Re: [Secdispatch] Marking SPKAC as Historic

Graham Leggett <minfrin@sharp.fm> Wed, 16 November 2022 16:30 UTC

To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
Cc: Graham Leggett <minfrin=40sharp.fm@dmarc.ietf.org>, secdispatch@ietf.org, Roman Danyliw <rdd@cert.org>
Date: Wed, 16 Nov 2022 18:29:52 +0200
In-Reply-To: <CAHbrMsBq4TgDRBT_qBF74V-akVZhLCK=aVXtVH6gdu18tYuWmg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/BnZwuHpUC03IHztKbDQGAacRi9U>

On 11 Nov 2022, at 18:05, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org> wrote:

> I am not finding any other reasons in the archives for not recommending this today.
> 
> I think this is backward.  My questions are:
> * Is SPKAC in active use today, in systems where it cannot reasonably be replaced?

Yes. There are projects that maintain forks of the major browsers with removed functionality intact. Obviously this is unsustainable in the long run. In terms of library support, the functionality remains and is still used.

To date, no replacement was ever created.

> * Do we believe SPKAC is better than the current practice, in systems where it is not used today?

Yes, by a mile. Current practice is no security at all. A certificate authority generates a key pair (and therefore possesses the private key) and passes that key pair pre-compromised in a PKCS12 file, which is installed into the OS.

This is terrible.

Regards,
Graham
—
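The distinction Graham draws above, between a CA that hands out a key pair it has itself generated and a client that generates its own key and proves possession of it, is easy to see in code. What follows is an added example, not code from this message, from any browser, or from any SPKAC implementation: a minimal client/CA exchange in Go using only the standard library. The ASN.1 layout mirrors the Netscape PublicKeyAndChallenge / SignedPublicKeyAndChallenge structure that the old `<keygen>` element produced (assumed here from that documented layout, restricted to ECDSA P-256 with SHA-256); the challenge string and all function names are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
)

// ecdsa-with-SHA256 (RFC 5758); the only signature algorithm this example accepts.
var oidECDSAWithSHA256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 2}

// PublicKeyAndChallenge: the client's public key plus a CA-supplied challenge.
// SignedPublicKeyAndChallenge: the same, signed with the matching private key,
// which is what proves the client actually holds that key.
type publicKeyAndChallenge struct {
	SPKI      asn1.RawValue // SubjectPublicKeyInfo, kept as raw DER
	Challenge string        `asn1:"ia5"`
}

type signedPublicKeyAndChallenge struct {
	PKAC      publicKeyAndChallenge
	SigAlg    pkix.AlgorithmIdentifier
	Signature asn1.BitString
}

// newClientKey runs on the enrolling machine. The private key is created here
// and never leaves it; this is the property the PKCS#12-from-the-CA flow lacks.
func newClientKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// clientCreateSPKAC builds the signed structure the client sends to the CA.
func clientCreateSPKAC(priv *ecdsa.PrivateKey, challenge string) ([]byte, error) {
	spki, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	pkac := publicKeyAndChallenge{SPKI: asn1.RawValue{FullBytes: spki}, Challenge: challenge}
	tbs, err := asn1.Marshal(pkac) // the bytes that get signed
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(tbs)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return asn1.Marshal(signedPublicKeyAndChallenge{
		PKAC:      pkac,
		SigAlg:    pkix.AlgorithmIdentifier{Algorithm: oidECDSAWithSHA256},
		Signature: asn1.BitString{Bytes: sig, BitLength: len(sig) * 8},
	})
}

// caVerifySPKAC runs at the CA. It checks that the challenge it issued came
// back unchanged (replay protection) and that the signature verifies under the
// submitted public key (proof of possession). Only a key that passes both
// checks is worth certifying; the CA never sees the private key.
func caVerifySPKAC(der []byte, expectedChallenge string) (*ecdsa.PublicKey, error) {
	var spkac signedPublicKeyAndChallenge
	rest, err := asn1.Unmarshal(der, &spkac)
	if err != nil {
		return nil, err
	}
	if len(rest) != 0 {
		return nil, errors.New("spkac: trailing data after structure")
	}
	if !spkac.SigAlg.Algorithm.Equal(oidECDSAWithSHA256) {
		return nil, errors.New("spkac: unsupported signature algorithm")
	}
	if spkac.PKAC.Challenge != expectedChallenge {
		return nil, errors.New("spkac: challenge mismatch (stale or replayed submission)")
	}
	pub, err := x509.ParsePKIXPublicKey(spkac.PKAC.SPKI.FullBytes)
	if err != nil {
		return nil, err
	}
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("spkac: submitted key is not an ECDSA key")
	}
	tbs, err := asn1.Marshal(spkac.PKAC) // re-encode exactly what the client signed
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(tbs)
	if !ecdsa.VerifyASN1(ecPub, digest[:], spkac.Signature.Bytes) {
		return nil, errors.New("spkac: proof-of-possession signature invalid")
	}
	return ecPub, nil
}

func main() {
	// Constructed challenge; a real CA issues a fresh random nonce per enrolment.
	challenge := "constructed-challenge-42"
	priv, err := newClientKey()
	if err != nil {
		panic(err)
	}
	spkac, err := clientCreateSPKAC(priv, challenge)
	if err != nil {
		panic(err)
	}
	pub, err := caVerifySPKAC(spkac, challenge)
	if err != nil {
		panic(err)
	}
	fmt.Printf("CA verified a %s key for certification; the private key never left the client\n",
		pub.Curve.Params().Name)
}
```

The two checks in `caVerifySPKAC` are the whole point: in the CA-generated PKCS#12 flow the message describes there is nothing to verify, because the party issuing the certificate already holds the private key, and every copy of that file is a second copy of the key. With client-side generation the CA can only ever certify a public key whose private half it has been shown proof of, and the challenge stops an old submission from being accepted again.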