Re: [Lurk] Fwd: draft-rescorla-tls-subcerts
Carl Wallace <carl@redhoundsoftware.com> Tue, 12 July 2016 17:19 UTC
Return-Path: <carl@redhoundsoftware.com>
X-Original-To: lurk@ietfa.amsl.com
Delivered-To: lurk@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B1C4812D544 for <lurk@ietfa.amsl.com>; Tue, 12 Jul 2016 10:19:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=redhoundsoftware-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N1wSbE-tCk6c for <lurk@ietfa.amsl.com>; Tue, 12 Jul 2016 10:19:06 -0700 (PDT)
Received: from mail-qk0-x22b.google.com (mail-qk0-x22b.google.com [IPv6:2607:f8b0:400d:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DC56C12D536 for <lurk@ietf.org>; Tue, 12 Jul 2016 10:19:05 -0700 (PDT)
Received: by mail-qk0-x22b.google.com with SMTP id o67so20189725qke.1 for <lurk@ietf.org>; Tue, 12 Jul 2016 10:19:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhoundsoftware-com.20150623.gappssmtp.com; s=20150623; h=user-agent:date:subject:from:to:message-id:thread-topic:references :in-reply-to:mime-version:content-transfer-encoding; bh=rlPm7bEj5EPJrajXbutLNsfxMvoRaZNQ4GtfNuYwCZo=; b=TULzsOR/Zfq7aUTgjZ4wbIvDOaNcIDXBDrzEk3TQMe5fPjz5hLPDOOte4tOgmFAkb7 W0a3IMe9oazOXWF5qfqdbkx6S3KdRlLAwQSsxqqnr71qaYATxcV//XQE45fcdOhyZu0+ viRsg3G83dun9Ex/EmuPP1yKfQKM2BILV0VMfMTxZjCkutvHHesytt2hd7GqjjeuHZWl ozIgBer4sOZIuIpV8MAbpIureboVEZSbZAQqD6lCe+FLefAw0SYAJCfSd3zOGGmf8J+F uOxC8fI0vhgVtBNu4dLEl6VhcJpdOO44fF+DHx2Hh1MNGSog2vaVVd8Aqi7h3b4z726G SAJw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:user-agent:date:subject:from:to:message-id :thread-topic:references:in-reply-to:mime-version :content-transfer-encoding; bh=rlPm7bEj5EPJrajXbutLNsfxMvoRaZNQ4GtfNuYwCZo=; b=BjHzYrfJGBgg0mx1sEOTcqdGZQOV1C+31NKB15tUdSiULbkAfkM1RaZuXfJuhhjVYX aZ8mNkgyNIgzWmRrtbyuVqPex4tjtuVGmL/m+qdnHbxercPgfe4Z7Vqni9BZWaSGRO51 KuEZiM1FMVRmUYj5c8aLVmFfGzLsMnXmhlfDY6EP/+SU1GqqfEtvUeFfwwoytu8Ul3o/ wdy2sez1PKI8jvplikBFcORHQ6PRQvpYzAM8Se+9IOXq8JfScAogyVF/uccNiJH03LqR EB1krNeUz44z6vmDg32a3l2u6qMSB0wCEE5k41Tt8ZZ9reczsXoWi+GPZ8dDr/J7Fc6A G4uA==
X-Gm-Message-State: ALyK8tJnkxPXnO8XGGGZ5O8zbGhabbWmmGocCncJ6CDeHl6TNwPrtCv1hqNsoQ02y5OzmA==
X-Received: by 10.55.43.229 with SMTP id r98mr4498798qkr.62.1468343941018; Tue, 12 Jul 2016 10:19:01 -0700 (PDT)
Received: from [192.168.2.28] (pool-96-255-23-4.washdc.fios.verizon.net. [96.255.23.4]) by smtp.gmail.com with ESMTPSA id y8sm2248882qkb.21.2016.07.12.10.18.56 (version=TLS1 cipher=AES128-SHA bits=128/128); Tue, 12 Jul 2016 10:18:59 -0700 (PDT)
User-Agent: Microsoft-MacOutlook/14.5.8.151023
Date: Tue, 12 Jul 2016 13:18:52 -0400
From: Carl Wallace <carl@redhoundsoftware.com>
To: Leif Johansson <leifj@mnt.se>, lurk@ietf.org
Message-ID: <D3AA9DBA.68322%carl@redhoundsoftware.com>
Thread-Topic: [Lurk] Fwd: draft-rescorla-tls-subcerts
References: <CABcZeBP+6AP50L06knsnOmyMqbv3fFw6TrcSrqs0x9FgoxyKcw@mail.gmail.com> <CABcZeBPvKfLAWgAyJhSMbOnECF5vSWyduwD0zWOHn_reP96pzQ@mail.gmail.com> <5785217D.9010405@mnt.se>
In-Reply-To: <5785217D.9010405@mnt.se>
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/lurk/zot-zZUO-xqYIgohcnRT2YJwxsE>
Subject: Re: [Lurk] Fwd: draft-rescorla-tls-subcerts
X-BeenThere: lurk@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Limited Use of Remote Keys <lurk.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lurk>, <mailto:lurk-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lurk/>
List-Post: <mailto:lurk@ietf.org>
List-Help: <mailto:lurk-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lurk>, <mailto:lurk-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jul 2016 17:19:08 -0000
On 7/12/16, 12:57 PM, "Lurk on behalf of Leif Johansson" <lurk-bounces@ietf.org on behalf of leifj@mnt.se> wrote: >On 2016-07-08 16:59, Eric Rescorla wrote: >> Perhaps complementary to lurk. Being discussed on the TLS list. >> > >https://www.ietf.org/rfc/rfc3820.txt ? 3820 suffers from the fatal flaw of using a critical extension, which has limited its adoption. I think the sub-certs spec could address this and use a non-critical extension in a CA-issued certificate. The non-critical extension would contain a structure signed by the delegating party. The structure for the TLS extension in the sub-certs spec probably has the content that would desired in the extension. The pre-certificate structure in the experimental CT draft would be another approach, but maybe more complicated. This approach would require validating the delegating party's cert in addition to the proxy cert. However, it may also be a means of addressing the problem of authorizing a content inspection proxy when mutually authenticated TLS is used.
- [Lurk] Fwd: draft-rescorla-tls-subcerts Eric Rescorla
- Re: [Lurk] Fwd: draft-rescorla-tls-subcerts Leif Johansson
- Re: [Lurk] Fwd: draft-rescorla-tls-subcerts Carl Wallace