IETF Logo Mail Archive

Re: [keyassure] publishing the public key

Henry Story <henry.story@bblfish.net> Mon, 14 February 2011 14:54 UTC

Return-Path: <henry.story@bblfish.net>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1ACB03A6A97 for <keyassure@core3.amsl.com>; Mon, 14 Feb 2011 06:54:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.656
X-Spam-Level:
X-Spam-Status: No, score=-3.656 tagged_above=-999 required=5 tests=[AWL=-0.057, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GRTju6yM8zkn for <keyassure@core3.amsl.com>; Mon, 14 Feb 2011 06:54:40 -0800 (PST)
Received: from mail-bw0-f44.google.com (mail-bw0-f44.google.com [209.85.214.44]) by core3.amsl.com (Postfix) with ESMTP id 8FAB43A6D50 for <keyassure@ietf.org>; Mon, 14 Feb 2011 06:54:40 -0800 (PST)
Received: by bwz12 with SMTP id 12so6079547bwz.31 for <keyassure@ietf.org>; Mon, 14 Feb 2011 06:55:02 -0800 (PST)
Received: by 10.204.52.138 with SMTP id i10mr3503785bkg.23.1297695301706; Mon, 14 Feb 2011 06:55:01 -0800 (PST)
Received: from bblfish.home (ALagny-751-1-9-11.w83-112.abo.wanadoo.fr [83.112.80.11]) by mx.google.com with ESMTPS id rc9sm1832745bkb.14.2011.02.14.06.54.59 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 14 Feb 2011 06:55:00 -0800 (PST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Apple Message framework v1082)
From: Henry Story <henry.story@bblfish.net>
In-Reply-To: <alpine.LFD.1.10.1102140915530.3131@newtla.xelerance.com>
Date: Mon, 14 Feb 2011 15:54:57 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <9A1C69DD-0AA3-470A-AA7A-A1629E94440C@bblfish.net>
References: <928BE494-C59D-4FFF-9390-C459A4BC2107@bblfish.net> <alpine.LFD.1.10.1102140915530.3131@newtla.xelerance.com>
To: keyassure@ietf.org
X-Mailer: Apple Mail (2.1082)
Subject: Re: [keyassure] publishing the public key
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Feb 2011 14:54:42 -0000

On 14 Feb 2011, at 15:19, Paul Wouters wrote:

> On Mon, 14 Feb 2011, Henry Story wrote:
> 
>> In draft-dane-04 [1] one can currently only publish either a signature or a certificate in the DNS. That is the only allowed formats of the resource record are as specified in section 2.2
>> 
>> 1 -- Hash of an end-entity certificate
>> 2 -- Full end-entity certificate in DER encoding
>> 3 -- Hash of an certification authority's certificate
>> 4 -- Full certification authority's certificate in DER encoding
>> 
>> Why not publish the only piece of the certificate that is important in public key cryptography: the public key. ( This is what WebID does currently ) This should be shorter than the certificate, and though it will be longer than the signature, it will be a lot more useful, tying the publisher much less to a particular serialisation format. So you reduce the PGP/X509 disagreements.
> 
> Yes. This was asked by others including me as well. People thought it would be no
> problem to add this to dane once a bare public key TLS method exists.
> 
>>  An important question is of course: how much bandwidth does one save?
> 
> Bandwidth does not really matter. What matters is latency (less round trips) and a riddance of ASN.1
> parsing.
> 
> If you want to help writing a bare public key TLS variant, please contact me.

What do you mean by a bare public key TLS variant? You mean start an IETF group
to spec out how the client and the server should communicate in a TLS variant
that would not require the server to send a certificate? Or is this something that
one needs to do to explain how a User Agent can prove authenticity of the server from
a public key alone? (That's so simple it's a bit difficult to even see how to write it)
Or is it just that one needs to specify text for dane? Or is dane a subproject of 
keyassure, and this is referring to some other project here? Or is do
we just need to specify some text that is going to go into dane?

Sorry. I don't have a good picture of the web of specs that dane is tied into.

If its longer project I probably won't have time to do this myself as I am already 
quite tied up with WebID. But if I know what is needed we could write up a little 
note on the W3C WebID Incubator Group ( http://tinyurl.com/webidxg ) for our final 
report on what browser improvements would be helpful, and why. Hopefully this will 
be something that the browser vendors at the W3C could have a closer look at. But
it really depends on how long the project is. Perhaps there are people on our list who
have more time to participate. Perhaps this won't take so long to do...

	Henry


> 
> Paul

Social Web Architect
http://bblfish.net/

v2.23.0 | Report a Bug | By Email