[POSH] BoF Charter Proposal -00
"Matt Miller (mamille2)" <mamille2@cisco.com> Wed, 05 June 2013 21:01 UTC
Here is the charter proposal Peter and I submitted. Any feedback would be greatly appreciated!

- m&m

Matt Miller <mamille2@cisco.com>
Cisco Systems, Inc.

-----BEGIN CHARTER PROPOSAL-----

Charter Proposal: PKIX Over Secure HTTP (POSH)

Problem Statement

Channel encryption with TLS depends on proper checking of the server's identity, as specified in RFC 2818 or RFC 6125 for PKIX certificates. However, in multi-tenanted environments it is effectively impossible for a hosting service to offer the correct certificates on behalf of a hosted domain, since neither party wants the hosting service to hold the hosted domain's private keys. As a result, typically the hosting service offers its own certificate (say, for hosting.example.net), which means that TLS clients and peer servers need to "just know" that the hosted domain (say, foo.example.com) is hosted at the service. This situation is clearly insecure.

The use of DNSSEC and DANE has the potential to solve the problem, but that potential is most likely many years from being fully realized. Hosting services and hosted domains need a method that can be deployed more quickly to overcome the lack of secure delegation on the Internet today.

For a more detailed description of the problem from the perspective of a particular application protocol (XMPP), see draft-ietf-xmpp-dna.

Proposed Solution

POSH (PKIX Over Secure HTTP) provides a way to solve the problem, involving two interconnected aspects:

1. TLS clients and peer servers retrieve the material to be used in checking the TLS server's identity by requesting it from a well-known HTTPS URI, where the response contains one or more certificates formatted as a JSON Web Key set defined within the JOSE WG.

2. If a hosted domain securely delegates an application to a hosting service, it redirects requests for the well-known HTTPS URI to an HTTPS URI at the hosting service.

For a more detailed description of the proposed solution (at least for XMPP), see draft-miller-xmpp-posh-prooftype.

Deliverables

The group would produce a specification for POSH, and might informally provide advice about how to use the POSH technique for particular application protocols. Any additional work would require a recharter.

Milestones

To be determined.

-----END CHARTER PROPOSAL-----
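The two aspects of the proposed solution, as an added illustration that is not part of the charter, draft-miller-xmpp-posh-prooftype, or any POSH implementation: a client-side check that follows a delegation redirect only when it stays on HTTPS, parses the JWK set, and compares the certificate presented in the TLS handshake against the certificates published for the hosted domain. The well-known path name is a placeholder, each certificate is assumed to travel in the JWK "x5c" member (base64 DER), and the "certificates" below are constructed byte strings rather than real X.509 data.

```python
import base64
import hashlib
import json
from urllib.parse import urlsplit

# Placeholder path: the charter does not fix the actual well-known name.
WELL_KNOWN_PATH = "/.well-known/posh-placeholder.json"


def well_known_uri(hosted_domain: str) -> str:
    """Build the HTTPS well-known URI a client would request for a hosted domain."""
    return f"https://{hosted_domain}{WELL_KNOWN_PATH}"


def redirect_allowed(location: str) -> bool:
    """Follow a delegation redirect only if it stays on HTTPS with a real host.

    A redirect to plain HTTP would let an on-path attacker substitute key material,
    which defeats the whole purpose of retrieving it over a secure channel."""
    parts = urlsplit(location)
    return parts.scheme == "https" and bool(parts.hostname)


def cert_fingerprints(jwks_text: str) -> set:
    """SHA-256 fingerprints of the leaf certificate (first x5c entry) of every key in the JWK set."""
    jwks = json.loads(jwks_text)
    fingerprints = set()
    for key in jwks.get("keys", []):
        chain = key.get("x5c", [])
        if chain:
            leaf_der = base64.b64decode(chain[0])
            fingerprints.add(hashlib.sha256(leaf_der).hexdigest())
    return fingerprints


def identity_matches(jwks_text: str, presented_der: bytes) -> bool:
    """True if the certificate presented in the TLS handshake is one the hosted domain published."""
    return hashlib.sha256(presented_der).hexdigest() in cert_fingerprints(jwks_text)


# Constructed sample data: stand-in bytes, not real DER certificates.
HOSTING_CERT = b"constructed-cert-for-hosting.example.net"
OTHER_CERT = b"constructed-cert-for-someone-else"
# "kty" is required by JWK; the value is only a placeholder here.
SAMPLE_JWKS = json.dumps(
    {"keys": [{"kty": "RSA", "x5c": [base64.b64encode(HOSTING_CERT).decode()]}]}
)
```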