Ballot for draft-ietf-lamps-im-keyusage
Summary: Needs one more YES or NO OBJECTION position to pass.
Should the Security Considerations say something about "SHOULD NOT" set this EKU if serverAuth or clientAuth EKU is set? Otherwise the entire additional security of using this EKU becomes moot.
# Gunter Van de Velde, RTG AD, comments for draft-ietf-lamps-im-keyusage-03

# The line numbers used are rendered from IETF idnits tool: https://author-tools.ietf.org/api/idnits?url=https://www.ietf.org/archive/id/draft-ietf-lamps-im-keyusage-03.txt

# The text is short and easy to read. Thank you for the write up. I only got a few non-blocking comments from a networking generalist perspective.

#DETAILED COMMENTS
#=================

109 Messaging client. This Extended Key Usage is optionally critical.

GV> I find this term "optionally critical" a strange construct and I am not sure I understand accurately what it means. Is it either 'optional' or is it 'critical'? Or is it critical when the KeyPurposeId id-kp-imUri is provided?

117 4. Security Considerations
118
119 The Security Considerations of [RFC5280] are applicable to this
120 document. This extended key purpose does not introduce new security
121 risks but instead reduces existing security risks by providing means
122 to identify if the certificate is generated to sign IM identity
123 credentials.

GV> Out of interest (I am not very skilled in this area), could the suggested KeyPurposeId be used to redirect in any way to a fake (or irrelevant) KeyPurposeId id-kp-imUri somehow to trick believing that the certificate is legit?
Thank you to Behcet Sarikaya for the GENART review.

Section 3.

This Extended Key Usage is optionally critical.

What does this text mean? Does it say that this extension could be marked as critical? If so, perhaps be clearer with:

NEW
This EKU extension may, at the option of the certificate issuer, be either critical or non-critical.
Thanks for the work on this simple document, nevertheless, I have two non-blocking comments on a single sentence `The subjectAltName of these certificates can be an IM URI or XMPP URI, for example.`

Should there be informative references to XMPP URI (and possibly to other IM URI)?

I find it rather sad to have one cert per IM rather than a shared cert (or restricting this I-D to just a MIMI cert).