Re: [POSH] I-D Action: draft-miller-posh-01.txt

Peter Saint-Andre <stpeter@stpeter.im> Tue, 10 September 2013 22:23 UTC

Message-ID: <522F9BE2.2010809@stpeter.im>
Date: Tue, 10 Sep 2013 16:23:30 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
To: "Matt Miller (mamille2)" <mamille2@cisco.com>
References: <20130906221429.28168.74635.idtracker@ietfa.amsl.com> <BF7E36B9C495A6468E8EC573603ED9411EEF0966@xmb-aln-x11.cisco.com> <BXjoBrNAVf0RUm7aeEneuOrDeilOdDr46RJxBKrIrAEgG5pLI@smtp.gmail.com> <BF7E36B9C495A6468E8EC573603ED9411EEF6359@xmb-aln-x11.cisco.com>
In-Reply-To: <BF7E36B9C495A6468E8EC573603ED9411EEF6359@xmb-aln-x11.cisco.com>
Cc: Tobias Markmann <tmarkmann@googlemail.com>, "<posh@ietf.org>" <posh@ietf.org>
Subject: Re: [POSH] I-D Action: draft-miller-posh-01.txt

WFM!

On 9/10/13 3:42 PM, Matt Miller (mamille2) wrote:
> Thanks for the feedback!  Requiring just the "x5t" makes sense, and
> we can incorporate that change in the next revision.
> 
> 
> - m&m
> 
> Matt Miller <mamille2@cisco.com> Cisco Systems, Inc.
> 
> On Sep 9, 2013, at 3:54 PM, Tobias Markmann
> <tmarkmann@googlemail.com> wrote:
> 
>> 
>> Hi,
>> 
>> Matt Miller (mamille2) wrote:
>>
>>> FYI, the latest draft incorporates just about all of the feedback
>>> we received as a result of the BoF, minus ASCII art; we'll see
>>> about that for the next version!
>>>
>>> - m&m
>>>
>>> Matt Miller <mamille2@cisco.com> Cisco Systems, Inc.
>>
>> Here is some feedback based on an initial read of the changes.
>> 
>> Section 4.1
>> 
>> 
>> Additionally, each JWK object MUST possess at least one of the
>> following:
>>
>> o  The "x5t" field set to the certificate thumbprint, as per section
>>    3.6 of [JOSE-JWK].
>>
>> o  The "x5c" field set to the certificate chain, as per section
>>    3.7 of [JOSE-JWK].
>> 
>>
>> I suggest making x5t, the thumbprint/fingerprint, a MUST to reduce
>> the minimum possible code paths to implement this draft, considering
>> not all TLS APIs provide access to the public key's modulus and
>> exponent. In addition, verification using the thumbprint is
>> independent of the type of key (RSA, ECC, ?) that the certificate
>> uses, which further eases implementation and straightens the
>> codepath. I'd still allow (MAY) inclusion of x5c, for debugging
>> purposes though.
>>
>> Cheers,
>> Tobi


-- 
Peter Saint-Andre
https://stpeter.im/
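Added example (not code from the POSH draft, its authors, or this thread): checking a presented certificate against a POSH JWK by the "x5t" thumbprint path Tobi proposes, with "x5c" as the fallback when no thumbprint is present. It assumes the JOSE-JWK definition of "x5t" (base64url, no padding, of the SHA-1 hash of the DER-encoded certificate) and standard base64 for "x5c" entries; the certificate bytes below are a constructed stand-in, not a real X.509 structure.

```python
import base64
import hashlib
import hmac


def b64url_nopad(raw: bytes) -> str:
    """base64url without '=' padding, as JOSE uses for "x5t"."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def x5t_of(cert_der: bytes) -> str:
    """JOSE-JWK "x5t": base64url(SHA-1(DER certificate)).
    Works for any key type, since only the DER bytes are hashed."""
    return b64url_nopad(hashlib.sha1(cert_der).digest())


def jwk_matches_cert(jwk: dict, cert_der: bytes) -> bool:
    """True if this JWK vouches for cert_der.

    "x5t" is checked first: it needs no key-type-specific parsing and no
    access to modulus/exponent.  Without "x5t", the leaf of "x5c" is
    compared byte-for-byte.  A JWK with neither field is rejected, which
    is the draft's "MUST possess at least one" rule."""
    if isinstance(jwk.get("x5t"), str):
        return hmac.compare_digest(x5t_of(cert_der).encode(),
                                   jwk["x5t"].encode())
    chain = jwk.get("x5c")
    if isinstance(chain, list) and chain:
        leaf = base64.b64decode(chain[0])  # x5c uses standard base64
        return hmac.compare_digest(leaf, cert_der)
    return False


def posh_verify(jwks: dict, cert_der: bytes) -> bool:
    """Accept the presented certificate if any JWK in the set vouches for it."""
    return any(jwk_matches_cert(k, cert_der) for k in jwks.get("keys", []))


# Constructed stand-in for a DER certificate (not valid X.509).
CERT_DER = b"\x30\x82\x01\x00" + b"POSH example certificate bytes"
JWK_THUMB = {"kty": "RSA", "x5t": x5t_of(CERT_DER)}
JWK_CHAIN = {"kty": "RSA", "x5c": [base64.b64encode(CERT_DER).decode()]}

if __name__ == "__main__":
    print("x5t path:", posh_verify({"keys": [JWK_THUMB]}, CERT_DER))
    print("x5c path:", posh_verify({"keys": [JWK_CHAIN]}, CERT_DER))
```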

