Re: [Lurk] Fwd: New Version Notification for draft-sheffer-lurk-cert-delegation-00.txt
"Fossati, Thomas (Nokia - GB)" <thomas.fossati@nokia.com> Wed, 25 May 2016 10:00 UTC
Return-Path: <thomas.fossati@nokia.com>
X-Original-To: lurk@ietfa.amsl.com
Delivered-To: lurk@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A171212D19D for <lurk@ietfa.amsl.com>; Wed, 25 May 2016 03:00:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.921
X-Spam-Level:
X-Spam-Status: No, score=-6.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0gHkheqbSIjH for <lurk@ietfa.amsl.com>; Wed, 25 May 2016 03:00:13 -0700 (PDT)
Received: from smtp-fr.alcatel-lucent.com (fr-hpida-esg-02.alcatel-lucent.com [135.245.210.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2819F12D664 for <lurk@ietf.org>; Wed, 25 May 2016 03:00:13 -0700 (PDT)
Received: from fr712umx3.dmz.alcatel-lucent.com (unknown [135.245.210.42]) by Websense Email Security Gateway with ESMTPS id D439AA30FC5D4; Wed, 25 May 2016 10:00:08 +0000 (GMT)
Received: from fr711usmtp1.zeu.alcatel-lucent.com (fr711usmtp1.zeu.alcatel-lucent.com [135.239.2.122]) by fr712umx3.dmz.alcatel-lucent.com (GMO-o) with ESMTP id u4PA0ASJ005023 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 25 May 2016 10:00:10 GMT
Received: from FR712WXCHHUB03.zeu.alcatel-lucent.com (fr712wxchhub03.zeu.alcatel-lucent.com [135.239.2.74]) by fr711usmtp1.zeu.alcatel-lucent.com (GMO) with ESMTP id u4P9xx5x008558 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 25 May 2016 12:00:10 +0200
Received: from FR711WXCHMBA08.zeu.alcatel-lucent.com ([169.254.4.26]) by FR712WXCHHUB03.zeu.alcatel-lucent.com ([135.239.2.74]) with mapi id 14.03.0195.001; Wed, 25 May 2016 12:00:00 +0200
From: "Fossati, Thomas (Nokia - GB)" <thomas.fossati@nokia.com>
To: EXT Yaron Sheffer <yaronf.ietf@gmail.com>, "lurk@ietf.org" <lurk@ietf.org>
Thread-Topic: [Lurk] Fwd: New Version Notification for draft-sheffer-lurk-cert-delegation-00.txt
Thread-Index: AQHRrJK2YOdppGeYJE62svfOinx2vZ/JbnoA
Date: Wed, 25 May 2016 10:00:00 +0000
Message-ID: <D36B2EDE.6836A%thomas.fossati@alcatel-lucent.com>
References: <20160512204349.14299.93495.idtracker@ietfa.amsl.com> <5734F136.10208@gmail.com>
In-Reply-To: <5734F136.10208@gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.6.4.160422
x-originating-ip: [135.239.27.39]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <98F8486161696A498FE36251B6EA95C8@exchange.lucent.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/lurk/03lXEHGwHwhiWWlZgS_JLaFwATc>
Subject: Re: [Lurk] Fwd: New Version Notification for draft-sheffer-lurk-cert-delegation-00.txt
X-BeenThere: lurk@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Limited Use of Remote Keys <lurk.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lurk>, <mailto:lurk-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lurk/>
List-Post: <mailto:lurk@ietf.org>
List-Help: <mailto:lurk-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lurk>, <mailto:lurk-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 May 2016 10:00:15 -0000
Hi Yaron, On 12/05/2016 22:10, "Lurk on behalf of EXT Yaron Sheffer" <lurk-bounces@ietf.org on behalf of yaronf.ietf@gmail.com> wrote: >To solve the CDN-shouldn't-get-my-private-key scenario, I propose an >almost trivial REST API, where the CDN contacts the content owner once a >day and obtains a 3 day credential (private key plus short-term cert). > >Comments are welcome! Thanks very much for the draft. Your proposal has a few good properties: - It's very simple, with minimal impact on existing implementations and deployments; - It scales very well, because it drastically reduces the number of calls to the LURK box (somewhere about 10 orders of magnitude less than the other proposals), and because it removes the need for keeping the LURK box near the edge - and thus deploying more boxes as the CDN footprint grows -- if the application cares about time-to-first-byte, as it usually does; - It makes the CDN less dependent on the availability of the LURK box; - Lastly, it seems to provide the right ecosystem for solving the well known revocation issues ([1], [2]) -- very similarly to a proposal from Topalovic et al. [3]. The only "minus" point is that the CDN still holds the content provider's private key. In fact, in your proposal, the "Remote Keys" in the LURK acronym aren't remote at all :-) Cheers, t [1] https://www.imperialviolet.org/2011/03/18/revocation.html [2] https://www.imperialviolet.org/2014/04/29/revocationagain.html [3] http://www.w2spconf.com/2012/papers/w2sp12-final9.pdf
- [Lurk] Fwd: New Version Notification for draft-sh… Yaron Sheffer
- Re: [Lurk] Fwd: New Version Notification for draf… Fossati, Thomas (Nokia - GB)
- Re: [Lurk] Fwd: New Version Notification for draf… Yaron Sheffer
- Re: [Lurk] Fwd: New Version Notification for draf… Fossati, Thomas (Nokia - GB)
- Re: [Lurk] Fwd: New Version Notification for draf… Yaron Sheffer