Re: [Secdispatch] draft-leggett-spkac: Signed Public Key and Challenge
Dirk-Willem van Gulik <dirkx@webweaving.org> Thu, 10 November 2022 13:48 UTC
Return-Path: <dirkx@webweaving.org>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ECF01C1522A0 for <secdispatch@ietfa.amsl.com>; Thu, 10 Nov 2022 05:48:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.697
X-Spam-Level:
X-Spam-Status: No, score=-1.697 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_HELO_TEMPERROR=0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=webweaving.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Tgdrb5FC0QGl for <secdispatch@ietfa.amsl.com>; Thu, 10 Nov 2022 05:48:02 -0800 (PST)
Received: from weser.webweaving.org (weser.webweaving.org [148.251.234.232]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7236BC14CE20 for <secdispatch@ietf.org>; Thu, 10 Nov 2022 05:47:57 -0800 (PST)
Received: from smtpclient.apple (83-87-209-247.cable.dynamic.v4.ziggo.nl [83.87.209.247]) (authenticated bits=0) by weser.webweaving.org (8.17.1/8.17.1) with ESMTPSA id 2AADgDTe023588 (version=TLSv1.2 cipher=ECDHE-ECDSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 10 Nov 2022 14:42:17 +0100 (CET) (envelope-from dirkx@webweaving.org)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=webweaving.org; s=shared; t=1668087740; bh=BIE7z9j0TYf6usli1cN0rrN+nQEVDNG/GRZ4fc+hzjo=; h=From:Subject:Date:In-Reply-To:Cc:To:References; b=jvNywgqmowufIku8rWK2Csjug+KA8xhUF4PAB4DI9e/B/gtU08iPYwyRjOXk5Wpah lNC94qTa+/LZLws1Pp2tbnTEPqgZZyQUToM3sMhOOO3EVqOMIqGMixyvAGjP2but8P EUt1/hslAdWhd34Lcx2d8n/3WSydkfcn3ce9toKM=
X-Authentication-Warning: weser.webweaving.org: Host 83-87-209-247.cable.dynamic.v4.ziggo.nl [83.87.209.247] claimed to be smtpclient.apple
From: Dirk-Willem van Gulik <dirkx@webweaving.org>
Message-Id: <D948A5CC-3356-436A-925A-8F333BB11440@webweaving.org>
Content-Type: multipart/alternative; boundary="Apple-Mail=_E9D46BDE-750B-4279-9B44-F44A9681B609"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
Date: Thu, 10 Nov 2022 14:42:09 +0100
In-Reply-To: <B1A55C38-2712-453C-99B1-883E1F2BB0A7@sharp.fm>
Cc: Roman Danyliw <rdd@cert.org>, "kaduk@mit.edu" <kaduk@mit.edu>, "secdispatch@ietf.org" <secdispatch@ietf.org>
To: Graham Leggett <minfrin@sharp.fm>
References: <77101A6A-7D9C-4817-B16D-70505FA10C6D@sharp.fm> <BN2P110MB11076DA8E19230F38F1875AEDC019@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM> <B1A55C38-2712-453C-99B1-883E1F2BB0A7@sharp.fm>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.6.4 (weser.webweaving.org [148.251.234.232]); Thu, 10 Nov 2022 14:42:20 +0100 (CET)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/w1yKv1hGZdGWJEOukAmrMa8e--E>
Subject: Re: [Secdispatch] draft-leggett-spkac: Signed Public Key and Challenge
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Nov 2022 13:48:13 -0000
On 10 Nov 2022, at 13:39, Graham Leggett <minfrin@sharp.fm> wrote: > On 10 Nov 2022, at 10:51, Roman Danyliw <rdd@cert.org> wrote: > >> Thanks for bringing this work for consideration into the IETF. >> >> Section 1.2 says: >> >> The purpose of >> this RFC is to document the existing use of the protocol, address >> security implementation weaknesses in common implementations, and >> formalise the protocol into a standard. >> >> Could you roughly annotate or explain which parts of the document are (a) documenting the "existing use of the protocol"; and (b) "addressing the security ... weaknesses." Per (a), would implementations all agree on the definition of terms/ASN.1 in Section 2 and 3, or are changes/improvements made here per goal (b)? Is (b) primarily addressed by Section 6 where there is guidance on how to use SPKAC? > > The a) above is worded badly, it means “how the protocol works right now in existing code” Lets reword this perhaps as The purpose of this RFC is to document 1) the existing, use of the protocol; as implemented by various webbrowsers and the serverside component. And 2) to formalise the protocol as historically known to be interoperable into a standard. Finally this document will also discuss some of the security shortcomings; such as its mandated use of MD5. > All implementations agree on the definition of terms/ASN.1 (I am not aware of any that don’t, implementations of this code approach 30 years old and I would expect any interop problems to have been ironed out by now). No changes are proposed. > This standard is very well contained when Netscape designed it, the title “signed public key and challenge” describes the whole thing, the combination of a public key and a challenge exist, and are signed, that’s it. > > With a proper IETF definition, this message format can be used as a building block by other specs. > > One thing I want to be careful of is drawing too much of the history into this spec. We’re defining the messaging format only at this point. Happy to receive guidance on whether we need more history or if this is good enough. Correct - e’re defining the messaging format as * historically used & known to be highly interoperable between webbrowsers * only at this point. Lets stay well away from modernising this :) Dw.
- [Secdispatch] draft-leggett-spkac: Signed Public … Graham Leggett
- Re: [Secdispatch] draft-leggett-spkac: Signed Pub… Russ Housley
- Re: [Secdispatch] draft-leggett-spkac: Signed Pub… Rifaat Shekh-Yusef
- Re: [Secdispatch] draft-leggett-spkac: Signed Pub… Michael Richardson
- Re: [Secdispatch] draft-leggett-spkac: Signed Pub… Salz, Rich
- Re: [Secdispatch] [EXTERNAL] Re: draft-leggett-sp… Mike Ounsworth
- Re: [Secdispatch] draft-leggett-spkac: Signed Pub… Graham Leggett
- Re: [Secdispatch] draft-leggett-spkac: Signed Pub… Michael Richardson
- Re: [Secdispatch] draft-leggett-spkac: Signed Pub… Graham Leggett
- Re: [Secdispatch] draft-leggett-spkac: Signed Pub… Roman Danyliw
- Re: [Secdispatch] draft-leggett-spkac: Signed Pub… Graham Leggett
- Re: [Secdispatch] draft-leggett-spkac: Signed Pub… Dirk-Willem van Gulik
- Re: [Secdispatch] draft-leggett-spkac: Signed Pub… Daniel Kahn Gillmor
- Re: [Secdispatch] draft-leggett-spkac: Signed Pub… Eric Rescorla
- Re: [Secdispatch] draft-leggett-spkac: Signed Pub… Dirk-Willem van Gulik
- Re: [Secdispatch] draft-leggett-spkac: Signed Pub… Daniel Kahn Gillmor
- Re: [Secdispatch] draft-leggett-spkac: Signed Pub… Dirk-Willem van Gulik
- Re: [Secdispatch] draft-leggett-spkac: Signed Pub… Russ Housley
- Re: [Secdispatch] draft-leggett-spkac: Signed Pub… Graham Leggett
- Re: [Secdispatch] draft-leggett-spkac: Signed Pub… Russ Housley