IETF Logo Mail Archive

Re: [keyassure] Bare keys again

Martin Rex <mrex@sap.com> Mon, 21 March 2011 21:40 UTC

Return-Path: <mrex@sap.com>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EE3C53A68E4 for <keyassure@core3.amsl.com>; Mon, 21 Mar 2011 14:40:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.223
X-Spam-Level:
X-Spam-Status: No, score=-10.223 tagged_above=-999 required=5 tests=[AWL=0.026, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7ub8x+n7zWOs for <keyassure@core3.amsl.com>; Mon, 21 Mar 2011 14:40:46 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by core3.amsl.com (Postfix) with ESMTP id 935543A68E8 for <keyassure@ietf.org>; Mon, 21 Mar 2011 14:40:46 -0700 (PDT)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id p2LLgHL1021046 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 21 Mar 2011 22:42:17 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <201103212142.p2LLgHQS017649@fs4113.wdf.sap.corp>
To: paul@xelerance.com
Date: Mon, 21 Mar 2011 22:42:17 +0100
In-Reply-To: <alpine.LFD.1.10.1103211631260.20162@newtla.xelerance.com> from "Paul Wouters" at Mar 21, 11 04:39:01 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
Cc: keyassure@ietf.org
Subject: Re: [keyassure] Bare keys again
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Mar 2011 21:40:54 -0000

Paul Wouters wrote:
> 
> On the contrary, that is *exactly* what the goal of 6066 is. It specifies as
> reason "memory starved clients" and "reducing bandwidth", but why is that
> list treated as an exclusive list?

The real purpose of rfc6066 is really only what the last paragraph
of the definition of this TLS extension says:

http://tools.ietf.org/html/rfc6066#section-6

   Servers that receive a client hello containing the "trusted_ca_keys"
   extension MAY use the information contained in the extension to guide
   their selection of an appropriate certificate chain to return to the
   client.  In this event, the server SHALL include an extension of type
   "trusted_ca_keys" in the (extended) server hello.  The
   "extension_data" field of this extension SHALL be empty.


The semantics of a "Server Certificate" handshake message with
no Certificates in it is UNDEFINED and therefore prohibited.

The semantics of a "Client Certificate" handshake message with
no Certificates is "NO client certificate" with _no_ slack.

The TLS requirement for the Certificate handshake message says this:

http://tools.ietf.org/html/rfc5246#section-7.4.2

   Structure of this message:

      opaque ASN.1Cert<1..2^24-1>;

      struct {
          ASN.1Cert certificate_list<0..2^24-1>;
      } Certificate;

   certificate_list
      This is a sequence (chain) of certificates.  The sender's
      certificate MUST come first in the list.  Each following
      certificate MUST directly certify the one preceding it.  Because
      certificate validation requires that root keys be distributed
      independently, the self-signed certificate that specifies the root
      certificate authority MAY be omitted from the chain, under the
      assumption that the remote end must already possess it in order to
      validate it in any case.


There certainly are no "pre_agreed" semantics for the End-Entity(!)
certificate in the TLS Certificate handshake message.

What might be permissible (but is not an official part of the TLS spec)
is to send the certificate chain only up to a signer known to the
TLS peer.  The CertificateRequest handshake message conveys the
signer trusted by the Server to the client, so certificate path
validation should be possible for a cert chain up to one of the
announced trusted signers.


If the client uses the TrustedAuthorities TLS extension, then
personally, I would consider it permissible (but that is not
officially part of the spec!) for the server to send his own
cert chain only up to one of the trusted signers announced
by the client through the TrustedAuthorities TLS extension.



-Martin

v2.23.0 | Report a Bug | By Email