Re: [Lurk] keeping private key private
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 12 October 2016 21:51 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: lurk@ietfa.amsl.com
Delivered-To: lurk@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA955129566 for <lurk@ietfa.amsl.com>; Wed, 12 Oct 2016 14:51:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A2nl7FD78IMk for <lurk@ietfa.amsl.com>; Wed, 12 Oct 2016 14:51:36 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [162.247.75.118]) by ietfa.amsl.com (Postfix) with ESMTP id 9836612954F for <lurk@ietf.org>; Wed, 12 Oct 2016 14:51:36 -0700 (PDT)
Received: from fifthhorseman.net (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id 38A79F98C; Wed, 12 Oct 2016 17:51:35 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 277E621C2F; Wed, 12 Oct 2016 14:45:08 -0700 (PDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Daniel Migault <daniel.migault@ericsson.com>, lurk@ietf.org
In-Reply-To: <CADZyTk=+YjfZM_rMJtS=D0KNX3nbQ6jx91=F2VqQ_QR12a5foA@mail.gmail.com>
References: <CADZyTk=+YjfZM_rMJtS=D0KNX3nbQ6jx91=F2VqQ_QR12a5foA@mail.gmail.com>
Date: Wed, 12 Oct 2016 17:45:04 -0400
Message-ID: <87bmyputr3.fsf@alice.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/lurk/k6Wb2XtOTcBiheGHADVw6j_aJIo>
Subject: Re: [Lurk] keeping private key private
X-BeenThere: lurk@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Limited Use of Remote Keys <lurk.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lurk>, <mailto:lurk-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lurk/>
List-Post: <mailto:lurk@ietf.org>
List-Help: <mailto:lurk-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lurk>, <mailto:lurk-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Oct 2016 21:51:39 -0000
Hi Daniel-- On Wed 2016-10-12 13:10:04 -0400, Daniel Migault wrote: > Currently delegating a TLS service to a third party or multiple edge nodes > is mostly based on distributing the full private key to multiple edge nodes > that may even be in a different domain. Such a distribution prevents the > key owner to keep the control of the private key as well as to prevent the > key to leak. For example, with LURK, the Heartbleed attack would have had > very limited impact as the private key would not have been hosted on the > edge server. By design, LURK would have prevented the key to leak. What's more important -- the secret key material, or the traffic and information on your website that it protects? When the certificate is long-lived, there are good arguments for the secret key being more valuable, because it can be misused in the future when we don't yet know what the value of of the traffic and information will be. It's also conceivable that a single cert (e.g. *.example.biz) could be more valuable than any one site it applies to. But when the certificate is short-lived and narrowly-scoped, the things the cert is trying to protect are proportionally more valuable, though, right? secret keys are cheap! certificates are (increasingly) cheap! Making cheap things less powerful and using them freely seems like a much simpler approach than trying to invest certificates with lots of power and then trying to find ways to avoid the misuse of that power. > My understanding is that there are currently no mechanisms that prevent the > keys to leak in the case of TLS. There is a huge demand from the industry > to provide mechanisms that protects the private key from leakage. The > reason we focused on TLS is that by limiting the use of a single protocol > it provides more control on the usage of the key. However, the protection > of the private key can also be handled in a more generic way outside the > scope of TLS. I would like to understand whether mechanisms to prevent > leakage of the private key should not be handled in the context of TLS and > instead being handled in a more generic way. we have (a few) generic mechanisms already. PKCS#11, as horrible as it is, provides for secret key isolation. "PKCS#11-RPC" was floated as one idea in the LURK BoF, iirc, but i think it was (mostly) dismissed, though i don't remember why. But remote use of secret key material is also high-latency and prone to bottlenecks -- are these engineering costs worth the benefits? some people might amortize the costs of the high-latency handshake by establishing and encouraging the use of TLS sessions; this is in effect asking users to remember short-lived certs -- those sessions are going to still be valid authenticators (to those end users) even after the keyholder decides to rescind her grant of use of her secret key. So there are a set of tradeoffs involved, and it's not clear to me that the thing you're trying to protect is worth the energy and cost that would be invested here. can you explain how you see those tradeoffs? All the best, --dkg
- [Lurk] keeping private key private Daniel Migault
- Re: [Lurk] keeping private key private Daniel Kahn Gillmor
- Re: [Lurk] keeping private key private Daniel Migault
- Re: [Lurk] [E] Re: keeping private key private sanjay.mishra
- Re: [Lurk] [E] Re: keeping private key private Daniel Migault