Re: [Anima-bootstrap] Max: voucher terminology / explanations in next draft round

Michael Richardson <mcr+ietf@sandelman.ca> Sat, 17 December 2016 19:56 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Toerless Eckert <tte@cs.fau.de>
Cc: "Max Pritikin (pritikin)" <pritikin@cisco.com>, "anima-bootstrap@ietf.org" <anima-bootstrap@ietf.org>
Date: Sat, 17 Dec 2016 14:56:48 -0500
In-reply-to: <20161213165903.GA13281@faui40p.informatik.uni-erlangen.de>
References: <20161213165903.GA13281@faui40p.informatik.uni-erlangen.de>
Message-ID: <11825.1482004608@dooku.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima-bootstrap/pNxSiTHABkZoFeUE8nsoPaElRXE>

Toerless Eckert <tte@cs.fau.de> wrote:
    > - Including certificate in the voucher allows those vouchers to
    > lie around at an owner much longer. Their validity is as long as that
    > of the included CA certificate (eg: >= 10 years). The validity of
    > a public key is typically much shorter (eg: <= 1 year).

A certificate is valid as long as the CA that vouches for the DN renews
the certificate.  The keys can be renewed, and algorithms can even be
replaced.  That's the payoff from the overhead of the PKI.

=> This is what we need to capture into the document.

A public key has no expiry date, since it has no date associated with it.
When you say that a public key is "typically" shorter, you are really
expressing a good crypto-hygiene suggestion to the owner of the public key.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
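The distinction argued above (a voucher carrying the owner's CA certificate stays usable for as long as that CA certificate is valid and survives key renewal, while a voucher pinning a bare public key has no dates at all and is only as good as that one key) can be shown with the Go standard library. This is an added example, not code from this thread or from the ANIMA drafts; the `Voucher` struct, the "owner-ca"/"registrar" names and the 10-year/1-year lifetimes are constructed for illustration, and the two `accept*` functions stand in for whatever validation the real voucher format would specify.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Voucher is a constructed stand-in for the voucher object under discussion,
// not the draft's real schema. Exactly one of the two fields is set.
type Voucher struct {
	PinnedCA     *x509.Certificate // "include the owner's CA certificate" style
	PinnedPubKey []byte            // DER SubjectPublicKeyInfo: "bare public key" style
}

// newCert issues an ECDSA P-256 certificate. A CA is self-signed; anything
// else is signed by parentKey under parent.
func newCert(cn string, isCA bool, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter,
		BasicConstraintsValid: true, IsCA: isCA,
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	signer := key
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent = tmpl // self-signed
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// acceptWithCA asks whether the CA pinned in the voucher vouches for the presented
// certificate at time now. Every certificate in the chain, the CA included, is
// checked against its own notBefore/notAfter window.
func acceptWithCA(v Voucher, presented *x509.Certificate, now time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(v.PinnedCA)
	_, err := presented.Verify(x509.VerifyOptions{
		Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err == nil
}

// acceptWithPinnedKey: a bare public key carries no dates, so the only possible
// check is byte equality of the key; there is no "now" to consult.
func acceptWithPinnedKey(v Voucher, presented *x509.Certificate) bool {
	spki, err := x509.MarshalPKIXPublicKey(presented.PublicKey)
	return err == nil && bytes.Equal(spki, v.PinnedPubKey)
}

// Outcome records what each voucher style accepts across the registrar's life.
type Outcome struct {
	CAAcceptsOriginal, CAAcceptsRenewedKey, CAAcceptsAfterCAExpiry bool
	KeyAcceptsOriginal, KeyAcceptsRenewedKey                       bool
}

// RunScenario builds a 10-year owner CA and three 1-year registrar certificates:
// the original, a renewal under a fresh key, and one issued once the CA cert has expired.
func RunScenario() (Outcome, error) {
	t0 := time.Date(2016, 12, 17, 0, 0, 0, 0, time.UTC)
	year := func(n int) time.Time { return t0.AddDate(n, 0, 0) }
	ca, caKey, err := newCert("owner-ca", true, t0, year(10), nil, nil)
	if err != nil {
		return Outcome{}, err
	}
	reg1, _, err := newCert("registrar", false, t0, year(1), ca, caKey)
	if err != nil {
		return Outcome{}, err
	}
	reg2, _, err := newCert("registrar", false, year(1), year(2), ca, caKey) // same DN, new key
	if err != nil {
		return Outcome{}, err
	}
	reg3, _, err := newCert("registrar", false, year(10), year(11), ca, caKey) // CA cert already expired
	if err != nil {
		return Outcome{}, err
	}
	spki, err := x509.MarshalPKIXPublicKey(reg1.PublicKey)
	if err != nil {
		return Outcome{}, err
	}
	vCA, vKey := Voucher{PinnedCA: ca}, Voucher{PinnedPubKey: spki}
	half := 182 * 24 * time.Hour // roughly half-way into each registrar cert's life
	return Outcome{
		CAAcceptsOriginal:      acceptWithCA(vCA, reg1, t0.Add(half)),
		CAAcceptsRenewedKey:    acceptWithCA(vCA, reg2, year(1).Add(half)),
		CAAcceptsAfterCAExpiry: acceptWithCA(vCA, reg3, year(10).Add(half)),
		KeyAcceptsOriginal:     acceptWithPinnedKey(vKey, reg1),
		KeyAcceptsRenewedKey:   acceptWithPinnedKey(vKey, reg2),
	}, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

Run it with `go run .`: the CA-pinned voucher accepts both the original registrar certificate and the renewal under a new key, but rejects everything once the CA certificate in the voucher has expired, which is exactly the "valid as long as the included CA certificate" lifetime. The key-pinned voucher accepts only the one key it was built for, so a routine key rotation invalidates it, and it has no date field that any policy could check.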