IETF Logo Mail Archive

Re: [keyassure] Bare keys again

Paul Wouters <paul@xelerance.com> Mon, 21 March 2011 00:39 UTC

Return-Path: <paul@xelerance.com>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 197683A6C01 for <keyassure@core3.amsl.com>; Sun, 20 Mar 2011 17:39:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.59
X-Spam-Level:
X-Spam-Status: No, score=-2.59 tagged_above=-999 required=5 tests=[AWL=0.009, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M9PE9cQndLXI for <keyassure@core3.amsl.com>; Sun, 20 Mar 2011 17:39:07 -0700 (PDT)
Received: from newtla.xelerance.com (newtla.xelerance.com [193.110.157.143]) by core3.amsl.com (Postfix) with ESMTP id F17853A6A07 for <keyassure@ietf.org>; Sun, 20 Mar 2011 17:39:06 -0700 (PDT)
Received: from tla.xelerance.com (tla.xelerance.com [193.110.157.130]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by newtla.xelerance.com (Postfix) with ESMTP id BF1A2C582; Sun, 20 Mar 2011 20:40:36 -0400 (EDT)
Date: Sun, 20 Mar 2011 20:40:35 -0400
From: Paul Wouters <paul@xelerance.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <9D285351-8D73-4C15-BE2C-5DF731C08DCE@vpnc.org>
Message-ID: <alpine.LFD.1.10.1103202028110.20162@newtla.xelerance.com>
References: <92D68A5E-5CB7-4C80-8D7B-0B8D55D93608@kumari.net> <alpine.LFD.1.10.1103201932370.20162@newtla.xelerance.com> <9D285351-8D73-4C15-BE2C-5DF731C08DCE@vpnc.org>
User-Agent: Alpine 1.10 (LFD 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format="flowed"; charset="US-ASCII"
Cc: keyassure@ietf.org
Subject: Re: [keyassure] Bare keys again
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Mar 2011 00:39:08 -0000

On Sun, 20 Mar 2011, Paul Hoffman wrote:

> The definition in RFC 6066 for pre-agreed is "no CA root key identity supplied".  Later in the section it says "The option to include no CA root keys is included to allow the client to indicate possession of some pre-defined set of CA root keys." Note the use of "CA root key" in both of those.

Yes. The predefined set of (required) CA root keys is the empty set. But whether
it is a preloaded set from Versign or a preloaded set from Komodo, or a preloaded
empty set is irrelevant to the server receiving a TLS trusted_ca_keys extended option.

>> This means we will want to add bare public key into this draft, as it
>> is the only document that would require changes for bare public key to work.
>
> If you want to add bare CA keys, that's fine, but I suspect that you actually want to add bare end entity keys, and RFC 6066 doesn't allow that.

That difference is muddy anyway, isn't it? Isn't a self-signed certificate a CA?

> If you are truly interested in bare CA keys, we can make that change if the WG wants. However, I have heard no interest in bare CA keys from anyone (including you) before today; all of the discussion of bare keys was for end entity keys. For that, I believe you actually need to write an extension to TLS.

We are talking about end entity keys.

The client sends its hello message saying "I have all the CA root trust
anchors I need from pre-agreement".  Whether that means it got information
from DNSSEC/DANE or elsewhere does not matter. What matters is, is that
the client can start the TLS handshake without the server sending any
PKIX certs.

It can already accomplish this without using trusted_ca_keys, or if the
server does not support the 6066 extension to supress sending its CA
cert chain(s).

Whether the client does this because it is "memory starved" (as per 6066)
or because it obtained trust in the server pubkey via another set of
non-CA trust anchors does not really matter. All the server needs to
know is that it can ommit sending a giant blob of PKIX to the client.

The *only* thing needed for bare public keys to work is that the client
does the DNS lookup for the bare key using DANE. No TLS protocol change
is needed. Therefor, all we need is a method for specifying bare public
keys in DNS, for which my previous email proposed a structure.

Yes, we could make a TLS extension for "public_key" that works like server_name,
or we could extend server_name to take a new type "public_key", but there
is simply no need for such an extension, as the server does not need this
information and cannot do anyting with this information that is not already
covered with trusted_ca_keys.

Paul

v2.23.0 | Report a Bug | By Email