[POSH] PKIX Over Secure HTTP (POSH)
Peter Saint-Andre <stpeter@stpeter.im> Tue, 04 June 2013 23:25 UTC
Message-ID: <51AE771F.6080005@stpeter.im>
Date: Tue, 04 Jun 2013 17:24:15 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
To: posh@ietf.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Matt Miller and I have been working on a specification for "PKIX Over
Secure HTTP" (POSH), which aims to make it easier to ensure proper TLS
server identity checking in multi-tenanted environments (where it's
basically impossible right now):

https://datatracker.ietf.org/doc/draft-miller-posh/

As the abstract says:

   This document defines two methods that make it easier to deploy
   certificates for proper server identity checking in application
   protocols. The first method enables a TLS client to obtain a TLS
   server's end-entity certificate over secure HTTP as an alternative
   to standard Public Key Infrastructure using X.509 (PKIX) and
   DNS-Based Authentication of Named Entities (DANE). The second
   method enables a source domain to securely delegate an application
   to a derived domain using HTTPS redirects.

We love PKIX (really!), we love DNSSEC, and we love DANE (which solves
some of the same problems for some application protocols as POSH does).
However, we want a technology that can be deployed more quickly than
DANE in order to solve pressing operational security issues with
standard PKIX in multi-tenanted environments.

This effort emerged from the XMPP community, but we have heard from
folks working on other application technologies that it might be useful
for things like IMAP and SMTP, thus the more generalized version of POSH
that we published today (superseding draft-miller-xmpp-posh-prooftype).

We are planning to hold a BoF on this topic in Berlin, but in the
meantime comments are very much welcome. Please post your feedback to
the new posh@ietf.org list:

https://www.ietf.org/mailman/listinfo/posh

Thanks!

Peter

- --
Peter Saint-Andre
https://stpeter.im/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJRrncfAAoJEOoGpJErxa2p91QP/3PvNnKN00cNLGAygbGKNUIV
lE+MZopE0BBlpSEaf7hEBFT8uBO+e9EX4bCnV+IjRBlDU3O7W+E9qSD4FuwqRBau
9lQ1ayBt/SgOi3gkhxvwh00KfID0HAGo+09UsbLuF08TNMdOhRmng+qSXPLHmB3A
FKDmHZVv7hUVz2m82HpU7ebp7Bjf/HQFOVlqg8wiXvn2imRgyRPH/7AY5tyeVk1p
my0YFMdq9B/1EHqTeWMpF2sEo7vQeO59Jz3+ZuMwpXIBEUktjsLKn0jNNXtluoIk
QgNJOYOA3UXsJDjZWaPwQMp2bMteZPmbS8wB08BNBOS4Y9q5WfgEUkV2xLl5yqJF
SDBXmHK8kxfHPZUeUKHTuVa4kNMnK537Y4FqWt+E4Mv+dC0L3hcxj2sH/nZwRA/L
A1iU438y7o1jxFWWpvqf5ekFkz4bBMEk7ZEqDaQHvyfqcnswjC27ZATd6rb1yigA
qZg+NCMX3n+RlU1X7k1yQmAebZFq9WzTMFfjPcnzlIg6LRqns1Iuf/Hv2wDtpxeZ
Ei2ASdusWG4PJKEOH+hoq3+w3PJqWR0AGVdTB6aAcb6yv7IdPmVJHrBLtrKbRCcz
czWvvC0mEGXeu/anlVs5flQSikrSpnVe/1reKSjU7XwoWSRGEI3JMI/zLgMctxg7
hc8WGnHPzPAmbtGqzH3/
=gEbl
-----END PGP SIGNATURE-----
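To make the two methods in the quoted abstract concrete, here is an added client-side sketch (example code written for this page, not part of the draft or of any POSH implementation). It models both methods at once: the client fetches a fingerprint document for a source domain over HTTPS, follows an HTTPS redirect to the derived (hosting) domain, and accepts the TLS server only if the certificate presented in the handshake matches a published fingerprint. The well-known path, the JSON layout, the field names and the SHA-256-over-DER fingerprint are assumptions made for this example, not details taken from the draft as quoted above; the "certificates" are constructed byte strings standing in for DER, and the HTTPS origin is simulated by a dictionary so the code runs offline.

```python
import base64
import hashlib
import json
from urllib.parse import urlparse

# Constructed stand-ins for DER-encoded end-entity certificates (not real certs).
CERT_DERIVED = b"constructed DER bytes: cert for the hosting provider"
CERT_ROGUE = b"constructed DER bytes: cert presented by an unrelated host"


def sha256_fingerprint(der_bytes):
    """Base64 of SHA-256 over the DER bytes: the fingerprint form assumed here."""
    return base64.b64encode(hashlib.sha256(der_bytes).digest()).decode("ascii")


# Simulated HTTPS origin, keyed by URL (an assumption of this example).
# ("redirect", location) models the delegation method: the source domain
# redirects to the derived domain that actually hosts the service.
# ("ok", body) models the document that lists acceptable fingerprints.
SIMULATED_HTTPS = {
    "https://example.com/.well-known/posh/xmpp-server.json":
        ("redirect", "https://hosting.example.net/.well-known/posh/xmpp-server.json"),
    "https://hosting.example.net/.well-known/posh/xmpp-server.json":
        ("ok", json.dumps({"fingerprints": [{"sha-256": sha256_fingerprint(CERT_DERIVED)}],
                           "expires": 3600})),
    # A delegation that drops to plain HTTP: must be refused, not followed.
    "https://insecure.example.org/.well-known/posh/xmpp-server.json":
        ("redirect", "http://hosting.example.net/.well-known/posh/xmpp-server.json"),
}


def https_fetch(url, responses=SIMULATED_HTTPS, max_redirects=3):
    """Follow redirects, refusing any hop that is not https:// (otherwise the
    delegation itself could be tampered with on the wire). Returns (host, body)."""
    for _ in range(max_redirects + 1):
        parsed = urlparse(url)
        if parsed.scheme != "https":
            raise ValueError(f"refusing non-HTTPS hop: {url}")
        kind, payload = responses.get(url, ("missing", None))
        if kind == "redirect":
            url = payload
            continue
        if kind == "ok":
            return parsed.hostname, payload
        raise LookupError(f"no POSH document at {url}")
    raise ValueError("too many redirects")


def posh_verify(source_domain, service, presented_der, responses=SIMULATED_HTTPS):
    """Return (accepted, derived_domain). accepted is True only when the
    certificate presented in the TLS handshake matches a fingerprint that the
    source domain (directly or via HTTPS delegation) published over HTTPS."""
    url = f"https://{source_domain}/.well-known/posh/{service}.json"
    derived_domain, body = https_fetch(url, responses)
    doc = json.loads(body)
    if doc.get("expires", 0) <= 0:          # stale document: treat as no proof
        return False, derived_domain
    published = {e["sha-256"] for e in doc.get("fingerprints", []) if "sha-256" in e}
    return sha256_fingerprint(presented_der) in published, derived_domain


def delegation_is_safe(source_domain, service, responses=SIMULATED_HTTPS):
    """True if the redirect chain for this source domain stays on HTTPS throughout."""
    try:
        https_fetch(f"https://{source_domain}/.well-known/posh/{service}.json", responses)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(posh_verify("example.com", "xmpp-server", CERT_DERIVED))   # (True, 'hosting.example.net')
    print(posh_verify("example.com", "xmpp-server", CERT_ROGUE))     # (False, 'hosting.example.net')
    print(delegation_is_safe("insecure.example.org", "xmpp-server")) # False
```

The two checks that carry the security weight are the scheme test in `https_fetch` (a redirect that leaves HTTPS would let anyone on the path substitute the fingerprint list) and the exact fingerprint comparison in `posh_verify` (the client pins what the source domain published, so a certificate that is valid under PKIX for some other name is still rejected). A real client would compute the fingerprint over the DER certificate taken from the TLS handshake and would check `expires` against the time of the fetch.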