IETF Logo Mail Archive

Re: [keyassure] Bare keys again

Eric Rescorla <ekr@rtfm.com> Mon, 21 March 2011 15:35 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D79173A687E for <keyassure@core3.amsl.com>; Mon, 21 Mar 2011 08:35:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.937
X-Spam-Level:
X-Spam-Status: No, score=-102.937 tagged_above=-999 required=5 tests=[AWL=0.040, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uSA8qv75vQQt for <keyassure@core3.amsl.com>; Mon, 21 Mar 2011 08:35:32 -0700 (PDT)
Received: from mail-gx0-f182.google.com (mail-gx0-f182.google.com [209.85.161.182]) by core3.amsl.com (Postfix) with ESMTP id BE57F3A687C for <keyassure@ietf.org>; Mon, 21 Mar 2011 08:35:32 -0700 (PDT)
Received: by gxk28 with SMTP id 28so3421368gxk.27 for <keyassure@ietf.org>; Mon, 21 Mar 2011 08:37:05 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.91.82.1 with SMTP id j1mr1930157agl.15.1300721824872; Mon, 21 Mar 2011 08:37:04 -0700 (PDT)
Received: by 10.90.72.16 with HTTP; Mon, 21 Mar 2011 08:37:01 -0700 (PDT)
In-Reply-To: <2DDA94E3-3DF7-4A41-8C80-F1790B07C45C@vpnc.org>
References: <92D68A5E-5CB7-4C80-8D7B-0B8D55D93608@kumari.net> <alpine.LFD.1.10.1103201932370.20162@newtla.xelerance.com> <9D285351-8D73-4C15-BE2C-5DF731C08DCE@vpnc.org> <alpine.LFD.1.10.1103202028110.20162@newtla.xelerance.com> <2DDA94E3-3DF7-4A41-8C80-F1790B07C45C@vpnc.org>
Date: Mon, 21 Mar 2011 08:37:01 -0700
Message-ID: <AANLkTinj=OKZeShVxid0AQvmxkabFsB2OhBtZS7QFqt0@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: keyassure@ietf.org
Subject: Re: [keyassure] Bare keys again
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Mar 2011 15:35:34 -0000

On Sun, Mar 20, 2011 at 6:10 PM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> On Mar 20, 2011, at 5:40 PM, Paul Wouters wrote:
>> Yes, we could make a TLS extension for "public_key" that works like server_name,
>> or we could extend server_name to take a new type "public_key", but there
>> is simply no need for such an extension, as the server does not need this
>> information and cannot do anyting with this information that is not already
>> covered with trusted_ca_keys.
>
> We fully disagree about what the TLS 1.2 spec says. I'm happy to be wrong about this if folks in the TLS WG agree with you, but your interpretation seems novel, to say the least. I understand you not wanting to spend the effort to do this properly with an extension to TLS; however, this WG cannot just say that we don't care about the requirements in TLS 1.2.


[Speaking as an individual]
IMO the requirements of 5246 are fairly clear here:


7.4.2.  Server Certificate

   When this message will be sent:

      The server MUST send a Certificate message whenever the agreed-
      upon key exchange method uses certificates for authentication
      (this includes all key exchange methods defined in this document
      except DH_anon).  This message will always immediately follow the
      ServerHello message.

   Meaning of this message:

      This message conveys the server's certificate chain to the client.

      The certificate MUST be appropriate for the negotiated cipher
      suite's key exchange algorithm and any negotiated extensions.

   Structure of this message:

      opaque ASN.1Cert<1..2^24-1>;

      struct {
          ASN.1Cert certificate_list<0..2^24-1>;
      } Certificate;

   certificate_list
      This is a sequence (chain) of certificates.  The sender's
      certificate MUST come first in the list.  Each following
      certificate MUST directly certify the one preceding it.  Because
      certificate validation requires that root keys be distributed
      independently, the self-signed certificate that specifies the root
      certificate authority MAY be omitted from the chain, under the
      assumption that the remote end must already possess it in order to
      validate it in any case.


In other words, when using any of the ordinarily certificate-based cipher suites
(i.e., all the ones that everyone actually uses), it is not
permissible either to omit the
Certificate message or to have it be empty. This is not to say, of
course, that you
could not design an extension which would modify this behavior, but in the
absence of such an extension, any server which does not send its certificate
would not comply with RFC 5246.




[Speaking as TLS WG Chair]
An extension along the lines indicated would change basic properties of TLS and
IMO would need to go through the TLS WG, and certainly is outside the remit
of this WG.

-Ekr

v2.23.0 | Report a Bug | By Email