Re: [keyassure] publishing the public key
Phillip Hallam-Baker <hallam@gmail.com> Wed, 16 February 2011 18:01 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 75CEA3A6EE8 for <keyassure@core3.amsl.com>; Wed, 16 Feb 2011 10:01:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.203
X-Spam-Level:
X-Spam-Status: No, score=-2.203 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZKsOq1--fSKp for <keyassure@core3.amsl.com>; Wed, 16 Feb 2011 10:01:34 -0800 (PST)
Received: from mail-gy0-f172.google.com (mail-gy0-f172.google.com [209.85.160.172]) by core3.amsl.com (Postfix) with ESMTP id 4F0C33A6D27 for <keyassure@ietf.org>; Wed, 16 Feb 2011 10:01:34 -0800 (PST)
Received: by gyd12 with SMTP id 12so791423gyd.31 for <keyassure@ietf.org>; Wed, 16 Feb 2011 10:02:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:references:in-reply-to:mime-version :content-transfer-encoding:content-type:message-id:cc:x-mailer:from :subject:date:to; bh=4ck1matOeSLLZnvQnl2swYFxT/tjVl7sT2MxoSerkR0=; b=aFCDTpgCUDgkrFMclKd9hMSB4dQQNo/7ASHBIIXffjaNpBQofZstlux5g9NrUogHMJ hU613vb+yZ/mURFrYYPocmCCbARqLfqCv3mjj+uMIQuk2wT04ajuFCCVlyBpV3Se7z1r BAuSk9znwVzBE9E9kiJWHSDvm85FiTc9F2Bas=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=references:in-reply-to:mime-version:content-transfer-encoding :content-type:message-id:cc:x-mailer:from:subject:date:to; b=qzBIS94FbvVSbQSNDle98zvWZUUqFfkR+fqIdeFW8G4DBUFYOwBwZ7m27IiwSeB2yd hO9gIGhRaw9hq/s1eLW/BH3cEj3P0aWGcBzklKpLbo4YiXxX4nlrsGEZsHOXffaCjOXD 8tcb+T+TkZWvYcPz/aB4TXhSFrRSRWxDx0VzI=
Received: by 10.150.135.18 with SMTP id i18mr1093456ybd.278.1297879322090; Wed, 16 Feb 2011 10:02:02 -0800 (PST)
Received: from [10.31.190.225] ([166.205.139.98]) by mx.google.com with ESMTPS id w24sm3402906ybk.21.2011.02.16.10.01.56 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 16 Feb 2011 10:02:00 -0800 (PST)
References: <928BE494-C59D-4FFF-9390-C459A4BC2107@bblfish.net> <20110214124617.GA31136@LK-Perkele-VI.localdomain>
In-Reply-To: <20110214124617.GA31136@LK-Perkele-VI.localdomain>
Mime-Version: 1.0 (iPad Mail 8C148)
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="us-ascii"
Message-Id: <9FD85E34-EDB8-4901-915B-E7560C87954A@gmail.com>
X-Mailer: iPad Mail (8C148)
From: Phillip Hallam-Baker <hallam@gmail.com>
Date: Wed, 16 Feb 2011 10:01:49 -0800
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Cc: "keyassure@ietf.org" <keyassure@ietf.org>
Subject: Re: [keyassure] publishing the public key
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Feb 2011 18:01:35 -0000
A much better saving is to use the tls option that allows for fast rekey by means of a kerberos like ticket stored on the client side. That approach means the client does one key exchange and that is leveraged over multiple http sessions. The cert is only a kb, self signed certs are less and your main saving would be not having the signature. Looking at the tls key exchange, what matters is packets, not really bytes. I dont think you will find certs vs keys saves a packet. Sent from my iPad On Feb 14, 2011, at 4:46, Ilari Liusvaara <ilari.liusvaara@elisanet.fi> wrote: > On Mon, Feb 14, 2011 at 11:20:33AM +0100, Henry Story wrote: >> Hi, >> >> In draft-dane-04 [1] one can currently only publish either a signature >> or a certificate in the DNS. That is the only allowed formats of the >> resource record are as specified in section 2.2 >> >> 1 -- Hash of an end-entity certificate >> 2 -- Full end-entity certificate in DER encoding >> 3 -- Hash of an certification authority's certificate >> 4 -- Full certification authority's certificate in DER encoding >> >> Why not publish the only piece of the certificate that is important in >> public key cryptography: the public key. ( This is what WebID does >> currently ) This should be shorter than the certificate, and though it >> will be longer than the signature, it will be a lot more useful, tying >> the publisher much less to a particular serialisation format. So you >> reduce the PGP/X509 disagreements. > > Unfortunately TLS requires sending the full certificate. Yes, one could > define a new certificate type that contained just the public key, but > that would require a IETF consensus (RFC through TLS working > group[1]). > > Then one would define new DANE ceritifcate type (3 [2] or 5/6) to > match that. > > <snip idea of certificate URLs> > > I don't think that would be possible to use without new certificate > type either. > > As for bandwidth, sure it would save some. One can send well-secured > key in roughly 80 bytes total (including CertificateType extension). > Modern X.509 certs are far larger[3], even if restricted to bare > minimum fields. > > As for what this would be useful for: If the raw key format would > be easily parsed, it would save lots of tricky ASN.1 and X.509 > parsing (yes, there are libraries for that) > > > > > [1] Not entierely accurate, it is RFC approved by IESG (and they'll > consult TLS WG). > > [2] Since those 4 types could be collapsed to 2 (2 of those require > second byte to be zero and 2 require nonzero second byte) > > [3] There's also subtle performance issue there. Those certificates > can be so large that TCP windows get overflowed. As consequence, > either one has to break TCP spec (many sites do this) or suffer > a latency hit. > > -Ilari > _______________________________________________ > keyassure mailing list > keyassure@ietf.org > https://www.ietf.org/mailman/listinfo/keyassure
- Re: [keyassure] publishing the public key Henry Story
- [keyassure] publishing the public key Henry Story
- Re: [keyassure] publishing the public key Ilari Liusvaara
- Re: [keyassure] publishing the public key Henry Story
- Re: [keyassure] publishing the public key Paul Wouters
- Re: [keyassure] publishing the public key Henry Story
- Re: [keyassure] publishing the public key Paul Hoffman
- Re: [keyassure] publishing the public key Paul Hoffman
- Re: [keyassure] publishing the public key Paul Wouters
- Re: [keyassure] publishing the public key Martin Rex
- Re: [keyassure] publishing the public key Henry Story
- Re: [keyassure] publishing the public key Martin Rex
- Re: [keyassure] publishing the public key Paul Wouters
- Re: [keyassure] publishing the public key Scott Schmit
- Re: [keyassure] Issue #14 - publishing the public… Warren Kumari
- Re: [keyassure] Issue #14 - publishing the public… Paul Hoffman
- Re: [keyassure] publishing the public key Paul Wouters
- Re: [keyassure] publishing the public key Paul Wouters
- Re: [keyassure] publishing the public key Paul Hoffman
- Re: [keyassure] publishing the public key Paul Wouters
- Re: [keyassure] publishing the public key Henry Story
- Re: [keyassure] publishing the public key Henry Story
- Re: [keyassure] publishing the public key Ilari Liusvaara
- Re: [keyassure] publishing the public key Paul Hoffman
- Re: [keyassure] publishing the public key Paul Wouters
- Re: [keyassure] publishing the public key Yaron Sheffer
- Re: [keyassure] publishing the public key Ilari Liusvaara
- Re: [keyassure] publishing the public key Yaron Sheffer
- Re: [keyassure] publishing the public key John Gilmore
- Re: [keyassure] publishing the public key Paul Wouters
- Re: [keyassure] publishing the public key Phillip Hallam-Baker
- Re: [keyassure] publishing the public key Peter Gutmann
- Re: [keyassure] publishing the public key Peter Gutmann
- Re: [keyassure] publishing the public key Peter Gutmann
- Re: [keyassure] publishing the public key Peter Gutmann
- Re: [keyassure] publishing the public key Henry Story
- Re: [keyassure] publishing the public key Phillip Hallam-Baker
- Re: [keyassure] publishing the public key Henry Story
- Re: [keyassure] publishing the public key Paul Hoffman
- Re: [keyassure] publishing the public key Peter Gutmann
- Re: [keyassure] publishing the public key Phillip Hallam-Baker
- Re: [keyassure] publishing the public key Henry Story
- Re: [keyassure] publishing the public key Henry Story
- Re: [keyassure] publishing the public key Peter Gutmann
- Re: [keyassure] publishing the public key Henry Story
- Re: [keyassure] publishing the public key Paul Wouters
- Re: [keyassure] publishing the public key Paul Wouters
- Re: [keyassure] publishing the public key Paul Hoffman
- Re: [keyassure] publishing the public key Paul Wouters
- Re: [keyassure] publishing the public key Paul Hoffman
- Re: [keyassure] publishing the public key Phillip Hallam-Baker
- Re: [keyassure] publishing the public key Peter Gutmann
- Re: [keyassure] publishing the public key Henry Story
- Re: [keyassure] publishing the public key Stephen Kent
- Re: [keyassure] publishing the public key Henry Story
- Re: [keyassure] publishing the public key Stephen Kent
- Re: [keyassure] publishing the public key Henry Story
- Re: [keyassure] publishing the public key Paul Hoffman
- Re: [keyassure] publishing the public key Henry Story
- Re: [keyassure] publishing the public key Henry Story
- Re: [keyassure] publishing the public key Stephen Kent
- Re: [keyassure] publishing the public key Henry Story