X.509 Certificate Extended Key Usage (EKU) for Instant Messaging URIs
draft-ietf-lamps-im-keyusage-04
Yes
Deb Cooley
(Erik Kline)
No Objection
Jim Guichard
Mahesh Jethanandani
(Francesca Palombini)
(Murray Kucherawy)
(Orie Steele)
(Zaheduzzaman Sarker)
Note: This ballot was opened for revision 03 and is now closed.
Deb Cooley
Yes
Éric Vyncke
No Objection
Comment
(2024-11-26 for -03)
Sent
Thanks for the work on this simple document. Nevertheless, I have two non-blocking comments on a single sentence: `The subjectAltName of these certificates can be an IM URI or XMPP URI, for example.`
Should there be informative references to XMPP URI (and possibly to other IM URI)?
I find it rather sad to have one cert per IM rather than a shared cert (or restricting this I-D to just a MIMI cert).
Gunter Van de Velde
No Objection
Comment
(2024-11-29 for -03)
Sent
# Gunter Van de Velde, RTG AD, comments for draft-ietf-lamps-im-keyusage-03
# The line numbers used are rendered from IETF idnits tool: https://author-tools.ietf.org/api/idnits?url=https://www.ietf.org/archive/id/draft-ietf-lamps-im-keyusage-03.txt
# The text is short and easy to read. Thank you for the write up. I only got a few non-blocking comments from a networking generalist perspective.

#DETAILED COMMENTS
#=================

109	   Messaging client.  This Extended Key Usage is optionally critical.

GV> I find this term "optionally critical" a strange construct and I am not sure I understand accurately what it means. Is it either 'optional' or is it 'critical'? Or is it critical when the KeyPurposeId id-kp-imUri is provided?

117	4.  Security Considerations
118
119	   The Security Considerations of [RFC5280] are applicable to this
120	   document.  This extended key purpose does not introduce new security
121	   risks but instead reduces existing security risks by providing means
122	   to identify if the certificate is generated to sign IM identity
123	   credentials.

GV> Out of interest (I am not very skilled in this area), could the suggested KeyPurposeId be used to redirect in any way to a fake (or irrelevant) KeyPurposeId id-kp-imUri somehow to trick believing that the certificate is legit?
Jim Guichard
No Objection
Mahesh Jethanandani
No Objection
Roman Danyliw
No Objection
Comment
(2024-11-22 for -03)
Sent
Thank you to Behcet Sarikaya for the GENART review.

Section 3.
   This Extended Key Usage is optionally critical.

What does this text mean? Does it say that this extension could be marked as critical? If so, perhaps be clearer with:

NEW
This EKU extension may, at the option of the certificate issuer, be either critical or non-critical.
Erik Kline Former IESG member
Yes
(for -03)
Not sent
Paul Wouters Former IESG member
Yes
(2024-12-01 for -03)
Sent
Should the Security Considerations say something about "SHOULD NOT" set this EKU if serverAuth or clientAuth EKU is set? Otherwise the entire additional security of using this EKU becomes moot.
Francesca Palombini Former IESG member
No Objection
(for -03)
Not sent
Murray Kucherawy Former IESG member
No Objection
(for -03)
Not sent
Orie Steele Former IESG member
No Objection
(for -03)
Not sent
Zaheduzzaman Sarker Former IESG member
No Objection
(for -03)
Not sent