IETF Logo Mail Archive

Re: [lamps] DRAFT LAMPS Recharter Text

Dmitry Belyavsky <beldmit@gmail.com> Mon, 14 August 2017 14:12 UTC

Return-Path: <beldmit@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4BCE132055 for <spasm@ietfa.amsl.com>; Mon, 14 Aug 2017 07:12:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x8lzQ4oBbk9e for <spasm@ietfa.amsl.com>; Mon, 14 Aug 2017 07:12:49 -0700 (PDT)
Received: from mail-wm0-x22c.google.com (mail-wm0-x22c.google.com [IPv6:2a00:1450:400c:c09::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 503231321ED for <spasm@ietf.org>; Mon, 14 Aug 2017 07:12:49 -0700 (PDT)
Received: by mail-wm0-x22c.google.com with SMTP id t201so38431802wmt.1 for <spasm@ietf.org>; Mon, 14 Aug 2017 07:12:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Z/cEHwWFtsS7VBP8d9+co8eTo4HxxGPN0UAliMI8CwM=; b=tRTlidHLKMR8geix1qvh25s1DkY8YYOqozFwOn0c1GYMJoNRCYr2XPKZUrmMlyKkTf LZnkctHQHi+MiZw11uX6Z3ahHIna4CIPq9yslNDqzw8x/pevQuSlqJ922Yguto5+XuQJ 14nHKs7VcgAUvTYSvCNjTstrksOHwTaSoKeesNClAZqx19ErVBK/bK0wCeha/Q/UFHzY XE12yR/lW5KeM9q3Dkv+T84xYqyGd2R+fLygyaz5UbYis+GBLtWVbx/4emYJKvZ90VgQ YJHas8GwhqyPCoSHV+Naa4uOnL+DVmvBDTU1ae4ssaGTUyvUohQb497bJx5blrzA7PAI PH8Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Z/cEHwWFtsS7VBP8d9+co8eTo4HxxGPN0UAliMI8CwM=; b=DxloauESvAAAdIqnvm6lE80ySPHkMdQovDeuy4fNngHhvtbZcDaPVv6AFj9E4dQ4Qu 1o7B9KRyEsZGx5pSUXfOtHYB8hG2GVHLFoaSUoeyumzvFKoCRsNUOxUE5k3TfY6omF5p pYlaJ2qscyGFsCzioDsROL3fZJuJds3Sqp3krIkM318p4bw7ATUwsKSfWrHxRETmSYaM HvXsrU3hqDuEjGvypFKE2HPMw2PZgCZ/LoIJDi1dqu8M2ZQBt6U4xtm3PSlZCbpA1hoa lwJEmpON5gFpL+LYfv3wS41NLKIrHl+lsyIyGU5mbeWgpH5vNp3hKdjKkqkLXHWd5aGn gk4A==
X-Gm-Message-State: AHYfb5i0siGTMxNPDb8r1rj9Bj/UPYboko/4an3XTbVFNRkGESsEFfaD ieOECc/ZybkxWAWOrJwoQH5z69zuH0vi
X-Received: by 10.80.176.68 with SMTP id i62mr24479695edd.147.1502719967837; Mon, 14 Aug 2017 07:12:47 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.80.143.3 with HTTP; Mon, 14 Aug 2017 07:12:47 -0700 (PDT)
In-Reply-To: <3EC3EBBE-D17D-4A25-A61C-27872613FB4D@vigilsec.com>
References: <3EC3EBBE-D17D-4A25-A61C-27872613FB4D@vigilsec.com>
From: Dmitry Belyavsky <beldmit@gmail.com>
Date: Mon, 14 Aug 2017 17:12:47 +0300
Message-ID: <CADqLbz+sCbp+dy+oyMyfvng6A4-kJYnsS25wdux1KisD6dEcWA@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>
Cc: LAMPS <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="f403045c853ee1409e0556b74162"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/t5fp2POSG1zBDKIVI8d07zBE2d0>
Subject: Re: [lamps] DRAFT LAMPS Recharter Text
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Aug 2017 14:12:53 -0000

Hello,

On Sun, Aug 6, 2017 at 7:51 PM, Russ Housley <housley@vigilsec.com> wrote:

> At IETF 99, the LAMPS WG considered several potential recharter work
> items.  The attached draft is a result of that discussion.  Please review
> and comment.
>
> Russ
>
> = = = = = = = =
>
> The PKIX and S/MIME Working Groups have been closed for some time. Some
> updates have been proposed to the X.509 certificate documents produced
> by the PKIX Working Group and the electronic mail security documents
> produced by the S/MIME Working Group.
>
> The LAMPS (Limited Additional Mechanisms for PKIX and SMIME) Working
> Group is chartered to make updates where there is a known constituency
> interested in real deployment and there is at least one sufficiently
> well specified approach to the update so that the working group can
> sensibly evaluate whether to adopt a proposal.
>
> Having completed the S/MIME 4.0 specifications and updates to support
> i18n email addresses in PKIX certificates, the LAMPS WG is now:
>
> 1. Specify a discovery mechanism for CAA records to replace the one
>    described in RFC 6844.
>
> 2. Specify the use of SHAKE128/256 and SHAKE256/512 for PKIX and S/MIME.
>
> RFC 6844 describes the mechanism by which CAA records relating to a
> domain are discovered.  Implementation experience has demonstrated an
> ambiguity in the current processing of CNAME and DNAME records during
> discovery.  Subsequent discussion has suggested that a different
> discovery approach would resolve limitations inherent in the current
> approach.
>
> Unlike the previous hashing standards, the SHA-3 functions are the
> outcome of an open competition.  They have a clear design rationale and
> have received a lot of public analysis, resulting in great confidence
> that the SHA-3 family of functions are very secure.  Also, since the
> design of the SHA-3 functions use a very different construction from the
> SHA-2 functions, they offer an excellent alternative to the SHA-2 family
> of functions.  In particular, SHAKE128/256 and SHAKE256/512 offer
> security and performance benefits.
>
> In addition, the LAMPS Working Group may investigate other updates to
> the documents produced by the PKIX and S/MIME Working Groups, but the
> LAMPS Working Group shall not adopt any of these potential work items
> without rechartering.
>
> MILESTONES
>
> Nov 2017: Adopt a draft for rfc6844bis
> Dec 2017: Adopt a PKIX draft for SHAKE128/256 and SHAKE256/512
> Dec 2017: Adopt a S/MIME draft for SHAKE128/256 and SHAKE256/512
> Apr 2018: rfc6844bis sent to IESG for standards track publication
> Sep 2018: SHAKE128/256 and SHAKE256/512 for PKIX sent to IESG for
>              standards track publication
> Sep 2018: SHAKE128/256 and SHAKE256/512 for S/MIME sent to IESG for
>              standards track publication
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm
>

I suggest to add one more item to the charter:

===============
3. Specify a mechanism/language describing the application-level
limitations to certificate trust.

There are a lot of limitations applied to the trust model specified by the
RFC 5280 by browsers,
see for example
https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/--aa6dYHhrc/xbozEdS2BgAJ
This limitations distributed in well-documented alienable format can be
used by various applications,
such as MTAs and browsers, and improve the overall security of PKI
infrastracture.
================

Thank you!

-- 
SY, Dmitry Belyavsky

v2.23.0 | Report a Bug | By Email