Skip to main content

Last Call Review of draft-ietf-lamps-5480-ku-clarifications-00

Request Review of draft-ietf-lamps-5480-ku-clarifications
Requested revision No specific revision (document currently at 03)
Type Last Call Review
Team General Area Review Team (Gen-ART) (genart)
Deadline 2020-02-21
Requested 2020-02-07
Authors Tadahiko Ito , Sean Turner
I-D last updated 2020-02-18
Completed reviews Opsdir Last Call review of -01 by Tim Chown (diff)
Secdir Last Call review of -02 by Klaas Wierenga (diff)
Genart Last Call review of -00 by Dale R. Worley (diff)
Assignment Reviewer Dale R. Worley
State Completed Snapshot
Review review-ietf-lamps-5480-ku-clarifications-00-genart-lc-worley-2020-02-18
Posted at
Reviewed revision 00 (document currently at 03)
Result Ready w/issues
Completed 2020-02-18
I am the assigned Gen-ART reviewer for this draft.  The General Area
Review Team (Gen-ART) reviews all IETF documents being processed by
the IESG for the IETF Chair.  Please treat these comments just like
any other last call comments.

For more information, please see the FAQ at


Document:  draft-ietf-lamps-5480-ku-clarifications-00
Reviewer:  Dale R. Worley
Review Date:  2020-02-18
IETF LC End Date:  2020-02-07
IESG Telechat date:  [unknown]


       This draft is on the right track but has open issues, described
       in the review.

The text is difficult to follow in places.  I believe that the WG has
a clear understanding of what is intended, but a few small editorial
errors have unfortunately rendered the text incorrect and
contradictory to RFC 5480.

Note that I am unfamiliar with the details of PKI certificates; this
review is based largely on what I have learned from RFC 5480 and this

From the discussion it appears that id-ecDH and id-ecMQV are "key
agreement algorithms" and that, as such, they should not be used with
keyEncipherment or dataEncipherment.  [this draft, section 3]
Conversely, id-ecPublicKey is not a "key agreement algorithm".  [RFC
5480, section 2.1.2, para. 1, sentence 1]

1.  Introduction

   This document corrects this omission, by updating Section 3 of
   [RFC5480] to make it clear that neither keyEncipherment nor the
   dataEncipherment key usage bits are set for key agreement algorithms.

This could be clearer by replacing or augmenting "key agreement
algorithms" with a description of which of these algorithms are key
agreement algorithms, viz., id-ecDH and id-ecMQV.  Otherwise, one must
first have read RFC 5480 to understand this introduction correctly.

3.  Updates to Section 3

   If the keyUsage extension is present in a certificate that indicates
   id-ecPublicKey as algorithm of AlgorithmIdentifier [RFC2986] in
   SubjectPublicKeyInfo, then following values MUST NOT be present:

     keyEncipherment; and

   If the keyUsage extension is present in a certificate that indicates
   id-ecDH or id-ecMQV in SubjectPublicKeyInfo, then the following
   values also MUST NOT be present:

     keyEncipherment; and

The structure of this section is peculiar, since it presents almost
the same text about "id-ecPublicKey" and about "id-ecDH or id-ecMQV".
If the intention is to say the same thing about all three, these
should be folded together.

It is also not clear why the first paragraph refers to
AlgorithmIdentifier but the second paragraph uses SubjectPublicKeyInfo
to refer to essentially the same thing.

But this text appears to contradict the statement in [RFC 5480] that
the usage of id-ecPublicKey is "unrestricted" and is not a key
agreement algorithm, in which case the first paragraph should say "the
following values MAY be present".  (In which case, the "also" in the
2nd paragraph should be omitted.)