Hi,
Attached is my revised XML file with some minor changes.
1) I am updating draft-barnes-mimi-identity-arch so it will no longer be an
expired draft. I already submitted a PR for my intended changes. My
co-author should review it today or tomorrow. Once it is submitted, I will
let you know
2) The XML, HTML, and TXT versions look good. The PDF version has the
section headings for References and Normative References at the end of one
page with the references starting on the next one. If it is straightforward
to start Section 6 on the next page, that seems desirable.
Many thanks,
-rohan
On Tue, Feb 4, 2025 at 7:46 AM Megan Ferguson <
mfergu...@staff.rfc-editor.org> wrote:
> Thanks for the guidance, Rohan and Russ!
>
> We will await Rohan’s updated XML file with further changes.
>
> Thank you.
>
> RFC Editor/mf
>
> > On Feb 4, 2025, at 8:16 AM, Russ Housley <hous...@vigilsec.com> wrote:
> >
> > Rohan and RFC Editor:
> >
> > 1) <!--[rfced] We note a small discrepancy between the ASN.1 snippet in
> >> Section 3 and the ASN.1 in Appendix A: the { character at the end
> >> of the "id-kp" line in Section 3 is on the following line in the
> >> Appendix. Please review and let us know if/how to make these
> >> consistent. Might it be possible to simply point the reader to
> >> Appendix A instead of repeating the code?
> >>
> >> Original (Section 3):
> >> id-kp OBJECT IDENTIFIER ::= {
> >> iso(1) identified-organization(3) dod(6) internet(1)
> >> security(5) mechanisms(5) pkix(7) kp(3) }
> >>
> >> id-kp-imUri OBJECT IDENTIFIER ::= { id-kp TBD1 }
> >>
> >> Original (Appendix A):
> >> id-kp OBJECT IDENTIFIER ::=
> >> { iso(1) identified-organization(3) dod(6) internet(1)
> >> security(5) mechanisms(5) pkix(7) kp(3) }
> >>
> >>
> >> id-kp-imUri OBJECT IDENTIFIER ::= { id-kp TBD1 }
> >>
> >> -->
> >> I followed the formatting conventions of other similar registrations,
> including RFC9509, which is the most recent registration of an Extended Key
> Purpose. It also places the opening curly brace in a different location in
> the textual definition than it does in the MIB. I would tend to keep the
> status quo unless there is consensus otherwise from the chairs and ADs.
> >
> > Both formats will work. ASN.1 compilers will be fine with either one.
> >
> > Russ
>
>
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE rfc [
<!ENTITY nbsp " ">
<!ENTITY zwsp "​">
<!ENTITY nbhy "‑">
<!ENTITY wj "⁠">
]>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude"; ipr="trust200902" docName="draft-ietf-lamps-im-keyusage-04" number="9734" category="std" updates="" obsoletes="" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3" xml:lang="en">
<front>
<title abbrev="extendedKeyUsage for IM URIs">X.509 Certificate Extended Key Usage (EKU) for Instant Messaging URIs</title>
<seriesInfo name="RFC" value="9734"/>
<author fullname="Rohan Mahy">
<organization>Rohan Mahy Consulting Services</organization>
<address>
<email>rohan.i...@gmail.com</email>
</address>
</author>
<date year="2025" month="February"/>
<area>SEC</area>
<workgroup>lamps</workgroup>
<keyword>x.509</keyword>
<keyword>certificate</keyword>
<keyword>extended key usage</keyword>
<keyword>eku</keyword>
<keyword>instant messaging</keyword>
<keyword>im URI</keyword>
<keyword>mimi URL</keyword>
<abstract>
<t>RFC 5280 specifies several extended key purpose identifiers
(KeyPurposeIds) for X.509 certificates. This document defines
an Instant Messaging (IM) identity KeyPurposeId for inclusion in
the Extended Key Usage (EKU) extension of X.509 v3 public key
certificates</t>
</abstract>
</front>
<middle>
<section anchor="introduction">
<name>Introduction</name>
<t>Instant Messaging (IM) systems using the Messaging Layer Security (MLS)
<xref target="RFC9420"/> protocol can incorporate per-client identity certificate
credentials. A subjectAltName in these certificates can be an IM URI
<xref target="RFC3860"/> or Extensible Messaging and Presence Protocol (XMPP) URI <xref target="RFC6121"/>, for example.</t>
<t>Organizations may be unwilling to issue certificates for an IM
client using a general KeyPurposeId, such as <tt>id-kp-serverAuth</tt> or
<tt>id-kp-clientAuth</tt>, because of the risk that such certificates could be
abused in a cross-protocol attack.</t>
<t>An explanation of MLS credentials as they apply to IM is
described in <xref target="I-D.barnes-mimi-identity-arch"/>. These credentials are
expected to be heavily used in the More Instant Messaging Interoperability
(MIMI) Working Group.</t>
</section>
<section anchor="conventions-and-definitions">
<name>Conventions and Definitions</name>
<t>
The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>",
"<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>",
"<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>",
"<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be
interpreted as described in BCP 14 <xref target="RFC2119"/> <xref
target="RFC8174"/> when, and only when, they appear in all capitals, as
shown here.
</t>
</section>
<section anchor="the-im-uri-extended-key-usage">
<name>The IM URI EKU</name>
<t>This specification defines the KeyPurposeId <tt>id-kp-imUri</tt>, which may be
included in certificates used to prove the identity of an IM client. This EKU extension <bcp14>MAY</bcp14>, at the option
of the certificate issuer, be either critical or non-critical.</t>
<sourcecode type="asn.1"><![CDATA[
id-kp OBJECT IDENTIFIER ::= {
iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) kp(3) }
id-kp-imUri OBJECT IDENTIFIER ::= { id-kp 40 }]]></sourcecode>
</section>
<section anchor="security-considerations">
<name>Security Considerations</name>
<t>The security considerations of <xref target="RFC5280"/> are applicable to this
document. The <tt>id-kp-imUri</tt> Extended Key Purpose does not introduce new security
risks but instead reduces existing security risks by providing means
to identify if the certificate is generated to sign IM identity credentials.
Issuers <bcp14>SHOULD NOT</bcp14> set the <tt>id-kp-imUri</tt> extended key purpose and an
<tt>id-kp-clientAuth</tt> or <tt>id-kp-serverAuth</tt> extended key purpose: that would
defeat the improved specificity offered by having an <tt>id-kp-imUri</tt> extended key
purpose.</t>
</section>
<section anchor="iana-considerations">
<name>IANA Considerations</name>
<t>IANA has registered the following OID in the "SMI Security
for PKIX Extended Key Purpose" registry (1.3.6.1.5.5.7.3). This
OID is defined in <xref target="the-im-uri-extended-key-usage"/>.</t>
<table>
<thead>
<tr>
<th align="left">Decimal</th>
<th align="left">Description</th>
<th align="left">References</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left">40</td>
<td align="left">id-kp-imUri</td>
<td align="left">RFC 9734</td>
</tr>
</tbody>
</table>
<t>IANA has also registered the following ASN.1 <xref target="ITU.X690.2021"/>
module OID in the "SMI Security for PKIX Module Identifier" registry (1.3.6.1.5.5.7.0). This OID is defined in <xref target="asn1-module"/>.</t>
<table>
<thead>
<tr>
<th align="left">Decimal</th>
<th align="left">Description</th>
<th align="left">References</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left">113</td>
<td align="left">id-mod-im-eku</td>
<td align="left">RFC 9734</td>
</tr>
</tbody>
</table>
</section>
</middle>
<back>
<displayreference target="I-D.barnes-mimi-identity-arch" to="E2E-IDENTITY"/>
<references anchor="sec-combined-references">
<name>References</name>
<references anchor="sec-normative-references">
<name>Normative References</name>
<reference anchor="ITU.X690.2021" target="https://www.itu.int/rec/T-REC-X.690";>
<front>
<title>Information Technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)</title>
<author>
<organization>ITU-T</organization>
</author>
<date month="February" year="2021"/>
</front>
<seriesInfo name="ITU-T" value="Recommendation X.690"/>
<seriesInfo name="ISO/IEC" value="8825-1-2021"/>
</reference>
<reference anchor="ITU.X680.2021" target="https://www.itu.int/rec/T-REC-X.680";>
<front>
<title>Information Technology - Abstract Syntax Notation One (ASN.1): Specification of basic notation</title>
<author>
<organization>ITU-T</organization>
</author>
<date month="February" year="2021"/>
</front>
<seriesInfo name="ITU-T Recommendation" value="X.680"/>
<seriesInfo name="ISO/IEC" value="8824-1:2021"/>
</reference>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5280.xml"/>
</references>
<references anchor="sec-informative-references">
<name>Informative References</name>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9420.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3860.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6121.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.barnes-mimi-identity-arch.xml"/>
</references>
</references>
<section anchor="asn1-module">
<name>ASN.1 Module</name>
<t>The following module adheres to ASN.1 specifications <xref target="ITU.X680.2021"/> and
<xref target="ITU.X690.2021"/>.</t>
<sourcecode type="asn.1"><![CDATA[
<CODE BEGINS>
IM-EKU
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-im-eku (113) }
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
-- OID Arc
id-kp OBJECT IDENTIFIER ::=
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) kp(3) }
-- Extended Key Usage Values
id-kp-imUri OBJECT IDENTIFIER ::= { id-kp 40 }
END
<CODE ENDS>]]></sourcecode>
</section>
<section numbered="false" anchor="acknowledgments">
<name>Acknowledgments</name>
<t>Thanks to <contact fullname="Sean Turner"/> and <contact
fullname="Russ Housley"/> for reviews, suggestions, corrections, and
encouragement.</t>
</section>
</back>
</rfc>
--
auth48archive mailing list -- auth48archive@rfc-editor.org
To unsubscribe send an email to auth48archive-le...@rfc-editor.org
