Re: [lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-01

Tomas Gustavsson <Tomas.Gustavsson@keyfactor.com> Mon, 24 October 2022 11:42 UTC

Return-Path: <Tomas.Gustavsson@keyfactor.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7911AC14F734 for <spasm@ietfa.amsl.com>; Mon, 24 Oct 2022 04:42:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.808
X-Spam-Level:
X-Spam-Status: No, score=-6.808 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=keyfactorinc.onmicrosoft.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kMky9O0agiT4 for <spasm@ietfa.amsl.com>; Mon, 24 Oct 2022 04:42:46 -0700 (PDT)
Received: from EUR02-AM0-obe.outbound.protection.outlook.com (mail-am0eur02on2131.outbound.protection.outlook.com [40.107.247.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C6F6C1524B1 for <spasm@ietf.org>; Mon, 24 Oct 2022 04:42:25 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=JHMUcWZhTUkhy1GC65+Lzo8sMLP0uBVkYtPVa8fKi5U6Ie8f9RN8OWow3MCSR8By/eNRn8AdWvZ11/JSU0cXwt1zm5jiDWmBwBQe041q87MpS/y6BzxOdXJ5LXgjpz9mZ+DTbn1QP3MLpiisDaL4nmDc27mJHXJe1VTKZN3ivzOnNon106SYl5dULvH1pyZQhkv0tz2/AHqU6jGiQa88nfTDdlm6BG6NosxxqY2K+hUsegzlGvODN0Q7LIR5ewizPQ5gqVuGeSw/GjW7CH24spOvj+ROw6dayc5dC7AJoSuhFshrCZpkI20l0SpyJtvlW/R2iq3Elz/l3dlWd4Nu1g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=GDZXLl0Y3nI2dt1oN+EaOqi6Y/xtEVCPlO9X52Zcx1s=; b=NQt9n0P2oFqFVlTrb9jpIC2gDPohxOzY8wdlk4Mng8+QWnpLjlaXRmL0aZD9J4E4DUswOmhWChx8GLVt9V8XeV1PsHLIiQDdCVMibOPEv+7sUf1d2wHZxRsB1ZgNBdlSh/w5v6RnjR/byQgCIbib5vl1SZOhrcjqWgOWijtMGfOmufvSOE8zQlShhDCd1BvLCBDi/1AqjuF3OhChZVjPj9gNxWLgGzW1GPogmdlEoqem/KP9PMpMPetm5QRb2CYs9jtUpnkB+e7KX4L3N6bz6V6UGW5D7vGSjWawWdYCe6SsOAPX5Fxa2N16UeEwHNTOsVD80ZLc+h2bS46yM0GcUw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=keyfactor.com; dmarc=pass action=none header.from=keyfactor.com; dkim=pass header.d=keyfactor.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=KeyfactorInc.onmicrosoft.com; s=selector1-KeyfactorInc-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=GDZXLl0Y3nI2dt1oN+EaOqi6Y/xtEVCPlO9X52Zcx1s=; b=UfuKC9vjgVR534hwktcAczJYRAfTuuSCzoF5k9r7le8hya8IWrydxHsOM16f/Jq4b/1fdaiLmEp/z9uB7CGEDEk5NdrrRfN2z/wTeALgNRr/magbVvGNayPrWuzDQhmEiBLPMzbuM4LRexN2BJz7slsuZlz5doYfWSWBlKUy+vA=
Received: from DU0PR03MB8696.eurprd03.prod.outlook.com (2603:10a6:10:3ef::5) by AS8PR03MB7112.eurprd03.prod.outlook.com (2603:10a6:20b:297::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5746.21; Mon, 24 Oct 2022 11:42:21 +0000
Received: from DU0PR03MB8696.eurprd03.prod.outlook.com ([fe80::4359:3a88:f9c8:8830]) by DU0PR03MB8696.eurprd03.prod.outlook.com ([fe80::4359:3a88:f9c8:8830%7]) with mapi id 15.20.5723.033; Mon, 24 Oct 2022 11:42:21 +0000
From: Tomas Gustavsson <Tomas.Gustavsson@keyfactor.com>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>, "Kampanakis, Panos" <kpanos=40amazon.com@dmarc.ietf.org>, Michael Jenkins <m.jenkins.364706@gmail.com>
CC: Russ Housley <housley@vigilsec.com>, LAMPS <spasm@ietf.org>
Thread-Topic: [lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-01
Thread-Index: AQHYyRoSekELXCL5hUGrRp6HIzhLwK4WVOqAgAB5z4CAA/ZGgIAAtQkAgAALHQCAAE1A2w==
Date: Mon, 24 Oct 2022 11:42:21 +0000
Message-ID: <DU0PR03MB8696CFE0F0BCBF2447A23D76862F9@DU0PR03MB8696.eurprd03.prod.outlook.com>
References: <PH0PR00MB10003EC6A096FE0A363BBFB9F5459@PH0PR00MB1000.namprd00.prod.outlook.com> <PH0PR00MB10002A7A2850A1333B4F6C00F54A9@PH0PR00MB1000.namprd00.prod.outlook.com> <35BEB1D9-7EA5-4CD4-BADA-88CCB0E9E8F9@vigilsec.com> <25D23241-1390-4F21-B84F-29D3629A3368@vigilsec.com> <4835bc312c5540a99a9f4b51665e2f75@amazon.com> <CAC2=hnf9k9cHXrFFXXApPRvF8hNUmwFsX5onYneo8eBVoDWV0Q@mail.gmail.com> <4027a47b3b05438b8c02069bac280555@amazon.com> <A9F70D16-145B-4D3E-92DF-9019A3D97803@ll.mit.edu>
In-Reply-To: <A9F70D16-145B-4D3E-92DF-9019A3D97803@ll.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=keyfactor.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: DU0PR03MB8696:EE_|AS8PR03MB7112:EE_
x-ms-office365-filtering-correlation-id: 8457fdb6-466d-4b24-ccc8-08dab5b4d002
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: RZ3bRkM85kTMIk1aeu41/Iu/YgwteHhDMpappDDyjwVDchJJm4ag3Yzigxvb2SY7sSD8khQKVf8WGLhLYtPuZcfv+bfB8kwI81Lf+bGH2+f+9sSHwfgUq8WKreSm/1EO4AJWF6BID1jW0BM0ZJSZ/XAfDdfASnmhmf21rt93ajomzv4PNmoEpVYv9XNa6TOEHY3v6iMwHHSuZlt1leT+g0jgiaGPyAQaA+6bbTfV67oM1kwTndSXt50fy9YvL3Gw8DqpidjrXEpKBU6pYQnu846HAHm+AtGwOzBylOXrm8ZMo5RMJJWiBSX3lRn1Eso1J176ZeIMCOmTwCG1h584bzYgpY0jcmUDufJC9lIAfTTTlvwps8E02zDs+Wc4eXl3V4xQxyXs+Xlb1Apb13GCEwfrmoL43R5kG0LunF6BlnZePYQiUYuzDIIBur70uqV0hTntorrmvXKHdxV/arUqtPO/TtK7Ww7OYWFRgvcZSvcNLPfORIX6mXqBibXxM91oNjDkX9WSoX+16yLHsP32TFYVIO7Pwv+XOaoSwhMBQ9esozomyFJrx0jyxM5pdN8mN5RZnKkezsNI3iay3Q3A+su6Qd/KxTzD9taneKvy6ybK9ZDP7fivbgqKM4Tc8PId/EOfJUFDp8XIB+PpIBH/s6+0SpP/PrNSlctedpGTmHBke4/mpx9H8fesWNiFkoWYNuOE2GwNakUCHBrd4wgtxxQF5dSd4M7Sb2yTwkxFC60tplUa5nZvyKPUxGdv7YennawR0YB/+gJzkRifes2SdRYSObb/0AUVC6lEcwpRyZ8=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DU0PR03MB8696.eurprd03.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230022)(4636009)(39840400004)(396003)(376002)(346002)(366004)(136003)(451199015)(966005)(71200400001)(86362001)(83380400001)(478600001)(19627405001)(64756008)(76116006)(91956017)(53546011)(66446008)(66946007)(66556008)(54906003)(110136005)(8676002)(4326008)(6506007)(7696005)(9686003)(52536014)(26005)(41300700001)(8936002)(5660300002)(38100700002)(122000001)(33656002)(55016003)(30864003)(2906002)(186003)(66476007)(40140700001)(166002)(316002)(38070700005); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: Ww70qp/Jsy0bJ7s2aM5pcom4SRYbwooWX0yHatuSQlKw8gQJwNKJVEjF9fn0XtppVFhoDHbZKXRSCQ3HMhnbzSqWCtay4Do4O7OzZF+QtmSA60Tl+xrFtxSoqxNZOLKj8ijhp09CJgxDWa4uIh9Neg8cpbxowkGr6ng06wCpwIsgFO7pZOpeOAVIUvrFF3+ic4Ybhuc4yfFHMUY4F+PDbO/AePy4tYl9r3F0F/sG+2nyeUfRpyoiYl711jxPNhiViFzHPX5ZJ0uIOqJyAMQ579X8TT5BPiKFzYZE/x2ldeqvPkw12+jSJ0KW6ibrQmkfaawnxrQ4EPRUGmGzLQLERx0PEtNVvnqnYXwEgln/fWtuIJjtSC7Y8GmggqN0QZ5k4QV2B4AJThMDB0yS50sFxbwzSoy8ZATZ+WkMvQVZbhPJkt/X2DODKOMd+cxa9OR1THlNRm8lCKBzNKO/t+sRupcvJfyK8Ne1/85mySMm4K3o7R6sBKhkn1tyuEwM/DUpQxZFD2/orysM7MQG6q9f/BNevexhcmcY/Q2gBbq3GYonYnb06uV9o6PwZ1pD0Vhz8gaSgfuSCmTQvLJAYzGagThGP4lGfOTd8lJ4bhfVTsx3opPb4sNTabwfvzTh/dw/oPZcWY7CPK4VvTN80VxLowxDs4XwEmHa7xAV3q6BewSrP4iDTosj9d7o/JlYOzJ5NsEc+nhM/YtOa9AN+8u2tYtADDXeoYtUseqzhdz3rZjjzH/44hUeQEmCi54oMYz7zE2Nd8yqK9t6gpcueGDSapFpx5wtwj7tP3I957oEZ1lZL6xFkYcTH+XXNeyJdAIGc+wcaqfrSCg4w7rwjEB2+rWcWiDZgBbUDiBto1VcUM0xJAgVYnimQ1DYBbQ46jwgnZFufkL8kzQ0qt/OblpSSFNgdxGom0v0DpqZvwwLkt9Lo32FejqxXxewWTUo3k37uRFbVXRManygW8gzvpWGc0YOoSI4rQMa7rey2ZcJTQu+k8H5NPkhYKv+DYwtpWagC77LXk6taC72e5YUDphj+d/8UMDlDLVtsxX9MfFDx3eAK06hJXLf6MaGqnyxjYcwb1Zui9SkbsSUop5AIPVnVDb7sEKUv2dVegYoUiPTwleqVKMGaxijuagPihRHTVHApJ7lWj5QprFw3qeMwsv0RNrA5ytZqm3n4G5KrLECBbUM6aholKRytfrIL2rI2+QXNWTBK/676C99ZitX8XffxTTxtEWKdzjt/GBXCex2Jc8TMaU5EmPloYB1btmPYLEnQ/qVoGArQrgJEQ2dSDVu65EuMeQ8FFK/ut/Bky7esek32crtSPfuWOxNFBglpDkI8jA7HnnG9ja8W7MZ0+RcbWQMVYiAab1HuKh8/Qex6w50bMf8YoG8oKCFmCFdViaOq1kdqEAphnDGbjiCUHggDFg0fNSn460JRzzlVXhrcP1y/U5mKsaXtdTRXPI+0coWfGyNLlHHvjSeCARpq3tTYDIbqH3WmH7p9sLA8kVAc8NwYLyBX7NXtBpDB9KEA/qJFQcZQPzTds05i2VvZsfcWtzqnUJzShzSfNKifxuO8ida4VE/YJ7drkIT+xXLqbdt
Content-Type: multipart/alternative; boundary="_000_DU0PR03MB8696CFE0F0BCBF2447A23D76862F9DU0PR03MB8696eurp_"
MIME-Version: 1.0
X-OriginatorOrg: keyfactor.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DU0PR03MB8696.eurprd03.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 8457fdb6-466d-4b24-ccc8-08dab5b4d002
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Oct 2022 11:42:21.4462 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: c9ed4b45-9f70-418a-aa58-f04c80848ca9
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: zcTt2gaP7WnIaWvqyIP+2/BKOXMg2YNKGZubuefZ6/x8441bJaTT4lh0PxCTH8Fto27en9y2NcKbHA4gWe8wDSCWb9190IDwdBXtFhd88+U=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS8PR03MB7112
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/H0CfFTUInjf7tERDG-r2DOGR6K8>
Subject: Re: [lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-01
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Oct 2022 11:42:47 -0000

Hi,

In my experience It is not true that some RFCs do not affect many users. If there is a RFC out there, even with only a few users there is an associated eco system costs with it.
CA software will be asked to implement it, TLS stacks, validating APIs, etc.
In addition, with multiple users there will be multiple interpretations of anything that is not explicitly called out in the RFC, for example how to validate aspects of the new field. This leads to on-going discussions and development and cost, and even customer wanting to violate the RFC for their own purposes. It happens all the time.

With this I just want to say that there is no RFC that does not impact the eco system, let's not tell ourselves that it can be "free". The question is: What is the cost, and is it worth it?

I read through the draft again and have a couple of technical questions/comments. Not considering other email discussions here, so there may be duplications, but just reading the current draft.

1. The functionality specifies a CSR extension, it names it coming from the RA but typically it comes from the subscribers, allowing POP to be used.  So the RA is in practice just a "proxy" for the CSR itself, possibly doing different types of validation, but the RA can not add extensions to the CSR, except in the case of CRMF, using "RA Verified" POP. This is a unclear from the draft.
2. The draft asks the CA to fetch files (CMS certs-only structure in DER format) from a user provided location (URL in the CSR). This is often not allowed directly by the CA. This has potential to significantly affect CA architecture and implementations. I think this part needs more evaluation. I can see a lot of potential practical issues here.
3. In section 3.1, the draft mentions "signed using the signature algorithm and private key associated with the certificate identified by the certID field" and "use the ECC KE private key". How about certificates with PQC KEM keys?
4. In section 4.1 it says "The algorithm used to hash the certificate in the RelatedCertificate extension MUST match the hash algorithm used to sign the certificate that contains the extension.".
The notion of same hash algorithm smells "classic" signature algorithms like SHA245WithRSA/ECDSA where it is obvious. How about Ed25519/448 or PQ algorithms where the hash algorithms used are kind of "hidden" inside the signature algorithm? Seems non-trivial for CAs and validators with the need to externalize knowledge of signature algorithm internals, being non-agile as algorithms change or update. I don't think OpenSSL or Bouncy Castle provides Signature.getHashAlgorithm as part of the API. In this aspect the SCVP structure mentioned that mentions the hash algorithmIdentifier seems a more agile approach, even if there are more bytes used.
5. Section 4.1 says that the CA "MUST ensure that all certificates are intended for the same use case", but how is outside of the scope of the document. This is a potential sink hole for implementors. Why leave it out of scope? If out of scope how to do it, it is better to not require it at all since it doesn't really mean much.
6.  Section 4.2 basically modifies the RFC5280 Certificate Path Validation. It is only SHOULDs. If the validation client wants to use the extension, the validation steps should be MUST should it not?
7. About use cases. Technically I'd guess you can say that the draft creates a "POP" that the entity has the private key of both certs. The use cases mentioned in the draft are CMS, S/MIME, TLS and IPSec. From the brief description in the Overview it's not clear (to me) what the benefits are from the already built in mechanisms in those protocols. It just says "A validator that prefers multiple authentication types may be assisted by the inclusion of relevant information in the signer's certificate". Some specification of this would be useful in the draft? In for example TLS, I'd expect each certificate to have to be validated by CA/B Forum validation guidelines independently.

Cheers,
Tomas

________________________________
From: Spasm <spasm-bounces@ietf.org> on behalf of Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu>
Sent: Sunday, October 23, 2022 5:00:58 AM
To: Kampanakis, Panos <kpanos=40amazon.com@dmarc.ietf.org>; Michael Jenkins <m.jenkins.364706@gmail.com>
Cc: Russ Housley <housley@vigilsec.com>; LAMPS <spasm@ietf.org>
Subject: Re: [lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-01

CAUTION: External Sender - Be cautious when clicking links or opening attachments. Please email InfoSec@keyfactor.com with any questions.


It looks like there’s a legitimate use case for this extension, and a “Community Of Interest” that wants it. More importantly, people/organizations/CAs that don’t plan or want to support it, don’t need to (you see it – ignore it). So, no skin off anybody’s back to adopt it.



So far, I haven’t heard any technical reasons why this extension would be “universally bad”. Just stuff like “it does not make sense for my organization/business”, or “if I support it – it would interfere with my <whatever>”. To all of which a simple answer is “then don’t”. Let those who care, support it and use it.



The way I read this draft, it says “if you need to do explicit certificate binding, do it this way to be interoperable”. Which is fine with me – nobody would be forced to implement or support this extension.



So, I vote to adopt it for the above reasons.



> Mike said:

> So, I think Panos' question to Rebecca / Allie / Michael is: what is the advantage of relating two certs by an

> extension if they are already "related" by virtue of having the same issuer and DN or the same SAN?



I doubt they’d be related by the same issuer – but IMHO it’s reasonable in general to expect the same DN and/or SAN. But I can imagine situations when this would not be the case, and the only way to ascertain the binding would be this extension.



> Is there a case where some mischief would be caught by the Related Certs Extension that would otherwise be un-caught?



See above – you assume DN and SAN (and/or SAN?) would have to be the same, I think this assumption won’t always hold.



TNX

--

V/R,

Uri



There are two ways to design a system. One is to make it so simple there are obviously no deficiencies.

The other is to make it so complex there are no obvious deficiencies.

                                                                                                                                     -  C. A. R. Hoare





From: Spasm <spasm-bounces@ietf.org> on behalf of "Kampanakis, Panos" <kpanos=40amazon.com@dmarc.ietf.org>
Date: Saturday, October 22, 2022 at 22:22
To: Michael Jenkins <m.jenkins.364706@gmail.com>
Cc: Russ Housley <housley@vigilsec.com>, LAMPS <spasm@ietf.org>
Subject: Re: [lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-01



I understand the draft. I had shared some technical concerns for issuers that would need to add the Related Cert Extension which had not been addressed.



But let’s say that the extension does not mean that the issuer has to do any additional checks which some are suggesting has pitfalls. Let’s say that as you are suggesting, the issuer just needs to check two signatures to confirm the requester has the private keys for both related public keys. Why do we need the extension anyway? The relation of the two certificates comes from the identity (CommonName or maybe some SANs) which should be the same.



Why not avoid the hassle of standardizing the extension in LAMPS? Entity X can get two certs issued independently. Then it sends them both along with two chains and two signatures in the TLS handshake. The verifier needs to verify both signatures and chains independentlyand confirm the identity in both certs (e.g. CN, SAN) match. In that case you only need to update TLS  in the TLS WG and IKEv2 in the IPSECME WG and you don’t need to update X.509.





From: Spasm <spasm-bounces@ietf.org> On Behalf Of Michael Jenkins
Sent: Saturday, October 22, 2022 11:33 AM
To: Kampanakis, Panos <kpanos=40amazon.com@dmarc.ietf.org>
Cc: Russ Housley <housley@vigilsec.com>; LAMPS <spasm@ietf.org>
Subject: RE: [EXTERNAL][lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-01



CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.



If there are no technical showstoppers, I don't understand the objection.



Mike and John have a well defined scheme, for which they have prototypes and apparent customers. So that will exist.



On the other hand, singleton certificates will also exist. The US DoD will have oceans of them. So will companies with limited resources that will balk at the idea of being sold something they already have bolted to something there's apparently lack of confidence in. Singleton certificates will exist irrespective of our draft; we are not creating a necessary precondition.



All our draft does is provide an indication of assurance that one certificate is related to another. The specific relation is that the entity controlling the private key in one certificate also controls the private key in another. Those certificates exist separately. The relative context of those certificates (validity period, etc) would have to be part of a transition plan.



If you don't like the mechanism, if you don't understand it, if it doesn't fit with your transition scheme, you don't have to implement it, or buy it. If you encounter it, you can ignore it. On the other hand, if it fits with your transition scheme, it can add some assurance. This is explained in the overview of the draft.



Mike Jenkins

NSA-CCSS



On Wed, Oct 19, 2022 at 11:03 PM Kampanakis, Panos <kpanos=40amazon.com@dmarc.ietf.org<mailto:40amazon.com@dmarc.ietf.org>> wrote:

Hey Russ,
I have not been convinced either. My details for the operational challenges this draft would bring still remain. Willing to hear more counter-arguments from Rebecca and Mike to address the concerns or discuss it further.


-----Original Message-----
From: Spasm <spasm-bounces@ietf.org<mailto:spasm-bounces@ietf.org>> On Behalf Of Russ Housley
Sent: Wednesday, October 19, 2022 3:47 PM
To: LAMPS <spasm@ietf.org<mailto:spasm@ietf.org>>
Subject: RE: [EXTERNAL][lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-01

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.



Several people spoke for adoption, and several people spoke against adoption.  The I-D authors responded with a response to the concerns that were raise, and no one has responded to the authors.  I would like to hear from the people that spoke against adoption.  Are you swayed by the discussion that has taken place?

Russ


> On Sep 15, 2022, at 11:44 AM, Russ Housley <housley@vigilsec.com<mailto:housley@vigilsec.com>> wrote:
>
> There has been some discussion of https://datatracker.ietf.org/doc/draft-becker-guthrie-cert-binding-for-multi-auth/<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-becker-guthrie-cert-binding-for-multi-auth%2F&data=05%7C01%7Ctomas.gustavsson%40keyfactor.com%7Cb8455c1f99b94cb7409108dab4a2da36%7Cc9ed4b459f70418aaa58f04c80848ca9%7C0%7C0%7C638020908836639752%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=ZwLeEbIdSYfQ%2FPFOdf1yl3QotOpM%2B%2BUhMj55rjPmOn4%3D&reserved=0>.  During the discussion at IETF 114, we agree to have a call for adoption of this document.
>
> Should the LAMPS WG adopt “Related Certificates for Use in Multiple Authentications within a Protocol” indraft-becker-guthrie-cert-binding-for-multi-auth-01?
>
> Please reply to this message by Friday, 30 September 2022 to voice your support or opposition to adoption.
>
> On behalf of the LAMPS WG Chairs,
> Russ
>

_______________________________________________
Spasm mailing list
Spasm@ietf.org<mailto:Spasm@ietf.org>
https://www.ietf.org/mailman/listinfo/spasm<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fspasm&data=05%7C01%7Ctomas.gustavsson%40keyfactor.com%7Cb8455c1f99b94cb7409108dab4a2da36%7Cc9ed4b459f70418aaa58f04c80848ca9%7C0%7C0%7C638020908836639752%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=mi%2BvGK6rPLCEzPA0QyU4lAxm5JAwbYmCGc4Uz6LY4zc%3D&reserved=0>
_______________________________________________
Spasm mailing list
Spasm@ietf.org<mailto:Spasm@ietf.org>
https://www.ietf.org/mailman/listinfo/spasm<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fspasm&data=05%7C01%7Ctomas.gustavsson%40keyfactor.com%7Cb8455c1f99b94cb7409108dab4a2da36%7Cc9ed4b459f70418aaa58f04c80848ca9%7C0%7C0%7C638020908836639752%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=mi%2BvGK6rPLCEzPA0QyU4lAxm5JAwbYmCGc4Uz6LY4zc%3D&reserved=0>


--

Mike Jenkins

mjjenki@cyber.nsa.gov<mailto:mjjenki@tycho.ncsc.mil>

443-598-7837