IETF Logo Mail Archive

Re: [keyassure] publishing the public key

Henry Story <henry.story@bblfish.net> Tue, 22 February 2011 18:56 UTC

Return-Path: <henry.story@bblfish.net>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A52AE3A67ED for <keyassure@core3.amsl.com>; Tue, 22 Feb 2011 10:56:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.119
X-Spam-Level:
X-Spam-Status: No, score=-3.119 tagged_above=-999 required=5 tests=[AWL=-0.120, BAYES_00=-2.599, J_CHICKENPOX_74=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PwklHGt4Uq1k for <keyassure@core3.amsl.com>; Tue, 22 Feb 2011 10:56:40 -0800 (PST)
Received: from mail-bw0-f54.google.com (mail-bw0-f54.google.com [209.85.214.54]) by core3.amsl.com (Postfix) with ESMTP id 58BE63A6781 for <keyassure@ietf.org>; Tue, 22 Feb 2011 10:56:39 -0800 (PST)
Received: by bwz12 with SMTP id 12so3999443bwz.27 for <keyassure@ietf.org>; Tue, 22 Feb 2011 10:57:23 -0800 (PST)
Received: by 10.204.58.135 with SMTP id g7mr2861079bkh.187.1298401043260; Tue, 22 Feb 2011 10:57:23 -0800 (PST)
Received: from bblfish.home (ALagny-751-1-8-99.w86-218.abo.wanadoo.fr [86.218.107.99]) by mx.google.com with ESMTPS id v25sm4733084bkt.18.2011.02.22.10.57.20 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 22 Feb 2011 10:57:22 -0800 (PST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Apple Message framework v1082)
From: Henry Story <henry.story@bblfish.net>
In-Reply-To: <4D63FD7A.5010203@vpnc.org>
Date: Tue, 22 Feb 2011 19:57:15 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <494A7B4F-8FE1-47D6-880F-EB98FEC7D9D7@bblfish.net>
References: <E1PqbpT-0000pd-Kz@login01.fos.auckland.ac.nz> <alpine.LFD.1.10.1102201747370.26752@newtla.xelerance.com> <4D619C94.8090702@vpnc.org> <93E9FABD-A84A-4A4E-AF96-6E101604F8B4@bblfish.net> <p06240803c98892e88fc4@[59.188.192.152]> <1FAB667F-44F9-4349-B11B-F4FECD51BB81@bblfish.net> <p06240804c988c84933b6@[169.223.137.111]> <B6315D18-AE32-4CE8-A7A5-7D155C1F259B@bblfish.net> <4D63D865.70704@vpnc.org> <8B1B5F4A-AABC-45FD-B4AD-25323E2956D3@bblfish.net> <4D63EB36.40507@vpnc.org> <27F9D8BA-46BD-4FC3-8C7E-51A0F49A3AF8@bblfish.net> <4D63F0F6.6010103@vpnc.org> <1644C26A-4512-46BB-95CC-A465412542E4@bblfish.net> <4D63FD7A.5010203@vpnc.org>
To: Paul Hoffman <paul.hoffman@vpnc.org>, keyassure@ietf.org
X-Mailer: Apple Mail (2.1082)
Subject: Re: [keyassure] publishing the public key
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Feb 2011 18:56:41 -0000

Ok so the following off list conversation between me and Paul, should have helped reduce the 
bandwidth pressure on the group. I'll send it back to the list because I think that at least
I am in sync with how Paul is thinking, so that should help.

On 22 Feb 2011, at 19:16, Paul Hoffman wrote:

> On 2/22/11 9:28 AM, Henry Story wrote:
>> 
>> On 22 Feb 2011, at 18:23, Paul Hoffman wrote:
>> 
>>> On 2/22/11 9:14 AM, Henry Story wrote:
>>>> The TLS protocol currently has the server send the client a
>>>> certificate. The client then just needs to look in DNS to find out if
>>>> the public key in the certificate sent by the server matches the
>>>> public key for the service in DNSsec. So bare public keys in DNSsec
>>>> should work.
>>> 
>>> You have yet to say how the TLS client knows what the public key is for the cert they get in TLS. This was discussed multiple times on the list, and (all?) the other supporters of bare keys have agreed that this is not a trivial thing to do, and have backed down from it. You haven't even addressed the issue. Instead, you keep coming back to "we want to do this in WebID".
>> 
>> Does the following sound ok, or am I answering a different question:
>> 
>> 1. TLS client receives cert from TLS server.
>> 2. TLS client extracts key from cert using normal x509 libs
>> 3. TLS client looks up hosname:port in DNSsec, and finds the bare key
>> 4. TLS client matches key found in 2 with the one found in 3
>> 
>> Is that the kind of thing I should send to the list?  I am not sure at which point the problem arises.
> 
> You can send it to the list, but as has been said on the list already, normal X.509 libraries do not let you extract the key. The few that do might have it in different formats, so doing a direct comparison is impossible. So it feels like the relevant part of your list, step 2, is not based in reality. If you can show me wrong, that's great, but if not, you posting the above list doesn't really help.

Ok. So at this point we are back to WebID.  I am speaking here of WebId only because we needed the same tools as you need in Dane. So we have some experience - not perfect - to go by.
   
  WebID  also requires the public key from the X509 certificate to be extracted. It needs to be extracted on the server (in Dane it will be on the client), and the certificate is the client certificate (in Dane it is the server certificate), but the tools to do that will be the same. 

  http://esw.w3.org/foaf+ssl has listed the many implementations of the above on servers for every widespread programming language. That is we have WebID working in perl, python, c, java, ruby(?), javascript, and others....  Now it is true that for php and javascript there was a lack of ASN.1 parsing tools, so people initially used opensso to parse the key, and extract the relevant information that way. Not very nice but we were trying to see if it works.

The Scala code which we can launch directly into the java SSL layer, and which is an OSGI component is here

https://svn.apache.org/repos/asf/incubator/clerezza/trunk/parent/platform.security.foafssl/core/src/main/scala/org/apache/clerezza/foafssl/ssl/X509TrustManagerWrapperService.scala

as you can see there getting the public key from the certificate is one line of code

    val publicKey = cert0.getPublicKey


In WeBID there is a reason to publish the "bare" public key in a web format such as XML, RDF, html, ... If one wants to put they key in HTML it makes more sense to put the key in a format where people can verify visually the correspondence with what their browser tells them. A big ugly PEM blob is just in my view too much of an eysore, and contains too much mystification.

This issue does not perhaps exist in the same way in DNS and so with DANE, as I think the format there is also quite old, and it is unlikely that people will be looking at DNS records without tools. I just don't know that aspect of DNS very well, so I may be wrong.

   I think that if there were java libs to do a DNSSEC lookup it probably would not be that much work to change the SSL layer reasoner to do a Dane lookup. 

	Henry




Social Web Architect
http://bblfish.net/

v2.23.0 | Report a Bug | By Email