Re: [lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-01

Michael Jenkins <m.jenkins.364706@gmail.com> Sat, 22 October 2022 15:33 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/5xeyFctkOdu9vZDRmuy6WnebFJI>

If there are no technical showstoppers, I don't understand the objection.

Mike and John have a well defined scheme, for which they have prototypes
and apparent customers. So that will exist.

On the other hand, singleton certificates will also exist. The US DoD will
have oceans of them. So will companies with limited resources that will
balk at the idea of being sold something they already have bolted to
something there's apparently lack of confidence in. Singleton certificates
will exist irrespective of our draft; we are not creating a necessary
precondition.

All our draft does is provide an indication of assurance that one
certificate is related to another. The specific relation is that the entity
controlling the private key in one certificate also controls the private
key in another. Those certificates exist separately. The relative context
of those certificates (validity period, etc) would have to be part of a
transition plan.

If you don't like the mechanism, if you don't understand it, if it doesn't
fit with your transition scheme, you don't have to implement it, or buy it.
If you encounter it, you can ignore it. On the other hand, if it fits with
your transition scheme, it can add some assurance. This is explained in the
overview of the draft.

Mike Jenkins
NSA-CCSS

On Wed, Oct 19, 2022 at 11:03 PM Kampanakis, Panos <kpanos=40amazon.com@dmarc.ietf.org> wrote:

> Hey Russ,
> I have not been convinced either. My details for the operational
> challenges this draft would bring still remain. Willing to hear more
> counter-arguments from Rebecca and Mike to address the concerns or discuss
> it further.
>
>
> -----Original Message-----
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
> Sent: Wednesday, October 19, 2022 3:47 PM
> To: LAMPS <spasm@ietf.org>
> Subject: RE: [EXTERNAL][lamps] Call for adoption of
> draft-becker-guthrie-cert-binding-for-multi-auth-01
>
> CAUTION: This email originated from outside of the organization. Do not
> click links or open attachments unless you can confirm the sender and know
> the content is safe.
>
>
>
> Several people spoke for adoption, and several people spoke against
> adoption.  The I-D authors responded with a response to the concerns that
> were raised, and no one has responded to the authors.  I would like to hear
> from the people that spoke against adoption.  Are you swayed by the
> discussion that has taken place?
>
> Russ
>
>
> > On Sep 15, 2022, at 11:44 AM, Russ Housley <housley@vigilsec.com> wrote:
> >
> > There has been some discussion of
> https://datatracker.ietf.org/doc/draft-becker-guthrie-cert-binding-for-multi-auth/.
> During the discussion at IETF 114, we agreed to have a call for adoption of
> this document.
> >
> > Should the LAMPS WG adopt “Related Certificates for Use in Multiple
> Authentications within a Protocol”
> in draft-becker-guthrie-cert-binding-for-multi-auth-01?
> >
> > Please reply to this message by Friday, 30 September 2022 to voice your
> support or opposition to adoption.
> >
> > On behalf of the LAMPS WG Chairs,
> > Russ
> >
>
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm
>


-- 
Mike Jenkins
mjjenki@cyber.nsa.gov <mjjenki@tycho.ncsc.mil>
443-598-7837
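The "indication of assurance" Mike describes, that the entity holding the private key of one certificate also holds the private key of another, as an added illustration that is not part of this thread or of the draft's own specification: a constructed dual-signature binding in Go, where the holder signs both certificate hashes with both private keys and a relying party checks that the binding names exactly the certificates it was handed and that each certificate's key produced a signature. The Binding type, the signed message format and the Ed25519 self-signed demo certificates are all assumptions made for this example; it shows the idea, not the draft's encoding.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Binding is a constructed stand-in for a "related certificate" assertion: the
// holder signs both certificate hashes with BOTH private keys. Not the draft's encoding.
type Binding struct {
	HashA, HashB [32]byte // SHA-256 of each DER-encoded certificate
	SigA, SigB   []byte   // Ed25519 signatures over HashA || HashB
}
// selfSignedCert makes a minimal Ed25519 self-signed certificate for the demo.
func selfSignedCert(cn string) (ed25519.PrivateKey, []byte, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return priv, der, err
}
// MakeBinding is the holder side: the same message is signed under each key.
func MakeBinding(certA, certB []byte, keyA, keyB ed25519.PrivateKey) *Binding {
	b := &Binding{HashA: sha256.Sum256(certA), HashB: sha256.Sum256(certB)}
	msg := append(b.HashA[:], b.HashB[:]...)
	b.SigA, b.SigB = ed25519.Sign(keyA, msg), ed25519.Sign(keyB, msg)
	return b
}
// signedBy reports whether the Ed25519 key carried in the DER certificate signed msg.
func signedBy(der, msg, sig []byte) bool {
	c, err := x509.ParseCertificate(der)
	if err != nil {
		return false
	}
	pub, ok := c.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, msg, sig)
}
// VerifyBinding is the relying-party side: hashes must match the certificates
// presented, and each certificate's own key must have signed the binding.
func VerifyBinding(b *Binding, certA, certB []byte) bool {
	if b.HashA != sha256.Sum256(certA) || b.HashB != sha256.Sum256(certB) {
		return false // assertion was made about a different certificate pair
	}
	msg := append(b.HashA[:], b.HashB[:]...)
	return signedBy(certA, msg, b.SigA) && signedBy(certB, msg, b.SigB)
}
```

The hash check is what ties the assertion to these two certificates: without it, a binding produced for one pair could be presented next to an unrelated certificate, and a relying party would wrongly conclude the keys share a controller.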