On Thu, Dec 10, 2020 at 06:23:08PM +0000, Salz, Rich wrote:
> In order to address feedback that came up during AD and WGLC review, Alexey
> posted a new draft.
> This link will show the differences:
> https://tools.ietf.org/rfcdiff?difftype=--hwdiff&url2=draft-ietf-acme-email-smime-13.txt
>
> Summary is that it adds text about putting the right keyUsage extensions
> (signing, encryption) so that different keys/certs can be used for signing
> and encryption. It's important to be able to have separate signing and
> encryption keys.
>
> Please send feedback by the end of next week. Thanks!
There is ambiguity in Section 3.3:

   In order to request signing only S/MIME certificate, the CSR MUST
   include the key usage extension with digitalSignature and/or
   nonRepudiation bits set.

This text does not imply that other bits, including keyEncipherment/keyAgreement, MUST NOT be set. I would suggest appending "and no other bits set", i.e.:

   In order to request signing only S/MIME certificate, the CSR MUST
   include the key usage extension with digitalSignature and/or
   nonRepudiation bits set, and no other bits set.

Similarly for the subsequent paragraph (which can be solved the same way):

   In order to request encryption only S/MIME certificate, the CSR MUST
   include the key usage extension with keyEncipherment and/or
   keyAgreement bits set.

Thanks,
Fraser

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
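The following is an added example, not code from the thread, the draft, or any ACME implementation. It DER-encodes and decodes the KeyUsage BIT STRING from RFC 5280 section 4.2.1.3 (the extension a CSR would carry) and then applies the draft's Section 3.3 wording in both forms: as written ("digitalSignature and/or nonRepudiation bits set") and with the proposed "and no other bits set" appended. The three KeyUsage values at the bottom are constructed for the demonstration; the point they show is that a CSR setting both digitalSignature and keyEncipherment satisfies the as-written text for a signing-only certificate and for an encryption-only certificate at the same time, which is the ambiguity being raised.

```python
"""DER KeyUsage encode/decode plus the "no other bits set" check (added example)."""

# Bit positions from RFC 5280 section 4.2.1.3; KeyUsage is a named BIT STRING.
KEY_USAGE_BITS = {
    "digitalSignature": 0,
    "nonRepudiation": 1,  # RFC 5280 also calls this contentCommitment
    "keyEncipherment": 2,
    "dataEncipherment": 3,
    "keyAgreement": 4,
    "keyCertSign": 5,
    "cRLSign": 6,
    "encipherOnly": 7,
    "decipherOnly": 8,
}

# Bit groups named in draft-ietf-acme-email-smime Section 3.3.
SIGNING_BITS = {"digitalSignature", "nonRepudiation"}
ENCRYPTION_BITS = {"keyEncipherment", "keyAgreement"}


def encode_key_usage(names):
    """DER-encode a KeyUsage BIT STRING from a collection of bit names.

    X.690 11.2.2 requires trailing zero bits of a named bit list to be dropped,
    so the length and the unused-bits octet depend on the highest bit that is set.
    """
    positions = sorted(KEY_USAGE_BITS[n] for n in names)
    if not positions:
        return b"\x03\x01\x00"  # empty BIT STRING: one octet, zero unused bits
    nbits = positions[-1] + 1
    nbytes = (nbits + 7) // 8
    value = 0
    for p in positions:
        value |= 1 << (nbytes * 8 - 1 - p)  # bit 0 is the MSB of the first octet
    unused = nbytes * 8 - nbits
    body = bytes([unused]) + value.to_bytes(nbytes, "big")
    return b"\x03" + bytes([len(body)]) + body


def decode_key_usage(der):
    """Parse a DER KeyUsage BIT STRING and return the set of bit names that are set.

    Rejects the encodings DER forbids (non-zero padding bits, undropped trailing
    zero bits, long-form lengths are out of scope for a 9-bit value).
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("bad length")
    unused = der[2]
    if unused > 7 or (length == 1 and unused != 0):
        raise ValueError("bad unused-bits octet")
    data = der[3:]
    if unused and data[-1] & ((1 << unused) - 1):
        raise ValueError("padding bits must be zero")
    total_bits = len(data) * 8 - unused
    if total_bits and not data[-1] & (0x80 >> ((total_bits - 1) % 8)):
        raise ValueError("DER requires trailing zero bits to be removed")
    names = set()
    for name, pos in KEY_USAGE_BITS.items():
        if pos < total_bits and data[pos // 8] & (0x80 >> (pos % 8)):
            names.add(name)
    return names


def is_signing_only(names, strict):
    """Section 3.3 signing rule; strict=True adds the proposed 'and no other bits set'."""
    hit = bool(names & SIGNING_BITS)
    return hit and (names <= SIGNING_BITS if strict else True)


def is_encryption_only(names, strict):
    """Section 3.3 encryption rule; strict=True adds the proposed 'and no other bits set'."""
    hit = bool(names & ENCRYPTION_BITS)
    return hit and (names <= ENCRYPTION_BITS if strict else True)


# Constructed KeyUsage values standing in for the extension in three CSRs.
SAMPLE_CSR_KEY_USAGE = {
    "signing-csr": encode_key_usage({"digitalSignature", "nonRepudiation"}),
    "encryption-csr": encode_key_usage({"keyEncipherment", "keyAgreement"}),
    "mixed-csr": encode_key_usage({"digitalSignature", "keyEncipherment"}),
}


def classify_samples():
    """Return {label: (as_written_sign, as_written_enc, strict_sign, strict_enc)}."""
    out = {}
    for label, der in SAMPLE_CSR_KEY_USAGE.items():
        bits = decode_key_usage(der)
        out[label] = (
            is_signing_only(bits, strict=False),
            is_encryption_only(bits, strict=False),
            is_signing_only(bits, strict=True),
            is_encryption_only(bits, strict=True),
        )
    return out


if __name__ == "__main__":
    for label, (ws, we, ss, se) in classify_samples().items():
        print(f"{label:15} as-written: sign={ws} enc={we}   strict: sign={ss} enc={se}")
```

The "mixed-csr" row is the case the proposed wording closes: under the text as written it is accepted as both a signing-only and an encryption-only request, while with "and no other bits set" it matches neither, so a CA implementing the strict rule would reject it rather than guess which certificate profile was meant.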
