Re: [Acme] key agility?
Richard Barnes <rlb@ipv.sx> Fri, 19 December 2014 18:11 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AFB871A8A65 for <acme@ietfa.amsl.com>; Fri, 19 Dec 2014 10:11:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 38pADMpRQ-EX for <acme@ietfa.amsl.com>; Fri, 19 Dec 2014 10:11:25 -0800 (PST)
Received: from mail-la0-f46.google.com (mail-la0-f46.google.com [209.85.215.46]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED8881ACCF9 for <acme@ietf.org>; Fri, 19 Dec 2014 10:11:24 -0800 (PST)
Received: by mail-la0-f46.google.com with SMTP id q1so1300198lam.19 for <acme@ietf.org>; Fri, 19 Dec 2014 10:11:23 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=iw6b+iCFBsonc4x4RSmpouGBmSupfPmf5CAGvrra0GU=; b=Ethe5mIj2zkthSUuzkuXyRt5oBheDq4AvFcOnP4iHDuxfVqVmIrmsISfl5CoDLWnAF sNYXsP3yybHqVAfldF3ocapIyg3BAUxmYGBHRX9L9KfmSr3Bhzlt7DPWdP4okkPUsf9z zzSj1tKT9VG7bmE9Lf5B2s6Bi7i4cIYfiYn7N1oUg/nWfjOVy8/yVaa1B6fnYJNPhefu NI3CDYIX/2LJBYM47DhvYzyZKtsZSon7mrpw+RiIDUJDkXrCIPZ4Mqxmh1V9xQnD3GRw vX1oEqaSU4pcyVkAA/NFJyI9zkImGTFDpdZ53fw6zYuvG/gvvwLNcLs+GZaFJJhyhSxq yehA==
X-Gm-Message-State: ALoCoQlM3yAi9XsjCFbL0KYpqujVbkKpBfjoG6hWVYUAC7iDOuO6ygtQbmQcTDdMrJDFhHLYTDJE
MIME-Version: 1.0
X-Received: by 10.112.47.135 with SMTP id d7mr2538368lbn.54.1419012683453; Fri, 19 Dec 2014 10:11:23 -0800 (PST)
Received: by 10.25.12.215 with HTTP; Fri, 19 Dec 2014 10:11:23 -0800 (PST)
In-Reply-To: <5493BF87.6050107@gmail.com>
References: <54933EC2.3010104@gmail.com> <CAMm+Lwi-SeaKfHxXxmG8vsbMK09uvZxs_-y9vQW82U9VB0hGiw@mail.gmail.com> <5493B2F8.30308@gmail.com> <5493BF2F.3010607@fifthhorseman.net> <5493BF87.6050107@gmail.com>
Date: Fri, 19 Dec 2014 13:11:23 -0500
Message-ID: <CAL02cgRTAJW0VswhMeJJWm_t+FsVMzD5ZZx81ZDhjbufKdyUMw@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Content-Type: multipart/alternative; boundary="001a1134d2e6eded48050a95a285"
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/wFD-9cfIhQh7_-MSXyGbLvqbWO8
Cc: "acme@ietf.org" <acme@ietf.org>, Phillip Hallam-Baker <phill@hallambaker.com>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Subject: Re: [Acme] key agility?
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Dec 2014 18:11:27 -0000
On Fri, Dec 19, 2014 at 1:02 AM, Anders Rundgren < anders.rundgren.net@gmail.com> wrote: > > On 2014-12-19 07:01, Daniel Kahn Gillmor wrote: > >> On 12/19/2014 12:09 AM, Anders Rundgren wrote: >> >>> On 2014-12-19 00:41, Phillip Hallam-Baker wrote: >>> >>>> On Thu, Dec 18, 2014 at 3:53 PM, Anders Rundgren >>>> <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>> >>>> wrote: >>>> >>>> With a multi-step protocol some kind of key agility should be >>>> possible to support. >>>> The client could for example start with telling its >>>> preferences/capabilities. >>>> >>>> Anders >>>> >>>> >>>> I do not know what you mean here. >>>> >>>> >>> The ability to negotiate client key algorithm. >>> >> >> I think Anders is hinting at something like the following: >> >> * some TLS servers today have both RSA and ECDSA keys, and will offer a >> different cert depending on the capabilities offered by their clients. >> >> * this capacity (to support both key algorithms at once) is an >> important one to be able to do a transition when dealing with a >> heterogenous network. >> >> * acme should be able to support offering multiple certificates (with >> different key algorithms) to a single client which requests them. >> >> Anders, is that what you're talking about? >> > > Indeed, pardon for being so unclear :-( > > Thanks for clarifying. ACME incorporates the idea of multiple certificates for the same identifier, even for different clients. That's the reason for the separation between the "authorized key pair" (~= client) and the "subject key pair" (~= certificate). An authorized key pair can be used to issue any number of certificates for any combination of names that it is authorized for. That general framework includes the kind of flexibility you're looking for. --Richard > Anders > > >> --dkg >> >> > _______________________________________________ > Acme mailing list > Acme@ietf.org > https://www.ietf.org/mailman/listinfo/acme >
- [Acme] key agility? Anders Rundgren
- Re: [Acme] key agility? Phillip Hallam-Baker
- Re: [Acme] key agility? Daniel Kahn Gillmor
- Re: [Acme] key agility? Anders Rundgren
- Re: [Acme] key agility? Anders Rundgren
- Re: [Acme] key agility? Phillip Hallam-Baker
- Re: [Acme] key agility? Richard Barnes