORTING.md)
helpful in building consensus and interop, and at the risk of suggesting
a blue bikeshed, have you considered adopting something similar in tooling?

Over in Chrome, one of the tools we use for both positive and negative
testing, with deterministic output, is
https://github.com/google/der-ascii . I realize the complexities of CMS and
BER make this a more nuanced situation, but I highlight it as a possible
foundation to build deterministic "good" inputs, as well as
"mangled-but-well-formed" and "garbage-but-reflective-of-real-world"
scenarios.

Just $.02 of feedback, since I suspect the cost to switch, if it does turn
out to be useful, will grow as more examples are added.
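
The two technical points raised in this thread, Sean's reminder that draft-turner-5480-ku-clarifications pins down the keyEncipherment and dataEncipherment bits for EC certificates, and Ryan's point that a sample is only useful as a test vector if it has exactly one valid encoding and "mangled-but-well-formed" variants can be produced as negative cases, as an added example that is not code from the draft, from der-ascii, or from anyone in the thread. It is a strict DER decoder for the keyUsage extension plus a lint for EC keys; the OIDs and bit positions come from RFC 5280, RFC 3279 and RFC 5480, and the sample extension bytes are constructed by hand here, not taken from the draft's certificates.

```python
from __future__ import annotations

# Added example: strict DER decoding of keyUsage plus an EC-key lint.
# RFC 5280 KeyUsage named bits, in BIT STRING order (bit 0 is the MSB).
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]

# DER-encoded OID contents (without tag/length): RFC 5480 and RFC 3279.
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")    # 1.2.840.10045.2.1
RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
EC_KEY_OIDS = {ID_EC_PUBLIC_KEY}


class DerError(ValueError):
    """Input is not valid DER (BER shortcuts are rejected, not tolerated)."""


def read_tlv(buf: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Parse one TLV at buf[pos:] and return (tag, value, next_pos).

    Single-byte tags only, which covers everything used here.  Length
    encodings that BER allows but DER forbids raise DerError, so the
    same bit pattern has exactly one accepted byte sequence.
    """
    if pos + 2 > len(buf):
        raise DerError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first == 0x80:
        raise DerError("indefinite length is BER, not DER")
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise DerError("bad long-form length")
        length_bytes = buf[pos:pos + nbytes]
        pos += nbytes
        if length_bytes[0] == 0:
            raise DerError("non-minimal length (leading zero octet)")
        length = int.from_bytes(length_bytes, "big")
        if length < 0x80:
            raise DerError("non-minimal length (long form for a short value)")
    if pos + length > len(buf):
        raise DerError("value runs past end of input")
    return tag, buf[pos:pos + length], pos + length


def decode_key_usage(der: bytes) -> set[str]:
    """Decode a DER KeyUsage BIT STRING into the set of named bits it sets."""
    tag, val, end = read_tlv(der)
    if tag != 0x03:
        raise DerError(f"expected BIT STRING (0x03), got 0x{tag:02x}")
    if end != len(der):
        raise DerError("trailing bytes after the BIT STRING")
    if not val:
        raise DerError("BIT STRING needs an unused-bits octet")
    unused, body = val[0], val[1:]
    if unused > 7 or (not body and unused != 0):
        raise DerError("bad unused-bits count")
    if body:
        if body[-1] & ((1 << unused) - 1):
            raise DerError("padding bits must be zero")
        # X.690 11.2.2: DER drops trailing zero bits of a named bit list,
        # so the last significant bit must be 1.
        if not (body[-1] >> unused) & 1:
            raise DerError("non-minimal named bit list (trailing zero bit)")
    nbits = min(len(body) * 8 - unused, len(KEY_USAGE_BITS))
    return {KEY_USAGE_BITS[i] for i in range(nbits)
            if (body[i // 8] >> (7 - i % 8)) & 1}


def lint_ec_key_usage(spki_alg_oid: bytes, key_usage_der: bytes) -> list[str]:
    """Return lint findings for a certificate's keyUsage given its SPKI
    algorithm OID.  keyEncipherment and dataEncipherment describe RSA-style
    key transport and data encryption, which an EC public key cannot do."""
    try:
        bits = decode_key_usage(key_usage_der)
    except DerError as e:
        return [f"not DER: {e}"]
    findings = []
    if spki_alg_oid in EC_KEY_OIDS:
        for bad in ("keyEncipherment", "dataEncipherment"):
            if bad in bits:
                findings.append(f"{bad} set on an EC public key")
    return findings


# Constructed samples: the canonical encoding and two BER-style variants
# of the same bit pattern (digitalSignature + keyEncipherment = 0xA0).
KU_DS_KE_DER = bytes.fromhex("030205a0")        # 3 bits used, 5 unused
KU_DS_KE_PADDED = bytes.fromhex("030200a0")     # unused=0: trailing zero bits
KU_DS_KE_LONGLEN = bytes.fromhex("03810205a0")  # long-form length for 2
KU_DS_KA_DER = bytes.fromhex("03020388")        # digitalSignature+keyAgreement

if __name__ == "__main__":
    samples = [("canonical", KU_DS_KE_DER), ("padded", KU_DS_KE_PADDED),
               ("long length", KU_DS_KE_LONGLEN), ("ds+ka", KU_DS_KA_DER)]
    for name, blob in samples:
        print(f"{name:12s} EC:  {lint_ec_key_usage(ID_EC_PUBLIC_KEY, blob)}")
        print(f"{name:12s} RSA: {lint_ec_key_usage(RSA_ENCRYPTION, blob)}")
```

The two BER-style variants decode to the same bits under a lenient parser, which is exactly why a sample generated by a lenient tool may silently change encoding between versions; a strict decoder makes that drift a test failure instead.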




From nobody Mon Nov 18 15:51:50 2019
Date: Mon, 18 Nov 2019 18:51:42 -0500
From: Carl Wallace <carl@redhoundsoftware.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, LAMPS WG <spasm@ietf.org>
Message-ID: <F134E036-6E20-474A-8D7D-6680186C396D@redhoundsoftware.com>
In-Reply-To: <878sodm0j3.fsf@fifthhorseman.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/QWD0FuHa5UQHH1Mqm-eNtK7_Zug>
Subject: Re: [lamps] LAMPS sample keys and certificates

FWIW, there are a pile of sample artifacts here:
https://github.com/GSA/ficam-scvp-testing/tree/master/artifacts. The MFPKI
(Mock Federal PKI) was generated by cloning a pile of certs with names
obfuscated. Many of these are likely expired by now though. Something like
this could offer some diversity to the certification paths (in support of
sample S/MIME, etc).

On 11/18/19, 5:52 PM, "Spasm on behalf of Daniel Kahn Gillmor" <spasm-bounces@ietf.org on behalf of dkg@fifthhorseman.net> wrote:

    Hi all--

    I've just published:

       https://www.ietf.org/id/draft-dkg-lamps-samples-00.html

    This draft contains sample X.509v3 certificates, and corresponding
    secret keys for a sample CA, and for two e-mail users, Alice and Bob.
    It provides the certificates and keys in PEM-encoded form and (for Alice
    and Bob) in PKCS#12 bundles, so they should be relatively easy to
    import.

    My hope is that they are useful for generating and interpreting sample
    S/MIME (CMS) messages, and part of a larger plan to generate test
    vectors that will be useful in demonstrating protected header behavior
    on existing clients.

    I'd appreciate any feedback or suggestions on the draft and the sample
    keys and certificates and PKCS#12 files.

    I'm currently building the draft from the git repo at
    https://gitlab.com/dkg/lamps-samples -- editorial patches, issues, etc
    are welcome at the gitlab interface, though i would prefer if any
    substantive issues are also addressed to the list here.

       --dkg



From nobody Mon Nov 18 16:44:44 2019
From: "Salz, Rich" <rsalz@akamai.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, LAMPS WG <spasm@ietf.org>
Date: Tue, 19 Nov 2019 00:44:27 +0000
Message-ID: <1573F1C2-8A25-46DA-B13B-95B4DE9B233B@akamai.com>
In-Reply-To: <878sodm0j3.fsf@fifthhorseman.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/cSaVyrHisT56olSF_vuNFvge-D0>
Subject: Re: [lamps] LAMPS sample keys and certificates

This is very cool.

I don't think it matters what tooling is used since it's most important to
get test vectors published than to allow for easier generation of future
test vectors.

(I won't be at LAMPS, since it already happened because I had to go to
gendispatch.)


From nobody Mon Nov 18 17:21:19 2019
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Ryan Sleevi <ryan-ietf@sleevi.com>
Cc: LAMPS WG <spasm@ietf.org>
In-Reply-To: <CAErg=HFkRcdx+Eo7OMn=sesq-kE36O4gjnv4FeSWRMXTAfU=hg@mail.gmail.com>
References: <878sodm0j3.fsf@fifthhorseman.net> <CAErg=HFkRcdx+Eo7OMn=sesq-kE36O4gjnv4FeSWRMXTAfU=hg@mail.gmail.com>
Date: Tue, 19 Nov 2019 09:21:08 +0800
Message-ID: <8736ekmzjv.fsf@fifthhorseman.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/LTCc6fNxKKjVMwdoCAQtggUDimI>
Subject: Re: [lamps] LAMPS sample keys and certificates


Hi Ryan--

thanks for the supportive note and the interesting pointers.

On Mon 2019-11-18 18:32:22 -0500, Ryan Sleevi wrote:

> One of the challenges with such approaches is ensuring deterministic
> outputs as well as negative cases. I noticed your approach, using certtool,
> makes it a bit difficult on both of those dimensions. That is, the encoding
> may change due to the version or certtool, and that it’s (rightfully)
> increasingly hard to have good tools do bad things.

sure, the approach for building the examples is present but i was
intending this document would ultimately exist as a document with static
objects, rather than a programmatic test suite.

that is, it's (hopefully) input to a test suite, but not a test suite
itself.

I haven't even contemplated negative cases here, as you rightly observe.

I confess i was surprised in searching the IETF's archive of I-Ds that
there was no such set of simple positive examples, so this is an attempt
to just fix that gap, rather than trying to provide a programmatic or
exhaustive corpus.

> In the spirit of how many in the TLS-WG have found tools like BoGo (
>  https://github.com/google/boringssl/blob/master/ssl/test/PORTING.md
>  ) helpful in building consensus and interop, and at the risk of suggesting
> a blue bikeshed, have you considered adopting something similar in tooling?

I really like the idea of doing this, but it's more ambitious than i was
intending this draft to be.  I certainly wouldn't block someone from
trying to do it, of course!

> Over in Chrome, one of the tools we use for both positive and negative
> testing, with deterministic output, is
> https://github.com/google/der-ascii . I realize the complexities of CMS and
> BER make this a more nuanced situation, but I highlight as a possible
> foundation to build deterministic “good” inputs, as well as
> “mangled-but-well-formed” and “garbage-but-reflective-of-real-world”
> scenarios.

good point!  none of what i've done in this draft is sophisticated
enough to warrant der-ascii right now, but i'll put it in my toolbox for
future experimentation.

Regards,

        --dkg



From nobody Tue Nov 19 01:17:52 2019
From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <MN2PR11MB3710DBF8419038026AAB21A59B4D0@MN2PR11MB3710.namprd11.prod.outlook.com>
Date: Tue, 19 Nov 2019 17:17:39 +0800
Cc: LAMPS WG <spasm@ietf.org>
Message-Id: <368995FB-0B3D-42AC-B306-A170909397D2@sn3rd.com>
References: <MN2PR11MB3710DBF8419038026AAB21A59B4D0@MN2PR11MB3710.namprd11.prod.outlook.com>
To: Mike Ounsworth <Mike.Ounsworth@entrustdatacard.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/ERtfREvxR1sDOl8XKkIxFTUjdjs>
Subject: Re: [lamps] CMS implementation links from Interop report.

Sorry - they were looking for S/MIME implementations to see what they could test the header behavior against.

spt

> On Nov 18, 2019, at 18:49, Mike Ounsworth <Mike.Ounsworth@entrustdatacard.com> wrote:
>
> Hey Sean,
>
> For those not in the room, can you spell out the context in which this was brought up?
>
> - - -
> Mike Ounsworth | Office: +1 (613) 270-2873
>
> -----Original Message-----
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Sean Turner
> Sent: Monday, November 18, 2019 5:47 AM
> To: LAMPS WG <spasm@ietf.org>
> Subject: [EXTERNAL][lamps] CMS implementation links from Interop report.
>
> https://www6.ietf.org/iesg/implementation/report-rfc3852.txt
>
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm
>


From nobody Tue Nov 19 23:37:28 2019
To: ietf-announce@ietf.org, rfc-dist@rfc-editor.org
From: rfc-editor@rfc-editor.org
Cc: rfc-editor@rfc-editor.org, drafts-update-ref@iana.org, spasm@ietf.org
Message-Id: <20191120073703.DA0F6F4073B@rfc-editor.org>
Date: Tue, 19 Nov 2019 23:37:03 -0800 (PST)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/cvCmW-SWqf_vMPCmGQK7gTGRrhQ>
Subject: [lamps] RFC 8659 on DNS Certification Authority Authorization (CAA) Resource Record

A new Request for Comments is now available in online RFC libraries.

        
        RFC 8659

        Title:      DNS Certification Authority Authorization (CAA) 
                    Resource Record 
        Author:     P. Hallam-Baker, 
                    R. Stradling,
                    J. Hoffman-Andrews
        Status:     Standards Track
        Stream:     IETF
        Date:       November 2019
        Mailbox:    phill@hallambaker.com, 
                    rob@sectigo.com, 
                    jsha@letsencrypt.org
        Pages:      17
        Obsoletes:  RFC 6844

        I-D Tag:    draft-ietf-lamps-rfc6844bis-07.txt

        URL:        https://www.rfc-editor.org/info/rfc8659

        DOI:        10.17487/RFC8659

The Certification Authority Authorization (CAA) DNS Resource Record
allows a DNS domain name holder to specify one or more Certification
Authorities (CAs) authorized to issue certificates for that domain
name. CAA Resource Records allow a public CA to implement additional
controls to reduce the risk of unintended certificate mis-issue. 
This document defines the syntax of the CAA record and rules for
processing CAA records by CAs.

This document obsoletes RFC 6844.

This document is a product of the Limited Additional Mechanisms for PKIX and SMIME Working Group of the IETF.

This is now a Proposed Standard.

STANDARDS TRACK: This document specifies an Internet Standards Track
protocol for the Internet community, and requests discussion and suggestions
for improvements.  Please refer to the current edition of the Official
Internet Protocol Standards (https://www.rfc-editor.org/standards) for the 
standardization state and status of this protocol.  Distribution of this 
memo is unlimited.

This announcement is sent to the IETF-Announce and rfc-dist lists.
To subscribe or unsubscribe, see
  https://www.ietf.org/mailman/listinfo/ietf-announce
  https://mailman.rfc-editor.org/mailman/listinfo/rfc-dist

For searching the RFC series, see https://www.rfc-editor.org/search
For downloading RFCs, see https://www.rfc-editor.org/retrieve/bulk

Requests for special distribution should be addressed to either the
author of the RFC in question, or to rfc-editor@rfc-editor.org.  Unless
specifically noted otherwise on the RFC itself, all RFCs are for
unlimited distribution.


The RFC Editor Team
Association Management Solutions, LLC


From nobody Thu Nov 21 07:22:10 2019
From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <F134E036-6E20-474A-8D7D-6680186C396D@redhoundsoftware.com>
Date: Thu, 21 Nov 2019 23:21:57 +0800
Cc: LAMPS WG <spasm@ietf.org>
Message-Id: <A85E1AD0-709C-4771-A49F-073E98DA10B7@sn3rd.com>
References: <878sodm0j3.fsf@fifthhorseman.net> <F134E036-6E20-474A-8D7D-6680186C396D@redhoundsoftware.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/alO8aSMuq0KrKs7TMCssT70cHyU>
Subject: Re: [lamps] LAMPS sample keys and certificates

Showing signs of age based on algorithm choices, but there is also:

https://datatracker.ietf.org/doc/rfc4134/

spt

> On Nov 19, 2019, at 07:51, Carl Wallace <carl@redhoundsoftware.com> wrote:
>
> FWIW, there are a pile of sample artifacts here: https://github.com/GSA/ficam-scvp-testing/tree/master/artifacts. The MFPKI (Mock Federal PKI) was generated by cloning a pile of certs with names obfuscated. Many of these are likely expired by now though. Something like this could offer some diversity to the certification paths (in support of sample S/MIME, etc).
>
> On 11/18/19, 5:52 PM, "Spasm on behalf of Daniel Kahn Gillmor" <spasm-bounces@ietf.org on behalf of dkg@fifthhorseman.net> wrote:
>
>    Hi all--
>
>    I've just published:
>
>       https://www.ietf.org/id/draft-dkg-lamps-samples-00.html
>
>    This draft contains sample X.509v3 certificates, and corresponding
>    secret keys for a sample CA, and for two e-mail users, Alice and Bob.
>    It provides the certificates and keys in PEM-encoded form and (for Alice
>    and Bob) in PKCS#12 bundles, so they should be relatively easy to
>    import.
>
>    My hope is that they are useful for generating and interpreting sample
>    S/MIME (CMS) messages, and part of a larger plan to generate test
>    vectors that will be useful in demonstrating protected header behavior
>    on existing clients.
>
>    I'd appreciate any feedback or suggestions on the draft and the sample
>    keys and certificates and PKCS#12 files.
>
>    I'm currently building the draft from the git repo at
>    https://gitlab.com/dkg/lamps-samples -- editorial patches, issues, etc
>    are welcome at the gitlab interface, though i would prefer if any
>    substantive issues are also addressed to the list here.
>
>       --dkg


From nobody Thu Nov 21 12:34:15 2019
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Sean Turner <sean@sn3rd.com>
Cc: LAMPS WG <spasm@ietf.org>
In-Reply-To: <A85E1AD0-709C-4771-A49F-073E98DA10B7@sn3rd.com>
References: <878sodm0j3.fsf@fifthhorseman.net> <F134E036-6E20-474A-8D7D-6680186C396D@redhoundsoftware.com> <A85E1AD0-709C-4771-A49F-073E98DA10B7@sn3rd.com>
Date: Fri, 22 Nov 2019 04:14:16 +0800
Message-ID: <8736ehj8br.fsf@fifthhorseman.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/PWisPoEQ-Q_qHd089znwpcU5H2E>
Subject: Re: [lamps] LAMPS sample keys and certificates


On Thu 2019-11-21 23:21:57 +0800, Sean Turner wrote:
> Showing signs of age based on algorithm choices, but there is also:
>
> https://datatracker.ietf.org/doc/rfc4134/

Thanks for this pointer!  I had looked for something like this, and even
cornered Paul to ask him if he remembered writing such a thing, but came
up empty.

I now see why i missed it in my earlier searches -- i was assuming that
there would be a PEM-encoded form of the key and certificate objects,
and had searched for PEM headers but did not find them.  It's
interesting that there are no PEM-encoded objects here, just the output
of dumpasn1 and a weird custom base64-encoded form in appendix B!

I agree with you that the algorithm choices are on the weaker side here
(1024-bit RSA and DSS!), so i'm inclined to continue work on the new
document, to have relatively modern certs to use for newer examples.

I'll definitely include a reference to this earlier work, though.

     --dkg

PS i've updated draft-dkg-lamps-sample-certs to use RSA (i'd originally
tried to use RSA-PSS, but ran into trouble with using that in some
tests), and to have the keyEncipherment flag set (rather than the
dataEncipherment flag, which i had mistakenly set).
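As an added example that is not code from the draft or its build tooling, the following pure-Python check decodes a DER KeyUsage BIT STRING (RFC 5280, section 4.2.1.3) and reports exactly the keyEncipherment / dataEncipherment mix-up mentioned in the PS; the encodings it is run on are constructed here, not taken from the draft.

```python
# Added example (not code from draft-dkg-lamps-samples or its scripts):
# decode the DER KeyUsage BIT STRING of a certificate extension and flag
# the keyEncipherment / dataEncipherment mix-up.  All byte strings are
# constructed for illustration.

# KeyUsage named bits, in bit-index order (RFC 5280, section 4.2.1.3).
KEY_USAGE_BITS = (
    "digitalSignature",   # 0
    "nonRepudiation",     # 1
    "keyEncipherment",    # 2  wraps a content-encryption key (RSA key transport)
    "dataEncipherment",   # 3  enciphers user data directly with the public key
    "keyAgreement",       # 4
    "keyCertSign",        # 5
    "cRLSign",            # 6
    "encipherOnly",       # 7
    "decipherOnly",       # 8
)


def decode_key_usage(der: bytes) -> set:
    """Return the set of named bits in a DER-encoded KeyUsage BIT STRING.

    Only the minimal DER form is accepted: short-form length, an
    unused-bit count of 0..7, zero padding bits, and no trailing zero
    bits (DER strips them from a named bit list).  Anything else raises
    ValueError, which is what a corpus of deliberately mangled inputs
    should be able to exercise.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length >= 0x80 or length != len(der) - 2:
        raise ValueError("length must be short-form and match the content")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("invalid unused-bits count")
    if body:
        if body[-1] & ((1 << unused) - 1):
            raise ValueError("padding bits must be zero")
        if not (body[-1] >> unused) & 1:
            raise ValueError("trailing zero bits are not DER for a named bit list")
    bits = set()
    for i in range(len(body) * 8 - unused):
        if body[i // 8] & (0x80 >> (i % 8)):
            bits.add(KEY_USAGE_BITS[i] if i < len(KEY_USAGE_BITS) else f"bit{i}")
    return bits


def check_key_transport_usage(key_usage_der: bytes) -> list:
    """Findings for a certificate meant to receive RSA key-transport S/MIME mail.

    keyEncipherment must be present; dataEncipherment is the wrong bit for
    that purpose (it covers direct encryption of user data, not wrapping of
    content-encryption keys) and is reported so it can be corrected.
    """
    usage = decode_key_usage(key_usage_der)
    findings = []
    if "keyEncipherment" not in usage:
        findings.append("keyEncipherment not set: RSA key transport is not permitted")
    if "dataEncipherment" in usage:
        findings.append("dataEncipherment set: not the bit for wrapping content-encryption keys")
    return findings


if __name__ == "__main__":
    # Constructed encodings: digitalSignature+keyEncipherment (the fix) and
    # digitalSignature+dataEncipherment (the mistake described in the PS).
    for label, hexstr in (("fixed", "030205a0"), ("mistaken", "03020490")):
        der = bytes.fromhex(hexstr)
        print(label, sorted(decode_key_usage(der)), check_key_transport_usage(der))
```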



From nobody Thu Nov 21 16:34:34 2019
From: Russ Housley <housley@vigilsec.com>
Message-Id: <AB258C3C-86ED-40BF-BF7C-BC51CF151C02@vigilsec.com>
Date: Thu, 21 Nov 2019 19:34:12 -0500
In-Reply-To: <8736ehj8br.fsf@fifthhorseman.net>
Cc: LAMPS WG <spasm@ietf.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
References: <878sodm0j3.fsf@fifthhorseman.net> <F134E036-6E20-474A-8D7D-6680186C396D@redhoundsoftware.com> <A85E1AD0-709C-4771-A49F-073E98DA10B7@sn3rd.com> <8736ehj8br.fsf@fifthhorseman.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/HU-tJyfQ29oozXeyPT_n9Ov2j30>
Subject: Re: [lamps] LAMPS sample keys and certificates


DKG:

The perl script does yield the binary data, but the document does not use PEM format.

Russ


> On Nov 21, 2019, at 3:14 PM, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
>
> On Thu 2019-11-21 23:21:57 +0800, Sean Turner wrote:
>> Showing signs of age based on algorithm choices, but there is also:
>>
>> https://datatracker.ietf.org/doc/rfc4134/
>
> Thanks for this pointer!  I had looked for something like this, and even
> cornered Paul to ask him if he remembered writing such a thing, but came
> up empty.
>
> I now see why i missed it in my earlier searches -- i was assuming that
> there would be a PEM-encoded form of the key and certificate objects,
> and had searched for PEM headers but did not find them.  It's
> interesting that there are no PEM-encoded objects here, just the output
> of dumpasn1 and a weird custom base64-encoded form in appendix B!
>
> I agree with you that the algorithm choices are on the weaker side here
> (1024-bit RSA and DSS!), so i'm inclined to continue work on the new
> document, to have relatively modern certs to use for newer examples.
>
> I'll definitely include a reference to this earlier work, though.
>
>     --dkg
>
> PS i've updated draft-dkg-lamps-sample-certs to use RSA (i'd originally
> tried to use RSA-PSS, but ran into trouble with using that in some
> tests), and to have the keyEncipherment flag set (rather than the
> dataEncipherment flag, which i had mistakenly set).
>
>



--Apple-Mail=_BB6B31EB-170D-4082-AAF9-77FFB8D9F517--


From nobody Thu Nov 21 17:26:59 2019
Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98D751209E3 for <spasm@ietfa.amsl.com>; Thu, 21 Nov 2019 17:26:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level: 
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CFeIWmHwEIqd for <spasm@ietfa.amsl.com>; Thu, 21 Nov 2019 17:26:53 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 50847120962 for <spasm@ietf.org>; Thu, 21 Nov 2019 17:26:53 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id BF627300B18 for <spasm@ietf.org>; Thu, 21 Nov 2019 20:26:51 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id LZ5VRr8zDO8M for <spasm@ietf.org>; Thu, 21 Nov 2019 20:26:50 -0500 (EST)
Received: from [5.5.33.94] (unknown [204.194.23.17]) by mail.smeinc.net (Postfix) with ESMTPSA id A85A13005C5; Thu, 21 Nov 2019 20:26:49 -0500 (EST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <225FC0D6-3447-4FBD-A8A8-5755BA1F3E2E@sn3rd.com>
Date: Thu, 21 Nov 2019 20:26:47 -0500
Cc: LAMPS WG <spasm@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <668A4F8F-79D7-4AF8-8CAD-AA26D693DEEE@vigilsec.com>
References: <225FC0D6-3447-4FBD-A8A8-5755BA1F3E2E@sn3rd.com>
To: Sean Turner <sean@sn3rd.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/Q_RfmgVRWee2S3B2Gjg6jJGGkqU>
Subject: Re: [lamps] please adopt: draft-turner-5480-ku-clarifications
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Nov 2019 01:26:57 -0000

Sean:

This draft cannot be adopted until the re-charter gets approved.

Russ

> On Nov 18, 2019, at 6:07 AM, Sean Turner <sean@sn3rd.com> wrote:
>
> Just a reminder about this draft.  It updates RFC 5480 to specify
> semantics for the keyEncipherment and dataEncipherment key usage bits
> when used in certificates that support Elliptic Curve Cryptography.  I
> presented at IETF 105
> (https://datatracker.ietf.org/meeting/105/materials/slides-105-lamps-clarifications-for-ecc-spki-00).
> I asked (late) for a slot at 106 (same slides as 105).  Only minor
> changes to the -01 draft based on list comments:
> https://www.ietf.org/rfcdiff?url1=draft-turner-5480-ku-clarifications-00&url2=draft-turner-5480-ku-clarifications-01.
>
> Cheers,
>
> spt
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm


From nobody Fri Nov 22 06:08:59 2019
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 800AB120116 for <spasm@ietfa.amsl.com>; Fri, 22 Nov 2019 06:08:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.407
X-Spam-Level: 
X-Spam-Status: No, score=-0.407 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DATE_IN_PAST_03_06=1.592, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b=BBcWN8p6; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b=kQ3BbzaS
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ED97A_i0uWQ4 for <spasm@ietfa.amsl.com>; Fri, 22 Nov 2019 06:08:55 -0800 (PST)
Received: from che.mayfirst.org (che.mayfirst.org [IPv6:2001:470:1:116::7]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F8BB1200B9 for <spasm@ietf.org>; Fri, 22 Nov 2019 06:08:55 -0800 (PST)
Received: from fifthhorseman.net (unknown [103.137.210.139]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id 76C12F9AF for <spasm@ietf.org>; Fri, 22 Nov 2019 09:08:51 -0500 (EST)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 997B4204D2; Fri, 22 Nov 2019 19:07:53 +0800 (+08)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: LAMPS WG <spasm@ietf.org>
Date: Fri, 22 Nov 2019 19:07:53 +0800
Message-ID: <87blt4i2ye.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/vZbQBc5kds9ZIsRxzrPifBRRanw>
Subject: [lamps] Advertising S/MIME capabilities in a certificate?
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Nov 2019 14:08:57 -0000

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hi folks--

It occurs to me that i'd like at least one of the certificates in
https://www.ietf.org/id/draft-dkg-lamps-samples-01.html to announce some
SMIMECapabilities.  For example, maybe it could advertise that it is
capable of handling a PKCS#7 Compression layer?  Or that it is capable
of processing authEnveloped-data?

However, reading RFC 8551 and related specs i realize how rusty my ASN.1
is (and my knowledge of CMS is so paltry that there was never even
enough of it to rust).

It looks to me like S/MIME capabilities are never advertised in the cert
itself, but rather expected to be included as a signedAttribute in a
signedData object.  Is that right?  Is there no way that the
advertisement can be included in the certificate?

I suppose if the advertisement could be included in both the signedData
object *and* the certificate itself then the algorithm in §2.7.1 of RFC
8551 would need to be much more complicated.

Any pointers or examples would be welcome,

              --dkg

--=-=-=--


From nobody Sat Nov 23 06:34:19 2019
Return-Path: <beldmit@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0B8B120088 for <spasm@ietfa.amsl.com>; Sat, 23 Nov 2019 06:34:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level: 
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0SABrYdOPSso for <spasm@ietfa.amsl.com>; Sat, 23 Nov 2019 06:34:16 -0800 (PST)
Received: from mail-vk1-xa33.google.com (mail-vk1-xa33.google.com [IPv6:2607:f8b0:4864:20::a33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1ECBB120043 for <spasm@ietf.org>; Sat, 23 Nov 2019 06:34:16 -0800 (PST)
Received: by mail-vk1-xa33.google.com with SMTP id k19so2374631vke.10 for <spasm@ietf.org>; Sat, 23 Nov 2019 06:34:16 -0800 (PST)
X-Received: by 2002:a1f:e246:: with SMTP id z67mr13021751vkg.37.1574519654755;  Sat, 23 Nov 2019 06:34:14 -0800 (PST)
MIME-Version: 1.0
References: <87blt4i2ye.fsf@fifthhorseman.net>
In-Reply-To: <87blt4i2ye.fsf@fifthhorseman.net>
From: Dmitry Belyavsky <beldmit@gmail.com>
Date: Sat, 23 Nov 2019 17:34:03 +0300
Message-ID: <CADqLbzLH--abXFuSEMGQdwecPVceyHv7+EnDxiK2aqEcdMk-aQ@mail.gmail.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: LAMPS WG <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b6b0e20598046cfc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/eU3PGI0XYDAhGO87GT8ERSt40tE>
Subject: Re: [lamps] Advertising S/MIME capabilities in a certificate?
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Nov 2019 14:34:18 -0000

--000000000000b6b0e20598046cfc
Content-Type: text/plain; charset="UTF-8"

Dear Daniel,

On Fri, Nov 22, 2019 at 5:09 PM Daniel Kahn Gillmor <dkg@fifthhorseman.net>
wrote:

> Hi folks--
>
> It occurs to me that i'd like at least one of the certificates in
> https://www.ietf.org/id/draft-dkg-lamps-samples-01.html to announce some
> SMIMECapabilities.  For example, maybe it could advertise that it is
> capable of handling a PKCS#7 Compression layer?  Or that it is capable
> of processing authEnveloped-data?
>
> However, reading RFC 8551 and related specs i realize how rusty my ASN.1
> is (and my knowledge of CMS is so paltry that there was never even
> enough of it to rust).
>
> It looks to me like S/MIME capabilities are never advertised in the cert
> itself, but rather expected to be included as a signedAttribute in a
> signedData object.  Is that right?  Is there no way that the
> advertisement can be included in the certificate?
>

OpenSSL adds a fixed list of ciphers and digests as S/MIME capabilities
without looking at the certificate.

-- 
SY, Dmitry Belyavsky


--000000000000b6b0e20598046cfc--


From nobody Sun Nov 24 20:46:55 2019
Return-Path: <ietf@augustcellars.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 982CF120255 for <spasm@ietfa.amsl.com>; Sun, 24 Nov 2019 20:46:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V4yFjUTeon48 for <spasm@ietfa.amsl.com>; Sun, 24 Nov 2019 20:46:51 -0800 (PST)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2916912023E for <spasm@ietf.org>; Sun, 24 Nov 2019 20:46:51 -0800 (PST)
Received: from Jude (50.76.105.153) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Sun, 24 Nov 2019 20:46:45 -0800
From: Jim Schaad <ietf@augustcellars.com>
To: 'Daniel Kahn Gillmor' <dkg@fifthhorseman.net>, 'LAMPS WG' <spasm@ietf.org>
References: <87blt4i2ye.fsf@fifthhorseman.net>
In-Reply-To: <87blt4i2ye.fsf@fifthhorseman.net>
Date: Sun, 24 Nov 2019 20:46:42 -0800
Message-ID: <053201d5a34b$56e34fb0$04a9ef10$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQGeosGC3qsIgYx4CoUCMbtvh/u2RagJURQw
Content-Language: en-us
X-Originating-IP: [50.76.105.153]
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/crK1VAawtpsSoxq52UAeXIdKXU8>
Subject: Re: [lamps] Advertising S/MIME capabilities in a certificate?
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Nov 2019 04:46:53 -0000

You are looking for RFC 4262

-----Original Message-----
From: Spasm <spasm-bounces@ietf.org> On Behalf Of Daniel Kahn Gillmor
Sent: Friday, November 22, 2019 3:08 AM
To: LAMPS WG <spasm@ietf.org>
Subject: [lamps] Advertising S/MIME capabilities in a certificate?

Hi folks--

It occurs to me that i'd like at least one of the certificates in
https://www.ietf.org/id/draft-dkg-lamps-samples-01.html to announce some
SMIMECapabilities.  For example, maybe it could advertise that it is
capable of handling a PKCS#7 Compression layer?  Or that it is capable
of processing authEnveloped-data?

However, reading RFC 8551 and related specs i realize how rusty my ASN.1
is (and my knowledge of CMS is so paltry that there was never even
enough of it to rust).

It looks to me like S/MIME capabilities are never advertised in the cert
itself, but rather expected to be included as a signedAttribute in a
signedData object.  Is that right?  Is there no way that the
advertisement can be included in the certificate?

I suppose if the advertisement could be included in both the signedData
object *and* the certificate itself then the algorithm in §2.7.1 of RFC
8551 would need to be much more complicated.

Any pointers or examples would be welcome,

              --dkg


From nobody Mon Nov 25 22:18:27 2019
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C76B120FD6 for <spasm@ietfa.amsl.com>; Mon, 25 Nov 2019 22:18:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b=LEfMhvSY; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b=s5hP1Tcd
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AHu8otW-SbRC for <spasm@ietfa.amsl.com>; Mon, 25 Nov 2019 22:18:24 -0800 (PST)
Received: from che.mayfirst.org (che.mayfirst.org [IPv6:2001:470:1:116::7]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 862581209D6 for <spasm@ietf.org>; Mon, 25 Nov 2019 22:18:12 -0800 (PST)
Received: from fifthhorseman.net (unknown [38.109.115.130]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id 8B70EF9A5; Tue, 26 Nov 2019 01:18:09 -0500 (EST)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 07451204BD; Tue, 26 Nov 2019 14:18:02 +0800 (+08)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Jim Schaad <ietf@augustcellars.com>, 'LAMPS WG' <spasm@ietf.org>
In-Reply-To: <053201d5a34b$56e34fb0$04a9ef10$@augustcellars.com>
References: <87blt4i2ye.fsf@fifthhorseman.net> <053201d5a34b$56e34fb0$04a9ef10$@augustcellars.com>
Date: Tue, 26 Nov 2019 01:18:01 -0500
Message-ID: <877e3ngnza.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/46QCGfCpgZT2s4P98-Q_1Iz1fxo>
Subject: Re: [lamps] Advertising S/MIME capabilities in a certificate?
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Nov 2019 06:18:26 -0000

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

On Sun 2019-11-24 20:46:42 -0800, Jim Schaad wrote:
> You are looking for RFC 4262

Thanks, Jim.

I see that the X.509v3 extension OID in RFC 4262 has been subsumed in
RFC 8551 (though it isn't clear to me from reading RFC 8551 that this is
the purpose of the OID).

Do you have an example X.509 certificate that contains an indicator that
the certificate holder can handle (some form of) S/MIME compression?
I'm trying to make sense of how that would be structured.

i'm not sure why the extension itself appears to contain a SEQUENCE of
SMIMECapability objects, and yet each SMIMECapability object itself
contains a sequence of capabilityID and parameters.

Why two layers of indirection there?

also, it's not clear to me how the SMIMECapability objects that are
present in the X.509 certificate are supposed to be merged with the most
recently-seen set of capabilities in a signed message.  That is, §2.7.1
of RFC 8551 presents an algorithm for selecting an encryption
ciphersuite (and presumably can also be used for things like deciding
whether to compress any objects).  But the algorithm doesn't take into
account any capability objects seen on the certificate itself.

Does the presence of a capability in a certificate supersede the most
recent in-message advertisement?  Does the *absence* of a capability in
a certificate supersede the most recent in-message advertisement?

How are implementers supposed to handle this?  It's possible i'm just
not reading these documents well -- i'd appreciate pointers to any text
or references that clear up any of the above confusions.

Regards,

        --dkg

--=-=-=--
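The nesting dkg asks about, and the two places the same value can sit, as an added example (not code from the thread, RFC 4262 or RFC 8551): a standard-library-only Python encoder and decoder for SMIMECapabilities. The OIDs are the registered ones; the helper names (wrap, capabilities_from_extension) and the sample capability list are this example's own.

```python
"""Minimal DER encoder/decoder for SMIMECapabilities (RFC 4262 / RFC 8551 2.5.2).
Added example, standard library only; not code from the thread or any RFC.
  SMIMECapabilities ::= SEQUENCE OF SMIMECapability
  SMIMECapability   ::= SEQUENCE { capabilityID OBJECT IDENTIFIER, parameters ANY OPTIONAL }
"""
ID_SMIME_CAPABILITIES = "1.2.840.113549.1.9.15"      # attribute and extension share this OID
ID_ALG_ZLIB_COMPRESS = "1.2.840.113549.1.9.16.3.8"   # RFC 3274 CMS compression
ID_AES256_CBC = "2.16.840.1.101.3.4.1.42"
ID_RC2_CBC = "1.2.840.113549.3.2"                    # parameters: INTEGER key size in bits

def _tlv(tag, body):
    """Tag, DER length (short form below 128, minimal long form above), body."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]                 # base 128; only the last group lacks the 0x80 bit
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(groups))
    return _tlv(0x06, bytes(out))

def encode_capabilities(caps):
    """[(oid, parameters DER or None), ...] in preference order -> DER SMIMECapabilities."""
    inner = b"".join(_tlv(0x30, encode_oid(o) + (p or b"")) for o, p in caps)
    return _tlv(0x30, inner)

def wrap(caps_der, in_certificate):
    """RFC 4262 Extension { extnID, extnValue OCTET STRING } or CMS Attribute { attrType, SET OF }."""
    inner = _tlv(0x04, caps_der) if in_certificate else _tlv(0x31, caps_der)
    return _tlv(0x30, encode_oid(ID_SMIME_CAPABILITIES) + inner)

def _read_tlv(buf, pos):
    """Return (tag, body, next_pos); rejects truncated, indefinite and non-minimal lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    n = first & 0x7F if first & 0x80 else 0       # count of long-form length octets
    if (first & 0x80 and n == 0) or n > 4 or pos + n > len(buf):
        raise ValueError("unsupported DER length")
    length = int.from_bytes(buf[pos:pos + n], "big") if n else first
    if n and (buf[pos] == 0 or length < 0x80):
        raise ValueError("non-minimal DER length")
    pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV body")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    if not body:
        raise ValueError("empty OID")
    arcs = [body[0] // 40, body[0] % 40] if body[0] < 80 else [2, body[0] - 80]
    val, pending = 0, False
    for b in body[1:]:
        val, pending = (val << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            arcs.append(val)
            val = 0
    if pending:
        raise ValueError("truncated OID arc")
    return ".".join(map(str, arcs))

def decode_capabilities(der):
    """DER SMIMECapabilities -> [(oid, parameters DER or None), ...] in preference order."""
    tag, outer, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one outer SEQUENCE")
    caps, pos = [], 0
    while pos < len(outer):
        tag, cap, pos = _read_tlv(outer, pos)     # layer 2: one SMIMECapability SEQUENCE
        tag2, oid_body, p = _read_tlv(cap, 0)     # capabilityID, then whatever parameters follow
        if tag != 0x30 or tag2 != 0x06:
            raise ValueError("SMIMECapability must be SEQUENCE { OBJECT IDENTIFIER, ... }")
        caps.append((decode_oid(oid_body), cap[p:] or None))
    return caps

def capabilities_from_extension(ext_der):
    """Unwrap an RFC 4262 Extension (a critical BOOLEAN, if present, is skipped)."""
    _, ext, _ = _read_tlv(ext_der, 0)
    tag, oid_body, p = _read_tlv(ext, 0)
    if tag != 0x06 or decode_oid(oid_body) != ID_SMIME_CAPABILITIES:
        raise ValueError("not an SMIMECapabilities extension")
    tag, body, p = _read_tlv(ext, p)
    if tag == 0x01:
        tag, body, p = _read_tlv(ext, p)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    return decode_capabilities(body)

# Constructed sample: prefers AES-256-CBC, accepts zlib-compressed content and 128-bit RC2.
SAMPLE_CAPS = [(ID_AES256_CBC, None), (ID_ALG_ZLIB_COMPRESS, None), (ID_RC2_CBC, b"\x02\x02\x00\x80")]
```

The outer SEQUENCE is the SMIMECapabilities value itself; the wrapper around it (OCTET STRING in a certificate extension, SET OF in a signed attribute) is where the two encodings differ.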


From nobody Tue Nov 26 11:59:25 2019
Return-Path: <ietf@augustcellars.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 829FA120127 for <spasm@ietfa.amsl.com>; Tue, 26 Nov 2019 11:59:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JEaVG1vq-_Dk for <spasm@ietfa.amsl.com>; Tue, 26 Nov 2019 11:59:21 -0800 (PST)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 103CF12007C for <spasm@ietf.org>; Tue, 26 Nov 2019 11:59:21 -0800 (PST)
Received: from Jude (73.180.8.170) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Tue, 26 Nov 2019 11:59:14 -0800
From: Jim Schaad <ietf@augustcellars.com>
To: 'Daniel Kahn Gillmor' <dkg@fifthhorseman.net>, 'LAMPS WG' <spasm@ietf.org>
References: <87blt4i2ye.fsf@fifthhorseman.net> <053201d5a34b$56e34fb0$04a9ef10$@augustcellars.com> <877e3ngnza.fsf@fifthhorseman.net>
In-Reply-To: <877e3ngnza.fsf@fifthhorseman.net>
Date: Tue, 26 Nov 2019 11:59:13 -0800
Message-ID: <066401d5a493$fb5c5de0$f21519a0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQGeosGC3qsIgYx4CoUCMbtvh/u2RQH0/VjAAdEyrxGn7axHoA==
Content-Language: en-us
X-Originating-IP: [73.180.8.170]
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/QXvrbb5bRV90yq1AysqcY_mkJkA>
Subject: Re: [lamps] Advertising S/MIME capabilities in a certificate?
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Nov 2019 19:59:24 -0000

-----Original Message-----
From: Spasm <spasm-bounces@ietf.org> On Behalf Of Daniel Kahn Gillmor
Sent: Monday, November 25, 2019 10:18 PM
To: Jim Schaad <ietf@augustcellars.com>; 'LAMPS WG' <spasm@ietf.org>
Subject: Re: [lamps] Advertising S/MIME capabilities in a certificate?

On Sun 2019-11-24 20:46:42 -0800, Jim Schaad wrote:
> You are looking for RFC 4262

Thanks, Jim.

I see that the X.509v3 extension OID in RFC 4262 has been subsumed in
RFC 8551 (though it isn't clear to me from reading RFC 8551 that this is
the purpose of the OID).

[JLS] Aaah - no.  The OID was defined for the message format first and
was kept as the identifier for RFC 4262.  If it had been consumed into a
new S/MIME draft it would have been RFC 8550.  It was defined way back
in the days of RFC 2633 because we needed to solve the problems with
export control and RC2 so that a common version could be agreed on.  It
was also set up to deal with the RC2-only export versions and domestic
3DES agreement.

Do you have an example X.509 certificate that contains an indicator that
the certificate holder can handle (some form of) S/MIME compression?
I'm trying to make sense of how that would be structured.

i'm not sure why the extension itself appears to contain a SEQUENCE of
SMIMECapability objects, and yet each SMIMECapability object itself
contains a sequence of capabilityID and parameters.

Why two layers of indirection there?

[JLS] Welcome to the structure of a Signed Attribute.  There are two
different things that are causing the wrapping: the signed attribute
definition and the SMIMECapabilities definition.  In section 2.5.2 it
says that there can only be one item in the outer sequence, so there are
not multiple sequences defined.  If this was not done then a merge
method of trying to figure out priorities would have had to be defined.
Making it be a single sequence makes prioritization easier to define.

also, it's not clear to me how the SMIMECapability objects that are
present in the X.509 certificate are supposed to be merged with the most
recently-seen set of capabilities in a signed message.  That is,
§2.7.1 of RFC 8551 presents an algorithm for selecting an encryption
ciphersuite (and presumably can also be used for things like deciding
whether to compress any objects).  But the algorithm doesn't take into
account any capability objects seen on the certificate itself.

[JLS] That should potentially have been thought about in RFC 4262.  The
algorithm for RFC 8551 is always replace.  If I was implementing this I
would either define it as the message replaces the certificate or the
certificate replaces the message.  At this point I would not know which
way I would go as I have not thought it through.  First guess is that
the certificate always wins.  This was defined some 6 years after I
stopped working on mail at Microsoft.

Jim


Does the presence of a capability in a certificate supersede the most
recent in-message advertisement?  does the *absence* of a capability in
a certificate supersede the most recent in-message advertisement?

How are implementers supposed to handle this?  It's possible i'm just
not reading these documents well -- i'd appreciate pointers to any text
or references that clear up any of the above confusions.

Regards,

        --dkg


From nobody Tue Nov 26 15:01:00 2019
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5603120B04 for <spasm@ietfa.amsl.com>; Tue, 26 Nov 2019 15:00:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.299
X-Spam-Level: 
X-Spam-Status: No, score=-4.299 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b=iS1gPqZ3; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b=usMaRNAl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JkNIaMzke0PC for <spasm@ietfa.amsl.com>; Tue, 26 Nov 2019 15:00:57 -0800 (PST)
Received: from che.mayfirst.org (che.mayfirst.org [162.247.75.118]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62B1B120B01 for <spasm@ietf.org>; Tue, 26 Nov 2019 15:00:57 -0800 (PST)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple;  d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt;  s=2019; t=1574809256; h=from : to : subject : in-reply-to  : references : date : message-id : mime-version :  content-type : from;  bh=WEc9IVG+GcAGAP3m7LdaVT74jZvP0XlTALIEbE1hP9o=;  b=iS1gPqZ3dYO7JFYPPkGReOmHXIeIacjPUBk2SQRnAMLegGp4CnJhNYtr 4izbcGWjpZF2xqE48gHLAs4WJVWOAQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net;  i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1574809256;  h=from : to : subject : in-reply-to : references : date :  message-id : mime-version : content-type : from;  bh=WEc9IVG+GcAGAP3m7LdaVT74jZvP0XlTALIEbE1hP9o=;  b=usMaRNAlyjGKXfZZyrYFt1IPkKf6OmTFQIHDDggItnp4nDoXx+ZpY450 Dty8/w7EouPWBhpClmvjF2/BnlkF6WbW+cnoyc3Zr4iY4hmZkW6SA/PSUU J7kH55KY9d7N9iMcVT4eWKGnRCMN/9GReXpA3PGZkIu/x2wdjyq2BtYTGG JdxBsTDbt2kQsBRVmuIddlT/57wdx+Ggr5PSwkAUiEPyaL9PXDOOnfF52c MADNdJmnJSGncvDg57itqMdklfi+cDUFklSH7ohOx2csS2DjQ82CEtDz8O ldo0g4U1mns/S96dna8/4onHVC4/NY/88WT6WzdLNEo1RvQsHHhpGw==
Received: from fifthhorseman.net (unknown [38.109.115.130]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id D6EAEF9A9; Tue, 26 Nov 2019 18:00:55 -0500 (EST)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 5478820524; Wed, 27 Nov 2019 07:00:53 +0800 (+08)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Jim Schaad <ietf@augustcellars.com>, 'LAMPS WG' <spasm@ietf.org>
In-Reply-To: <066401d5a493$fb5c5de0$f21519a0$@augustcellars.com>
References: <87blt4i2ye.fsf@fifthhorseman.net> <053201d5a34b$56e34fb0$04a9ef10$@augustcellars.com> <877e3ngnza.fsf@fifthhorseman.net> <066401d5a493$fb5c5de0$f21519a0$@augustcellars.com>
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEXEK/AhYJKwYBBAHaRw8BAQdAr/gSROcn+6m8ijTN0DV9AahoHGafy52RRkhCZVwxhEe0K0Rh bmllbCBLYWhuIEdpbGxtb3IgPGRrZ0BmaWZ0aGhvcnNlbWFuLm5ldD6ImQQTFggAQQIbAQUJA8Jn AAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBMS8Lds4zOlkhevpwvIGkReQOOXGBQJcQsbzAhkB AAoJEPIGkReQOOXG4fkBAO1joRxqAZY57PjdzGieXLpluk9RkWa3ufkt3YUVEpH/AP9c+pgIxtyW +FwMQRjlqljuj8amdN4zuEqaCy4hhz/1DbgzBFxCv4sWCSsGAQQB2kcPAQEHQERSZxSPmgtdw6nN u7uxY7bzb9TnPrGAOp9kClBLRwGfiPUEGBYIACYWIQTEvC3bOMzpZIXr6cLyBpEXkDjlxgUCXEK/ iwIbAgUJAeEzgACBCRDyBpEXkDjlxnYgBBkWCAAdFiEEyQ5tNiAKG5IqFQnndhgZZSmuX/gFAlxC v4sACgkQdhgZZSmuX/iVWgD/fCU4ONzgy8w8UCHGmrmIZfDvdhg512NIBfx+Mz9ls5kA/Rq97vz4 z48MFuBdCuu0W/fVqVjnY7LN5n+CQJwGC0MIA7QA/RyY7Sz2gFIOcrns0RpoHr+3WI+won3xCD8+ sVXSHZvCAP98HCjDnw/b0lGuCR7coTXKLIM44/LFWgXAdZjm1wjODbg4BFxCv50SCisGAQQBl1UB BQEBB0BG4iXnHX/fs35NWKMWQTQoRI7oiAUt0wJHFFJbomxXbAMBCAeIfgQYFggAJhYhBMS8Lds4 zOlkhevpwvIGkReQOOXGBQJcQr+dAhsMBQkB4TOAAAoJEPIGkReQOOXGe/cBAPlek5d9xzcXUn/D kY6jKmxe26CTws3ZkbK6Aa5Ey/qKAP0VuPQSCRxA7RKfcB/XrEphfUFkraL06Xn/xGwJ+D0hCw==
Date: Tue, 26 Nov 2019 18:00:52 -0500
Message-ID: <87o8wyfdjv.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/bhLRhWkLAPycTr9PiqqrAnmAHeU>
Subject: Re: [lamps] Advertising S/MIME capabilities in a certificate?
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Nov 2019 23:01:00 -0000

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

On Tue 2019-11-26 11:59:13 -0800, Jim Schaad wrote:
>  [ re: multiple layers of sequences ]
> Welcome to the structure of a Signed Attribute.  There are two different
> things that are causing the wrapping.  The signed attribute definition
> and the SMIMECapabilities definition.  In section 2.5.2 it says that
> there can only be one item in the outer sequence so there are not
> multiple sequences defined.  If this was not done then a merge method
> of trying to figure out priorities would have had to be defined.
> Making it be a single sequence makes prioritization easier to define.

OK, thanks for the pointer and the hint, i hadn't really understood that
from reading §2.5.2 the first time, but i see how it can be read that
way now :)

Are there any examples?  An example certificate would be really nice to
have as a demonstration!

draft-dkg-lamps-samples uses certtool (from GnuTLS) to create its
example certificates, but it looks like certtool can't currently
generate the right extensions in the certificate.  I've opened
https://gitlab.com/gnutls/gnutls/issues/863 to ask for such an
extension.

If anyone knows of another implementation that supports these capability
extensions, please let me know so that i can record it in that feature
request, as GnuTLS upstream likes to know what other implementations
provide it (presumably for interop testing)

> [ re: juggling capabilities discovered in certificates and messages ]
> That should potentially have been thought about in RFC 4262.  The
> algorithm for RFC 8551 is always replace.  If I was implementing this
> I would either define it as the message replaces the certificate or
> the certificate replaces the message.  At this point I would not know
> which way I would go as I have not thought it through.  First guess is
> that the certificate always wins.

Hm, that's interesting -- if certificate always wins, then it becomes
impossible for a client with any capabilities in the cert to announce
new capabilities based on a software upgrade.  right?

I was thinking that a union of the capabilities between the certificate
and the most-recently-received signed message would make the most sense
from a deployment perspective, but i agree that it would be good to have
that documented.

     --dkg

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQTJDm02IAobkioVCed2GBllKa5f+AUCXd2upQAKCRB2GBllKa5f
+CHiAQDLahM+Isok1ElFx6PuuExj266fdp0xpONPj1zpWcf+nQEA6InlrZWbMI3B
Pmmnui1Iu5FK/obx4oPX2eO3060zJA0=
=9arW
-----END PGP SIGNATURE-----
--=-=-=--


From nobody Tue Nov 26 19:17:51 2019
Return-Path: <ietf@augustcellars.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A2A6F120130 for <spasm@ietfa.amsl.com>; Tue, 26 Nov 2019 19:17:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kIwpi7CaDXBx for <spasm@ietfa.amsl.com>; Tue, 26 Nov 2019 19:17:44 -0800 (PST)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 218021200F7 for <spasm@ietf.org>; Tue, 26 Nov 2019 19:17:44 -0800 (PST)
Received: from Jude (73.180.8.170) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Tue, 26 Nov 2019 19:17:35 -0800
From: Jim Schaad <ietf@augustcellars.com>
To: 'Daniel Kahn Gillmor' <dkg@fifthhorseman.net>, 'LAMPS WG' <spasm@ietf.org>
References: <87blt4i2ye.fsf@fifthhorseman.net> <053201d5a34b$56e34fb0$04a9ef10$@augustcellars.com> <877e3ngnza.fsf@fifthhorseman.net> <066401d5a493$fb5c5de0$f21519a0$@augustcellars.com> <87o8wyfdjv.fsf@fifthhorseman.net>
In-Reply-To: <87o8wyfdjv.fsf@fifthhorseman.net>
Date: Tue, 26 Nov 2019 19:17:34 -0800
Message-ID: <069701d5a4d1$37c95840$a75c08c0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQGeosGC3qsIgYx4CoUCMbtvh/u2RQH0/VjAAdEyrxECRSVgxwG9FCpDp84PALA=
Content-Language: en-us
X-Originating-IP: [73.180.8.170]
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/Hki9qcg8_tDQq8n-EDxjmhn8vFM>
Subject: Re: [lamps] Advertising S/MIME capabilities in a certificate?
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Nov 2019 03:17:49 -0000

-----Original Message-----
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Sent: Tuesday, November 26, 2019 3:01 PM
To: Jim Schaad <ietf@augustcellars.com>; 'LAMPS WG' <spasm@ietf.org>
Subject: RE: [lamps] Advertising S/MIME capabilities in a certificate?

On Tue 2019-11-26 11:59:13 -0800, Jim Schaad wrote:
>  [ re: multiple layers of sequences ]
> Welcome to the structure of a Signed Attribute.  There are two different
> things that are causing the wrapping.  The signed attribute definition
> and the SMIMECapabilities definition.  In section 2.5.2 it says that
> there can only be one item in the outer sequence so there are not
> multiple sequences defined.  If this was not done then a merge method
> of trying to figure out priorities would have had to be defined.
> Making it be a single sequence makes prioritization easier to define.

OK, thanks for the pointer and the hint, i hadn't really understood that
from reading §2.5.2 the first time, but i see how it can be read that
way now :)

Are there any examples?  An example certificate would be really nice to
have as a demonstration!

[JLS] I am not aware of one.  As Stefan was at Microsoft at the time, I
assume that they may have issued some, but it would be easy to just
create a template with the extension in it so that no special work would
be needed on the client side to generate or for the server to decide
whether to include it.

draft-dkg-lamps-samples uses certtool (from GnuTLS) to create its
example certificates, but it looks like certtool can't currently
generate the right extensions in the certificate.  I've opened
https://gitlab.com/gnutls/gnutls/issues/863 to ask for such an
extension.

If anyone knows of another implementation that supports these capability
extensions, please let me know so that i can record it in that feature
request, as GnuTLS upstream likes to know what other implementations
provide it (presumably for interop testing)

> [ re: juggling capabilities discovered in certificates and messages ]
> That should potentially have been thought about in RFC 4262.  The
> algorithm for RFC 8551 is always replace.  If I was implementing this
> I would either define it as the message replaces the certificate or
> the certificate replaces the message.  At this point I would not know
> which way I would go as I have not thought it through.  First guess is
> that the certificate always wins.

Hm, that's interesting -- if certificate always wins, then it becomes
impossible for a client with any capabilities in the cert to announce
new capabilities based on a software upgrade.  right?

I was thinking that a union of the capabilities between the certificate
and the most-recently-received signed message would make the most sense
from a deployment perspective, but i agree that it would be good to have
that documented.

[JLS] I think that this depends on who you believe should be able to
control things.  A company will want to restrict what is to be used
even if the client is advertising that it can do additional things.  The
company would be more than willing to re-issue new certificates as
needed if the set of algorithms is changing.  On the other hand an
individual is much more likely to just use messages to send capabilities
and not assume that people are going to be able to find certificates
from some type of "global" repository in order to find out what
capabilities exist.

Jim


     --dkg


From nobody Wed Nov 27 07:25:45 2019
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF3801209B3 for <spasm@ietfa.amsl.com>; Wed, 27 Nov 2019 07:25:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level: 
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b=yVFZ3TGX; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b=0l2Xsz4G
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M6wyEo3BaXtG for <spasm@ietfa.amsl.com>; Wed, 27 Nov 2019 07:25:40 -0800 (PST)
Received: from che.mayfirst.org (che.mayfirst.org [162.247.75.118]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92A5D12081E for <spasm@ietf.org>; Wed, 27 Nov 2019 07:25:40 -0800 (PST)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple;  d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt;  s=2019; t=1574868336; h=from : to : subject : in-reply-to  : references : date : message-id : mime-version :  content-type : from;  bh=nQdoLARTEb/Mi6kAZmYp/zQSqSJwbGsDRoMraWUevEI=;  b=yVFZ3TGXZjYDaXQrE9GYzYZwRW2/1nPslIQCXDG9lwBP5o5uNVZhHEuS zUupnSj0+CixH098rz0nflSdQ1JmCw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net;  i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1574868336;  h=from : to : subject : in-reply-to : references : date :  message-id : mime-version : content-type : from;  bh=nQdoLARTEb/Mi6kAZmYp/zQSqSJwbGsDRoMraWUevEI=;  b=0l2Xsz4GsOhwJsLGWbkVt5fn1Q2+M324LlOaGWJIpArdnrX0dyETBL7B Zh1KJ986kMW2l0bmweTkDTSMG7br4Z1/vEDpcTfnE17zkts49BTtudwj2Q fE5CMtxh+MJaMFI+NoUspFV0QOYoVG2TaWySV70lX9h2KKSv+O2q0tWXPD WLYSBHTcLcoJ6YzSdLOYpvWSypnjt5gTams5U41AxpMpsvDNciVl5IjhAR ebMUUuCP+NVAPxFfPF7tZNuuGvJ6C8dd/8RPxvbhRol2FpybiPgk5Tq8pE Nyi3kT+OT0ufBKRhb5CbZX2XsKziIiNBWpzypLXJEAmFwILJLmZyHA==
Received: from fifthhorseman.net (unknown [38.109.115.130]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id 1A2DAF9A9; Wed, 27 Nov 2019 10:25:36 -0500 (EST)
Received: by fifthhorseman.net (Postfix, from userid 1000) id D81152046E; Wed, 27 Nov 2019 23:25:32 +0800 (+08)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Jim Schaad <ietf@augustcellars.com>, 'LAMPS WG' <spasm@ietf.org>
In-Reply-To: <069701d5a4d1$37c95840$a75c08c0$@augustcellars.com>
References: <87blt4i2ye.fsf@fifthhorseman.net> <053201d5a34b$56e34fb0$04a9ef10$@augustcellars.com> <877e3ngnza.fsf@fifthhorseman.net> <066401d5a493$fb5c5de0$f21519a0$@augustcellars.com> <87o8wyfdjv.fsf@fifthhorseman.net> <069701d5a4d1$37c95840$a75c08c0$@augustcellars.com>
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEXEK/AhYJKwYBBAHaRw8BAQdAr/gSROcn+6m8ijTN0DV9AahoHGafy52RRkhCZVwxhEe0K0Rh bmllbCBLYWhuIEdpbGxtb3IgPGRrZ0BmaWZ0aGhvcnNlbWFuLm5ldD6ImQQTFggAQQIbAQUJA8Jn AAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBMS8Lds4zOlkhevpwvIGkReQOOXGBQJcQsbzAhkB AAoJEPIGkReQOOXG4fkBAO1joRxqAZY57PjdzGieXLpluk9RkWa3ufkt3YUVEpH/AP9c+pgIxtyW +FwMQRjlqljuj8amdN4zuEqaCy4hhz/1DbgzBFxCv4sWCSsGAQQB2kcPAQEHQERSZxSPmgtdw6nN u7uxY7bzb9TnPrGAOp9kClBLRwGfiPUEGBYIACYWIQTEvC3bOMzpZIXr6cLyBpEXkDjlxgUCXEK/ iwIbAgUJAeEzgACBCRDyBpEXkDjlxnYgBBkWCAAdFiEEyQ5tNiAKG5IqFQnndhgZZSmuX/gFAlxC v4sACgkQdhgZZSmuX/iVWgD/fCU4ONzgy8w8UCHGmrmIZfDvdhg512NIBfx+Mz9ls5kA/Rq97vz4 z48MFuBdCuu0W/fVqVjnY7LN5n+CQJwGC0MIA7QA/RyY7Sz2gFIOcrns0RpoHr+3WI+won3xCD8+ sVXSHZvCAP98HCjDnw/b0lGuCR7coTXKLIM44/LFWgXAdZjm1wjODbg4BFxCv50SCisGAQQBl1UB BQEBB0BG4iXnHX/fs35NWKMWQTQoRI7oiAUt0wJHFFJbomxXbAMBCAeIfgQYFggAJhYhBMS8Lds4 zOlkhevpwvIGkReQOOXGBQJcQr+dAhsMBQkB4TOAAAoJEPIGkReQOOXGe/cBAPlek5d9xzcXUn/D kY6jKmxe26CTws3ZkbK6Aa5Ey/qKAP0VuPQSCRxA7RKfcB/XrEphfUFkraL06Xn/xGwJ+D0hCw==
Date: Wed, 27 Nov 2019 10:25:32 -0500
Message-ID: <87imn5fij7.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/p3aKjED2xT0hkai0lBdavR1CI_M>
Subject: Re: [lamps] Advertising S/MIME capabilities in a certificate?
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Nov 2019 15:25:43 -0000

--=-=-=
Content-Type: text/plain

On Tue 2019-11-26 19:17:34 -0800, Jim Schaad wrote:
> I am not aware of one.  As Stefan was at Microsoft at the time, I
> assume that they may have issued some, but it would be easy to just
> create a template with the extension in it so that no special work
> would be needed on the client side to generate or for the server to
> decide if to include it.

Right, but this is contingent on agreeing on what the actual byte
sequence is that would represent such a certificate.  While we have the
spec, a concrete test vector goes a long way toward ensuring that
different implementers actually agree on how to interpret the spec.

> I think that this depends on who you believe should be able to control
> things.  A company will want to restrict what is to be used even if
> the client is advertising that it can do additional things.  The
> company would be more than willing to re-issue new certificates as
> needed if the set of algorithms is changing.

I imagine that a company's willingness to re-issue might depend on how
expensive it is (in terms of $$, and in terms of employee time and
expertise, and in terms of management overhead) to issue a new
certificate.  Consider also that certificate re-issuance opens the
question of expiration dates, etc (i.e. should the new certificate
expire at the same time as the old one?  or should it expire the same
duration *from issuance* as the old one?).  None of these are super
challenging decisions, but they are operational decisions to make, and
they require input/time from different staff, which increases the
management overhead.

> On the other hand an individual is much more likely to just use
> messages to send capabilities and not assume that people are going to
> be able to find certificates from some type of "global" repository in
> order to find out what capabilities exist.

sure, but "find certificates from a global repo" only matters for
sending mail having never received anything from the peer.  Once the
sender has received at least one message from the peer, they have this
potential capability conflict to resolve.

I suppose when an individual is sending messages, the sent message will
include the certificate as well, so the sender can always just copy the
capability set from the certificate into the message if they want to
absolve the peer from grappling with this issue.

But if the capability set in the message *differs* from the capability
set in the certificate, the fact that no well-defined policy exists for
the recipient to disambiguate seems like a problem for the ecosystem.

So far, in this thread, three possible disambiguation policies have been
mentioned, all with different results for the recipient:

Given the most-recently received message that announces S/MIME
capabilities and a certificate which also advertises S/MIME
capabilities:

  - use S/MIME capabilities from certificate
  - use S/MIME capabilities from the message
  - use the union of S/MIME capabilities from the certificate and the message

(of course, there might be others).

Is there some reason that we shouldn't try to specify one of these as
the expected canonical disambiguation?  Should we provide guidance to
MUAs about what capabilities to announce in messages that they send with
a given certificate that also contains capabilities?

    --dkg

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQTJDm02IAobkioVCed2GBllKa5f+AUCXd6VbAAKCRB2GBllKa5f
+O/EAP9Q7AP2HleTCarv5QCrMAA4YNuTD2MpJjCWE2QmhoqbngD/YGHCdyCo2oFt
Maa3pJCSS52s9YVGEmkxUKKsrd+YYAM=
=TvrF
-----END PGP SIGNATURE-----
--=-=-=--
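Editor's added example, not written by any participant in the thread. Two points above invite something concrete: Jim's explanation that SMIMECapabilities is a SEQUENCE OF SMIMECapability, each of which is itself a SEQUENCE of capabilityID and optional parameters, and dkg's request for the actual byte sequence a certificate carrying the RFC 4262 extension would contain, followed by the three disambiguation policies (certificate, message, union) listed in the last message. The code below hand-encodes that structure in DER using only the Python standard library, wraps it in an X.509 Extension under the id-smimeCapabilities OID (1.2.840.113549.1.9.15, the same OID as the CMS attribute, as the thread states), decodes it back, and applies the three policies to constructed capability sets. The algorithm OIDs are the published values from RFC 8551 and RFC 3274; the sample capability lists, the "certificate entries first" ordering inside the union policy, and the omission of a critical flag are this example's own choices, not anything the RFCs or the thread specify.

```python
"""Added example: DER codec for SMIMECapabilities (RFC 8551 / RFC 4262) and
the three certificate-vs-message disambiguation policies named in the thread.
Standard library only; the DER subset covers SEQUENCE, OID, INTEGER, OCTET STRING."""

# Object identifiers (published values from RFC 8551, RFC 3274 and RFC 4262).
ID_SMIME_CAPABILITIES = "1.2.840.113549.1.9.15"   # extnID, same OID as the CMS attribute
AES128_CBC = "2.16.840.1.101.3.4.1.2"
AES256_CBC = "2.16.840.1.101.3.4.1.42"
DES_EDE3_CBC = "1.2.840.113549.3.7"
RC2_CBC = "1.2.840.113549.3.2"                    # carries an INTEGER key-size parameter
ID_ALG_ZLIB_COMPRESS = "1.2.840.113549.1.9.16.3.8"

SEQUENCE, OID, INTEGER, OCTET_STRING = 0x30, 0x06, 0x02, 0x04


def _der_length(n: int) -> bytes:
    """Definite-form length octets: short form below 0x80, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])   # first two arcs share one octet
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                               # base-128, high bit means "more follows"
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _tlv(OID, bytes(body))


def encode_integer(value: int) -> bytes:
    """Non-negative INTEGER; a leading 0x00 is added when the top bit would be set."""
    return _tlv(INTEGER, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def encode_smime_capabilities(caps) -> bytes:
    """caps: [(dotted_oid, der_parameters_or_None), ...] in preference order.
    Outer SEQUENCE OF, each entry SEQUENCE { capabilityID OID, parameters ANY OPTIONAL }."""
    items = [_tlv(SEQUENCE, encode_oid(oid) + (params or b"")) for oid, params in caps]
    return _tlv(SEQUENCE, b"".join(items))


def encode_extension(caps) -> bytes:
    """Extension { extnID, extnValue OCTET STRING }; critical omitted (DEFAULT FALSE)."""
    return _tlv(SEQUENCE, encode_oid(ID_SMIME_CAPABILITIES)
                + _tlv(OCTET_STRING, encode_smime_capabilities(caps)))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position_after) for the element starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def decode_oid(body: bytes) -> str:
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_smime_capabilities(der: bytes):
    """Inverse of encode_smime_capabilities; rejects wrong tags and trailing bytes."""
    tag, body, end = _read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("expected a single outer SEQUENCE")
    caps, pos = [], 0
    while pos < len(body):
        tag, cap, pos = _read_tlv(body, pos)
        if tag != SEQUENCE:
            raise ValueError("SMIMECapability must be a SEQUENCE")
        tag, oid_body, after = _read_tlv(cap, 0)
        if tag != OID:
            raise ValueError("capabilityID must be an OBJECT IDENTIFIER")
        caps.append((decode_oid(oid_body), cap[after:] if after < len(cap) else None))
    return caps


def decode_extension(der: bytes):
    """Return (extnID, capabilities) for an Extension as produced by encode_extension."""
    tag, body, end = _read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("expected Extension SEQUENCE")
    tag, oid_body, pos = _read_tlv(body, 0)
    tag2, value, end2 = _read_tlv(body, pos)
    if tag != OID or tag2 != OCTET_STRING or end2 != len(body):
        raise ValueError("expected { OID, OCTET STRING } without a critical flag")
    return decode_oid(oid_body), decode_smime_capabilities(value)


def resolve_capabilities(cert_caps, msg_caps, policy: str):
    """The three policies from the thread.  'union' keeps preference order with
    certificate entries first; that ordering is this example's choice."""
    if policy == "certificate":
        return list(cert_caps)
    if policy == "message":
        return list(msg_caps)
    if policy == "union":
        merged = []
        for cap in list(cert_caps) + list(msg_caps):
            if cap not in merged:
                merged.append(cap)
        return merged
    raise ValueError(f"unknown policy {policy!r}")


# Constructed sample data: a certificate issued before the client learned AES-256
# and zlib compression, and a later signed message from the upgraded client.
CERT_CAPS = [(AES128_CBC, None), (DES_EDE3_CBC, None), (RC2_CBC, encode_integer(128))]
MSG_CAPS = [(AES256_CBC, None), (AES128_CBC, None), (ID_ALG_ZLIB_COMPRESS, None)]

if __name__ == "__main__":
    ext = encode_extension(CERT_CAPS)
    print("Extension DER:", ext.hex())
    print("Decoded:", decode_extension(ext))
    for policy in ("certificate", "message", "union"):
        chosen = resolve_capabilities(CERT_CAPS, MSG_CAPS, policy)
        print(f"{policy:>11}: {[oid for oid, _ in chosen]}")
```

Running it prints the hex of the complete Extension, which is the kind of test vector dkg asks for, and then shows how the policies diverge on the constructed data: under "certificate" the peer never learns that the upgraded client can do AES-256 or zlib, under "message" the RC2 entry from the certificate disappears, and under "union" both sets survive with the certificate's preferences ranked first.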


From nobody Wed Nov 27 11:18:45 2019
Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDCA71208A9 for <spasm@ietfa.amsl.com>; Wed, 27 Nov 2019 11:18:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level: 
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CKXyGfdOIST1 for <spasm@ietfa.amsl.com>; Wed, 27 Nov 2019 11:18:43 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A4A7120813 for <spasm@ietf.org>; Wed, 27 Nov 2019 11:18:43 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id BB53F300A48 for <spasm@ietf.org>; Wed, 27 Nov 2019 14:18:41 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id rABku0w0zGsg for <spasm@ietf.org>; Wed, 27 Nov 2019 14:18:40 -0500 (EST)
Received: from [5.5.33.217] (unknown [204.194.23.17]) by mail.smeinc.net (Postfix) with ESMTPSA id C73443004AF for <spasm@ietf.org>; Wed, 27 Nov 2019 14:18:40 -0500 (EST)
From: Russ Housley <housley@vigilsec.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Message-Id: <DE3D4694-9994-4B13-A735-14244F031429@vigilsec.com>
Date: Wed, 27 Nov 2019 14:18:40 -0500
To: LAMPS WG <spasm@ietf.org>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/O7PCA94DoAL5xaz9TCm1_e0eu4g>
Subject: [lamps] DRAFT Minutes for the LAMPS Session at IETF 106
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Nov 2019 19:18:45 -0000

https://datatracker.ietf.org/meeting/106/materials/minutes-106-lamps-00

Please review the minutes.  Please send corrections to the mail list.

Russ


From nobody Thu Nov 28 01:54:57 2019
Return-Path: <hendrik.brockhaus@siemens.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6782D1200CE for <spasm@ietfa.amsl.com>; Thu, 28 Nov 2019 01:54:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=siemens.onmicrosoft.com
From: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
To: Russ Housley <housley@vigilsec.com>
CC: LAMPS WG <spasm@ietf.org>
Date: Thu, 28 Nov 2019 09:54:50 +0000
Message-ID: <AM0PR10MB24021C796DF595A4F0C6438FFE470@AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM>
References: <DE3D4694-9994-4B13-A735-14244F031429@vigilsec.com>
In-Reply-To: <DE3D4694-9994-4B13-A735-14244F031429@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/UsyFeAm-3RU87bVZj8PCexMGOeI>
Subject: Re: [lamps] DRAFT Minutes for the LAMPS Session at IETF 106

Thanks Russ, the minutes are OK with me.

Hendrik

> -----Original Message-----
> From: Spasm <spasm-bounces@ietf.org> On behalf of Russ Housley
> Sent: Wednesday, 27 November 2019 20:19
> To: LAMPS WG <spasm@ietf.org>
> Subject: [lamps] DRAFT Minutes for the LAMPS Session at IETF 106
> 
> https://datatracker.ietf.org/meeting/106/materials/minutes-106-lamps-00
> 
> Please review the minutes.  Please send corrections to the mail list.
> 
> Russ
> 
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm

