Re: [Acme] key agility?
Phillip Hallam-Baker <phill@hallambaker.com> Fri, 19 December 2014 15:46 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A79E21A8972 for <acme@ietfa.amsl.com>; Fri, 19 Dec 2014 07:46:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ImQ4oPbsKNdI for <acme@ietfa.amsl.com>; Fri, 19 Dec 2014 07:46:05 -0800 (PST)
Received: from mail-la0-x229.google.com (mail-la0-x229.google.com [IPv6:2a00:1450:4010:c03::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A0D61A00E0 for <acme@ietf.org>; Fri, 19 Dec 2014 07:46:05 -0800 (PST)
Received: by mail-la0-f41.google.com with SMTP id hv19so1051992lab.14 for <acme@ietf.org>; Fri, 19 Dec 2014 07:46:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=jDqvY1XCg5CjbJ9Ugj04AOdi+bt8xXImArloPyQyRtE=; b=fk9OCgdyl91vPBZ0PdVQwasqj7sGkitkn3HqcGZaY4gWpDl6QubyCEOfBsApTZtXhm 4Q7KEVQMf6PkMLBI0xrhtrG59BI2BicI1LFsUILncFKN2WVqxT1W+kXVUyKs08cfAjKR WMiSu4ylmsKGS/omstW/7eUNxWuSECxfu7ncuHV7lo2yYu+kcVT+incpspAzpOAA+XNR gzz/gaxIy5XYni/XHOVrxzglu8Pc9uunep2icsR1o8gfJCB8+3z8Hps2coQoGRD2zmoB KVHsQICwJAS6ZEZHvQKdLEQRLlZ/PAj8HMW14LIFi9yR3oaEmQfzbd/eHyEw3/PF10S+ cmGA==
MIME-Version: 1.0
X-Received: by 10.112.51.44 with SMTP id h12mr8527867lbo.5.1419003963356; Fri, 19 Dec 2014 07:46:03 -0800 (PST)
Sender: hallam@gmail.com
Received: by 10.112.19.42 with HTTP; Fri, 19 Dec 2014 07:46:03 -0800 (PST)
In-Reply-To: <5493BF2F.3010607@fifthhorseman.net>
References: <54933EC2.3010104@gmail.com> <CAMm+Lwi-SeaKfHxXxmG8vsbMK09uvZxs_-y9vQW82U9VB0hGiw@mail.gmail.com> <5493B2F8.30308@gmail.com> <5493BF2F.3010607@fifthhorseman.net>
Date: Fri, 19 Dec 2014 10:46:03 -0500
X-Google-Sender-Auth: aJUzUKcc57nIl-padRMgvqq4csc
Message-ID: <CAMm+Lwg+d-H_P+CgpXayBLtwUD79uw5aoY8WpdDGGJP9-TR6ig@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Content-Type: multipart/alternative; boundary="001a113339282bbcc6050a939bc0"
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/BXDOP2V4Jpnuhnr4HEH-zbiix6s
Cc: "acme@ietf.org" <acme@ietf.org>, Anders Rundgren <anders.rundgren.net@gmail.com>
Subject: Re: [Acme] key agility?
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Dec 2014 15:46:17 -0000
On Fri, Dec 19, 2014 at 1:01 AM, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote: > > On 12/19/2014 12:09 AM, Anders Rundgren wrote: > > On 2014-12-19 00:41, Phillip Hallam-Baker wrote: > >> On Thu, Dec 18, 2014 at 3:53 PM, Anders Rundgren > >> <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>> > >> wrote: > >> > >> With a multi-step protocol some kind of key agility should be > >> possible to support. > >> The client could for example start with telling its > >> preferences/capabilities. > >> > >> Anders > >> > >> > >> I do not know what you mean here. > >> > > > > The ability to negotiate client key algorithm. > > I think Anders is hinting at something like the following: > > * some TLS servers today have both RSA and ECDSA keys, and will offer a > different cert depending on the capabilities offered by their clients. > > * this capacity (to support both key algorithms at once) is an > important one to be able to do a transition when dealing with a > heterogenous network. > > * acme should be able to support offering multiple certificates (with > different key algorithms) to a single client which requests them. > > Anders, is that what you're talking about? This is still unclear to me. Are we talking about the client negotiating the provision of a certificate pair so as to be able to support dual RSA/ECC issue? Or are we talking about the client being able to select the use of an ECC or RSA key to authenticate the ACME protocol. If the first, I agree. If the second then I am very confused. As I see the ACME protocol, it is an upgrade to the traditional Cert issue protocol to support the new requirements of modern cert use including embedded devices and the cloud. Enabling the ECC transition is another important requirement. Fortunately it is pretty easy to support any of these if we support a service feature negotiation phase. The guts of the protocol is a request of the form: <Signature Parameters> { "IssueRequest" : { "Version" : "1.0", "CSR" : <CSR in Base64>, <other attributes> } While it is simplest and most straightforward to treat ECC and RSA as issue of two separate certs, combining them might simplify the management task and in particular integration with TRANS.
- [Acme] key agility? Anders Rundgren
- Re: [Acme] key agility? Phillip Hallam-Baker
- Re: [Acme] key agility? Daniel Kahn Gillmor
- Re: [Acme] key agility? Anders Rundgren
- Re: [Acme] key agility? Anders Rundgren
- Re: [Acme] key agility? Phillip Hallam-Baker
- Re: [Acme] key agility? Richard Barnes