Re: [POSH] Fwd: I-D Action: draft-miller-posh-01.txt
Tobias Markmann <tmarkmann@googlemail.com> Mon, 09 September 2013 21:54 UTC
Return-Path: <tmarkmann@googlemail.com>
X-Original-To: posh@ietfa.amsl.com
Delivered-To: posh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 826BB21E809A for <posh@ietfa.amsl.com>; Mon, 9 Sep 2013 14:54:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.976
X-Spam-Level:
X-Spam-Status: No, score=-1.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ymCpCQgVVkMy for <posh@ietfa.amsl.com>; Mon, 9 Sep 2013 14:54:21 -0700 (PDT)
Received: from mail-ea0-x22f.google.com (mail-ea0-x22f.google.com [IPv6:2a00:1450:4013:c01::22f]) by ietfa.amsl.com (Postfix) with ESMTP id 7852D11E8102 for <posh@ietf.org>; Mon, 9 Sep 2013 14:54:17 -0700 (PDT)
Received: by mail-ea0-f175.google.com with SMTP id m14so3411936eaj.20 for <posh@ietf.org>; Mon, 09 Sep 2013 14:54:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20120113; h=content-type:mime-version:in-reply-to:references:subject:date :message-id:from:to:cc; bh=H6mCM7gkPCTHsvzuJR5r2J5zVClwNbvzkrJOrS8tstk=; b=vzReNCBm8NC+VSCtvQwCxXNbnnCtHBWld1+xDCvBAX/246fkLtR7mZAh8KhZYglXtj Wo++Ek8kNtWhEpsUa83V1G7b4guK9OrWT77ivfKzR7DX6xDRcjBsgvAb0uFYkMLFag1F UZPndAJ4BxTy1nXBveZW78UOoaLV5Txl/6USfHU1b9CVWWb4ahNZ3fLUR4w4DzTBHL3A z8YKG1vjI1BHuGxucnVhL+QIaeSsAtsDSbNtGIaMVvwMFqhlHfn2dKaFS40yj2GBNH/Y AaskZWYZWMT4MJDDEtUhOAFgdI7wCC9KbzDzMo3HahGOTVb5SKDeqo0+sflBRwAEFeYL 5umQ==
X-Received: by 10.14.113.137 with SMTP id a9mr33086648eeh.3.1378763656514; Mon, 09 Sep 2013 14:54:16 -0700 (PDT)
Received: from ruediger.fritz.box (port-20237.pppoe.wtnet.de. [46.59.140.178]) by mx.google.com with ESMTPSA id p5sm25380878eeg.5.1969.12.31.16.00.00 (version=TLSv1.1 cipher=RC4-SHA bits=128/128); Mon, 09 Sep 2013 14:54:16 -0700 (PDT)
Content-Type: multipart/alternative; boundary="===============0223118658=="
MIME-Version: 1.0
In-Reply-To: <BF7E36B9C495A6468E8EC573603ED9411EEF0966@xmb-aln-x11.cisco.com>
References: <20130906221429.28168.74635.idtracker@ietfa.amsl.com> <BF7E36B9C495A6468E8EC573603ED9411EEF0966@xmb-aln-x11.cisco.com>
X-Mailer: Inky (TM) v1.0.51DD.C559 ("Epoch")
Date: Mon, 09 Sep 2013 21:54:15 -0000
Message-Id: <BXjoBrNAVf0RUm7aeEneuOrDeilOdDr46RJxBKrIrAEgG5pLI@smtp.gmail.com>
From: Tobias Markmann <tmarkmann@googlemail.com>
To: "Matt Miller (mamille2)" <mamille2@cisco.com>
Cc: "<posh@ietf.org>" <posh@ietf.org>
Subject: Re: [POSH] Fwd: I-D Action: draft-miller-posh-01.txt
X-BeenThere: posh@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion about PKIX Over Secure HTTP <posh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/posh>, <mailto:posh-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/posh>
List-Post: <mailto:posh@ietf.org>
List-Help: <mailto:posh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/posh>, <mailto:posh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Sep 2013 21:54:21 -0000
Hi, Matt Miller (mamille2) wrote: FYI, the latest draft incorporates just about all of the feedback we received as a result of the BoF, minus ASCII art; we'll see about that for the next version! - m&m Matt Miller < mamille2@cisco.com > Cisco Systems, Inc. here some feedback based on an initial read of the changes. Section 4.1 Additionally, each JWK object MUST possess at least one of the following: o The "x5t" field set to the certificate thumbprint, as per <a href="http://tools.ietf.org/html/draft-miller-posh-01#section-3.6">section: ] <a href="http://tools.ietf.org/html/draft-miller-posh-01#section-3.6">3.6: ] of [<a href="http://tools.ietf.org/html/draft-miller-posh-01#ref-JOSE-JWK">JOSE-JWK: ]]. o The "x5c" field set to the certificate chain, as per section 3.7 of [<a href="http://tools.ietf.org/html/draft-miller-posh-01#ref-JOSE-JWK">JOSE-JWK: ]]. <div class="message-gap"> <p style="margin: 0px; padding: 0px; "> <div class="message-signature" id="signature_1378760946803-1670277853" name="signature_1378760946803-1670277853"> I suggest making x5t, the thumbprint/fingerprint, a MUST to reduce the mimimum possible code paths to implement this draft, considering not all TLS API provide access to the public key's modulus and exponent. In addition, verification using the thumbprint is independent of the type of key (RSA, ECC, …) that the certficate uses, which further eases implementation and straightens the codepath. I'd still allow (MAY) inclusion of x5c, for debugging purposes though. <div class="message-signature" name="signature_1378760946803-1670277853"> <div class="message-signature" name="signature_1378760946803-1670277853"> Cheers, <div class="message-signature" name="signature_1378760946803-1670277853"> Tobi
- [POSH] Fwd: I-D Action: draft-miller-posh-01.txt Matt Miller (mamille2)
- Re: [POSH] Fwd: I-D Action: draft-miller-posh-01.… Tobias Markmann
- Re: [POSH] I-D Action: draft-miller-posh-01.txt Matt Miller (mamille2)
- Re: [POSH] I-D Action: draft-miller-posh-01.txt Peter Saint-Andre
- Re: [POSH] Fwd: I-D Action: draft-miller-posh-01.… Alexey Melnikov
- Re: [POSH] Fwd: I-D Action: draft-miller-posh-01.… Matt Miller (mamille2)
- Re: [POSH] Fwd: I-D Action: draft-miller-posh-01.… Peter Saint-Andre