Re: [Lurk] [TLS] WG Call for adoption of draft-rescorla-tls-subcerts

Watson Ladd <watsonbladd@gmail.com> Tue, 18 July 2017 16:34 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: lurk@ietfa.amsl.com
Delivered-To: lurk@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C024C131B93; Tue, 18 Jul 2017 09:34:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dtj6RNr5RjCv; Tue, 18 Jul 2017 09:34:29 -0700 (PDT)
Received: from mail-pg0-x234.google.com (mail-pg0-x234.google.com [IPv6:2607:f8b0:400e:c05::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B57F9131B92; Tue, 18 Jul 2017 09:34:28 -0700 (PDT)
Received: by mail-pg0-x234.google.com with SMTP id v190so15592522pgv.2; Tue, 18 Jul 2017 09:34:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=YN2Z3p9qjLMabBSt4bR8H5wgmrLDp9dSKm1sgx4z8JQ=; b=ZahaPho2oQELeV46Egwm1zw4mjREsiYyB5EGBWyGJtlVSNC0yVQF99cqkOX+8VZDaE 9jG7cyklN3BJIu/4cEVh8kA4vZ1w5zjBe7l2wA5dSBz6xQAZekmv4sD+Ztb3xqnbzCXj z6j3Gi0oyIzWDC7XYrha+pGkH75whg1zaEk+W6xIiA4ZM7atYSWBm7Kvw3mTDUs0Upyz uYFnuRm9K3ybZNa8FrP2GiqLcUiMppQOX6jkp+PKQKGMdBvejtiHs82NoYAXKk4lQ1xA dllnzOICr48lM9ev3AZXsK2sPA/MGYahgVlFbPTXQFQySnk9duMVhWwMtjsSb69iN1aJ 6kiA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=YN2Z3p9qjLMabBSt4bR8H5wgmrLDp9dSKm1sgx4z8JQ=; b=CR86bV5BaPdp1nipb886wSItrf4RA8pGvRuL2j1tJl9Ksuvm25M3tdqrwNGoVoj6AN P/bL8ZVeN9DZNhvPNpMYk5LJrplOiXemM4jpZlZc4NmpUCnOs9iky3CSo3EFpgpLCt+a UET6ES3+DA3mhZD1SkYYoooAHy1gIEmfyv8EQPHcftbjIwio6sKhlDsBRLYdyUE1SRYO CDVLmW3f+goHh1d4Jm4efvTmKwxZCJrXGPo00cQQWQ8GK3p8MRTnBpTMs6zGgAFVbeLG 6cKeSJS78S31VzFQqZIVEiO37giZLcqZoi6GihPHaNWzyoFUouS2ebd7VbGInFEoORo9 VUAw==
X-Gm-Message-State: AIVw111D1YnmlQwTozeC3RVEy6q7xa/Jb5oo+bGqcOYLigUBT3ZSp9N2 p6iEFSaUtdLXjOnn4UI7SoBTVl1fpYsS
X-Received: by 10.98.7.87 with SMTP id b84mr2564504pfd.216.1500395668310; Tue, 18 Jul 2017 09:34:28 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.187.77 with HTTP; Tue, 18 Jul 2017 09:34:27 -0700 (PDT)
Received: by 10.100.187.77 with HTTP; Tue, 18 Jul 2017 09:34:27 -0700 (PDT)
In-Reply-To: <BB0F27F7-F5CF-4512-A5D1-17E557D5D295@nokia.com>
References: <601C7C89-F149-4E97-A474-C128041925EA@sn3rd.com> <0956863E-7D11-47A7-BD67-5D9DB3A3574A@sn3rd.com> <CAOjisRwm=YRigbTuNSuXUAK_iQkPZnA=R8OSwHRDBGU477vzjg@mail.gmail.com> <61435CE8-3A17-4773-8329-54908985FB80@nokia.com> <CAOjisRzxDj-+oQeh6ALPV4Sb2FpRRVq44_BZ_mKciDC=HgJqng@mail.gmail.com> <BB0F27F7-F5CF-4512-A5D1-17E557D5D295@nokia.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Tue, 18 Jul 2017 09:34:27 -0700
Message-ID: <CACsn0cmcpQmCRopR7Rwq9Gjs4SbNuJu1LyyqAPGTqNbfjwLS9Q@mail.gmail.com>
To: "Fossati, Thomas (Nokia - GB/Cambridge, UK)" <thomas.fossati@nokia.com>
Cc: LURK BoF <lurk@ietf.org>, tls@ietf.org, Sean Turner <sean@sn3rd.com>, Nick Sullivan <nicholas.sullivan@gmail.com>
Content-Type: multipart/alternative; boundary="001a1143ccc4d5107c05549a1653"
Archived-At: <https://mailarchive.ietf.org/arch/msg/lurk/-HV3QA3FVzfkNRMWP3zvE-XmNP8>
Subject: Re: [Lurk] [TLS] WG Call for adoption of draft-rescorla-tls-subcerts
X-BeenThere: lurk@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Limited Use of Remote Keys <lurk.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lurk>, <mailto:lurk-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lurk/>
List-Post: <mailto:lurk@ietf.org>
List-Help: <mailto:lurk-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lurk>, <mailto:lurk-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Jul 2017 16:34:32 -0000

On Jul 18, 2017 9:26 AM, "Fossati, Thomas (Nokia - GB/Cambridge, UK)" <
thomas.fossati@nokia.com>; wrote:

Hi Nick,



Your write-up is spot on, thanks.



Let me comment on a few points:



“How much Delegated Credentials can be rotated and diversified inside an
organization is only limited by the operational ability of the organization
that has control of the EE private key.”



The self-service/agile nature of D-C is great. With that, though, comes a
cost of ownership that maybe not all players can afford.


Outsourcing to get to something like short lived certs is possible here. If
you can put a cert on a webserver I'm sure you can put it on a delegated
credential creator and point your server at it.



- Introduces a high-risk operational dependency on external party:

-- Requires frequent exchanges with an external Certificate Authority (must
provide proof of domain possession to CA vs. internally managed credential
minter for delegated credentials).



There should be ways to mitigate this, say allowing the next S-T in line to
be available “long enough” before it becomes active.



-- There is no fallback if the CA has outage. With delegated credentials
you can fall back to a LURK-style protocol with the long-lived certificate
key.



I understand the logics but, since LURK boxes don’t scale, the cost to
cover your entire footprint for the sporadic cases when the CA is down
might be a bit prohibitive.


CA reliability is not good.



Cheers, t





On 18/07/2017, 14:35, "Nick Sullivan" <nicholas.sullivan@gmail.com>; wrote:



Thomas,

Thanks for your comments. Let me see if I can summarize them:

- A disadvantage of delegated credentials vs short-lived certs is that it
requires client opt-in. This is also a disadvantage of proxy certificates.
If client support is below 100%, a LURK-type system may be required to keep
long-term private keys off TLS termination endpoints.
- A disadvantage of delegated credentials is that it requires software
updates on both client and server. This is also a disadvantage of proxy
certificates. I think this is covered by my point below: "Short lived certs
work with existing libraries, no new code changes."

- An advantage of short-lived certificates is that there is an audit log by
a third party (either the CA's internal logs and optionally Certificate
Transparency logs).

I should state that short-lived certificates are possible right now and
it's supported by some CAs, though not necessarily at the scale needed to
provide, say, a unique 7-day certificate for each server of a large
Internet company. This draft's advantages apply most strongly to
organizations who don't want to tie their ability to have functional TLS on
the ability for CAs to maintain high-availability issuance services.  How
much Delegated Credentials can be rotated and diversified inside an
organization is only limited by the operational ability of the organization
that has control of the EE private key.



Nick



On Tue, Jul 18, 2017 at 1:40 PM Fossati, Thomas (Nokia - GB/Cambridge, UK) <
thomas.fossati@nokia.com>; wrote:

Hi Nick,



I am not against delegated credentials, in fact I think it’s a good thing
per se.



I had expressed a couple of concerns at the time the call for adoption was
first issued [1], which I think are still valid.



Could you please comment on / add them to your pro-cons analysis?



Cheers, thanks,

t



[1] https://www.ietf.org/mail-archive/web/tls/current/msg22966.html



On 18/07/2017, 12:06, "TLS on behalf of Nick Sullivan" <tls-bounces@ietf.org
on behalf of nicholas.sullivan@gmail.com>; wrote:



Sean,

We've had some additional discussions in person here at IETF 99 with folks
who were in the proxy certificates and short-lived certs camp, and we think
there is now more agreement that the mechanism described in this draft is
superior to the alternatives. I've included a summary of some of the pros
and cons of the approaches:

*Proxy certificates vs. Delegated Credentials*

*Pro proxy certificates*:

- Already deployed in some industries, though not on the Web.

- Fits the conceptual model that public key == certificate.

*Con proxy certificates*:

- Proxy certificates adds additional complexity to the delegation other
than limiting the time period (full X.509, additional constraints  such as
hostname).

- Encourages implementers to reuse PKIX libraries rather than build code as
part of TLS:
-- There have been problems and inconsistencies around pathlen and
constraints enforcement in existing PKIX libraries.
-- Modifying these libraries is more complex and risk prone than delegated
creds (which can easily be implemented in TLS as demonstrated by the 3
interoperable implementations at the IETF 98 hackathon).

- In proxy certificates, pathing is SKI dependent, not directly tied to EE
cert. This is a binding weaker than delegated credentials which includes a
signature over the EE certificate.



*Short-lived certs vs. Delegated Credentials*

*Pro short-lived certs*:

- Short lived certs work with existing libraries, no new code changes.

*Con short-lived certs*:

- Not widely available from CAs, especially for EV.

- Potentially problematic to the CT ecosystem (all certificates must be
logged in CT, which may bloat them).

- Introduces a high-risk operational dependency on external party:
-- Requires frequent exchanges with an external Certificate Authority (must
provide proof of domain possession to CA vs. internally managed credential
minter for delegated credentials).

-- There is no fallback if the CA has outage. With delegated credentials
you can fall back to a LURK-style protocol with the long-lived certificate
key.



Given these comparisons, we think the proposed draft is the superior option
and would like to continue the discussion about adopting it.



Nick



On Fri, May 19, 2017 at 12:58 AM Sean Turner <sean@sn3rd.com>; wrote:

All,

During the WG call for adoption, a couple of questions were raised about
comparison/analysis of sub-certs versus proxy and/or short-lived
certificates.  There is some discussion currently in the draft, but the
chairs feel that these issues need further discussion (and elaboration in
the draft) prior to WG adoption.  So let’s keep the conversation going.

J&S

> On Apr 12, 2017, at 15:31, Sean Turner <sean@sn3rd.com>; wrote:
>
> All,
>
> At our IETF 98 session, there was support in the room to adopt
draft-rescorla-tls-subcerts [0].  We need to confirm this support on the
list so please let the list know whether you support adoption of the draft
and are willing to review/comment on the draft before 20170429.  If you
object to its adoption, please let us know why.
>
> Clearly, the WG is going to need to work through the trade-offs between
short-lived certificates and sub-certs because both seem, to some, to be
addressing the same problem.
>
> Cheers,
>
> J&S
>
> [0] https://datatracker.ietf.org/doc/html/draft-rescorla-tls-subcerts

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls