RE: [lamps] Last Call: <draft-ietf-lamps-hash-of-root-key-cert-extn-02.txt> (Hash Of Root Key Certificate Extension) to Informational RFC
Tim Hollebeek <tim.hollebeek@digicert.com> Wed, 02 January 2019 20:57 UTC
Return-Path: <tim.hollebeek@digicert.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED02A129B88; Wed, 2 Jan 2019 12:57:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.066
X-Spam-Level:
X-Spam-Status: No, score=-2.066 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.065, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=digicert.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qkeeRRMPGcO0; Wed, 2 Jan 2019 12:57:23 -0800 (PST)
Received: from mail1.bemta23.messagelabs.com (mail1.bemta23.messagelabs.com [67.219.246.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1993A129AB8; Wed, 2 Jan 2019 12:57:22 -0800 (PST)
Received: from [67.219.247.52] (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256 bits)) by server-3.bemta.az-d.us-east-1.aws.symcld.net id 2C/F3-21706-1B52D2C5; Wed, 02 Jan 2019 20:57:21 +0000
X-Brightmail-Tracker: H4sIAAAAAAAAA1WTWUwTURSGuZ3pdCDUDAXl2KDGijFBplBjTMX 9Qe2D4hJ90boMdmirbamdgoA+uCQqIC4RDCBbRAlWCBQluNVoNSJoDCJqioJBcauSqGDcojhL 3V4m/z3/d5Z7cofEVN8JNclmu1mXg7FpiAjckkSn0E2TaWNye1mKvrLVj+mDrwMK/UtvFa7va RyW60fO5eH6yoeb5hOGozeqMcPJk19lBs+TYblh6PgDbDm+Rm51pGVkb5RbbnovEM6RBdmDJ4 aJnahhXj6KIHHqAAbDg8eQcFBRB2UQuPZULh36EJTWBPB8FE4SVDI89LXJBB1DZcCZtv0yAcK oegTNtT6FYERTRQjyr8ULRgxVjGD/GW8oIxUqgp8xQeNUPHzp8IhaSa2D2o8luNSuRAa9u4fE hHBqLpx9HBAhRI2Bzx31YhyjYqFnoErUQMVA/73bhKRHw5vnP+USb4SKIT8fJ/n4RAi00BIyD rqqCsR7ArVHAU+6G0N1aHhfXIxJeikEjl4PQY8RnPreFTIS4NK+7lCCDWqu7CMkqAcD77MHuG TEQfu3cizUgoC+Lw3ieCrKBEUef2jU8eAp7MclaIDfd8txxWGUUPbP9crEzVYjKLzdjpeJi4q C9tIBXIJouHjlKibpCdA6WM5rBa9nwzmTFJ0IRQX9CknPgL13PxDViPSgGWkuq9nitjNWG61L TqZ1umn0TP6r1zK5tEmbydEsw7lpnZbZxmm5HPsmm0nrYN3NiH+IJmd41nkUPGX2o7GkTDNa6 elINKpGpWWYciwMZ9ngyrSxnB/FkaQGlPmTaKMqysWa2ex0q41/zb9tICM1MUq7YCs5J2PnrG bJ6kA02Zb3qRxT4Y4MB6uOVabF8xAlQJZMx58Sv/+JLjROHa1EYWFhqkgn67Jb3f/7QRRLIk2 0khCqRFod7j+dgvwQMn6I6ZAoDOFm/lrqnWjzIeaF4fq7dHPt1qzEyi0LFqdkzUn5yl1emPpj 1emGKFKr276jsSTd+6lzyojPnxdhi1rdnXtEndRXoKqrKKpse95rDCy7Vz576Y8VSwrqbLvu+ 1aeXxT8cAs9io8rHXvsVVLnnfU1xIQaxte5JbV3/dSctYVNdSOz3t5x5rbIWptvaHDOwugSMB fH/ALtivYIDgQAAA==
X-Env-Sender: tim.hollebeek@digicert.com
X-Msg-Ref: server-20.tower-424.messagelabs.com!1546462638!4225435!1
X-Originating-IP: [104.47.45.58]
X-SYMC-ESS-Client-Auth: mailfrom-relay-check=pass
X-StarScan-Received:
X-StarScan-Version: 9.14.24; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 1793 invoked from network); 2 Jan 2019 20:57:20 -0000
Received: from mail-co1nam04lp2058.outbound.protection.outlook.com (HELO NAM04-CO1-obe.outbound.protection.outlook.com) (104.47.45.58) by server-20.tower-424.messagelabs.com with AES256-SHA256 encrypted SMTP; 2 Jan 2019 20:57:20 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digicert.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=BO8passwIlIPDU0t4BdILC/LtekZYhI43LgJlNIaYvU=; b=cMqTp6BnwTGrrL0p2oI5WdkT92mjYCpG3kCX9L/Ha/e5AC63h6mIqmp2zs6uJYaik/n7iLYeA2Q10u6ggQxEl7jFeytPedW+LSV0poUXTT5/7x/ehfURo+Uc0m2aFmzONrRpoNScM4qJb9KHLhBoK5skG1l0Iwqq1jAmGIBZJzg=
Received: from BN6PR14MB1106.namprd14.prod.outlook.com (10.173.161.15) by BN6PR14MB1410.namprd14.prod.outlook.com (10.172.150.12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1495.6; Wed, 2 Jan 2019 20:57:17 +0000
Received: from BN6PR14MB1106.namprd14.prod.outlook.com ([fe80::60f0:c4cd:7c30:59c4]) by BN6PR14MB1106.namprd14.prod.outlook.com ([fe80::60f0:c4cd:7c30:59c4%2]) with mapi id 15.20.1471.019; Wed, 2 Jan 2019 20:57:17 +0000
From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: "Salz, Rich" <rsalz@akamai.com>, Paul Hoffman <paul.hoffman@vpnc.org>, Russ Housley <housley@vigilsec.com>
CC: "spasm@ietf.org" <spasm@ietf.org>, "draft-ietf-lamps-hash-of-root-key-cert-extn@ietf.org" <draft-ietf-lamps-hash-of-root-key-cert-extn@ietf.org>, IETF <ietf@ietf.org>
Subject: RE: [lamps] Last Call: <draft-ietf-lamps-hash-of-root-key-cert-extn-02.txt> (Hash Of Root Key Certificate Extension) to Informational RFC
Thread-Topic: [lamps] Last Call: <draft-ietf-lamps-hash-of-root-key-cert-extn-02.txt> (Hash Of Root Key Certificate Extension) to Informational RFC
Thread-Index: AQHUnjFsG1mFhr8NEEGYNgqXXTDizqWcVNuAgAAZcQCAAAWZAIAABD8AgAAGM7A=
Date: Wed, 02 Jan 2019 20:57:17 +0000
Message-ID: <BN6PR14MB110608E203576F64905F8E2F838C0@BN6PR14MB1106.namprd14.prod.outlook.com>
References: <154594881588.11855.12133790922363153381.idtracker@ietfa.amsl.com> <1AB99D11-5B25-4A97-9FFD-17E318ADD739@vpnc.org> <3D85A45C-FE94-45A7-BF37-C3F8C1B3F5AA@vigilsec.com> <869BCE27-2AB5-4550-AC89-335BFE749123@vpnc.org> <ECAC3D9D-6A2F-4DE0-BF8B-4AEB1A513BA7@akamai.com>
In-Reply-To: <ECAC3D9D-6A2F-4DE0-BF8B-4AEB1A513BA7@akamai.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [98.111.253.32]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BN6PR14MB1410; 6:JGrk4nftKG7MUbebznx2ZpQnWoe4U+N0/CAqRhkCD7VlNFVWvdyZz/qf+xq65VLYMqL1uY9K80mHOkQGZdn7B5T7rooz7yfQw/Mnsfwq/Vn5PA1o7nbAcO/C0deHZXYvHZy+ZiRigj1OB7nifGoQoE9bIpuqip1/CB0dD9Cd6HI0o8iE3eduYQUAOEi9klCzU4zl+d4+wAlrFwOAhiOtrUxtdZm5wTjyMC+5m6E7Eiv/jnn2Gi3u6ucqsDgpS9Ui0XmuLPCw+PFceE8vn4PS6JfWPhopwhdp9Kdj75J5d7z+kc02J+g05tkZP2ksYY8g3vnWZqHQwSJCBVGjNWxc559e6pA8cDcFYcUj44ltyQ+YjNvmHqUK5OQhbOHNbKMyI9S/LjJOq0eFb+XV8XpGQTQVuKeKmkOHZidGtrgqfSM4gon71Ebwn57k46G4jyMsi7oAcauwl848xYqCHasqdw==; 5:h07oySPwBibmXyh8x9g0EKPI6nJbX8GxKBWlr33vmb1ziIBFy9/dzMgzqTlT8c8Lx1eRd1bhkbFKUuDD7TgyN2z/l/Amrid+ErtP5RR4nlnVnSFxw0rl383hqfx4kDaxa4sNaPtl16AwKJLF5Gfy4qPpAQkPkQBEPnJvEUvr2R+cxWayc0GWz84x0CHFfj/fOrZnxzvEo6lFjcqvl2glgQ==; 7:4FbKd/YjGi3KAII8Bx0XwUEVDjUzIWz3Pi/aNbPZ3a8wsY3yEH8J4w0oKGFWByUfJbbdAwhJQwgUCnDErEN0tPjQ62vZxVWUPJu5oYk4V/lUCYxMbeiUXrCiv9DfO4J9f+Ic+6anOpzuceF3JCf1nA==
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: a63a83b0-a20e-4b1a-58b3-08d670f4e148
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600109)(711020)(2017052603328)(7153060)(49563074)(7193020); SRVR:BN6PR14MB1410;
x-ms-traffictypediagnostic: BN6PR14MB1410:
x-microsoft-antispam-prvs: <BN6PR14MB1410E916F91F4A85F616F722838C0@BN6PR14MB1410.namprd14.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(3230021)(908002)(999002)(5005026)(102415395)(6040522)(8220060)(2401047)(8121501046)(3002001)(93006095)(93001095)(3231475)(944501520)(4983020)(52105112)(10201501046)(6041310)(20161123560045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123564045)(20161123558120)(20161123562045)(201708071742011)(7699051)(76991095); SRVR:BN6PR14MB1410; BCL:0; PCL:0; RULEID:; SRVR:BN6PR14MB1410;
x-forefront-prvs: 0905A6B2C7
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39860400002)(366004)(376002)(346002)(396003)(136003)(13464003)(189003)(199004)(53936002)(6116002)(5660300001)(186003)(55016002)(66066001)(11346002)(446003)(256004)(6246003)(14444005)(33656002)(476003)(68736007)(3846002)(74316002)(229853002)(102836004)(316002)(81156014)(81166006)(305945005)(7736002)(93886005)(86362001)(99286004)(99936001)(7696005)(25786009)(97736004)(105586002)(6436002)(76176011)(110136005)(54906003)(44832011)(486006)(53546011)(6506007)(8936002)(71200400001)(966005)(71190400001)(478600001)(106356001)(14454004)(6306002)(9686003)(2906002)(26005)(8676002)(4326008); DIR:OUT; SFP:1102; SCL:1; SRVR:BN6PR14MB1410; H:BN6PR14MB1106.namprd14.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: digicert.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: r3HX8t0Nvm9KowaLTOPhNt9//C7rf9P6lKUG9V7roKoyd1We0a9pFil67o9Y2inab7Rc8SjFfVaCkrSXuv5ZJwvgS31DOtGu9zGdPz6LWsZyseuGjHy3NMIe3YmZIADLMPuPfWCQBU5UPKVCy0bBG4JG38/snuccydI+PuFyPOD+n5soIiRRkbhWWiMycjHQ123BMaV6Y4JODm4B6fH792bG6Bl856b5OHEVsVbgLbqaXOSmD3fex8bqvs0/otUDuUcUh/gFRt3BdhzNlGxVISXiIuw/rnanp5eZHTcsckbXLjAkDN3jnxGn5W87eUCC
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="2.16.840.1.101.3.4.2.1"; boundary="----=_NextPart_000_00AC_01D4A2B3.CC30E870"
MIME-Version: 1.0
X-OriginatorOrg: digicert.com
X-MS-Exchange-CrossTenant-Network-Message-Id: a63a83b0-a20e-4b1a-58b3-08d670f4e148
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Jan 2019 20:57:17.1718 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf813fa1-bde5-4e75-9479-f6aaa8b1f284
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR14MB1410
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/ShheCaV_NapKffmBJ52E4iMsu2c>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Jan 2019 20:57:26 -0000
I'm sympathetic to perhaps adding a sentence or two, but otherwise I'm struggling to understand the risk as well. If an entity is incapable of managing and protecting a replacement root key, perhaps they shouldn't be in the CA business. And since, at worst, they lose the ability to replace the root key, they aren't in a worse situation than they were if this capability didn't exist. -Tim > -----Original Message----- > From: Spasm <spasm-bounces@ietf.org> On Behalf Of Salz, Rich > Sent: Wednesday, January 2, 2019 3:32 PM > To: Paul Hoffman <paul.hoffman@vpnc.org>; Russ Housley > <housley@vigilsec.com> > Cc: spasm@ietf.org; draft-ietf-lamps-hash-of-root-key-cert-extn@ietf.org; IETF > <ietf@ietf.org> > Subject: Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-root-key-cert-extn- > 02.txt> (Hash Of Root Key Certificate Extension) to Informational RFC > > I don't understand what the risk is. > > If a client sees and understands the extension, it can update its trust store to > have the new key. If a client does not see, or does not understand, the > extension, then the trust store will have to be updated out of band, just like it > is now. > > CA's that use this extension must take proper care to ensure that the private > key is not exposed. > > > _______________________________________________ > Spasm mailing list > Spasm@ietf.org > https://www.ietf.org/mailman/listinfo/spasm
- Re: Last Call: <draft-ietf-lamps-hash-of-root-key… Paul Hoffman
- Re: Last Call: <draft-ietf-lamps-hash-of-root-key… Russ Housley
- Re: Last Call: <draft-ietf-lamps-hash-of-root-key… Paul Hoffman
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Salz, Rich
- RE: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Tim Hollebeek
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Stephen Farrell
- RE: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Tim Hollebeek
- Re: Last Call: <draft-ietf-lamps-hash-of-root-key… Russ Housley
- Re: Last Call: <draft-ietf-lamps-hash-of-root-key… Russ Housley
- Re: Last Call: <draft-ietf-lamps-hash-of-root-key… Paul Hoffman
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Daniel Kahn Gillmor
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Russ Housley
- RE: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Jim Schaad
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Daniel Kahn Gillmor
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Russ Housley
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Daniel Kahn Gillmor
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Salz, Rich
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Russ Housley
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Daniel Kahn Gillmor
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Salz, Rich
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Paul Hoffman
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Daniel Kahn Gillmor
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Daniel Kahn Gillmor
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Salz, Rich
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Russ Housley
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Russ Housley
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Russ Housley
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Benjamin Kaduk