X.509 Certificate Extended Key Usage (EKU) for Instant Messaging URIs
draft-ietf-lamps-im-keyusage-04

Received changes through RFC Editor sync (changed state to RFC, created became rfc relationship between draft-ietf-lamps-im-keyusage and RFC 9734, changed IESG state to RFC Published)

[Ballot comment]
Should the Security Considerations say something about "SHOULD NOT" set this EKU if serverAuth or clientAuth EKU is set? Otherwise the entire additional security of using this EKU becomes moot.

[Ballot comment]
# Gunter Van de Velde, RTG AD, comments for draft-ietf-lamps-im-keyusage-03

# The line numbers used are rendered from IETF idnits tool: https://author-tools.ietf.org/api/idnits?url=https://www.ietf.org/archive/id/draft-ietf-lamps-im-keyusage-03.txt

# The text is short and easy to read. Thank you for the write up. I only got few non-blocking comments from a networking generalist perspective.

#DETAILED COMMENTS
#=================

109   Messaging client.  This Extended Key Usage is optionally critical.

GV> I find this term "optionally critical" a strange construct and i am not sure i understand accurately what it means. Is either 'optional' or is it 'critical'? or is it critical when the KeyPurposeId id-kp-imUri is provided?

117 4.  Security Considerations
118
119   The Security Considerations of [RFC5280] are applicable to this
120   document.  This extended key purpose does not introduce new security
121   risks but instead reduces existing security risks by providing means
122   to identify if the certificate is generated to sign IM identity
123   credentials.

GV> Out of interest (i am not very skilled in this area), could the suggested KeyPurposeId be used to redirect in any way to a fake (or irrelevant) KeyPurposeId id-kp-imUri somehow to trick believing that the certificate is legit?

[Ballot comment]
Thanks for the work on this simple document, nevertheless, I have two non-blocking comments on a single sentence `The subjectAltName of these certificates can be an IM URI or XMPP URI, for example.`

Should there be informative references to XMPP URI (and possibly to other IM URI).

I find it rather sad to have one cert per IM rather than a shared cert (or restricting this I-D to just a MIMI cert).

[Ballot comment]
Thank you to Behcet Sarikaya for the GENART review.

Section 3.
  This Extended Key Usage is optionally critical.

What does this text mean?  Does it say that this extension could be marked as critical.  If so, perhaps be clearer with:

NEW
This EKU extension may, at the option of the certificate issuer, be either critical or non-critical.

IESG/Authors/WG Chairs:

IANA has completed its review of draft-ietf-lamps-im-keyusage-03. If any part of this review is inaccurate, please let us know.

IANA understands that, upon approval of this document, there are two actions which we must complete.

First, in the SMI Security for PKIX Extended Key Purpose registry in the Structure of Management Information (SMI) Numbers (MIB Module Registrations) registry group located at:

https://www.iana.org/assignments/smi-numbers/

a single new registration is to be made as follows:

Decimal: [ TBD-at-Registration ]
Description: id-kp-imUri
References: [ RFC-to-be ]

As this document requests a registration in an Expert Review or Specification Required (see RFC 8126) registry, we have completed the required Expert Review via a separate request.

Second, in the SMI Security for PKIX Module Identifier registry also in the Structure of Management Information (SMI) Numbers (MIB Module Registrations) registry group located at:

https://www.iana.org/assignments/smi-numbers/

a single new registration is to be made as follows:

Decimal: [ TBD-at-Registration ]
Description: id-mod-im-eku
References: [ RFC-to-be ]

As this also requests registrations in an Expert Review or Specification Required (see RFC 8126) registry, we will initiate the required Expert Review via a separate request. This review must be completed before the document's IANA state can be changed to "IANA OK."

We understand that these are the only actions required to be completed upon approval of this document.

NOTE: The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is meant only to confirm the list of actions that will be performed.

For definitions of IANA review states, please see:

https://datatracker.ietf.org/help/state/draft/iana-review

Thank you,

David Dong
IANA Services Sr. Specialist

The following Last Call announcement was sent out (ends 2024-11-12):

From: The IESG
To: IETF-Announce
CC: debcooley1@gmail.com, draft-ietf-lamps-im-keyusage@ietf.org, housley@vigilsec.com, lamps-chairs@ietf.org, spasm@ietf.org
Reply-To: last-call@ietf.org
Sender:
Subject: Last Call:  (X.509 Certificate Extended Key Usage (EKU) for Instant Messaging URIs) to Proposed Standard


The IESG has received a request from the Limited Additional Mechanisms for
PKIX and SMIME WG (lamps) to consider the following document: - 'X.509
Certificate Extended Key Usage (EKU) for Instant Messaging URIs'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
last-call@ietf.org mailing lists by 2024-11-12. Exceptionally, comments may
be sent to iesg@ietf.org instead. In either case, please retain the beginning
of the Subject line to allow automated sorting.

Abstract


  RFC 5280 specifies several extended key purpose identifiers
  (KeyPurposeIds) for X.509 certificates.  This document defines
  Instant Messaging (IM) identity KeyPurposeId for inclusion in the
  Extended Key Usage (EKU) extension of X.509 v3 public key
  certificates




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-lamps-im-keyusage/



No IPR declarations have been submitted directly on this I-D.

Shepherd Write-up for draft-ietf-lamps-im-keyusage-01


(1) Does the working group (WG) consensus represent the strong
concurrence of a few individuals, with others being silent, or did it
reach broad agreement?

  There is support for this document in the LAMPS WG.

(2) Was there controversy about particular points, or were there
decisions where the consensus was particularly rough?

  During the WG Last Call no one spoke against the document, but
  there was some express support.
 
(3) Has anyone threatened an appeal or otherwise indicated extreme
discontent?  If so, please summarize the areas of conflict in separate
email messages to the responsible Area Director.  (It should be in a
separate email because this questionnaire is publicly available.)

  No one has threatened an appeal or indicated any discontent.

(4) For protocol documents, are there existing implementations of the
contents of the document?  Have a significant number of potential
implementers indicated plans to implement?  Are any existing
implementations reported somewhere, either in the document itself (as
RFC 7942 recommends) or elsewhere (where)?

  No one has said one way or the other.

(5) Does this document need review from other IETF working groups or
external organizations?  Have those reviews occurred?

  None needed.

(6) Describe how the document meets any required formal expert review
criteria, such as the MIB Doctor, YANG Doctor, media type, and URI type
reviews.

  ASN.1 is used.  The document shepherd compiled the ASN.1 module
  after inserting placeholder values for the ones that need to be
  assigned by IANA.  It compiles without errors.

(7) If the document contains a YANG module, has the final version of the
module been checked with any of the recommended validation tools for
syntax and formatting validation?  If there are any resulting errors or
warnings, what is the justification for not fixing them at this time?
Does the YANG module comply with the Network Management Datastore
Architecture (NMDA) as specified in RFC 8342?

  YANG is not used in the document.

(8) Describe reviews and automated checks performed to validate sections
of the final version of the document written in a formal language, such
as XML code, BNF rules, MIB definitions, CBOR's CDDL, etc.

  ASN.1 is used.  The document shepherd compiled the ASN.1 module
  after inserting placeholder values for the ones that need to be
  assigned by IANA.  It compiles without errors.

(9) Based on the shepherd's review of the document, is it their opinion
that this document is needed, clearly written, complete, correctly
designed, and ready to be handed off to the responsible Area Director?

  The document shepherd finds the document clear and complete.

(10) Several IETF Areas have assembled lists of common issues that their
reviewers encounter.  Do any such issues remain that would merit specific
attention from subsequent reviews?

  The document shepherd finds no concerns.

(11) What type of RFC publication is being requested on the IETF stream
(Best Current Practice, Proposed Standard, Internet Standard,
Informational, Experimental, or Historic)?  Why is this the proper type
of RFC?  Do all Datatracker state attributes correctly reflect this
intent?

  Proposed Standard.  The datatracker indicates this intent.

(12) Has the interested community confirmed that any and all appropriate
IPR disclosures required by BCP 78 and BCP 79 have been filed?  If not,
explain why.  If yes, summarize any discussion and conclusion regarding
the intellectual property rights (IPR) disclosures, including links to
relevant emails.

  The author has explicitly confirmed that all IPR disclosures that
  are required for full conformance with the provisions of BCP 78
  and BCP 79 have already been filed.  There are none.

(13) Has each Author or Contributor confirmed their willingness to be
listed as such?  If the number of Authors/Editors on the front page is
greater than 5, please provide a justification.

  The author has explicitly confirmed their willingness to be listed
  as an author.  All contributors are listed as authors.

(14) Identify any remaining I-D nits in this document.  (See the idnits
tool and the checkbox items found in Guidelines to Authors of
Internet-Drafts).  Simply running the idnits tool is not enough; please
review the entire guidelines document.

  IDnits raises no issues.

(15) Should any informative references be normative or vice-versa?

  All references are in the proper category.

(16) List any normative references that are not freely available to
anyone.  Did the community have sufficient access to review any such
normative references?

  All normative references are RFCs ot ITU-T recommendations.  All
  of these are freely available for download.

(17) Are there any normative downward references (see RFC 3967, BCP 97)?
If so, list them.

  There are no downrefs.

(18) Are there normative references to documents that are not ready for
advancement or are otherwise in an unclear state?  If they exist, what is
the plan for their completion?

  All of the normative references have already been published.

(19) Will publication of this document change the status of any existing
RFCs?  If so, does the Datatracker metadata correctly reflect this and
are those RFCs listed on the title page, in the abstract, and discussed
in the introduction?  If not, explain why and point to the part of the
document where the relationship of this document to these other RFCs is
discussed.

  Publication of this document will not effect the status of any
  other documents.

(20) Describe the document shepherd's review of the IANA considerations
section, especially with regard to its consistency with the body of the
document.  Confirm that all aspects of the document requiring IANA
assignments are associated with the appropriate reservations in IANA
registries.  Confirm that any referenced IANA registries have been
clearly identified.  Confirm that each newly created IANA registry
specifies its initial contents, allocations procedures, and a reasonable
name (see RFC 8126).

  No concerns were found.  The IANA Considerations ask IANA to assign
  some object identifiers from existing registries, and the document
  shepherd is the IANA Designated Expert for the registries where these
  will be assigned.

(21) List any new IANA registries that require Designated Expert Review
for future allocations.  Are the instructions to the Designated Expert
clear?  Please include suggestions of designated experts, if appropriate.

  No new IANA registries are needed.

Shepherd Write-up for draft-ietf-lamps-im-keyusage-01


(1) Does the working group (WG) consensus represent the strong
concurrence of a few individuals, with others being silent, or did it
reach broad agreement?

  There is support for this document in the LAMPS WG.

(2) Was there controversy about particular points, or were there
decisions where the consensus was particularly rough?

  During the WG Last Call no one spoke against the document, but
  there was some express support.
 
(3) Has anyone threatened an appeal or otherwise indicated extreme
discontent?  If so, please summarize the areas of conflict in separate
email messages to the responsible Area Director.  (It should be in a
separate email because this questionnaire is publicly available.)

  No one has threatened an appeal or indicated any discontent.

(4) For protocol documents, are there existing implementations of the
contents of the document?  Have a significant number of potential
implementers indicated plans to implement?  Are any existing
implementations reported somewhere, either in the document itself (as
RFC 7942 recommends) or elsewhere (where)?

  No one has said one way or the other.

(5) Does this document need review from other IETF working groups or
external organizations?  Have those reviews occurred?

  None needed.

(6) Describe how the document meets any required formal expert review
criteria, such as the MIB Doctor, YANG Doctor, media type, and URI type
reviews.

  ASN.1 is used.  The document shepherd compiled the ASN.1 module
  after inserting placeholder values for the ones that need to be
  assigned by IANA.  It compiles without errors.

(7) If the document contains a YANG module, has the final version of the
module been checked with any of the recommended validation tools for
syntax and formatting validation?  If there are any resulting errors or
warnings, what is the justification for not fixing them at this time?
Does the YANG module comply with the Network Management Datastore
Architecture (NMDA) as specified in RFC 8342?

  YANG is not used in the document.

(8) Describe reviews and automated checks performed to validate sections
of the final version of the document written in a formal language, such
as XML code, BNF rules, MIB definitions, CBOR's CDDL, etc.

  ASN.1 is used.  The document shepherd compiled the ASN.1 module
  after inserting placeholder values for the ones that need to be
  assigned by IANA.  It compiles without errors.

(9) Based on the shepherd's review of the document, is it their opinion
that this document is needed, clearly written, complete, correctly
designed, and ready to be handed off to the responsible Area Director?

  The document shepherd finds the document clear and complete.

(10) Several IETF Areas have assembled lists of common issues that their
reviewers encounter.  Do any such issues remain that would merit specific
attention from subsequent reviews?

  The document shepherd finds no concerns.

(11) What type of RFC publication is being requested on the IETF stream
(Best Current Practice, Proposed Standard, Internet Standard,
Informational, Experimental, or Historic)?  Why is this the proper type
of RFC?  Do all Datatracker state attributes correctly reflect this
intent?

  Proposed Standard.  The datatracker indicates this intent.

(12) Has the interested community confirmed that any and all appropriate
IPR disclosures required by BCP 78 and BCP 79 have been filed?  If not,
explain why.  If yes, summarize any discussion and conclusion regarding
the intellectual property rights (IPR) disclosures, including links to
relevant emails.

  The author has explicitly confirmed that all IPR disclosures that
  are required for full conformance with the provisions of BCP 78
  and BCP 79 have already been filed.  There are none.

(13) Has each Author or Contributor confirmed their willingness to be
listed as such?  If the number of Authors/Editors on the front page is
greater than 5, please provide a justification.

  The author has explicitly confirmed their willingness to be listed
  as an author.  All contributors are listed as authors.

(14) Identify any remaining I-D nits in this document.  (See the idnits
tool and the checkbox items found in Guidelines to Authors of
Internet-Drafts).  Simply running the idnits tool is not enough; please
review the entire guidelines document.

  IDnits raises no issues.

(15) Should any informative references be normative or vice-versa?

  All references are in the proper category.

(16) List any normative references that are not freely available to
anyone.  Did the community have sufficient access to review any such
normative references?

  All normative references are RFCs ot ITU-T recommendations.  All
  of these are freely available for download.

(17) Are there any normative downward references (see RFC 3967, BCP 97)?
If so, list them.

  There are no downrefs.

(18) Are there normative references to documents that are not ready for
advancement or are otherwise in an unclear state?  If they exist, what is
the plan for their completion?

  All of the normative references have already been published.

(19) Will publication of this document change the status of any existing
RFCs?  If so, does the Datatracker metadata correctly reflect this and
are those RFCs listed on the title page, in the abstract, and discussed
in the introduction?  If not, explain why and point to the part of the
document where the relationship of this document to these other RFCs is
discussed.

  Publication of this document will not effect the status of any
  other documents.

(20) Describe the document shepherd's review of the IANA considerations
section, especially with regard to its consistency with the body of the
document.  Confirm that all aspects of the document requiring IANA
assignments are associated with the appropriate reservations in IANA
registries.  Confirm that any referenced IANA registries have been
clearly identified.  Confirm that each newly created IANA registry
specifies its initial contents, allocations procedures, and a reasonable
name (see RFC 8126).

  No concerns were found.  The IANA Considerations ask IANA to assign
  some object identifiers from existing registries, and the document
  shepherd is the IANA Designated Expert for the registries where these
  will be assigned.

(21) List any new IANA registries that require Designated Expert Review
for future allocations.  Are the instructions to the Designated Expert
clear?  Please include suggestions of designated experts, if appropriate.

  No new IANA registries are needed.