Re: [lamps] [saag] Fwd: New Version Notification for draft-belyavskiy-certificate-limitation-policy-04.txt
Nikos Mavrogiannopoulos <nmav@gnutls.org> Fri, 22 September 2017 08:07 UTC
Return-Path: <n.mavrogiannopoulos@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E9C11342CC; Fri, 22 Sep 2017 01:07:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.7
X-Spam-Level:
X-Spam-Status: No, score=-1.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q-n-ZH7TxNHJ; Fri, 22 Sep 2017 01:07:12 -0700 (PDT)
Received: from mail-qt0-x22e.google.com (mail-qt0-x22e.google.com [IPv6:2607:f8b0:400d:c0d::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AAE0D1326ED; Fri, 22 Sep 2017 01:07:12 -0700 (PDT)
Received: by mail-qt0-x22e.google.com with SMTP id l25so304929qtf.13; Fri, 22 Sep 2017 01:07:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=vBJE8mrBdTSyBWtBoTFZsowcFqF8InTDMATdgzA1yJ4=; b=HsWc5Y+Vvfu+6mNOxADaWNEFc0s/ZbkN9N7Scb/srqRFOd467GXidiYJbQ+YfVYasF BzIPeD3MHjomDqMA9KNLYFnv+2dE9+majeN7qloOLGswlrEF27IjzOOVYMR6NuZnsCT/ DElsD5ajILwjgrgVsYZl0vxJlcPy46gu0gguaL/yv5nSleQWgSJMTnaquFVSSsEpgqId 4fmbfq2GTLaONAtTDpcoRb+7J1wr9aw686YeCvyC7eftPZphd6bk3XERx2GDeP2vGQNJ X+79EGiai0TsUQbinNHIz29TPX0k7ml6ULm45Xm+tI1UtEBCZ/qejhJQT+xo3cL3WCf3 EPxw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=vBJE8mrBdTSyBWtBoTFZsowcFqF8InTDMATdgzA1yJ4=; b=FqTQvhtFkluruTYJU+tq2+gPafdwxmRyXRmQ+7Z9XBSHnhbxDo0JdX/zCLo8EYkbaO JJ9E6wp41jCyH2QG7WviUf97mTzNqx5Vsm6SCPJ5l+VX917YXZ5Nn0vEuUSA33njurvF VRV5FnqpaQ8E4W8wu6i25xwRVEVE8emTrNeFYHBSSrcOvs/MNMkjYSmaJF8Zg/qkemQ8 jP2wXXuUddAoh20exaz0eQ1Oxq6WjoGlV9wWQy+S03nof+KlLWbiZVg4S5eJq1zjxAsn bNmZSVyoDtub75jRpwPm771/1OZRxvp8LEOt18dAhEHSjkCrLkgD8xxqi57Fn39lBI9o 62mA==
X-Gm-Message-State: AHPjjUitKmWE5FwblPVLKuIVtj5jG0AANLuF2AavM1rve9FbMusP/EyA M8aOfKApyLzFZYholQNozBkRndTi/WHlOEzQBpBlB197
X-Google-Smtp-Source: AOwi7QDDOO2NS5wxjNzH3OX/LY9A3hbgBfwO1y1ijziCfn7cGbynxVFrc4HGMEU8oz2GLD9fw47GsLtQxjYYqPClqPI=
X-Received: by 10.200.52.60 with SMTP id u57mr7361042qtb.107.1506067631778; Fri, 22 Sep 2017 01:07:11 -0700 (PDT)
MIME-Version: 1.0
Sender: n.mavrogiannopoulos@gmail.com
Received: by 10.12.175.136 with HTTP; Fri, 22 Sep 2017 01:06:31 -0700 (PDT)
In-Reply-To: <CADqLbz+-86OoH6wJQj4cu4daCUmh6mDPCkmVhbBYnLgv9AmOHw@mail.gmail.com>
References: <150522092693.4724.2532571098567577114.idtracker@ietfa.amsl.com> <CADqLbz+OB86s4E-Ntr6eaEow+sBtxscJ703nGN+PAS7zQmJ==Q@mail.gmail.com> <CAJU7zaLsza65gvERm__njLYM82jGWx9ht_QwHi+e6WQAtFKsZA@mail.gmail.com> <CADqLbz+-86OoH6wJQj4cu4daCUmh6mDPCkmVhbBYnLgv9AmOHw@mail.gmail.com>
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date: Fri, 22 Sep 2017 10:06:31 +0200
X-Google-Sender-Auth: Zg2LgTczXlHytCnGWbVTaghDHQU
Message-ID: <CAJU7za+TVnhmyATbwdzC4B0Ci3CtdxrqPTzVQnP9BfN_RX+8kw@mail.gmail.com>
To: Dmitry Belyavsky <beldmit@gmail.com>
Cc: "saag@ietf.org" <saag@ietf.org>, LAMPS <spasm@ietf.org>, dev-security-policy@lists.mozilla.org, pkix@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/V9zjBwwXja5L8zwvQkGoJOy9yPA>
Subject: Re: [lamps] [saag] Fwd: New Version Notification for draft-belyavskiy-certificate-limitation-policy-04.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Sep 2017 08:07:14 -0000
On Wed, Sep 20, 2017 at 3:21 PM, Dmitry Belyavsky <beldmit@gmail.com> wrote: > Dear Nikos > > On Wed, Sep 13, 2017 at 9:39 AM, Nikos Mavrogiannopoulos <nmav@gnutls.org> > wrote: >> >> >> 4. How do you handle extensions to this format? >> >> Overall, why not use X.509 extensions to store such additional >> constraints? We already (in the p11-kit trust store in Fedora/RHEL >> systems) use the notion of stapled extensions to limit certificates >> [0, 1] and seems quite a flexible approach. Have you considered that >> path? >> >> regards, >> Nikos >> >> [0]. >> https://p11-glue.freedesktop.org/doc/storing-trust-policy/storing-trust-model.html >> [1]. >> http://nmav.gnutls.org/2016/06/restricting-scope-of-ca-certificates.html > I've looked through the specification. It's OK for me, but I do not get > whether the attached extensions are crypto-protected. No, as these values are inserted by the administrator of the system, or us (the distributor of the software), we didn't feel we needed the introduction of additional PKI. How do you see the infrastructure on the draft-belyavskiy-certificate-limitation-policy? Who do you envision signing these structures? (I assume that distribution of data will be done by software distributors?) >> 4. How do you handle extensions to this format? >> > Simillary to CRL. Do you have ideas of the extensions? One problem with that is the fact that the existing CRL extensions are about extending attributes of the CRL, rather than adding/removing attributes to the certificate in question. To bring the stapled extensions to your proposal, you'd need the Extensions and Extension fields from RFC5280, and add into limitedCertificates structure (I'll split it on the example below for clarity) the following field. LimitedCertificates ::= SEQUENCE OF LimitedCertificate LimitedCertificate ::= SEQUENCE { userCertificate CertificateSerialNumber, certificateIssuer Name, limitationDate Time, limitationPropagation Enum, fingerprint SEQUENCE { fingerprintAlgorithm AlgorithmIdentifier, fingerprintValue OCTET STRING } OPTIONAL, limitations SEQUENCE, } OPTIONAL, }; stapledExtensions Extensions; <----- NEW } Another difference between this profile and the p11-kit one, is that the extensions/revocation here is done on the certificate, while in p11-kit is done on the public key. Both approaches have pros and cons. Another question. I also noticed the fingerprint field above. Is that to distinguish between same CAs with different keys? In that case using the SubjectPublicKeyIdentifier may be sufficient, and more natural as this is how certificates with matching DNs/serials are distinguished. regards, Nikos
- [lamps] Fwd: New Version Notification for draft-b… Dmitry Belyavsky
- Re: [lamps] [pkix] Fwd: New Version Notification … Dr. Pala
- Re: [lamps] [pkix] Fwd: New Version Notification … Dmitry Belyavsky
- Re: [lamps] [saag] Fwd: New Version Notification … Nikos Mavrogiannopoulos
- Re: [lamps] [saag] Fwd: New Version Notification … Dmitry Belyavsky
- Re: [lamps] [saag] Fwd: New Version Notification … Dmitry Belyavsky
- Re: [lamps] [saag] Fwd: New Version Notification … Nikos Mavrogiannopoulos
- Re: [lamps] [saag] Fwd: New Version Notification … Dmitry Belyavsky
- Re: [lamps] New Version Notification for draft-be… Peter Bowen
- Re: [lamps] [pkix] New Version Notification for d… Carl Wallace
- Re: [lamps] [saag] Fwd: New Version Notification … Nikos Mavrogiannopoulos
- Re: [lamps] [saag] Fwd: New Version Notification … Dmitry Belyavsky