Re: [lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-01
Mike Ounsworth <Mike.Ounsworth@entrust.com> Tue, 25 October 2022 16:38 UTC
Return-Path: <Mike.Ounsworth@entrust.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96EDFC1522B4; Tue, 25 Oct 2022 09:38:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.705
X-Spam-Level:
X-Spam-Status: No, score=-2.705 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=entrust.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LSU2zxUtmQES; Tue, 25 Oct 2022 09:38:01 -0700 (PDT)
Received: from mx07-0015a003.pphosted.com (mx07-0015a003.pphosted.com [185.132.183.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5EAFAC14CE3C; Tue, 25 Oct 2022 09:37:59 -0700 (PDT)
Received: from pps.filterd (m0242864.ppops.net [127.0.0.1]) by mx08-0015a003.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 29PG5p1k015164; Tue, 25 Oct 2022 11:37:56 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=entrust.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=mail1; bh=OBs4blD2z+A0OKcj9VEG7wyGOPGtQKZjC65Bnmxw7qA=; b=erE2ZA19YR2keUPOIaUcn3LxWzzmykfiDz+WpNCFcWz4QNTzzStMROmieTgUcN0p8CAI G7MbhpXqb8k7RTwRSSw+8PzEPLVVHDa5H/wiEGDUP3ySv4FnAswgDHTJGW95Cca5r1ud Y8zIbA8rJzhQJPZFu+BBAU3ZoMOaLKlcKlBp4iLvr0qz0w0Bs48RdmvkfjBUnOiQruKH 7eQ5O0iBD3TzEBQ2hcny6tWKTtN9iSZ9j+Q6KQCBPT6RPxDcyN0/ueH/X4dccNiFJvFM Zo107xo81ZOqQGooTgqA3SsbDuVRLFrAAgrfbWVkl5bXkeTeSPr07HpNBzw155ThX1PQ qg==
Received: from nam11-dm6-obe.outbound.protection.outlook.com (mail-dm6nam11lp2171.outbound.protection.outlook.com [104.47.57.171]) by mx08-0015a003.pphosted.com (PPS) with ESMTPS id 3kcd74n0jt-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 25 Oct 2022 11:37:56 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Rzwwo9Rr+zLIjY+QOwfIDS/Fh8DW0VDA7J95/oUPvUq4ZGJL0cvduBWWO/dq2QE2d/LVJIK0tMTsonVS5A0EfKZ6dkQ7lWJfVSMn46Lvjl/To0bYR3qTSHgsthxkQfveakqsQ6MIbxSZFHpdX0bwnTMIu2ZlsDpvRO05gxFAGQqGRKed7BSL0zu1loXrgwSFUKbt6kLCVTfM3nnjlfNofI9SvDgk46IHFzBzj7mwJEmHR0IDk6DB6lHXmtYfFyC3OPSZRsqLZobzExvypmLXgRU6X34xsjcZ4FaM0BDXwIX4KUyXpuU/MFHz19zQMMmpdp3lS1FBzvWMzfry1RO64Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=OBs4blD2z+A0OKcj9VEG7wyGOPGtQKZjC65Bnmxw7qA=; b=TV3Y3kiswFi/uDRpd58SSjatSBwUT42Kft+RZ0fC9OQNiO40Q8+wwwHjqjPS8JzVDYqbAUl9TzvorH/bkc3QPCH4bnJNiwLAdcmvA+X4f2+ClydyvS4OXNmnHkT5bOnhyRnnS2m7uGSlQnccPEu/zn8zYaRbIRavnLUVnfZjIyLdub8e4lA/SWGBhrz3qy07RdTmGIhwVC7KolSviFFTFGzQv9IoIw9+q7CzD607SWfdMNHX26NQSptPY1oODgwV38JCgfOqZP5jQcf+MccxNDkGGrBYDfahDBtkqAR0DIVvVme1ePYzldnVJHUEpiqwn/CmBPDEHgsLm5iNjmihDg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=entrust.com; dmarc=pass action=none header.from=entrust.com; dkim=pass header.d=entrust.com; arc=none
Received: from CH0PR11MB5739.namprd11.prod.outlook.com (2603:10b6:610:100::20) by SA0PR11MB4669.namprd11.prod.outlook.com (2603:10b6:806:99::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5746.23; Tue, 25 Oct 2022 16:37:53 +0000
Received: from CH0PR11MB5739.namprd11.prod.outlook.com ([fe80::6f83:1213:1f6a:2e21]) by CH0PR11MB5739.namprd11.prod.outlook.com ([fe80::6f83:1213:1f6a:2e21%4]) with mapi id 15.20.5746.028; Tue, 25 Oct 2022 16:37:53 +0000
From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: "Kampanakis, Panos" <kpanos=40amazon.com@dmarc.ietf.org>, Russ Housley <housley@vigilsec.com>
CC: LAMPS <spasm@ietf.org>
Thread-Topic: [lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-01
Thread-Index: AQHY6BwgUQhu3+rVYEar12qDA/P3FK4fSvNg
Date: Tue, 25 Oct 2022 16:37:53 +0000
Message-ID: <CH0PR11MB5739FEF38CC5F2CF42926B5A9F319@CH0PR11MB5739.namprd11.prod.outlook.com>
References: <PH0PR00MB10003EC6A096FE0A363BBFB9F5459@PH0PR00MB1000.namprd00.prod.outlook.com> <PH0PR00MB10002A7A2850A1333B4F6C00F54A9@PH0PR00MB1000.namprd00.prod.outlook.com> <35BEB1D9-7EA5-4CD4-BADA-88CCB0E9E8F9@vigilsec.com> <25D23241-1390-4F21-B84F-29D3629A3368@vigilsec.com> <4835bc312c5540a99a9f4b51665e2f75@amazon.com> <CAC2=hnf9k9cHXrFFXXApPRvF8hNUmwFsX5onYneo8eBVoDWV0Q@mail.gmail.com> <4027a47b3b05438b8c02069bac280555@amazon.com> <4CD87936-392D-4E20-840F-A1895F2C127C@vigilsec.com> <326a99415c304811a80c527e77f1a2b6@amazon.com>
In-Reply-To: <326a99415c304811a80c527e77f1a2b6@amazon.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: CH0PR11MB5739:EE_|SA0PR11MB4669:EE_
x-ms-office365-filtering-correlation-id: cb747c35-6472-406e-0252-08dab6a74370
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 2bnAjSlleX+2ioGWqohHJEPwn7n4BBENFMttCDPCkq359k0Hlg25lASA/3CPb4bsGqRTjdf98pc99qLeVbzObUmIywn/BnDn0OnIdoI+L09sUk9SZm3mVF9uafBKNOji7jv9HmDnr7jDqVfmwXBOUQzC+3jXsfTQYcN4lx6wdUKcMACGDB+ZXpmTzd1vHOh+mqOLHZG4iLNktgjJ6as50fWhhqX4swS6e/MWUMccQrbeE9Ashc7vEgznJWOxIZF63aPaEh2L69xeENIDUJVJzx2FB07QSBCLIhMj3bpJ0wJC93lyVdJXwvBGqMjV3YBEUxXR/Iz5SxRGCovfkC+DvuWKpDURpcoouqBOEkPo3ZCVaDAG7DbtLgewf92m0oZxNj983LfJ6QlNuf5Bd0LD1aB/gB3QQTNXbLAPnf6Tf0YkKSFOZavWEOJKoF52mfRGR+9AZHzvkZC+qyF4rnHt7EnWRvQZR7lzTQ+AKJOEvhkyPnpOA99tITMicXdCBHsHigqtfPGCMyBEdhsvcuqfmiXFrm/Ngp0RGRQqJEkX/7gLYFDwLsWhEal9RtdoF7hljEsIpL8plg8PA4X9SZUPSmRk58NaH1ATjpBaLY4m076lMktBpunrIapnQ5FP8PUvFkpEk3twbNnNqqLMbNo74tqpVeq22+KlDS7zJL9iQLwqTvJboVdSSGtnUjHXM5+FRXzCeRjkr6+bZqHfn83UYHAFAbWy2OJ2RSASrMzVXvMgTjt9AODIB3ssR1ESkqZ0c8GyBrUgkP2rd9twLxR2D4t/f6D0gawMdXNe0ESp4aYVcn96oLo0IjkbedTK9heZRu0A8hpxhST0t6VAm69/sA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH0PR11MB5739.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230022)(376002)(136003)(396003)(366004)(346002)(39860400002)(451199015)(478600001)(186003)(966005)(71200400001)(55016003)(7696005)(41300700001)(6506007)(26005)(9686003)(83380400001)(76116006)(86362001)(110136005)(38100700002)(53546011)(122000001)(64756008)(40140700001)(2906002)(8936002)(66476007)(66446008)(5660300002)(8676002)(66946007)(66556008)(38070700005)(52536014)(33656002)(316002)(166002)(4326008); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: +0ip+CQlr6FcpuD+wvjl90+yjcWNI/L/Rh+NAsv3lS+N/vewgZH67diD6cDjgqZP7TxJcBrmHLTVBHadRnvCmBiqVnV1RFxR6sXrgNJb6UYAAdOBclTs+ZP/jLvRH/j4d1wtWhZDPwORSxOJ/HAGjTFG4A67eGm+bQrwYdi1o/8EUZkM4y/OfOpPt60jX/4pYisbylQgDL7z/HJHUfh1izs6JSVStiHOoM8pNqodGFOf7mAF9Cc321UFFFBaf1jP4quu4dSrjp+gVw3rvc+CrGMomIR4EKuXPqyad9tJ5fADRnXQ2+/Ppft3fC14pnxzBxfvsIR6G63scUVIsCVsHKPVidKMbWdNRgyPgV8ZGv7G/DkShtfBR4yylulLL5gQt3ax+5GS7vtJA7zFL+wgSBycA1Y0RNOBHR3Qp6ijlBacSmD5ed3AZU+tGaHUf51hxkMn4t/8r5vsPn73yPqYVYyNPp+NBTpLckTRvnwqfsAvp4FB5QlD08hTO0L0nnN33K1zec/D5UQp7eUY6Nr+yO8vlf+Yl1Vp7fI9iT+swZElucFu30Ol0Y7RQOXb7twopwNzag0pP/wepVPzKVVnWjVM4xQNpGBZ+ciY4J21tVo51pdRld792OoQMSWFJ9jmsl72w4Gg3T2c9tFMYWW9za+uOFa+oppy0SwT11nl4R+GzLDYuEHv9lloJwQdLvHxAPAmGC03992mkL1mfJ5VeEbzKUdXA8bENxVX5k7IqhPX7wSzLWXsX+g37oHr7djkQIAdXlo64RxK72GUwh9Y56J/7NbaJHCrjF9e9u62urIfRVK1/cw69E0wJFXZma1VzexRZpw7RIwgSA4kV+BL/3gdQ3ZgT/c/MzEsWGytLoyT1nInnAD7NMpLJzHi/cHninx/q5NLhi9cJFTx5Km8v8RF21jcKhYicnUq7uRnuKio2AG8pDH07KmsDP72JgEHOz6cABvhaqf5M0c9sYOrWEsXJ9Z6eb8Y6QuMGBFIw4KH7rzbZlQzt7rwel3sT32+aB95VbXFo/OXkPzUf7DabJ0x31FCNIC7WcF98mEHB+nmKeVS1Cxaa6KhV24qoAOjxj0l7nvb3r/mqR9SMdzS3PcyTO3SyyyQa0kdxjsWPorGPrfZ/imKGc9WVZVAiVIeti97FHdGEHukgD/9mn+n+DmvdZpl/AFEmy6i8nCE4Ov1IBTX7R3rnRpZGXR2cF1RLwsm+U1+QYCA1U3r7+QGiLZASbsv19uhFUzNTniilIwHVp31xlHOs5IdYarrJVPe+Q2gjJizSlv43P5gwvwatksH7NMRqIKYnQxX8WYqt2//lWOYxwXVn6hUhjt0J5t6bgni2hr/LthQ3qcbSN9cRi2MNoWPOplDwKoOo/KfpYgqoWRzlhuLJ9DOfiLWm2lURMmgBNCnlscpESJl7fag6yd2m2SSlpNDP1HVH9g6DrlsQny3U0T1DdRYwk45r/vP1pdkh9sJDmJsxnQa9hXQRfT8gk1tvAvP94EWpcXJTSbVbQ0TCvqYfxlnxNteuVKbxcCiL6vglTFhs7KwyCIzVzjrY3RyYmV8hxRQDt/SBPC3upBB/LR2AjW88v16TyiqHYQrtQrmDkzZHCxs0ix00w==
Content-Type: multipart/alternative; boundary="_000_CH0PR11MB5739FEF38CC5F2CF42926B5A9F319CH0PR11MB5739namp_"
MIME-Version: 1.0
X-OriginatorOrg: entrust.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CH0PR11MB5739.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: cb747c35-6472-406e-0252-08dab6a74370
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Oct 2022 16:37:53.3241 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f46cf439-27ef-4acf-a800-15072bb7ddc1
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: WbW15Q55+70qFgaCQSCvzhx4qovujD6U2nBntFuAprKqj92TEiASsoK9l9/C+x1ayo5j0JahrTytI1G9tk7vYGx9koHQpuCyof1M+mB9Dvk=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA0PR11MB4669
X-Proofpoint-GUID: stB-A94LoC-vthppS56jpa6MIlm49PRV
X-Proofpoint-ORIG-GUID: stB-A94LoC-vthppS56jpa6MIlm49PRV
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.895,Hydra:6.0.545,FMLib:17.11.122.1 definitions=2022-10-25_10,2022-10-25_01,2022-06-22_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 adultscore=0 malwarescore=0 bulkscore=0 suspectscore=0 impostorscore=0 mlxscore=0 spamscore=0 priorityscore=1501 mlxlogscore=999 clxscore=1015 lowpriorityscore=0 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2209130000 definitions=main-2210250094
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/_zrsO27IIAEYT7evFnn2ju7mDN4>
Subject: Re: [lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-01
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Oct 2022 16:38:05 -0000
I was also not aware of RFC5697. It seems like both RFC5697 and draft-becker-guthrie-cert-binding-for-multi-auth-01 are defining X.509v3 extensions to carry a RFC5055 SCVPCertID. Draft-becker-guthrie allows a single hash of related certificate SCVPCertID and provides a similar-ish CSR attribute. No CSR attribute. So I second Panos’ question: it seems like this mechanism already exists? To Russ’ question: > I am not sure that anyone implements RFC 5697, but I do not recall anyone suggesting that a new CA paradigm would be needed to do so. IMO, where the complexity creeps in with draft-becker-guthrie -- and is also the one place that it’s different from 5697 --: the CSR attribute. Either the CA needs to be fully capable of handling this CSR attribute in arbitrary external CSRs (which has all the complexity already discussed), or it needs to ignore this attribute in externally-provided CSRs, but copy it in RA-provided CSRs, which I think is more what Michael Jenkins is suggesting and probably easier to not screw up, but still not zero. I can already imagine the Slashdot headline: “<CA> issues researcher a fraudulent RelatedCertificate for google.com.” Technical feedback: at a quick glance, SCVPCertID seems better than RelatedCertificate: carrying the IssuerSerial and hashAlgorithm along with the certHash seems like a good thing. --- Mike Ounsworth From: Spasm <spasm-bounces@ietf.org> On Behalf Of Kampanakis, Panos Sent: October 24, 2022 9:47 PM To: Russ Housley <housley@vigilsec.com> Cc: LAMPS <spasm@ietf.org> Subject: [EXTERNAL] Re: [lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-01 WARNING: This email originated outside of Entrust. DO NOT CLICK links or attachments unless you trust the sender and know the content is safe. ________________________________ Hi Russ, Hmm, I was not aware of RFC5697. It certainly adds complexity for CAs imo. I doubt any CA supports this. But ok, I am not sure if and why complexity for the issuer was not considered for this one. Btw, would RFC5697 suffice to link the classical and the PQ identity cert instead? For now we have an outstanding question which I think is important. If the Related Cert extension does not mean the issuer does some extra checks before issuing the related cert, it is not clear what value the extension adds. A simple relation between certs already exists. It is the identity in them. And these certs are expected to make it to the verifier together so it can check the common identiy. From: Russ Housley <housley@vigilsec.com<mailto:housley@vigilsec.com>> Sent: Monday, October 24, 2022 8:13 PM To: Kampanakis, Panos <kpanos@amazon.com<mailto:kpanos@amazon.com>> Cc: LAMPS <spasm@ietf.org<mailto:spasm@ietf.org>> Subject: RE: [EXTERNAL][lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-01 CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe. Panos: https://datatracker.ietf.org/doc/rfc5697/<https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/rfc5697/__;!!FJ-Y8qCqXTj2!eL4UzZPMXBnMdYQ3XMCyySmcpadQ9J2RQJg--ABb9fKu5e-xB6rO8E0xvsi_W1avPRvPFdRuYoZ99G0uq7J5Z5Aeum9SWE84cdKDb_gyhg$> I am not sure that anyone implements RFC 5697, but I do not recall anyone suggesting that a new CA paradigm would be needed to do so. Russ On Oct 22, 2022, at 10:21 PM, Kampanakis, Panos <kpanos=40amazon.com@dmarc.ietf.org<mailto:kpanos=40amazon.com@dmarc.ietf.org>> wrote: I understand the draft. I had shared some technical concerns for issuers that would need to add the Related Cert Extension which had not been addressed. But let’s say that the extension does not mean that the issuer has to do any additional checks which some are suggesting has pitfalls. Let’s say that as you are suggesting, the issuer just needs to check two signatures to confirm the requester has the private keys for both related public keys. Why do we need the extension anyway? The relation of the two certificates comes from the identity (CommonName or maybe some SANs) which should be the same. Why not avoid the hassle of standardizing the extension in LAMPS? Entity X can get two certs issued independently. Then it sends them both along with two chains and two signatures in the TLS handshake. The verifier needs to verify both signatures and chains independentlyand confirm the identity in both certs (e.g. CN, SAN) match. In that case you only need to update TLS in the TLS WG and IKEv2 in the IPSECME WG and you don’t need to update X.509. From: Spasm <spasm-bounces@ietf.org<mailto:spasm-bounces@ietf.org>> On Behalf Of Michael Jenkins Sent: Saturday, October 22, 2022 11:33 AM To: Kampanakis, Panos <kpanos=40amazon.com@dmarc.ietf.org<mailto:kpanos=40amazon.com@dmarc.ietf.org>> Cc: Russ Housley <housley@vigilsec.com<mailto:housley@vigilsec.com>>; LAMPS <spasm@ietf.org<mailto:spasm@ietf.org>> Subject: RE: [EXTERNAL][lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-01 CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe. If there are no technical showstoppers, I don't understand the objection. Mike and John have a well defined scheme, for which they have prototypes and apparent customers. So that will exist. On the other hand, singleton certificates will also exist. The US DoD will have oceans of them. So will companies with limited resources that will balk at the idea of being sold something they already have bolted to something there's apparently lack of confidence in. Singleton certificates will exist irrespective of our draft; we are not creating a necessary precondition. All our draft does is provide an indication of assurance that one certificate is related to another. The specific relation is that the entity controlling the private key in one certificate also controls the private key in another. Those certificates exist separately. The relative context of those certificates (validity period, etc) would have to be part of a transition plan. If you don't like the mechanism, if you don't understand it, if it doesn't fit with your transition scheme, you don't have to implement it, or buy it. If you encounter it, you can ignore it. On the other hand, if it fits with your transition scheme, it can add some assurance. This is explained in the overview of the draft. Mike Jenkins NSA-CCSS On Wed, Oct 19, 2022 at 11:03 PM Kampanakis, Panos <kpanos=40amazon.com@dmarc.ietf.org<mailto:40amazon.com@dmarc.ietf.org>> wrote: Hey Russ, I have not been convinced either. My details for the operational challenges this draft would bring still remain. Willing to hear more counter-arguments from Rebecca and Mike to address the concerns or discuss it further. -----Original Message----- From: Spasm <spasm-bounces@ietf.org<mailto:spasm-bounces@ietf.org>> On Behalf Of Russ Housley Sent: Wednesday, October 19, 2022 3:47 PM To: LAMPS <spasm@ietf.org<mailto:spasm@ietf.org>> Subject: RE: [EXTERNAL][lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-01 CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe. Several people spoke for adoption, and several people spoke against adoption. The I-D authors responded with a response to the concerns that were raise, and no one has responded to the authors. I would like to hear from the people that spoke against adoption. Are you swayed by the discussion that has taken place? Russ > On Sep 15, 2022, at 11:44 AM, Russ Housley <housley@vigilsec.com<mailto:housley@vigilsec.com>> wrote: > > There has been some discussion of https://datatracker.ietf.org/doc/draft-becker-guthrie-cert-binding-for-multi-auth/<https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/draft-becker-guthrie-cert-binding-for-multi-auth/__;!!FJ-Y8qCqXTj2!eL4UzZPMXBnMdYQ3XMCyySmcpadQ9J2RQJg--ABb9fKu5e-xB6rO8E0xvsi_W1avPRvPFdRuYoZ99G0uq7J5Z5Aeum9SWE84cdLC4mBgPg$>. During the discussion at IETF 114, we agree to have a call for adoption of this document. > > Should the LAMPS WG adopt “Related Certificates for Use in Multiple Authentications within a Protocol” indraft-becker-guthrie-cert-binding-for-multi-auth-01? > > Please reply to this message by Friday, 30 September 2022 to voice your support or opposition to adoption. > > On behalf of the LAMPS WG Chairs, > Russ > _______________________________________________ Spasm mailing list Spasm@ietf.org<mailto:Spasm@ietf.org> https://www.ietf.org/mailman/listinfo/spasm<https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/spasm__;!!FJ-Y8qCqXTj2!eL4UzZPMXBnMdYQ3XMCyySmcpadQ9J2RQJg--ABb9fKu5e-xB6rO8E0xvsi_W1avPRvPFdRuYoZ99G0uq7J5Z5Aeum9SWE84cdLEYPAN7g$> _______________________________________________ Spasm mailing list Spasm@ietf.org<mailto:Spasm@ietf.org> https://www.ietf.org/mailman/listinfo/spasm<https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/spasm__;!!FJ-Y8qCqXTj2!eL4UzZPMXBnMdYQ3XMCyySmcpadQ9J2RQJg--ABb9fKu5e-xB6rO8E0xvsi_W1avPRvPFdRuYoZ99G0uq7J5Z5Aeum9SWE84cdLEYPAN7g$> -- Mike Jenkins mjjenki@cyber.nsa.gov<mailto:mjjenki@tycho.ncsc.mil> 443-598-7837 _______________________________________________ Spasm mailing list Spasm@ietf.org<mailto:Spasm@ietf.org> https://www.ietf.org/mailman/listinfo/spasm<https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/spasm__;!!FJ-Y8qCqXTj2!eL4UzZPMXBnMdYQ3XMCyySmcpadQ9J2RQJg--ABb9fKu5e-xB6rO8E0xvsi_W1avPRvPFdRuYoZ99G0uq7J5Z5Aeum9SWE84cdLEYPAN7g$> Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.
- [lamps] Call for adoption of draft-becker-guthrie… Russ Housley
- Re: [lamps] [EXTERNAL] Call for adoption of draft… Mike Ounsworth
- Re: [lamps] [EXTERNAL] Call for adoption of draft… Russ Housley
- Re: [lamps] Call for adoption of draft-becker-gut… Corey Bonnell
- Re: [lamps] Call for adoption of draft-becker-gut… Kampanakis, Panos
- Re: [lamps] Call for adoption of draft-becker-gut… Michael Jenkins
- Re: [lamps] Call for adoption of draft-becker-gut… Kampanakis, Panos
- Re: [lamps] Call for adoption of draft-becker-gut… Russ Housley
- Re: [lamps] Call for adoption of draft-becker-gut… Kampanakis, Panos
- Re: [lamps] Call for adoption of draft-becker-gut… John Gray
- Re: [lamps] Call for adoption of draft-becker-gut… Russ Housley
- Re: [lamps] Call for adoption of draft-becker-gut… Russ Housley
- Re: [lamps] Call for adoption of draft-becker-gut… Tomas Gustavsson
- Re: [lamps] Call for adoption of draft-becker-gut… Stephen Farrell
- Re: [lamps] [EXTERNAL] Re: Call for adoption of d… Mike Ounsworth
- Re: [lamps] [EXTERNAL] Re: Call for adoption of d… Rebecca Guthrie
- Re: [lamps] Call for adoption of draft-becker-gut… Russ Housley
- Re: [lamps] Call for adoption of draft-becker-gut… Stephen Farrell
- Re: [lamps] [EXTERNAL] Re: Call for adoption of d… Mike Ounsworth
- Re: [lamps] Call for adoption of draft-becker-gut… Kampanakis, Panos
- Re: [lamps] Call for adoption of draft-becker-gut… Michael Jenkins
- Re: [lamps] Call for adoption of draft-becker-gut… Kampanakis, Panos
- Re: [lamps] Call for adoption of draft-becker-gut… Mike Ounsworth
- Re: [lamps] Call for adoption of draft-becker-gut… Blumenthal, Uri - 0553 - MITLL
- Re: [lamps] Call for adoption of draft-becker-gut… Stephen Farrell
- Re: [lamps] Call for adoption of draft-becker-gut… Kampanakis, Panos
- Re: [lamps] Call for adoption of draft-becker-gut… Tomas Gustavsson
- Re: [lamps] Call for adoption of draft-becker-gut… Russ Housley
- Re: [lamps] Call for adoption of draft-becker-gut… Kampanakis, Panos
- Re: [lamps] Call for adoption of draft-becker-gut… Tomas Gustavsson
- Re: [lamps] Call for adoption of draft-becker-gut… Mike Ounsworth
- Re: [lamps] Call for adoption of draft-becker-gut… Tomas Gustavsson
- Re: [lamps] Call for adoption of draft-becker-gut… Mike Ounsworth
- [lamps] Call for adoption of draft-becker-guthrie… Russ Housley
- Re: [lamps] Call for adoption of draft-becker-gut… Kampanakis, Panos
- Re: [lamps] Call for adoption of draft-becker-gut… Mike Ounsworth
- Re: [lamps] Call for adoption of draft-becker-gut… aebecke@uwe.nsa.gov
- Re: [lamps] Call for adoption of draft-becker-gut… Kampanakis, Panos
- Re: [lamps] Call for adoption of draft-becker-gut… Mike Ounsworth
- Re: [lamps] Call for adoption of draft-becker-gut… Kampanakis, Panos
- Re: [lamps] Call for adoption of draft-becker-gut… Mike Ounsworth
- Re: [lamps] Call for adoption of draft-becker-gut… Carl Wallace
- Re: [lamps] Call for adoption of draft-becker-gut… Mike Ounsworth
- Re: [lamps] Call for adoption of draft-becker-gut… Kampanakis, Panos
- Re: [lamps] Call for adoption of draft-becker-gut… Mike Ounsworth
- Re: [lamps] Call for adoption of draft-becker-gut… Tomofumi Okubo
- Re: [lamps] Call for adoption of draft-becker-gut… Santosh Chokhani
- Re: [lamps] Call for adoption of draft-becker-gut… Carl Wallace
- Re: [lamps] Call for adoption of draft-becker-gut… Carl Wallace
- Re: [lamps] Call for adoption of draft-becker-gut… Tadahiko Ito
- Re: [lamps] Call for adoption of draft-becker-gut… Julien Prat
- Re: [lamps] Call for adoption of draft-becker-gut… Tim Hollebeek
- Re: [lamps] Call for adoption of draft-becker-gut… Mike Ounsworth
- Re: [lamps] Call for adoption of draft-becker-gut… Kampanakis, Panos
- Re: [lamps] Call for adoption of draft-becker-gut… Michael Richardson
- Re: [lamps] Call for adoption of draft-becker-gut… aebecke@uwe.nsa.gov
- Re: [lamps] Call for adoption of draft-becker-gut… Kampanakis, Panos
- Re: [lamps] Call for adoption of draft-becker-gut… Santosh Chokhani
- Re: [lamps] Call for adoption of draft-becker-gut… Michael Markowitz
- Re: [lamps] Call for adoption of draft-becker-gut… Mike Ounsworth
- Re: [lamps] Call for adoption of draft-becker-gut… Kampanakis, Panos
- Re: [lamps] Call for adoption of draft-becker-gut… Tomofumi Okubo
- Re: [lamps] Call for adoption of draft-becker-gut… Tim Hollebeek
- Re: [lamps] Call for adoption of draft-becker-gut… Kampanakis, Panos
- Re: [lamps] Call for adoption of draft-becker-gut… Seo Suchan
- Re: [lamps] Call for adoption of draft-becker-gut… Santosh Chokhani
- Re: [lamps] Call for adoption of draft-becker-gut… Tomofumi Okubo
- Re: [lamps] Call for adoption of draft-becker-gut… Santosh Chokhani
- Re: [lamps] Call for adoption of draft-becker-gut… Tomofumi Okubo
- Re: [lamps] Call for adoption of draft-becker-gut… Russ Housley