Re: [POSH] I-D Action: draft-miller-posh-01.txt

"Matt Miller (mamille2)" <mamille2@cisco.com> Tue, 10 September 2013 21:42 UTC

Thanks for the feedback!  Requiring just the "x5t" makes sense, and we can incorporate that change in the next revision.


- m&m

Matt Miller < mamille2@cisco.com >
Cisco Systems, Inc.

On Sep 9, 2013, at 3:54 PM, Tobias Markmann <tmarkmann@googlemail.com> wrote:

> 
> Hi,
> 
> Matt Miller (mamille2) wrote:
> 
> FYI, the latest draft incorporates just about all of the feedback we
> received as a result of the BoF, minus ASCII art; we'll see about that
> for the next version!
> 
> 
> - m&m
> 
> Matt Miller < mamille2@cisco.com >
> Cisco Systems, Inc.
> 
> 
> Here is some feedback based on an initial read of the changes.
> 
> Section 4.1
> 
> 
>   Additionally, each JWK object MUST possess at least one of the
>   following:
> 
>   o  The "x5t" field set to the certificate thumbprint, as per section
>      3.6 of [JOSE-JWK].
> 
> 
>   o  The "x5c" field set to the certificate chain, as per section 3.7
>      of [JOSE-JWK].
> 
> I suggest making x5t, the thumbprint/fingerprint, a MUST to reduce the minimum possible code paths to implement this draft, considering not all TLS APIs provide access to the public key's modulus and exponent. In addition, verification using the thumbprint is independent of the type of key (RSA, ECC, …) that the certificate uses, which further eases implementation and straightens the codepath. I'd still allow (MAY) inclusion of x5c, for debugging purposes though.
> 
> Cheers,
> Tobi
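
The thumbprint-only check discussed in this thread, as an added example that is not part of the original messages or of the draft: it hashes the DER bytes the TLS stack hands over and compares them with each JWK's "x5t" (base64url of the SHA-1 digest, per JOSE), never touching modulus, exponent or curve parameters. The `{"keys": [...]}` JWK Set layout, the function names and the sample byte strings standing in for DER certificates are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import json


def x5t_of(der_cert: bytes) -> str:
    """JOSE "x5t": base64url(SHA-1(DER certificate)), padding stripped."""
    digest = hashlib.sha1(der_cert).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def _decode_x5t(value):
    """Return the 20 raw digest bytes, or None if the field is malformed."""
    if not isinstance(value, str):
        return None
    try:
        raw = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw if len(raw) == 20 else None


def cert_matches_posh(der_cert: bytes, posh_json: str) -> bool:
    """True if the presented certificate's thumbprint is listed in any JWK."""
    presented = hashlib.sha1(der_cert).digest()
    try:
        keys = json.loads(posh_json).get("keys", [])
    except (ValueError, AttributeError):
        return False
    if not isinstance(keys, list):
        return False
    matched = False
    for jwk in keys:
        expected = _decode_x5t(jwk.get("x5t")) if isinstance(jwk, dict) else None
        # Same comparison whatever "kty" says; "x5c", if present, is ignored.
        if expected is not None and hmac.compare_digest(presented, expected):
            matched = True
    return matched


# Constructed sample data: arbitrary bytes stand in for two DER certificates.
SAMPLE_RSA_CERT = b"constructed bytes standing in for an RSA certificate"
SAMPLE_EC_CERT = b"constructed bytes standing in for an ECC certificate"
SAMPLE_POSH = json.dumps({"keys": [
    {"kty": "RSA", "x5t": x5t_of(SAMPLE_RSA_CERT)},
    {"kty": "EC", "x5t": x5t_of(SAMPLE_EC_CERT)},
]})
```
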