IETF Logo Mail Archive

Re: [saag] IETF 93 Agenda Request - Key Discovery

Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 17 July 2015 03:26 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DADDC1A8764 for <saag@ietfa.amsl.com>; Thu, 16 Jul 2015 20:26:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2FMAkG1mKfRt for <saag@ietfa.amsl.com>; Thu, 16 Jul 2015 20:26:37 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F91F1A701C for <saag@ietf.org>; Thu, 16 Jul 2015 20:26:37 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 6AD46284D68; Fri, 17 Jul 2015 03:26:35 +0000 (UTC)
Date: Fri, 17 Jul 2015 03:26:35 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: saag@ietf.org
Message-ID: <20150717032635.GT28047@mournblade.imrryr.org>
References: <55A7F601.9040902@cisco.com> <20150716185728.GM28047@mournblade.imrryr.org> <CAMm+Lwjxj0viw99pJHFeETYALTbVcuXc5LAztwHqHgHzCouZFQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAMm+Lwjxj0viw99pJHFeETYALTbVcuXc5LAztwHqHgHzCouZFQ@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/fxJ6kG7YdyLFHhCg4SnP9ONpJ0U>
Subject: Re: [saag] IETF 93 Agenda Request - Key Discovery
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: saag@ietf.org
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jul 2015 03:26:39 -0000

On Thu, Jul 16, 2015 at 10:14:46PM -0400, Phillip Hallam-Baker wrote:

> Since DANE has now been around for what, four years without making much
> headway, I think we should be very clear in saying that the field is wide
> open to alternatives.

That was DANE for browsers, now we're starting to see uptake in
places where it makes more sense to start.  Plus TLS library support
for DANE is not there yet, so lack of uptake is not surprising.
This too will change.

> That said, as a CA, the last thing I ever want to see is a customer's
> private key. If it is not the liability that would kill me, I would have
> lawful access demands every hour of the day and night to handle. People
> have asked me to provide that type of service on numerous occasions. It
> isn't for lack of demand that it does not exist.

Well, the proposal is not quite to store the private key at the
CA, but it is to use the CAs to authenticate the server where the
private keys are stored to the user (an MiTMed user is likely to
disclose access tokens and compromise the private key).

> I do not use PKCS#12 in the mesh following my 'no new ASN.1' design goal.
> It is a seriously complex and poorly documented spec. I am using JOSE JWE
> instead. 

I did say PKCS#12 or similar, can't say I am exceptionally fond of
PKCS#12 either.  The similarity need neither be a requirement for
ASN.1, nor an exclusion.

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email