IETF Logo Mail Archive

[Lurk] LURK: proposed charter for review

Yaron Sheffer <yaronf.ietf@gmail.com> Thu, 07 July 2016 17:50 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: lurk@ietfa.amsl.com
Delivered-To: lurk@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 05A3012D832 for <lurk@ietfa.amsl.com>; Thu, 7 Jul 2016 10:50:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.976
X-Spam-Level:
X-Spam-Status: No, score=-1.976 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xYXzc7ZhdY0K for <lurk@ietfa.amsl.com>; Thu, 7 Jul 2016 10:50:29 -0700 (PDT)
Received: from mail-pa0-x22d.google.com (mail-pa0-x22d.google.com [IPv6:2607:f8b0:400e:c03::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0300812D82A for <lurk@ietf.org>; Thu, 7 Jul 2016 10:50:29 -0700 (PDT)
Received: by mail-pa0-x22d.google.com with SMTP id dx3so7883068pab.2 for <lurk@ietf.org>; Thu, 07 Jul 2016 10:50:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:subject:to:message-id:date:user-agent:mime-version :content-transfer-encoding; bh=3F7WvDnNplVDB46KYdHJtb0xnHFMH5HynbMW5gVFFKs=; b=Z16aeuq4jr/FDZ/IdTf1rjof2C1+AzrruPxhpkYPxT2JE8m6/OXQ6qfchcYOyBsrR6 fsMr1hUKi6Ns50VK/YBqMgMrExrd5GQUSCs1AL7EYPbxvx0WYGm4HDWo1ucvOymRFGsZ JGpIlpLKCHyKcoIxZmKGz7PpvBnX6ActIu+N7AfZ//G9UBbOozIwAVgwhM6BHA+ClF2j NyqUJlNxwXeLIfRxdOh3cohMEPqi7uQyWObanvURnpfL5F+vD+sPPqXIR4fXIkkWYkEs jGFYCprfVpHXYANBOkmCqANa7ACJW9f1EZwRIInzkZZ5PVQ9lnya7J6hszZqdpzv0IUp 2jpA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:subject:to:message-id:date:user-agent :mime-version:content-transfer-encoding; bh=3F7WvDnNplVDB46KYdHJtb0xnHFMH5HynbMW5gVFFKs=; b=ikJHRxON4uOUm+58UWNVPXHJ3FZ2PLblieowJmr8591SDOc5Wh96EN+NF0JbWlCWuC f5AoHSkzjKc1XBa7ykjiBXgfRzg9y/HWST8x6O0aXRiTvTSyK1IMYw7Lkg4EAACdebqv XqmyX/tTF8PaASKg6n8yTIhbN6gVsaSJ4/PN9AlYx9YbP8DgbetVKc5pTCHDb46hURkH LE/qPpWTdGJuGn4gUlHQd3RIxRmHgB79ySESGIwM/nGBvxjeqYknpNdiV1vY9u1PufIL sVpUWQP1jfP66NvQgfmhMAKNbCkfg+9yhqoJA5wsYcoU8G3gh6nQE5qwJYsuSBhVRoFn aaPg==
X-Gm-Message-State: ALyK8tKoVx7CGxDP1eJFGX9guQhlE/fc3jpuAJEtNskHYVMs8SNCyWzdMRSTFApzQGjdWA==
X-Received: by 10.66.126.178 with SMTP id mz18mr2384054pab.15.1467913828129; Thu, 07 Jul 2016 10:50:28 -0700 (PDT)
Received: from [10.250.252.18] ([116.212.180.68]) by smtp.gmail.com with ESMTPSA id h77sm5278844pfj.86.2016.07.07.10.50.25 for <lurk@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 07 Jul 2016 10:50:26 -0700 (PDT)
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: LURK BoF <lurk@ietf.org>
Message-ID: <577E965F.6060508@gmail.com>
Date: Thu, 07 Jul 2016 23:20:23 +0530
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.8.0
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/lurk/R4zpf4B_nRg_LaguJg7V0QDaOUM>
Subject: [Lurk] LURK: proposed charter for review
X-BeenThere: lurk@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Limited Use of Remote Keys <lurk.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lurk>, <mailto:lurk-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lurk/>
List-Post: <mailto:lurk@ietf.org>
List-Help: <mailto:lurk-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lurk>, <mailto:lurk-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Jul 2016 17:50:31 -0000

Hi Everyone,

LURK is having a second BoF meeting in Berlin, and we hope to conclude it by forming a WG. Below is proposed charter text for this tentative WG. Eric and I would like to initiate the discussion before we meet in Berlin and then use the meeting for issues that require deeper discussion and/or to get feedback from people who are not regulars on this list.

Thanks,
    Eric and Yaron

---

Classic HTTPS authenticates the server by proving ownership of a private key associated with a public-key certificate. Most trust models assume an HTTP server owns the private keys and the server is responsible for both the hosted content and network delivery. Although these assumptions were largely true in the past, today the deployment of services on the Internet largely relies on multiple, distributed instances of the service, not necessarily operated by the content owner. In such architectures, the application - like a web browser - expects to authenticate a content provider but is actually authenticating the node delivering the content. In this case, confusion results from using a secure transport layer to authenticate application layer content.

The WG will focus on a solution that allows offloading TLS termination to a content delivery network (CDN) without giving the content owner's private key to the CDN. In scope are TLS and DTLS, including TLS 1.0-1.2 and, when available, TLS 1.3. This working group will not propose any changes to the client side of the TLS protocol, and the solution should support all widely deployed TLS cipher suites.

The current work items include:

- An Informative "use cases" document, which will cover the CDN use case but may encompass additional use cases.

- A Standards Track document that defines the interface between an edge server and a content owner. Security is a key concern, specifically avoiding a "signing oracle" where possible. Provisioning/management/monitoring of the protocol's endpoint is out of scope of the working group.

Delegation of RSA/ECDSA keys for other purposes is out of the scope of the working group. Such work would require the working group to recharter.

v2.23.0 | Report a Bug | By Email