Re: [lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-02

Mike Ounsworth <Mike.Ounsworth@entrust.com> Thu, 26 January 2023 23:16 UTC

From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: Michael Markowitz <markowitz=40infoseccorp.com@dmarc.ietf.org>, Santosh Chokhani <santosh.chokhani@gmail.com>, "spasm@ietf.org" <spasm@ietf.org>
Date: Thu, 26 Jan 2023 23:16:30 +0000
Message-ID: <CH0PR11MB573983C0342556E12BC5E33F9FCF9@CH0PR11MB5739.namprd11.prod.outlook.com>
In-Reply-To: <DS7PR12MB59832EB5498E6AADF915DF26AACF9@DS7PR12MB5983.namprd12.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/WY3jKVLO34dOBG7Y1aoHANJUiJ0>

At the risk of getting baited into a religious war, when it comes to statements of “these two things are related”, the definition of “weak” is relative.
Name matching proves that the two keys are owned by the same entity, for some potentially weak definition of “same entity”, depending on how the PKI is operated. For example I have a driver’s license and a health card, but they are not really “connected”.

Simultaneous proof-of-possession or usage of two private keys proves that they exist together, accessible by the end entity at the same time. If I present my driver’s license and health card together at the same time, then they start to be connected.

If the issuer validates PoP of both keys at issuance time and cross-links the two keys (via some sort of X.509 extension), then you have a statement from the authority which is “stronger” than name alone that these two specific certs are a pair. Like if my driver’s license and health card were issued on the same day with the same photo and have matching serial numbers.

Bonus points if you have key attestations for both keys proving that they live in the same piece of hardware. The same piece of plastic serves as driver’s license and health card.

When it comes to statements of “these two things are related”, the definition of “weak” is relative.

---
Mike Ounsworth
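An added example, not from the thread and not the draft's own code, that puts the three software-checkable rungs in the message above side by side using only the Go standard library: name matching, simultaneous proof of possession over one fresh challenge, and an issuer cross-link carried in an X.509 extension. The extension OID and its encoding (SHA-256 of the related certificate's DER) are assumptions for illustration; the draft's actual extension definition is not on this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)
// Hypothetical private-arc OID for the cross-link extension; the draft's real OID and encoding are not on this page.
var oidRelatedCertHash = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// makeCert issues a self-signed P-256 cert for cn; if linkTo (another cert's DER) is given,
// the issuer embeds SHA-256(linkTo) in the cross-link extension, asserting the pair at issuance.
func makeCert(cn string, linkTo []byte) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	if linkTo != nil {
		h := sha256.Sum256(linkTo)
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidRelatedCertHash, Value: h[:]}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// NameMatch is the weakest binding: the two certs merely name the same subject.
func NameMatch(a, b *x509.Certificate) bool { return a.Subject.String() == b.Subject.String() }

// SimultaneousPoP: both private keys sign one fresh challenge and each signature verifies
// under its own cert, showing both keys are accessible to the end entity at the same time.
func SimultaneousPoP(a, b *x509.Certificate, ka, kb *ecdsa.PrivateKey, challenge []byte) bool {
	d := sha256.Sum256(challenge)
	sa, ea := ecdsa.SignASN1(rand.Reader, ka, d[:])
	sb, eb := ecdsa.SignASN1(rand.Reader, kb, d[:])
	return ea == nil && eb == nil && ecdsa.VerifyASN1(a.PublicKey.(*ecdsa.PublicKey), d[:], sa) &&
		ecdsa.VerifyASN1(b.PublicKey.(*ecdsa.PublicKey), d[:], sb)
}
// CrossLinked: b carries the issuer-asserted SHA-256 of a's DER, a CA statement that these
// two specific certs are a pair rather than a coincidence of matching names.
func CrossLinked(a, b *x509.Certificate) bool {
	want := sha256.Sum256(a.Raw)
	for _, e := range b.Extensions {
		if e.Id.Equal(oidRelatedCertHash) && string(e.Value) == string(want[:]) {
			return true
		}
	}
	return false
}
```

Note that CrossLinked is directional: only the certificate issued second can carry the hash of the first, so a verifier must check the link in the direction the issuer asserted it.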

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Michael Markowitz
Sent: Thursday, January 26, 2023 4:36 PM
To: Santosh Chokhani <santosh.chokhani@gmail.com>; spasm@ietf.org
Subject: [EXTERNAL] Re: [lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-02

Santosh wrote:

> If the authors have not already done so, I would propose that there are ways the extension can provide crypto binding between/among the certificates which would be superior to simply name matching. Name matching is weak.

If you’re claiming *notarized* name matching is weak, I think we have to throw out the whole concept of X.509 certificates!  😊

-mjm