Re: [Lurk] New documented submitted

Phillip Hallam-Baker <phill@hallambaker.com> Fri, 18 March 2016 23:56 UTC

From: Phillip Hallam-Baker <phill@hallambaker.com>
To: "Salz, Rich" <rsalz@akamai.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/lurk/RWlvFgVTLtBCnDmrjJMY1a0WGg8>
Cc: "lurk@ietf.org" <lurk@ietf.org>
Subject: Re: [Lurk] New documented submitted
List-Id: Limited Use of Remote Keys <lurk.ietf.org>

On Fri, Mar 18, 2016 at 3:03 PM, Salz, Rich <rsalz@akamai.com> wrote:
> https://datatracker.ietf.org/doc/draft-erb-lurk-rsalg/
>
> A PFS-preserving protocol for LURK.  If the WG is created, we will ask the
> group to adopt it.
>
> There is an IPR disclosure that is in the system. Our intent is royalty-free
> for anyone who cross-licenses their patents to us.

"   The protocol should not become a generic signing oracle, even if it
   is suboptimal with regard to network bandwidth utilization.  This is
   done by not simply signing values, but by computing the full
   signature hash at the KeyOwner."

I started off with that as a requirement. Then I deleted it.  The
reasoning is as follows:

First, what does the limitation get us? Is a TLS signature key to be
shared with any other purpose? I really hope not. That would be very
bad indeed. So what does this restriction achieve?

There is a measurable cost. It makes the protocol specific to TLS and
specific TLS key agreements to boot. It also breaks with existing
APIs. I won't be able to use your approach with IIS unless and until
they update the TLS implementation. If I use another Web server I have
to wait for implementation in OpenSSL or whatever or have to deal with
custom patches.

Many existing servers already have a socket for plugging in custom
crypto to support accelerator boards. I agree we should not limit
ourselves to that API but we definitely need to support it.
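
The restriction quoted from the draft, set beside a generic signing interface, as an added illustration that is not part of the original message and is not code from draft-erb-lurk-rsalg. It assumes the TLS 1.2 ECDHE ServerKeyExchange signed input (client_random, server_random, ServerECDHParams); the function names are hypothetical and HMAC stands in for the private-key signature.

```python
import hashlib
import hmac

DEMO_KEY = b"constructed-demo-key"  # assumption: stands in for the TLS private key

def _private_key_op(digest: bytes) -> bytes:
    # Assumption: HMAC stands in for the RSA/ECDSA signature so this runs on the stdlib.
    return hmac.new(DEMO_KEY, digest, hashlib.sha256).digest()

def generic_oracle(digest: bytes) -> bytes:
    """Hypothetical generic interface: signs any digest the caller hands over."""
    return _private_key_op(digest)

def check_server_ecdh_params(params: bytes) -> None:
    """Accept only a well-formed named_curve ServerECDHParams (RFC 4492 layout)."""
    if len(params) < 5 or params[0] != 0x03:   # curve_type must be named_curve(3)
        raise ValueError("not a named_curve ServerECDHParams")
    point_len = params[3]                      # 1-byte length of the ECPoint
    if point_len == 0 or len(params) != 4 + point_len:
        raise ValueError("ECPoint length does not match the message")

def keyowner_sign(client_random: bytes, server_random: bytes, params: bytes) -> bytes:
    """Hypothetical KeyOwner interface: builds the signed input itself, then hashes it."""
    if len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("TLS randoms are exactly 32 bytes")
    check_server_ecdh_params(params)
    signed_input = client_random + server_random + params
    return _private_key_op(hashlib.sha256(signed_input).digest())

# Constructed sample handshake values (not captured traffic).
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))
PARAMS = bytes([0x03, 0x00, 0x17, 65, 0x04]) + bytes(64)  # secp256r1, 65-byte point

def refuses(params: bytes) -> bool:
    """True when the KeyOwner interface rejects the supplied parameter block."""
    try:
        keyowner_sign(CLIENT_RANDOM, SERVER_RANDOM, params)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print("TLS input signed:", keyowner_sign(CLIENT_RANDOM, SERVER_RANDOM, PARAMS).hex()[:16])
    print("arbitrary blob refused:", refuses(b"constructed non-TLS message"))
    arbitrary = hashlib.sha256(b"constructed non-TLS message").digest()
    print("generic oracle signs it anyway:", generic_oracle(arbitrary).hex()[:16])
```

The structure check in `keyowner_sign` is also where the cost raised in the message shows up: the interface has to know the TLS key-exchange layout, so it cannot sit behind an existing digest-in, signature-out crypto API.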