Hi Fraser,
On 13/12/2020 05:16, Fraser Tweedale wrote:
On Thu, Dec 10, 2020 at 06:23:08PM +0000, Salz, Rich wrote:
In order to address feedback that came up during AD and WGLC review, Alexey
posted a new draft.
This link will show the differences:
https://tools.ietf.org/rfcdiff?difftype=--hwdiff&url2=draft-ietf-acme-email-smime-13.txt
Summary is that it adds text about putting the right keyUsage extensions
(signing, encryption) so that different keys/certs can be used for signing and
encryption. It’s important to be able to have separate signing and encryption
keys.
Please send feedback by the end of next week. Thanks!
There is ambiguity in Section 3.3:
In order to request signing only S/MIME certificate, the CSR MUST
include the key usage extension with digitalSignature and/or
nonRepudiation bits set.
This text does not imply that other bits, including
keyEncipherment/keyAgreement, MUST NOT be set. I would suggest
appending "and no other bits set", i.e.:
In order to request signing only S/MIME certificate, the CSR MUST
include the key usage extension with digitalSignature and/or
nonRepudiation bits set, and no other bits set.
Similarly for the subsequent paragraph (which can be solved the same
way):
In order to request encryption only S/MIME certificate, the CSR MUST
include the key usage extension with keyEncipherment and/or
keyAgreement bits set.
I incorporated your suggestions.
Best Regards,
Alexey
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
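Added illustration (not part of the thread, the draft, or any ACME implementation): a dependency-free Python check that applies the amended Section 3.3 rule to the DER-encoded value of a CSR's keyUsage extension. It decodes the KeyUsage BIT STRING (RFC 5280 bit positions), then requires that a "signing" request carry digitalSignature and/or nonRepudiation and no other bits, and that an "encryption" request carry keyEncipherment and/or keyAgreement and no other bits. The function names, the "signing"/"encryption" labels, and the sample byte strings are constructed for this example; it assumes the caller has already pulled the extension's extnValue contents out of the CSR's extensionRequest attribute.

```python
"""Check a CSR's keyUsage bits against the amended Section 3.3 text (added example)."""

# RFC 5280 KeyUsage named bits in bit-position order. In a DER BIT STRING,
# bit 0 is the most significant bit of the first content octet.
KEY_USAGE_BITS = (
    "digitalSignature",   # 0
    "nonRepudiation",     # 1 (also called contentCommitment)
    "keyEncipherment",    # 2
    "dataEncipherment",   # 3
    "keyAgreement",       # 4
    "keyCertSign",        # 5
    "cRLSign",            # 6
    "encipherOnly",       # 7
    "decipherOnly",       # 8
)

SIGNING_BITS = frozenset({"digitalSignature", "nonRepudiation"})
ENCRYPTION_BITS = frozenset({"keyEncipherment", "keyAgreement"})


def decode_key_usage(der: bytes) -> frozenset:
    """Decode a DER BIT STRING holding KeyUsage into a set of bit names.

    KeyUsage never needs more than two content octets, so only the short-form
    length is accepted; non-minimal encodings are rejected as not-DER.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("bad or non-short-form length")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("invalid unused-bits octet")
    if body and unused and body[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero")
    # DER strips trailing zero bits from a named bit list, so a trailing
    # all-zero octet means the encoding is not DER.
    if body and body[-1] == 0:
        raise ValueError("trailing zero octet is not DER")
    names = set()
    for i in range(len(body) * 8 - unused):
        if body[i // 8] & (0x80 >> (i % 8)):
            if i >= len(KEY_USAGE_BITS):
                raise ValueError(f"unknown KeyUsage bit {i}")
            names.add(KEY_USAGE_BITS[i])
    return frozenset(names)


def encode_key_usage(names) -> bytes:
    """Encode a set of KeyUsage bit names as a minimal DER BIT STRING."""
    positions = sorted(KEY_USAGE_BITS.index(n) for n in names)
    if not positions:
        return bytes([0x03, 0x01, 0x00])
    nbits = positions[-1] + 1
    body = bytearray((nbits + 7) // 8)
    for p in positions:
        body[p // 8] |= 0x80 >> (p % 8)
    unused = len(body) * 8 - nbits
    return bytes([0x03, len(body) + 1, unused]) + bytes(body)


def is_signing_only(names) -> bool:
    """digitalSignature and/or nonRepudiation set, and no other bits set."""
    return bool(names) and set(names) <= SIGNING_BITS


def is_encryption_only(names) -> bool:
    """keyEncipherment and/or keyAgreement set, and no other bits set."""
    return bool(names) and set(names) <= ENCRYPTION_BITS


def check_csr_key_usage(key_usage_der: bytes, requested: str):
    """Return (ok, reason) for a CSR requesting a 'signing' or 'encryption' cert."""
    try:
        names = decode_key_usage(key_usage_der)
    except ValueError as exc:
        return False, f"undecodable keyUsage: {exc}"
    if requested == "signing":
        ok = is_signing_only(names)
    elif requested == "encryption":
        ok = is_encryption_only(names)
    else:
        return False, f"unknown request type {requested!r}"
    return ok, f"{requested} request with keyUsage {sorted(names)}"


if __name__ == "__main__":
    # Constructed sample extension values (hex), not taken from any real CSR.
    samples = [
        ("03020780", "signing"),     # digitalSignature only: accepted
        ("030205a0", "signing"),     # digitalSignature + keyEncipherment: the
                                     # case the original text left ambiguous,
                                     # rejected once "and no other bits" applies
        ("03020308", "encryption"),  # keyAgreement only: accepted
        ("03020328", "encryption"),  # keyEncipherment + keyAgreement: accepted
        ("03020780", "encryption"),  # signing bits on an encryption request
    ]
    for hexval, req in samples:
        print(hexval, req, check_csr_key_usage(bytes.fromhex(hexval), req))
```

The "no other bits set" clause is what makes the second sample fail: under the pre-amendment wording a CSR with both digitalSignature and keyEncipherment still "includes the key usage extension with digitalSignature set", so a literal implementation would have issued a dual-use certificate for a request that was meant to be signing-only.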