Re: [keyassure] Issues that no longer issues?

Paul Wouters <> Sun, 20 March 2011 23:53 UTC

Date: Sun, 20 Mar 2011 19:54:49 -0400 (EDT)
From: Paul Wouters <>
To: Warren Kumari <>,
User-Agent: Alpine 1.10 (LFD 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Subject: Re: [keyassure] Issues that no longer issues?
List-Id: Key Assurance With DNSSEC <>

On Sun, 20 Mar 2011, Warren Kumari wrote:

> Issue #20: Change the format of the two fields to have fewer certificate types ---- Resolved quite a while ago, and discussed in issue #21. We used different numbers / algorithms.

John Gilmore and I looked at TLS bare public key support and we realised
that it requires no TLS protocol changes if we use RFC6066 trusted_ca_keys
set to pre-agreed(0) in the client's extended hello options, meaning the
server will suppress sending any PKI certs.

This means we will want to add bare public key into this draft, as it
is the only document that would require changes for bare public key to work.

It would require specifying the various bare public key formats (likely
re-use the format from PKIX pubkey field, but use base64 encoding instead
of DER encoding).

This would also require a few textual changes in the draft where it now
states "certificate", as we could be using either a certificate or a bare
public key.
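
Added example, not part of this mail, the keyassure draft or RFC 6066: a Python sketch of the two mechanisms the mail relies on. The first part encodes and strictly parses the RFC 6066 trusted_ca_keys ClientHello extension, including a pre_agreed(0) entry that carries no identifier; the function client_signals_pre_agreed captures the mail's reading of that entry (server may omit its PKI certificates), which is an interpretation, not text from RFC 6066. The second part builds a PKIX SubjectPublicKeyInfo for an RSA key in DER, base64-encodes it for the record as the mail proposes, and refuses to decode text that does not parse back into an SPKI. All function names, the omission of the x509_name identifier type and the toy 64-bit modulus used in the usage note are assumptions of this example.

```python
import base64
import struct
# RFC 6066 section 6: trusted_ca_keys extension type and the IdentifierType values used here.
EXT_TRUSTED_CA_KEYS = 3
ID_PRE_AGREED = 0
ID_KEY_SHA1_HASH = 1
ID_CERT_SHA1_HASH = 3

def build_trusted_ca_keys_extension(authorities):
    """Encode (identifier_type, identifier_bytes) pairs as a complete ClientHello extension."""
    body = b""
    for itype, ident in authorities:
        if itype == ID_PRE_AGREED and not ident:           # pre_agreed carries no identifier
            body += bytes([itype])
        elif itype in (ID_KEY_SHA1_HASH, ID_CERT_SHA1_HASH) and len(ident) == 20:
            body += bytes([itype]) + ident
        else:
            raise ValueError("unsupported or malformed TrustedAuthority")
    data = struct.pack("!H", len(body)) + body            # trusted_authorities_list<0..2^16-1>
    return struct.pack("!HH", EXT_TRUSTED_CA_KEYS, len(data)) + data

def parse_trusted_ca_keys_extension(ext):
    """Strict inverse of the builder: every length field must match exactly."""
    ext_type, ext_len, list_len = struct.unpack("!HHH", ext[:6])
    body = ext[6:]
    if ext_type != EXT_TRUSTED_CA_KEYS or ext_len != len(ext) - 4 or list_len != len(body):
        raise ValueError("not a well-formed trusted_ca_keys extension")
    authorities, i = [], 0
    while i < len(body):
        itype, i = body[i], i + 1
        if itype == ID_PRE_AGREED:
            authorities.append((itype, b""))
        elif itype in (ID_KEY_SHA1_HASH, ID_CERT_SHA1_HASH) and len(body) - i >= 20:
            authorities.append((itype, body[i:i + 20]))
            i += 20
        else:
            raise ValueError("unsupported or truncated TrustedAuthority")
    return authorities

def client_signals_pre_agreed(authorities):
    """The mail's reading of pre_agreed: client already holds the key, server may omit PKI certs."""
    return any(itype == ID_PRE_AGREED for itype, _ in authorities)

# Bare public key as base64 of a PKIX SubjectPublicKeyInfo; OID 1.2.840.113549.1.1.1 (rsaEncryption).
OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")

def _der_tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")     # long-form length for real key sizes
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _der_integer(value):
    b = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return _der_tlv(0x02, b"\x00" + b if b[0] & 0x80 else b)  # leading 0x00 keeps it positive

def build_rsa_spki_der(n, e):
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, subjectPublicKey BIT STRING }"""
    rsa_public_key = _der_tlv(0x30, _der_integer(n) + _der_integer(e))
    alg_id = _der_tlv(0x30, _der_tlv(0x06, OID_RSA_ENCRYPTION) + b"\x05\x00")  # NULL parameters
    return _der_tlv(0x30, alg_id + _der_tlv(0x03, b"\x00" + rsa_public_key))   # 0 unused bits

def _der_read(buf, pos):
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first >= 0x80:
        nb = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    if pos + length > len(buf):
        raise ValueError("DER element overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def parse_spki_der(der):
    """Return (algorithm OID bytes, public key bytes); raise on anything that is not an SPKI."""
    tag, spki, end = _der_read(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("SPKI must be exactly one outer SEQUENCE")
    tag, alg, pos = _der_read(spki, 0)
    oid_tag, oid, _ = _der_read(alg, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("missing AlgorithmIdentifier with OID")
    tag, bits, end = _der_read(spki, pos)
    if tag != 0x03 or end != len(spki) or not bits or bits[0] != 0:
        raise ValueError("bad subjectPublicKey BIT STRING")
    return oid, bits[1:]

def bare_key_to_text(spki_der):
    parse_spki_der(spki_der)            # refuse to publish something that is not an SPKI
    return base64.b64encode(spki_der).decode("ascii")

def bare_key_from_text(text):
    der = base64.b64decode(text, validate=True)
    parse_spki_der(der)                 # a relying party must still check the DER it decoded
    return der
```

Calling build_trusted_ca_keys_extension([(ID_PRE_AGREED, b"")]) yields the seven bytes 00 03 00 03 00 01 00 (type, length, list length, one pre_agreed entry), which is all a client has to add to its hello for the scheme the mail describes. For the record side, build_rsa_spki_der(0xB4C9A3F10F2D7E51, 65537) with a constructed toy modulus gives a 38-byte SPKI whose base64 form is what the mail would have the draft carry instead of raw DER; base64 changes only the transport encoding, so the receiving side still has to walk the DER, which is why bare_key_from_text parses before returning.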