Re: [Acme] key agility?
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 19 December 2014 06:01 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A88C1A9174 for <acme@ietfa.amsl.com>; Thu, 18 Dec 2014 22:01:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q_rUiJ6yEmKe for <acme@ietfa.amsl.com>; Thu, 18 Dec 2014 22:01:22 -0800 (PST)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 7B2EE1A9172 for <acme@ietf.org>; Thu, 18 Dec 2014 22:01:22 -0800 (PST)
Received: from [192.168.12.134] (ool-6c3a0662.static.optonline.net [108.58.6.98]) by che.mayfirst.org (Postfix) with ESMTPSA id 6304EF984; Fri, 19 Dec 2014 01:01:18 -0500 (EST)
Message-ID: <5493BF2F.3010607@fifthhorseman.net>
Date: Fri, 19 Dec 2014 01:01:19 -0500
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:34.0) Gecko/20100101 Icedove/34.0
MIME-Version: 1.0
To: Anders Rundgren <anders.rundgren.net@gmail.com>, Phillip Hallam-Baker <phill@hallambaker.com>
References: <54933EC2.3010104@gmail.com> <CAMm+Lwi-SeaKfHxXxmG8vsbMK09uvZxs_-y9vQW82U9VB0hGiw@mail.gmail.com> <5493B2F8.30308@gmail.com>
In-Reply-To: <5493B2F8.30308@gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="gPdHMnl64lQmw1vAFSBdnqkH4aVPtcDU9"
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/jMxL0UkQWzNZkAuQaojoMfdoDqc
Cc: "acme@ietf.org" <acme@ietf.org>
Subject: Re: [Acme] key agility?
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Dec 2014 06:01:24 -0000
On 12/19/2014 12:09 AM, Anders Rundgren wrote: > On 2014-12-19 00:41, Phillip Hallam-Baker wrote: >> On Thu, Dec 18, 2014 at 3:53 PM, Anders Rundgren >> <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>> >> wrote: >> >> With a multi-step protocol some kind of key agility should be >> possible to support. >> The client could for example start with telling its >> preferences/capabilities. >> >> Anders >> >> >> I do not know what you mean here. >> > > The ability to negotiate client key algorithm. I think Anders is hinting at something like the following: * some TLS servers today have both RSA and ECDSA keys, and will offer a different cert depending on the capabilities offered by their clients. * this capacity (to support both key algorithms at once) is an important one to be able to do a transition when dealing with a heterogenous network. * acme should be able to support offering multiple certificates (with different key algorithms) to a single client which requests them. Anders, is that what you're talking about? --dkg
- [Acme] key agility? Anders Rundgren
- Re: [Acme] key agility? Phillip Hallam-Baker
- Re: [Acme] key agility? Daniel Kahn Gillmor
- Re: [Acme] key agility? Anders Rundgren
- Re: [Acme] key agility? Anders Rundgren
- Re: [Acme] key agility? Phillip Hallam-Baker
- Re: [Acme] key agility? Richard Barnes