Re: [lamps] New drafts available - non-composite hybrid authentication, and binding certs

"aebecke@uwe.nsa.gov" <aebecke@uwe.nsa.gov> Thu, 24 March 2022 13:18 UTC

From: "aebecke@uwe.nsa.gov" <aebecke@uwe.nsa.gov>
To: Ryan Sleevi <ryan-ietf@sleevi.com>
CC: "spasm@ietf.org" <spasm@ietf.org>
Date: Thu, 24 Mar 2022 13:18:44 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/4Sk2iuc18YtPaRu-mHkkIKaahuU>

Hi Ryan!

Thank you for taking the time to review and comment!
A few thoughts on your comments:

IssuerAndSerialNumber was chosen because it was small (< 1KB) and we figured it was something an endpoint would already know how to construct. A hash of the entire certificate would also work, and is something an endpoint would also already know how to do.

Regarding the example you described, perhaps we need more clarity on the issue you have raised! The extension merely provides a hint to the peer that a certificate listed in the extension is owned by the same entity that provided the cert. A peer using non-composite hybrid auth provides two certificates for use in authentication, and if one includes the BoundCertificates extension, the protocol should check that it appropriately names the other cert provided; however, both certificates would still go through the normal validation process before communication is considered authenticated.

There is no presumption that all certificates are issued within the same PKI. There is a presumption that the endpoint will not accept certificates that it doesn't have a trust anchor for. This mechanism probably doesn't work well for endpoints with a liberal trust anchor inclusion policy.

Concerning renewal, each certificate is valid on its own. The newer certificate would only need renewal on the expiration of the older certificate if a relying party still needed what that older certificate represented. The extension is just a hint to the relying party that some care has been taken during issuance that the new cert is being issued to the same entity as the old cert. It is no stronger a hint than any PKI the relying party dares to trust.

The goal of this draft is to aid in multiple authentication (particularly for PQ migration) by ensuring that all certificates provided by a peer for authentication purposes are in fact owned by the same entity.

Appreciate the feedback!
-Alie
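The two reference forms debated above (Ryan's IssuerAndSerialNumber ambiguity example with CAs A and B both named "Subject Foo", and Alie's remark that a hash of the entire certificate would also work) can be made concrete. The following is an added example and is not code from the drafts or from either author. It uses a minimal hand-written DER encoder and a simplified toy certificate layout (not real X.509); the names `Cert`, `bound_refs`, `issuer_and_serial`, `cert_hash` and `bound_names`, and all key bytes, are constructed for this illustration. It builds two certificates with identical issuer name and serial but different keys, and shows that an IssuerAndSerialNumber reference names both while a whole-certificate hash names only the intended one.

```python
"""Added example, not code from the drafts or from either author. It contrasts
the two ways of naming a bound certificate discussed above: an
IssuerAndSerialNumber reference versus a hash of the whole certificate.
The certificate layout below is a simplified stand-in built with a minimal
hand-written DER encoder, not real X.509; keys are constructed placeholders."""
import hashlib
from dataclasses import dataclass

# ---- minimal DER helpers (only the tags this example needs) ----
def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form at or above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def der_sequence(*items: bytes) -> bytes:
    return der_tlv(0x30, b"".join(items))

def der_set(*items: bytes) -> bytes:
    return der_tlv(0x31, b"".join(items))

def der_integer(v: int) -> bytes:
    """Non-negative INTEGER in minimal two's-complement form."""
    return der_tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def der_utf8(s: str) -> bytes:
    return der_tlv(0x0C, s.encode("utf-8"))

OID_COMMON_NAME = bytes.fromhex("0603550403")  # id-at-commonName (2.5.4.3)

def name_cn(cn: str) -> bytes:
    """A one-RDN X.501 Name: SEQUENCE { SET { SEQUENCE { OID, UTF8String } } }."""
    return der_sequence(der_set(der_sequence(OID_COMMON_NAME, der_utf8(cn))))

@dataclass(frozen=True)
class Cert:
    """Toy certificate; bound_refs plays the role of the BoundCertificates extension."""
    issuer: str
    serial: int
    subject: str
    spki: bytes                 # constructed placeholder for the public key
    bound_refs: tuple = ()      # encoded references to other certificates

    def der(self) -> bytes:
        refs = der_sequence(*(der_tlv(0x04, r) for r in self.bound_refs))
        return der_sequence(name_cn(self.issuer), der_integer(self.serial),
                            name_cn(self.subject), der_tlv(0x04, self.spki), refs)

def issuer_and_serial(cert: Cert) -> bytes:
    """IssuerAndSerialNumber ::= SEQUENCE { issuer Name, serialNumber INTEGER } (RFC 5652 shape)."""
    return der_sequence(name_cn(cert.issuer), der_integer(cert.serial))

def cert_hash(cert: Cert) -> bytes:
    """SHA-256 over the whole encoded certificate: the 'stronger binding' alternative."""
    return hashlib.sha256(cert.der()).digest()

def bound_names(bound: Cert, candidate: Cert, ref) -> bool:
    """Does the bound certificate's extension name the candidate, under reference scheme ref?"""
    return ref(candidate) in bound.bound_refs

def demo() -> dict:
    # Two distinct CAs whose encoded issuer names collide ("CN=Subject Foo") but whose
    # keys differ, and which each issued serial 1. Only the first is the intended target.
    legit = Cert("Subject Foo", 1, "Entity C", spki=b"legit-classical-key")
    rogue = Cert("Subject Foo", 1, "Entity C", spki=b"other-ca-key")
    # Entity C's second (e.g. PQ) certificate, binding back to legit in two different ways.
    by_ias = Cert("Subject Foo", 2, "Entity C", b"pq-key", (issuer_and_serial(legit),))
    by_hash = Cert("Subject Foo", 2, "Entity C", b"pq-key", (cert_hash(legit),))
    return {
        "ias_names_legit": bound_names(by_ias, legit, issuer_and_serial),   # True
        "ias_names_rogue": bound_names(by_ias, rogue, issuer_and_serial),   # True: ambiguous
        "hash_names_legit": bound_names(by_hash, legit, cert_hash),         # True
        "hash_names_rogue": bound_names(by_hash, rogue, cert_hash),         # False
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The toy does not model signature checking, so the hash is the only thing that disambiguates the two certificates here; in a real relying party, as Alie notes, both certificates still go through normal path validation, and it is the trust-anchor check on each chain, not the extension, that rejects a certificate from a CA the endpoint does not trust. The extension reference is a hint about common ownership layered on top of that validation, and a whole-certificate hash keeps that hint unambiguous even where encoded issuer names are not.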
________________________________
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Sent: Tuesday, March 22, 2022 7:11 PM
To: Alison Becker (GOV) <aebecke@uwe.nsa.gov>
Cc: spasm@ietf.org <spasm@ietf.org>
Subject: Re: [lamps] New drafts available - non-composite hybrid authentication, and binding certs

Could you explain the rationale a bit more for the IssuerAndSerialNumber construction?

It won't necessarily unambiguously identify a certificate, in the absence of a global directory. Within a multi-stakeholder PKI (like those deployed on the Internet today), it's possible for two distinct entities to have the same encoded issuer value, but be in possession of distinct keys. The path algorithms involved in X.509 and PKIX are able to resolve this (by virtue of signature checking to resolve which issuing CA), which also applies to OCSP responses, but it seems like it wouldn't apply here. Broadly, the assumption of X.509v3 that Issuer and Serial Number would be globally unique and unambiguous didn't hold, as previous communications in the IETF with the ITU revealed [1][2][3], and Distinguished Names aren't, well, Distinguished. Is there reason not to use a stronger binding (e.g. the hash of the certificate being referenced)?

If two certificates, A and B, both identify the same Subject ("Subject Foo"), but with different keys and numbering schemes, it seems that if a bound certificate was issued to entity C, with IssuerAndSerial of "Subject Foo":1 (referring to A), that B could issue a malicious certificate bearing that same serial number, and have it be accepted as legitimate for C.

That said, I do feel I must be missing an important use case, because I'm not fully sure I see the utility in this. Is it fair to say that the assumption is that both certificates (the original and the bound certificate) are participants in the same PKI hierarchy and same set of PKI policies? If they weren't, it seems like the issuance of the BoundCertificate may introduce operational considerations for the renewal/replacement of the target/original certificate, in that replacement of the original would necessitate issuing a new bound certificate. Wouldn't that unintentionally affect the security considerations/agility of the target/original certificate, in unanticipated and perhaps harmful ways? Minimally, it seems such chains of binding would have to be ordered from "slowest to fastest to replace", to mitigate, and that seems like a relevant security consideration.

[1] https://www.ietf.org/proceedings/70/minutes/pkix.htm
[2] https://www.ietf.org/proceedings/70/slides/pkix-4.pdf
[3] https://datatracker.ietf.org/liaison/375/

On Tue, Mar 22, 2022 at 2:16 PM aebecke@uwe.nsa.gov <aebecke=40uwe.nsa.gov@dmarc.ietf.org> wrote:
Hi LAMPS,

  Two new drafts related to PQ migration are available here (note: these drafts are an update to the talk we gave at IETF112 in November): https://datatracker.ietf.org/doc/draft-becker-guthrie-cert-binding-for-multi-auth/ and https://datatracker.ietf.org/doc/draft-becker-guthrie-noncomposite-hybrid-auth/


The noncomposite-hybrid-auth-00 draft is an informational draft that gives a general overview of hybrid authentication, and details the solution space of what we are calling non-composite type hybrid solutions for authentication.

The cert-binding-for-multi-auth-00 draft defines a new CSR attribute, bindingRequest, and a new X.509 certificate extension, BoundCertificates, which together provide additional assurance that multiple certificates (used in non-composite hybrid authentication) each belong to the same end entity.

  Please feel free to provide any comments and feedback!

  Regards,
  Alie Becker + coauthors Rebecca Guthrie, Mike Jenkins

  ----
  Alison Becker, PhD
  Center for Cybersecurity Standards
  National Security Agency