IETF Logo Mail Archive

Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-root-key-cert-extn-02.txt> (Hash Of Root Key Certificate Extension) to Informational RFC

"Salz, Rich" <rsalz@akamai.com> Wed, 02 January 2019 20:32 UTC

Return-Path: <rsalz@akamai.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 755871274D0; Wed, 2 Jan 2019 12:32:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.766
X-Spam-Level:
X-Spam-Status: No, score=-2.766 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.065, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 36DSCSmiF3F1; Wed, 2 Jan 2019 12:32:30 -0800 (PST)
Received: from mx0a-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 40BE9129AB8; Wed, 2 Jan 2019 12:32:27 -0800 (PST)
Received: from pps.filterd (m0122332.ppops.net [127.0.0.1]) by mx0a-00190b01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x02KRglj003571; Wed, 2 Jan 2019 20:32:27 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=jan2016.eng; bh=iZUTYBFx2Iw3kfGcBHtHdkqsNdKZpEU2KSJo0f2dZmc=; b=Z6PwkeUy1Tqho/p6HirgZkGAb7sfkK8a9f8e560uN/KvMoLlc0dkPRy2IOdfHgnOFjzP PWvw9gAQ8NYwP7kVKyWGPfnrSYTcP0NBkE2K//iyt7fkpzDwmI/AyQxncoZYdNR5LRP8 188Ul/Lh36F47URkH6pECr0hEffk1Y3NwviFtK904gIrRb8IkDvXxMwGgY0tZCuhGSEj R1i1KTLtwF/CedvDVSG8CElgNrhX6f7AHqFTJ9aknJ5q3oB29qf+zJ/hB69XVltSHSyx hQhVOFsKsa/+RPK24c71VwNrBjJlMt3O8nSt3eUyg+idjY/+GF/v0Qad3qiiy1TJxGe8 5g==
Received: from prod-mail-ppoint3 (a96-6-114-86.deploy.static.akamaitechnologies.com [96.6.114.86] (may be forged)) by mx0a-00190b01.pphosted.com with ESMTP id 2prj4htkhg-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 02 Jan 2019 20:32:26 +0000
Received: from pps.filterd (prod-mail-ppoint3.akamai.com [127.0.0.1]) by prod-mail-ppoint3.akamai.com (8.16.0.21/8.16.0.21) with SMTP id x02KVutP024453; Wed, 2 Jan 2019 15:32:25 -0500
Received: from email.msg.corp.akamai.com ([172.27.25.32]) by prod-mail-ppoint3.akamai.com with ESMTP id 2pp552qwde-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Wed, 02 Jan 2019 15:32:25 -0500
Received: from USTX2EX-DAG1MB1.msg.corp.akamai.com (172.27.27.101) by ustx2ex-dag1mb3.msg.corp.akamai.com (172.27.27.103) with Microsoft SMTP Server (TLS) id 15.0.1365.1; Wed, 2 Jan 2019 14:32:23 -0600
Received: from USTX2EX-DAG1MB1.msg.corp.akamai.com ([172.27.6.131]) by ustx2ex-dag1mb1.msg.corp.akamai.com ([172.27.6.131]) with mapi id 15.00.1365.000; Wed, 2 Jan 2019 14:32:23 -0600
From: "Salz, Rich" <rsalz@akamai.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>, Russ Housley <housley@vigilsec.com>
CC: "spasm@ietf.org" <spasm@ietf.org>, "draft-ietf-lamps-hash-of-root-key-cert-extn@ietf.org" <draft-ietf-lamps-hash-of-root-key-cert-extn@ietf.org>, IETF <ietf@ietf.org>
Subject: Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-root-key-cert-extn-02.txt> (Hash Of Root Key Certificate Extension) to Informational RFC
Thread-Topic: [lamps] Last Call: <draft-ietf-lamps-hash-of-root-key-cert-extn-02.txt> (Hash Of Root Key Certificate Extension) to Informational RFC
Thread-Index: AQHUnjGB95DAqnv0tkCxg+ex07oDdqWcuXCAgAAZcQCAAAWZAP//sG0A
Date: Wed, 02 Jan 2019 20:32:22 +0000
Message-ID: <ECAC3D9D-6A2F-4DE0-BF8B-4AEB1A513BA7@akamai.com>
References: <154594881588.11855.12133790922363153381.idtracker@ietfa.amsl.com> <1AB99D11-5B25-4A97-9FFD-17E318ADD739@vpnc.org> <3D85A45C-FE94-45A7-BF37-C3F8C1B3F5AA@vigilsec.com> <869BCE27-2AB5-4550-AC89-335BFE749123@vpnc.org>
In-Reply-To: <869BCE27-2AB5-4550-AC89-335BFE749123@vpnc.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.14.0.181208
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.36.122]
Content-Type: text/plain; charset="utf-8"
Content-ID: <F1384C6389348F469E5A6CAD4AC02FA5@akamai.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-01-02_08:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=798 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1901020180
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-01-02_08:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=794 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1901020180
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/3A_o1RPuhDI5RkhQ0q6YUna5sSg>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Jan 2019 20:32:31 -0000

I don't understand what the risk is.
 
If a client sees and understands the extension, it can update its trust store to have the new key.  If a client does not see, or does not understand, the extension, then the trust store will have to be updated out of band, just like it is now.

CA's that use this extension must take proper care to ensure that the private key is not exposed.

v2.23.0 | Report a Bug | By Email