X.509 Certificate General-Purpose Extended Key Usage (EKU) for Document Signing
draft-ietf-lamps-documentsigning-eku-06

Received changes through RFC Editor sync (created alias RFC 9336, changed title to 'X.509 Certificate General-Purpose Extended Key Usage (EKU) for Document Signing', changed abstract to 'RFC 5280 specifies several extended key purpose identifiers (KeyPurposeIds) for X.509 certificates.  This document defines a general-purpose Document-Signing KeyPurposeId for inclusion in the Extended Key Usage (EKU) extension of X.509 public key certificates.  Document-Signing applications may require that the EKU extension be present and that a Document-Signing KeyPurposeId be indicated in order for the certificate to be acceptable to that Document-Signing application.', changed standardization level to Proposed Standard, changed state to RFC, added RFC published event at 2022-12-20, changed IESG state to RFC Published)

[Ballot comment]
Section 7 as worded is a little confusing, though I managed to figure out what it's trying to say.  I suggest it get a once-over before it goes on to the RFC Editor.  If you need some suggested text, I'd be happy to provide some.

[Ballot comment]
# Security AD comments for {draft-ietf-lamps-documentsigning-eku-04}
CC @paulwouters

## Comments:

### humans

  The term "Document Signing" in this document refers to digitally
  signing contents that are consumed by people.  To be more precise,
  contents are intended to be shown to a person with printable or
  displayable form by means of services or software, rather than
  processed by machines.

Is there a reason to only include human readers and not machines? Why not
leave it to users to decide how to use this?

### key usage vs KU

  The EKU extension can be used in conjunction with the key usage extension

Would it make sense to call that the KU extension, or key usage (KU) extension

### Section 4 humans again

  The signed contents of Internet-Drafts are primarily intended to be
  consumed by people.

### RFCs is people?

What is this "signed contents of Internet-Drafts" ? Should that be "signed
contents of Documents" ?

### single example?

  When a single application has the capability to process various data
  formats, the software may choose to make the excluded and permitted
  decisions separately in accordance with the format it is handling
  (e.g. text, pdf, etc).

Why is this text in the document? It seems kinda out of scope.

### Section 6 allows squatting?

  This general
  document signing KeyPurposeId may be used as a stop-gap for those
  that intend to define their own KeyPurposeId

It seems weird for this document to say "this is for document signing, but hey
go squat on this value for other uses if that's convenient".


## NITS

### Section 1

[RFC5280]  is a broken link

I can't parse: the usage can easily become out of control.

weird use of "-" in:  use. - If the

Paragraph 3 in Section 1 is in its entirety hard to parse.

### Section 3

[RFC5280] is a broken link

[Ballot comment]
# GEN AD review of draft-ietf-lamps-documentsigning-eku-05

CC @larseggert

Thanks to Dale Worley for the General Area Review Team (Gen-ART) review
(https://mailarchive.ietf.org/arch/msg/gen-art/1T23l8-kN8pEMqnQvh1ir3MsGVw).

## Comments

### Section 4, paragraph 1
```
    The signed contents of Internet-Drafts are primarily intended to be
```
Did you mean "documents" here instead of "Internet-Drafts"?

## Nits

All comments below are about very minor potential issues that you may choose to
address in some way - or ignore - as you see fit. Some were flagged by
automated tools (via https://github.com/larseggert/ietf-reviewtool), so there
will likely be some false positives. There is no need to let me know what you
did with these suggestions.

### Typos

#### Section 1, paragraph 3
```
-    owner but by another vendor, the vender who own the KeyPurposeIds may
-                                        ^
-    not able to control use, or even do not know about the use. - If the
-                                                                -
+    owner but by another vendor, the vendor who own the KeyPurposeIds may
+                                        ^
```

#### Section 4, paragraph 5
```
-      party software proresses each restriction on "Excluded
-                        ^
+      party software processes each restriction on "Excluded
+                        ^
```

### Grammar/style

#### Section 4, paragraph 8
```
the format it is handling (e.g. text, pdf, etc). 5. Implications for a Certif
                                      ^^^
```
File types are normally capitalized.

#### Section 4, paragraph 8
```
ormat it is handling (e.g. text, pdf, etc). 5. Implications for a Certificati
                                      ^^^
```
A period is needed after the abbreviation "etc.".

## Notes

This review is in the ["IETF Comments" Markdown format][ICMF], You can use the
[`ietf-comments` tool][ICT] to automatically convert this review into
individual GitHub issues. Review generated by the [`ietf-reviewtool`][IRT].

[ICMF]: https://github.com/mnot/ietf-comments/blob/main/format.md
[ICT]: https://github.com/mnot/ietf-comments
[IRT]: https://github.com/larseggert/ietf-reviewtool

[Ballot comment]
# Internet AD comments for {draft-ietf-lamps-documentsigning-eku-04}
CC @ekline

## Comments

### S3,4

* Given that documents may be presented to people "by means of ... software"
  perhaps a slight tweak to the "rather than processed by machines", e.g.:

    - "rather than processed primarily by machines", or
    - "rather than processed principally by machines"

## Nits

### S4

* s/instead of single/instead of a single/

* s/proresses/processes/ I think?

(Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs:

The IANA Functions Operator has completed its review of draft-ietf-lamps-documentsigning-eku-04. If any part of this review is inaccurate, please let us know.

The IANA Functions Operator understands that, upon approval of this document, there are two actions which we must complete.

First, in the SMI Security for PKIX Extended Key Purpose on the Structure of Management Information (SMI) Numbers (MIB Module Registrations) registry page located at:

https://www.iana.org/assignments/smi-numbers/

a new registration will be made as follows:

Decimal: [ TBD-at-Registration ]
Description: id-kp-documentSigning
Reference: [ RFC-to-be ]

As this document requests registrations in a Specification Required (see RFC 8126) registry, we will initiate the required Expert Review via a separate request. This review must be completed before the document's IANA state can be changed to "IANA OK."

Second, in the SMI Security for PKIX Module Identifier registry, also on the Structure of Management Information (SMI) Numbers (MIB Module Registrations) registry page located at:

https://www.iana.org/assignments/smi-numbers/

a new registration will be made as follows:

Decimal: [ TBD-at-Registration ]
Description: id-mod-docsign-eku
Reference: [ RFC-to-be ]

As this also requests registrations in a Specification Required (see RFC 8126) registry, we will initiate the required Expert Review via a separate request. This review must be completed before the document's IANA state can be changed to "IANA OK."

The IANA Functions Operator understands that these are the only actions required to be completed upon approval of this document.

Note:  The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is meant only to confirm the list of actions that will be performed.

For definitions of IANA review states, please see:

https://datatracker.ietf.org/help/state/draft/iana-review

Thank you,

Sabrina Tanamal
Lead IANA Services Specialist

The following Last Call announcement was sent out (ends 2022-08-11):

From: The IESG
To: IETF-Announce
CC: draft-ietf-lamps-documentsigning-eku@ietf.org, housley@vigilsec.com, lamps-chairs@ietf.org, rdd@cert.org, spasm@ietf.org
Reply-To: last-call@ietf.org
Sender:
Subject: Last Call:  (General Purpose Extended Key Usage (EKU) for Document Signing X.509 Certificates) to Proposed Standard


The IESG has received a request from the Limited Additional Mechanisms for
PKIX and SMIME WG (lamps) to consider the following document: - 'General
Purpose Extended Key Usage (EKU) for Document Signing X.509
  Certificates'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
last-call@ietf.org mailing lists by 2022-08-11. Exceptionally, comments may
be sent to iesg@ietf.org instead. In either case, please retain the beginning
of the Subject line to allow automated sorting.

Abstract


  RFC5280 specifies several extended key purpose identifiers
  (KeyPurposeIds) for X.509 certificates.  This document defines a
  general purpose document signing KeyPurposeId for inclusion in the
  Extended Key Usage (EKU) extension of X.509 public key certificates.
  Document Signing applications may require that the EKU extension be
  present and that a document signing KeyPurposeId be indicated in
  order for the certificate to be acceptable to that Document Signing
  application.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-lamps-documentsigning-eku/



No IPR declarations have been submitted directly on this I-D.

Shepherd Write-up for draft-ietf-lamps-documentsigning-eku-03


(1) Does the working group (WG) consensus represent the strong
concurrence of a few individuals, with others being silent, or did it
reach broad agreement?

  There is broad support for this document in the LAMPS WG.

(2) Was there controversy about particular points, or were there
decisions where the consensus was particularly rough?

  One or two people spoke against it when the idea was originally
  raised, but no one spoke against it in the last year.
 
(3) Has anyone threatened an appeal or otherwise indicated extreme
discontent?  If so, please summarize the areas of conflict in separate
email messages to the responsible Area Director.  (It should be in a
separate email because this questionnaire is publicly available.)

  No one has threatened an appeal or indicated extreme discontent.

(4) For protocol documents, are there existing implementations of the
contents of the document?  Have a significant number of potential
implementers indicated plans to implement?  Are any existing
implementations reported somewhere, either in the document itself (as
RFC 7942 recommends) or elsewhere (where)?

  Several Certification Authorities (CAs) have expressed an intention
  to support this new extended key usage value.

(5) Does this document need review from other IETF working groups or
external organizations?  Have those reviews occurred?

  None needed.

(6) Describe how the document meets any required formal expert review
criteria, such as the MIB Doctor, YANG Doctor, media type, and URI type
reviews.

  ASN.1 is used.  The document shepherd compiled the ASN.1 module
  after inserting placeholder values for the ones that need to be
  assigned by IANA.  It compiles without errors.

(7) If the document contains a YANG module, has the final version of the
module been checked with any of the recommended validation tools for
syntax and formatting validation?  If there are any resulting errors or
warnings, what is the justification for not fixing them at this time?
Does the YANG module comply with the Network Management Datastore
Architecture (NMDA) as specified in RFC 8342?

  YANG is not used in the document.

(8) Describe reviews and automated checks performed to validate sections
of the final version of the document written in a formal language, such
as XML code, BNF rules, MIB definitions, CBOR's CDDL, etc.

  ASN.1 is used.  The document shepherd compiled the ASN.1 module
  after inserting placeholder values for the ones that need to be
  assigned by IANA.  It compiles without errors.

(9) Based on the shepherd's review of the document, is it their opinion
that this document is needed, clearly written, complete, correctly
designed, and ready to be handed off to the responsible Area Director?

  The document shepherd finds the document clear and complete.

(10) Several IETF Areas have assembled lists of common issues that their
reviewers encounter.  Do any such issues remain that would merit specific
attention from subsequent reviews?

  The document shepherd finds no concerns.

(11) What type of RFC publication is being requested on the IETF stream
(Best Current Practice, Proposed Standard, Internet Standard,
Informational, Experimental, or Historic)?  Why is this the proper type
of RFC?  Do all Datatracker state attributes correctly reflect this
intent?

  Proposed Standard.  The datatracker indicates this intent.

(12) Has the interested community confirmed that any and all appropriate
IPR disclosures required by BCP 78 and BCP 79 have been filed?  If not,
explain why.  If yes, summarize any discussion and conclusion regarding
the intellectual property rights (IPR) disclosures, including links to
relevant emails.

  All authors and contributors have explicitly confirmed that all IPR
  disclosures required for full conformance with the provisions of
  BCP 78 and BCP 79 have already been filed.  There are none.

(13) Has each Author or Contributor confirmed their willingness to be
listed as such?  If the number of Authors/Editors on the front page is
greater than 5, please provide a justification.

  All authors have explicitly confirmed their willingness to be listed
  as an author.  All contributors are listed as authors.

(14) Identify any remaining I-D nits in this document.  (See the idnits
tool and the checkbox items found in Guidelines to Authors of
Internet-Drafts).  Simply running the idnits tool is not enough; please
review the entire guidelines document.

  IDnits does not raise any issues.

  The document shepherd review of the document did not find any
  issues related to the Guidelines to Authors of Internet-Drafts.

(15) Should any informative references be normative or vice-versa?

  All references are in the proper category.

(16) List any normative references that are not freely available to
anyone.  Did the community have sufficient access to review any such
normative references?

  All normative references are RFCs, except one.  ITU-T X.680 can be
  downloaded for free from the following URL:
 
  https://www.itu.int/rec/dologin_pub.asp?lang=e&id=T-REC-X.680-202102-I!!PDF-E

(17) Are there any normative downward references (see RFC 3967, BCP 97)?
If so, list them.

  There are no downrefs.

(18) Are there normative references to documents that are not ready for
advancement or are otherwise in an unclear state?  If they exist, what is
the plan for their completion?

  All of the normative references have already been published.

(19) Will publication of this document change the status of any existing
RFCs?  If so, does the Datatracker metadata correctly reflect this and
are those RFCs listed on the title page, in the abstract, and discussed
in the introduction?  If not, explain why and point to the part of the
document where the relationship of this document to these other RFCs is
discussed.

  Publication of this document will not effect the status of any
  other documents.

(20) Describe the document shepherd's review of the IANA considerations
section, especially with regard to its consistency with the body of the
document.  Confirm that all aspects of the document requiring IANA
assignments are associated with the appropriate reservations in IANA
registries.  Confirm that any referenced IANA registries have been
clearly identified.  Confirm that each newly created IANA registry
specifies its initial contents, allocations procedures, and a reasonable
name (see RFC 8126).

  No concerns were found.  The IANA Considerations ask IANA to assign
  two object identifiers from existing registries, and the document
  shepherd is the IANA Designated Expert for the registries where these
  will be assigned.

(21) List any new IANA registries that require Designated Expert Review
for future allocations.  Are the instructions to the Designated Expert
clear?  Please include suggestions of designated experts, if appropriate.

  No new IANA registries are needed.

Shepherd Write-up for draft-ietf-lamps-documentsigning-eku-03


(1) Does the working group (WG) consensus represent the strong
concurrence of a few individuals, with others being silent, or did it
reach broad agreement?

  There is broad support for this document in the LAMPS WG.

(2) Was there controversy about particular points, or were there
decisions where the consensus was particularly rough?

  One or two people spoke against it when the idea was originally
  raised, but no one spoke against it in the last year.
 
(3) Has anyone threatened an appeal or otherwise indicated extreme
discontent?  If so, please summarize the areas of conflict in separate
email messages to the responsible Area Director.  (It should be in a
separate email because this questionnaire is publicly available.)

  No one has threatened an appeal or indicated extreme discontent.

(4) For protocol documents, are there existing implementations of the
contents of the document?  Have a significant number of potential
implementers indicated plans to implement?  Are any existing
implementations reported somewhere, either in the document itself (as
RFC 7942 recommends) or elsewhere (where)?

  Several Certification Authorities (CAs) have expressed an intention
  to support this new extended key usage value.

(5) Does this document need review from other IETF working groups or
external organizations?  Have those reviews occurred?

  None needed.

(6) Describe how the document meets any required formal expert review
criteria, such as the MIB Doctor, YANG Doctor, media type, and URI type
reviews.

  ASN.1 is used.  The document shepherd compiled the ASN.1 module
  after inserting placeholder values for the ones that need to be
  assigned by IANA.  It compiles without errors.

(7) If the document contains a YANG module, has the final version of the
module been checked with any of the recommended validation tools for
syntax and formatting validation?  If there are any resulting errors or
warnings, what is the justification for not fixing them at this time?
Does the YANG module comply with the Network Management Datastore
Architecture (NMDA) as specified in RFC 8342?

  YANG is not used in the document.

(8) Describe reviews and automated checks performed to validate sections
of the final version of the document written in a formal language, such
as XML code, BNF rules, MIB definitions, CBOR's CDDL, etc.

  ASN.1 is used.  The document shepherd compiled the ASN.1 module
  after inserting placeholder values for the ones that need to be
  assigned by IANA.  It compiles without errors.

(9) Based on the shepherd's review of the document, is it their opinion
that this document is needed, clearly written, complete, correctly
designed, and ready to be handed off to the responsible Area Director?

  The document shepherd finds the document clear and complete.

(10) Several IETF Areas have assembled lists of common issues that their
reviewers encounter.  Do any such issues remain that would merit specific
attention from subsequent reviews?

  The document shepherd finds no concerns.

(11) What type of RFC publication is being requested on the IETF stream
(Best Current Practice, Proposed Standard, Internet Standard,
Informational, Experimental, or Historic)?  Why is this the proper type
of RFC?  Do all Datatracker state attributes correctly reflect this
intent?

  Proposed Standard.  The datatracker indicates this intent.

(12) Has the interested community confirmed that any and all appropriate
IPR disclosures required by BCP 78 and BCP 79 have been filed?  If not,
explain why.  If yes, summarize any discussion and conclusion regarding
the intellectual property rights (IPR) disclosures, including links to
relevant emails.

  All authors and contributors have explicitly confirmed that all IPR
  disclosures required for full conformance with the provisions of
  BCP 78 and BCP 79 have already been filed.  There are none.

(13) Has each Author or Contributor confirmed their willingness to be
listed as such?  If the number of Authors/Editors on the front page is
greater than 5, please provide a justification.

  All authors have explicitly confirmed their willingness to be listed
  as an author.  All contributors are listed as authors.

(14) Identify any remaining I-D nits in this document.  (See the idnits
tool and the checkbox items found in Guidelines to Authors of
Internet-Drafts).  Simply running the idnits tool is not enough; please
review the entire guidelines document.

  IDnits does not raise any issues.

  The document shepherd review of the document did not find any
  issues related to the Guidelines to Authors of Internet-Drafts.

(15) Should any informative references be normative or vice-versa?

  All references are in the proper category.

(16) List any normative references that are not freely available to
anyone.  Did the community have sufficient access to review any such
normative references?

  All normative references are RFCs, except one.  ITU-T X.680 can be
  downloaded for free from the following URL:
 
  https://www.itu.int/rec/dologin_pub.asp?lang=e&id=T-REC-X.680-202102-I!!PDF-E

(17) Are there any normative downward references (see RFC 3967, BCP 97)?
If so, list them.

  There are no downrefs.

(18) Are there normative references to documents that are not ready for
advancement or are otherwise in an unclear state?  If they exist, what is
the plan for their completion?

  All of the normative references have already been published.

(19) Will publication of this document change the status of any existing
RFCs?  If so, does the Datatracker metadata correctly reflect this and
are those RFCs listed on the title page, in the abstract, and discussed
in the introduction?  If not, explain why and point to the part of the
document where the relationship of this document to these other RFCs is
discussed.

  Publication of this document will not effect the status of any
  other documents.

(20) Describe the document shepherd's review of the IANA considerations
section, especially with regard to its consistency with the body of the
document.  Confirm that all aspects of the document requiring IANA
assignments are associated with the appropriate reservations in IANA
registries.  Confirm that any referenced IANA registries have been
clearly identified.  Confirm that each newly created IANA registry
specifies its initial contents, allocations procedures, and a reasonable
name (see RFC 8126).

  No concerns were found.  The IANA Considerations ask IANA to assign
  two object identifiers from existing registries, and the document
  shepherd is the IANA Designated Expert for the registries where these
  will be assigned.

(21) List any new IANA registries that require Designated Expert Review
for future allocations.  Are the instructions to the Designated Expert
clear?  Please include suggestions of designated experts, if appropriate.

  No new IANA registries are needed.