Re: [lamps] [EXTERNAL] Re: Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-01

Mike Ounsworth <Mike.Ounsworth@entrust.com> Wed, 19 October 2022 20:58 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/5jynIejCBm_YuUDZGyvqyFnpPYY>

I am also not fully swayed.

I have no objection to the technical content, but my concerns are about implementation and adoption: I'm not convinced that binding certs to each other is going to scale nicely for production-size public CAs.

It would probably be helpful to see a sketch of the intended usage, i.e. the broader solution that this is intending to be part of. Are you intending to issue a new certificate that is bound to an existing certificate issued months or years ago, or are you only going to bind certificates that are issued together? Are you only binding certificates with the same DN / SANs but different crypto algs? If not, then what are the semantics of binding seemingly-unrelated certs? Can certs be bound even if they are issued by different CAs? (I assume yes, because your PQ and Traditional certs will come from different CAs, so does that open a can of worms about people trying to bind an Entrust and a Let's Encrypt cert?) Rebecca answered some of these in her reply, but it's still not totally clear to me what the PQ migration strategy looks like when using this cert binding extension.

It might also be helpful to hear from public CAs that are planning to implement this (which may or may not be Entrust; I don't speak for our product teams, but I can connect the authors with them for further discussion).

---
Mike Ounsworth

-----Original Message-----
From: Spasm <spasm-bounces@ietf.org> On Behalf Of Stephen Farrell
Sent: October 19, 2022 3:16 PM
To: Russ Housley <housley@vigilsec.com>; LAMPS <spasm@ietf.org>
Subject: [EXTERNAL] Re: [lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-01



On 19/10/2022 20:47, Russ Housley wrote:
> Several people spoke for adoption, and several people spoke against
> adoption.  The I-D authors responded with a response to the concerns
> that were raise, and no one has responded to the authors.  I would
> like to hear from the people that spoke against adoption.  Are you
> swayed by the discussion that has taken place?

For me: No. It might be easier to discuss at IETF-115 though but I've no idea if the agenda allows time for a discussion of non-wg items.

Cheers,
S.

>
> Russ
>
>
>> On Sep 15, 2022, at 11:44 AM, Russ Housley <housley@vigilsec.com>
>> wrote:
>>
>> There has been some discussion of
>> https://datatracker.ietf.org/doc/draft-becker-guthrie-cert-binding-for-multi-auth/.
>> During the discussion at IETF 114, we agree to have a call for
>> adoption of this document.
>>
>> Should the LAMPS WG adopt “Related Certificates for Use in Multiple
>> Authentications within a Protocol”
>> in draft-becker-guthrie-cert-binding-for-multi-auth-01?
>>
>> Please reply to this message by Friday, 30 September 2022 to voice
>> your support or opposition to adoption.
>>
>> On behalf of the LAMPS WG Chairs, Russ
>>
>