Re: [keyassure] publishing the public key

Martin Rex <mrex@sap.com> Mon, 14 February 2011 17:32 UTC

From: Martin Rex <mrex@sap.com>
Message-Id: <201102141733.p1EHXFfR005827@fs4113.wdf.sap.corp>
To: paul@xelerance.com
Date: Mon, 14 Feb 2011 18:33:15 +0100
In-Reply-To: <alpine.LFD.1.10.1102140915530.3131@newtla.xelerance.com> from "Paul Wouters" at Feb 14, 11 09:19:32 am
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
Cc: keyassure@ietf.org
Subject: Re: [keyassure] publishing the public key
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>

Paul Wouters wrote:
> 
> On Mon, 14 Feb 2011, Henry Story wrote:
> >
> > Why not publish the only piece of the certificate that is important
> > in public key cryptography: the public key.
>
> Yes. This was asked by others including me as well. People thought it would
> be no problem to add this to dane once a bare public key TLS method exists.
> 
> >   An important question is of course: how much bandwidth does one save?
> 
> Bandwidth does not really matter. What matters is latency
> (less round trips) and a riddance of ASN.1 parsing.

The current approach of admins to run a TLS server with a bare public
key is to generate themselves a self-signed (X.509v1) Certificate.
That is probably what many folks are doing when protecting Web access to
their HomeNAS, Home DSL-router, Home DVB-s receiver, etc.

This works with the installed base, in particular with the installed
base of servers.  Though it doesn't work that well with Web Browsers
as clients.  In particular, many recent browsers are pretty badly broken
when it comes to a sensible UI for servers using a self-signed cert.

-Martin
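An added example, not from this thread or from any DANE draft, of what "publishing the public key" amounts to in practice. It starts from the workaround Martin describes (a self-signed X.509 certificate wrapping the key), pulls out the bare SubjectPublicKeyInfo (SPKI) with the openssl CLI, hashes it, and shows that this hash stays the same when the self-signed certificate is regenerated over the same key while the hash of the whole certificate does not. The TLSA presentation format used at the end (usage / selector / matching type / data, with selector 1 meaning SPKI and matching type 1 meaning SHA-256) is that of RFC 6698, which was published after this February 2011 message; the hostname nas.example, the working directory and the serial numbers are made up for the example, and an installed openssl binary is assumed.

```shell
#!/bin/sh
# Added example (not from the keyassure thread): extract and hash the bare
# public key from a self-signed certificate, the way a home-NAS admin's TLS
# setup would expose it, and build a TLSA record over it.
# Assumptions: openssl CLI available; nas.example, paths and serials are made up.
# Record layout (usage 3 = DANE-EE, selector 1 = SPKI, matching type 1 = SHA-256)
# follows RFC 6698, which postdates the 2011 message above.
set -e

WORK="${TMPDIR:-/tmp}/spki-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# 1. The "bare key" workaround Martin describes: a self-signed certificate.
#    -x509 makes openssl req emit a certificate instead of a CSR; -set_serial
#    makes the two certificates below differ even if issued in the same second.
make_selfsigned() {   # $1 = key file (created if missing), $2 = cert file, $3 = serial
    [ -f "$1" ] || openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1" 2>/dev/null
    openssl req -x509 -new -key "$1" -subj "/CN=nas.example" -days 30 \
        -set_serial "$3" -out "$2" 2>/dev/null
}

# 2. Selector 1 (SPKI): the DER SubjectPublicKeyInfo, i.e. only the public key
#    plus its algorithm identifier.  No signature, no validity, no subject name.
spki_sha256() {       # $1 = cert file -> hex SHA-256 of the DER SPKI
    openssl x509 -in "$1" -pubkey -noout \
      | openssl pkey -pubin -outform DER 2>/dev/null \
      | openssl dgst -sha256 -r | cut -d' ' -f1
}

# 3. Selector 0 (full certificate): hash of the whole DER certificate, for contrast.
cert_sha256() {       # $1 = cert file -> hex SHA-256 of the DER certificate
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# 4. Presentation-format TLSA record binding the SPKI hash to a service name.
tlsa_spki_record() {  # $1 = cert file, $2 = port, $3 = host
    printf '_%s._tcp.%s. IN TLSA 3 1 1 %s\n' "$2" "$3" "$(spki_sha256 "$1")"
}

# Demo: two self-signed certs over the SAME key (what happens when the first
# one expires and the admin regenerates it).  The certificate hash changes;
# the SPKI hash, and therefore the published record, does not.
make_selfsigned "$WORK/key.pem" "$WORK/cert1.pem" 1
make_selfsigned "$WORK/key.pem" "$WORK/cert2.pem" 2
echo "cert1 (selector 0): $(cert_sha256 "$WORK/cert1.pem")"
echo "cert2 (selector 0): $(cert_sha256 "$WORK/cert2.pem")"
tlsa_spki_record "$WORK/cert1.pem" 443 nas.example
tlsa_spki_record "$WORK/cert2.pem" 443 nas.example
```

The SPKI is the only part of the self-signed certificate that carries any information the relying party did not already know from DNS, which is why hashing it (rather than the whole certificate, with its serial, dates and self-signature) gives a record that survives routine re-issuance and needs no ASN.1 beyond locating the SPKI in the presented certificate.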