Re: [lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-02
Mike Ounsworth <Mike.Ounsworth@entrust.com> Wed, 11 January 2023 13:33 UTC
Return-Path: <Mike.Ounsworth@entrust.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F4B7C14CEFA; Wed, 11 Jan 2023 05:33:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.995
X-Spam-Level:
X-Spam-Status: No, score=-6.995 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=entrust.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IXpMn5xmqHmb; Wed, 11 Jan 2023 05:33:29 -0800 (PST)
Received: from mx08-0015a003.pphosted.com (mx08-0015a003.pphosted.com [185.183.30.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD474C14F747; Wed, 11 Jan 2023 05:33:28 -0800 (PST)
Received: from pps.filterd (m0242863.ppops.net [127.0.0.1]) by mx08-0015a003.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 30B19Z04027090; Wed, 11 Jan 2023 07:33:26 -0600
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=entrust.com; h=from : to : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=mail1; bh=WJVfGaJjPrIBbHI9A+HLXJg3nn/jB5ZocqE6nJ3JApU=; b=X++mq5XW48OifqG/LmvP9ZovINMP6XTokR8e3yXu2NO+2BdG8ibp3MdmHA+X7effczBb dScFNAJ35mQmgESEBEDffHI8KLB+eKH/6UpmK+CROWPhVK4Tbpl5PpBo+OHCh0HxnyQU 0xiMmYNmFD4fKcZyXxf7I80/xi3gwm70BdCCmIQWwJdT/ClgtmflsUHkOFoMp81fSgY6 mzvCdkkqEfy5vjdgOpXAwp2gecT+cd46gCM5FpLsdywKRt36F7v8TSul7kamvj2gOSsV ZhFJ3vSAxRlxAZe9SuqmWj9MWw+oUwI+OxruZQS9wzGDOleKQUMmcvooOAwMYYPKqicq DA==
Received: from nam10-mw2-obe.outbound.protection.outlook.com (mail-mw2nam10lp2108.outbound.protection.outlook.com [104.47.55.108]) by mx08-0015a003.pphosted.com (PPS) with ESMTPS id 3n1k64hq1r-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Jan 2023 07:33:25 -0600
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Z6jH1ZBhNzrmgKqT5dXbt+e7j5wK2oi7xWSGlJ6uiKnFvawdFb2B294KGO/wtKy+Tv7IhKl65hWxdi8fMRTTjciEVYTiElT0+1nkEOJ6sjedu91+Rjwmyqu1Oo0FUG00+mUWDVorJFWIY62qFuhc/W2Dh/vipKDxpp/FZqVs7VgAOeZ7LQNjeP6abq6WrIEl7BhTx6ve2FSyX2zTkl7SlU64F4QW5F4WHFx7RtXBi/QLjSZClTJB0bkAKxMpuwxsq/tKMpavYhvVOHmmCz7rphl4nnCevC/6mCABnxPkJx3lmnEtW0jQNMV+H1DAFsE3tCy9CmP6M2BKVVAhM0x1Dw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=WJVfGaJjPrIBbHI9A+HLXJg3nn/jB5ZocqE6nJ3JApU=; b=dYZXyx+4H8kBjqkGUmmJs88285TgRT3VFCnjO+7Ooz6RzVdFyxHfwKPpDEDCLH7BFXzJ+fjWilqiuxfQrd/3N1456tCNKStH8VC3T7+YfXZc1YrshWDPTeYDiW3qz1BCF39yYo7a/IMyqaSkvdd74uhX7m8LRLWHiMyn04dB7vauRGyiqBfOxDnBYzUyovKDbrHIGAAciKycvc9Bga/V6MLCtSjIHuG2pvOwVkBtFDOBXq/SMbZ3We9zjFJ22f03M7mEuit+9dEAHq7ZgjDR/GL/hdCHQQzZ6SjpDUaqj5ejiquvaiE7LvAD86l7IOheEDMleKEHcoIxbykUB6rr1w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=entrust.com; dmarc=pass action=none header.from=entrust.com; dkim=pass header.d=entrust.com; arc=none
Received: from CH0PR11MB5739.namprd11.prod.outlook.com (2603:10b6:610:100::20) by SJ0PR11MB6623.namprd11.prod.outlook.com (2603:10b6:a03:479::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5986.18; Wed, 11 Jan 2023 13:33:22 +0000
Received: from CH0PR11MB5739.namprd11.prod.outlook.com ([fe80::a95:6d:ab71:f8e1]) by CH0PR11MB5739.namprd11.prod.outlook.com ([fe80::a95:6d:ab71:f8e1%8]) with mapi id 15.20.5986.018; Wed, 11 Jan 2023 13:33:21 +0000
From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: "Kampanakis, Panos" <kpanos=40amazon.com@dmarc.ietf.org>, "aebecke@uwe.nsa.gov" <aebecke=40uwe.nsa.gov@dmarc.ietf.org>, LAMPS <spasm@ietf.org>
Thread-Topic: [lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-02
Thread-Index: AQHZIX+pn12YR/e35kCX+0VEcvSFGa6X8W+AgACYSQCAALPowA==
Date: Wed, 11 Jan 2023 13:33:21 +0000
Message-ID: <CH0PR11MB573917AD78637794B2A424249FFC9@CH0PR11MB5739.namprd11.prod.outlook.com>
References: <PH0PR00MB10003EC6A096FE0A363BBFB9F5459@PH0PR00MB1000.namprd00.prod.outlook.com> <PH0PR00MB10002A7A2850A1333B4F6C00F54A9@PH0PR00MB1000.namprd00.prod.outlook.com> <35BEB1D9-7EA5-4CD4-BADA-88CCB0E9E8F9@vigilsec.com> <6FB4E76C-0AFD-4D00-B0FC-63F244510530@vigilsec.com> <bd5a491c78c8406b8de6414aff4f5223@amazon.com> <SA0PR09MB72412D6BBBC556716B5FBDEDF1FF9@SA0PR09MB7241.namprd09.prod.outlook.com> <adfdcfcfb0f84c63b83bc60cb9a48cfa@amazon.com>
In-Reply-To: <adfdcfcfb0f84c63b83bc60cb9a48cfa@amazon.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: CH0PR11MB5739:EE_|SJ0PR11MB6623:EE_
x-ms-office365-filtering-correlation-id: f144a57f-37a1-4098-60b8-08daf3d86843
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: uHSDTsOP+03K6yw4fO7BOasGhu1s7JVo9JkiSwSLnqelW7bDp7cMePE/NkVCMR33pFdgzAcWjls0Zx/Yifft2sFNhn44wYL73brozAA3Nkwy/k3jfs0UsVo4T6B3n3yL2fRR8ZYabryKIX5nFqAHT70rgjsE7nXMyuRhatt7SFC2wSjCWsBDT7EXeKCcsXidEnsb6PumiTPt2zDLZDfPX0hU6QHprGA4J5x2yJWGsgfVRtPA0TcD/TL2rk1SvT7biRp80T3Er3oOzFZbV2kSYfILex8hAX8zuVuBljJb9KiJYEkKT39i/hdK9KH6uIPp4nrluF/6KEZ81Sdp0m6IczqXHv9CTroB0BdqYGF3mdYcBqCZLJ8iUbYrGHpLadE36wtvMU+tiuvlyFb2XTMm2BWEcbHPdnzylvWlL4a26KvUlhzUO0Absffl3yQIE+a4EXA7cIcM14Cau0H/zRoHXGb/eDpqbsXdA7RMQsgkB/WI6vtIDWje94Lt1jeYnWtocf2cEuYhRq1vt7x7kUMLtuGVxTxuVR+/D2BJWgNeRt8rD7E3Xc31k++qh4svG/ly/wcOJjUpXSEoOSJ74xKuZFzMPt3BOs7FZT8AAZH/UTFKZ3s0yDK5Bt8dC5VUewcJ5F64adwKl/d6ULaVZMlL5R64rHsDRyYoWFzpsceuAcr5GFWngXC1T1QuLF2m1QVbLuNnqQfVljIozn5iq+074ZSLkauGbNb7VqpuASF1a2PS4VHD0Jw6ru0yPzNPSf1H
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH0PR11MB5739.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230022)(396003)(39860400002)(136003)(346002)(366004)(376002)(451199015)(478600001)(66574015)(8676002)(86362001)(66446008)(38100700002)(110136005)(76116006)(66556008)(5660300002)(122000001)(66476007)(66946007)(38070700005)(64756008)(53546011)(166002)(52536014)(41300700001)(8936002)(71200400001)(316002)(33656002)(966005)(7696005)(83380400001)(45080400002)(2906002)(26005)(6506007)(186003)(9686003)(55016003)(491001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: tKIJz6TlRlKkQoCunmqu3uFU7ZijNava1UqW670BVJyFBdI0yS1su2blsgbTvBvg9Ygb+cg8p2iYZAd5bSJR/rdDyhthbvY0DCdmCM6+0HTU1PBRqR61oC2ff2dHiuZTiMqVGxhB+fFM2/FgFKKfcwB/1ub69od9hlduKswdOefu9H7q4L40q9O2x0cs75kpVRnAWQS+OVJARFxxsWv0LN5PzEkin1UEx0os4h5rXUqJgxs1bwjcsR9lDPjf3ZpyxWJdkF+1aYWQwxLoC4Yy5azw8mQoOU+FcPJdg+9DmTcv/dKNc24yLQnZMG2KVv1dH6X6rv8QF3kmfdYFfysKmfW6fLZuGTfYjIO53iYt/nkIVWAnwNwvouZJicrnKTjjUHXM9/HZ/6xqdySj7l0fPgP9Jefr4fL/aIWAqr1WGnUJuOPCTleO0WssocgwORjNHL/otKoSvE0bKUj90QZ+qr9Kzf8VMY/cTT/nKWEPO0bcX8ppFbN79Zn2ulTVP0mHzR0+5QFN9VMr2pUKqC/X5LPzu8qEezj1y5EBqohTtxfJguVtuDOzDmgzNKhCL4WjFx61Ixwsc3zbuhhW1bD44gfGrZT+ZpJzVoZk+766LJ0bPJCs7GW53qs3wWh7J8XTSF8DNsTYa5kk7o0ywXP+sEq7zzjiAA+S21BbT0YrvBoeSOPeBowU3awVtirEJiBdVbd/o+efacFVrf4c88HpEQBq16Cu51fp70dcflwigg3WL8Bzd+VecgKP5M6vp2Xl6w43SeW4iuhPZM+rzQg/bdYzs6IL+Op3Jh6XTyrQpldfNdG+jGlYD+lk1pvTI9QPrwPLWi28urX51BvGHXjb1dN+50/VlShzmPfkzzKCOwc9h0g3BshPYL3nKqtOO+IBpel6+cQhRxIl7lNs5YvVXYY+mJRP9Ztmk+gFFlg53ugJ3x0NQjfzGALipeB6KiVouA8v3YC1jJVrudBrHr+PkLq+bmIMaZ4MpBeFQEfLyZ71pafJjWmu6tsC9yr4w5maZnK974e82qazHG3hUQElim8X8jgmvUfEthI0UOdY36C7fr2Q/7THFnvaJIUSZJiNU7mkRT5MUlLGSUHgntv6PQS6gi0POkE9FM1eafHt71Sq90Ybfo2o0+P8ugCr08c8AjTyuv4NUJfmI+1qVolWFEvuhRWj8ROSv7vhBn5INA+ySbptkI2Xbn3TQYLHlal8HuMWuOFd9KULIT37hFUlH15vAQeU/aob3N9znR3NmDOaGViPq5mIjR1SWyLyQkMHaYSVwW0o8iYeGEyX3OAU15jflLC63SLCLuTVEbh5NNLgiMD/JKhnrYy1TUhj7t3Xmc27HeUEFO4XgI3hec2B4ssosS0HVzngL573m3aH8LdqEYAu9+uGfjp8wuUAWoci6nBBEcQUADpNPkU9DiAxFc0t/oZQ+si36nbkHUWzLxeL4Lw+BZzG2mby6Vhpbk/V4G4orYcm5y5YEsZ6vMX8UJmAWnd0B9EPmLXfBeADgMloQ51iKxCHMcUJObZvhbu7uKud52iWaBlUEai1IUlyPBtlF1PkZWWm79D2AMwK4AqixgYu0YVVkVeWkA56Vy9T
Content-Type: multipart/alternative; boundary="_000_CH0PR11MB573917AD78637794B2A424249FFC9CH0PR11MB5739namp_"
MIME-Version: 1.0
X-OriginatorOrg: entrust.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CH0PR11MB5739.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: f144a57f-37a1-4098-60b8-08daf3d86843
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Jan 2023 13:33:21.3765 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f46cf439-27ef-4acf-a800-15072bb7ddc1
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: SX0xbPr321nwawpLUg6OkEesYH4TwyW++oE8hW3Q18MN85H0Ylk5X8chHIIl1ns3cJLRgK6FQP1G0o0L9Lqyc5C07DGpYNwTuk+DKOnwxKs=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SJ0PR11MB6623
X-Proofpoint-GUID: XMPeAzRlW2edXavMq9j9JuWbCn5nWxl1
X-Proofpoint-ORIG-GUID: XMPeAzRlW2edXavMq9j9JuWbCn5nWxl1
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.219,Aquarius:18.0.923,Hydra:6.0.545,FMLib:17.11.122.1 definitions=2023-01-11_07,2023-01-11_02,2022-06-22_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 adultscore=0 lowpriorityscore=0 mlxlogscore=999 malwarescore=0 clxscore=1011 priorityscore=1501 impostorscore=0 suspectscore=0 bulkscore=0 mlxscore=0 spamscore=0 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2212070000 definitions=main-2301110098
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/xXhhQ7cppbvK2rgwISrVmdFLFrw>
Subject: Re: [lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-02
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Jan 2023 13:33:33 -0000
Panos, I assume in their use-case, endpoints will treat matching SANs as necessary but not sufficient. Making up an example here, if you're receiving a TLS client-auth connection from DN: cn=Alice,dc=example,dc=com then both certs had better have the same DN (otherwise it's totally unclear which user is trying to log in) *PLUS* one of them had better have a RelatedCertificate extn that lines up with the other cert to prove that both private keys are contained on the same hardware device (or wtv the semantics of that extension mean in their environment). --- Mike Ounsworth From: Spasm <spasm-bounces@ietf.org> On Behalf Of Kampanakis, Panos Sent: Tuesday, January 10, 2023 8:43 PM To: aebecke@uwe.nsa.gov <aebecke=40uwe.nsa.gov@dmarc.ietf.org>; LAMPS <spasm@ietf.org> Subject: [EXTERNAL] Re: [lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-02 WARNING: This email originated outside of Entrust. DO NOT CLICK links or attachments unless you trust the sender and know the content is safe. ________________________________ Hi Allie, Thx. If there is no overlap between the Subject Name or SANs in the two related certs, should they be used at the same time in a PQ transition scenario since the verifier can only be talking to one identity at a time? To rephrase that, if the two related certs include completely different identities, wouldn't that be a problem for the TLS, IKEv2, etc verifier? - When the verifier is presented with a classical RSA peer cert, it confirms the identity of the cert is the identity it is talking to. - When the verifier is presented with just one PQ peer related-cert, it will confirm the identity of the cert is the identity it is talking to. - While still in the PQ transition phase, when the verifier is presented with one classical RSA peer cert and one PQ peer related-cert, what is it supposed to do if the identities in these certs are completely different? Verify only one identity and assume the other one belongs to the same peer because of POP at issuance? From: Spasm <spasm-bounces@ietf.org<mailto:spasm-bounces@ietf.org>> On Behalf Of aebecke@uwe.nsa.gov<mailto:aebecke@uwe.nsa.gov> Sent: Tuesday, January 10, 2023 12:38 PM To: Kampanakis, Panos <kpanos=40amazon.com@dmarc.ietf.org<mailto:kpanos=40amazon.com@dmarc.ietf.org>>; Russ Housley <housley@vigilsec.com<mailto:housley@vigilsec.com>>; LAMPS <spasm@ietf.org<mailto:spasm@ietf.org>> Subject: RE: [EXTERNAL][lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-02 CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe. Hi Panos, Thanks for the comments. It is not always the case that SANs will unambiguously identify a certificate, as they are not globally unique. Especially in the case that may arise in which a different CA has issued a related certificate, we want to provide strong assurance that the certificate is under the control of the correct end-entity. Matching names depends on mapping the namespaces of the issuers (which may suffice for discovery); our draft provides the existing (traditional) PoP nested in the new (PQC) PoP, which we think provides more assurance. Cheers, Alie ---- ________________________________ From: Spasm <spasm-bounces@ietf.org<mailto:spasm-bounces@ietf.org>> on behalf of Kampanakis, Panos <kpanos=40amazon.com@dmarc.ietf.org<mailto:kpanos=40amazon.com@dmarc.ietf.org>> Sent: Thursday, January 5, 2023 9:33 PM To: Russ Housley <housley@vigilsec.com<mailto:housley@vigilsec.com>>; LAMPS <spasm@ietf.org<mailto:spasm@ietf.org>> Subject: Re: [lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-02 My previous objections and concerns have not been addressed, but maybe I had misunderstood the spirit of the draft. So let me repeat the last, most important, question after Mike's presentation of the draft in IETF-115. It seems that the draft just wants to provide an extension that says cert A and cert B are related and owned by the same entity and allow a CSR to prove that the requester of Cert B also owns the private key for Cert A. In other words the flow would work as: - Entity X generates a CSR for CertA and proves it owns the private key for A. The issuer generates CertA after verifying the ownership of private key A and the identity of X. - Entity X generates a CSR for CertB which is related to CertA and proves it owns the private key for A and B. The issuer generates CertB (related-to-CertA) after verifying the ownership of private keys A and B and the identity of X. - Entity X owns CertA and CertB which it uses to be authenticated in protocol Y. The protocol Y verifier gets CertA and CertB, it verifies the peer owns the private key for CertA, CertB and it confirms it trusts these certs were issued for Entity X. Now let's forget the draft and say we do not use a new X.509 or CSR extension. And let's say the flow now works as - Entity X generates a CSR for CertA and proves it owns the private key for A. The issuer generates CertA after verifying the ownership of private key A and the identity of X. - Entity X generates a CSR for CertB and proves it owns the private key for B. The issuer generates CertB after verifying the ownership of private key B and the identity of X. - Entity X owns CertA and CertB which it uses to be authenticated in protocol Y. The protocol Y verifier gets CertA and CertB, it verifies the peer owns the private key for CertA, CertB and it confirms it trusts BOTH of these certs were issued for the same entity Entity X. Why is the former flow better over the latter? In other words, if CertA and CertB were issued separately, why could the verifier not just use the Subject Name or SANs to confirm the certs relationship while verifying? -----Original Message----- From: Spasm <spasm-bounces@ietf.org<mailto:spasm-bounces@ietf.org>> On Behalf Of Russ Housley Sent: Thursday, January 5, 2023 6:02 PM To: LAMPS <spasm@ietf.org<mailto:spasm@ietf.org>> Subject: [EXTERNAL] [lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-02 CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe. Do the changes that were made in -02 of the Internet-Draft resolve the concerns that were previously raised? On behalf of the LAMPS WG Chairs, Russ > On Sep 15, 2022, at 11:44 AM, Russ Housley <housley@vigilsec.com<mailto:housley@vigilsec.com>> wrote: > > There has been some discussion of https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-becker-guthrie-cert-binding-for-multi-auth%2F&data=05%7C01%7Caebecke%40uwe.nsa.gov%7Cd4dd908b5872439f1f0408daef96c7fd%7Cd61e9a6ffc164f848a3e6eeff33e136b%7C0%7C0%7C638085728259980926%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000%7C%7C%7C&sdata=nVzReEXbWrb8sHQPdGWv9G95WoP1GiKdjlHZP6DesmA%3D&reserved=0<https://urldefense.com/v3/__https:/gcc02.safelinks.protection.outlook.com/?url=https*3A*2F*2Fdatatracker.ietf.org*2Fdoc*2Fdraft-becker-guthrie-cert-binding-for-multi-auth*2F&data=05*7C01*7Caebecke*40uwe.nsa.gov*7Cd4dd908b5872439f1f0408daef96c7fd*7Cd61e9a6ffc164f848a3e6eeff33e136b*7C0*7C0*7C638085728259980926*7CUnknown*7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0*3D*7C2000*7C*7C*7C&sdata=nVzReEXbWrb8sHQPdGWv9G95WoP1GiKdjlHZP6DesmA*3D&reserved=0__;JSUlJSUlJSUlJSUlJSUlJSUlJSUlJQ!!FJ-Y8qCqXTj2!d7f04rwCDRu50-kA9UKkJme_ySd-Afo_1Wb-dRjV7Oezr0g4VpHXxYq1FxaLj8rCLEwQyFlPuSPMoyO5iHbXgQ0o4LMPjD4qXsgkQtebag$>. During the discussion at IETF 114, we agree to have a call for adoption of this document. > > Should the LAMPS WG adopt "Related Certificates for Use in Multiple Authentications within a Protocol" indraft-becker-guthrie-cert-binding-for-multi-auth-01? > > Please reply to this message by Friday, 30 September 2022 to voice your support or opposition to adoption. > > On behalf of the LAMPS WG Chairs, > Russ > _______________________________________________ Spasm mailing list Spasm@ietf.org<mailto:Spasm@ietf.org> https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fspasm&data=05%7C01%7Caebecke%40uwe.nsa.gov%7Cd4dd908b5872439f1f0408daef96c7fd%7Cd61e9a6ffc164f848a3e6eeff33e136b%7C0%7C0%7C638085728259980926%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000%7C%7C%7C&sdata=qkCBqRILB587BacZgK9AHy6kqqQmfrTGeqv9dqm1RXg%3D&reserved=0<https://urldefense.com/v3/__https:/gcc02.safelinks.protection.outlook.com/?url=https*3A*2F*2Fwww.ietf.org*2Fmailman*2Flistinfo*2Fspasm&data=05*7C01*7Caebecke*40uwe.nsa.gov*7Cd4dd908b5872439f1f0408daef96c7fd*7Cd61e9a6ffc164f848a3e6eeff33e136b*7C0*7C0*7C638085728259980926*7CUnknown*7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0*3D*7C2000*7C*7C*7C&sdata=qkCBqRILB587BacZgK9AHy6kqqQmfrTGeqv9dqm1RXg*3D&reserved=0__;JSUlJSUlJSUlJSUlJSUlJSUlJSUlJQ!!FJ-Y8qCqXTj2!d7f04rwCDRu50-kA9UKkJme_ySd-Afo_1Wb-dRjV7Oezr0g4VpHXxYq1FxaLj8rCLEwQyFlPuSPMoyO5iHbXgQ0o4LMPjD4qXsjiZu1rhQ$> _______________________________________________ Spasm mailing list Spasm@ietf.org<mailto:Spasm@ietf.org> https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fspasm&data=05%7C01%7Caebecke%40uwe.nsa.gov%7Cd4dd908b5872439f1f0408daef96c7fd%7Cd61e9a6ffc164f848a3e6eeff33e136b%7C0%7C0%7C638085728259980926%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000%7C%7C%7C&sdata=qkCBqRILB587BacZgK9AHy6kqqQmfrTGeqv9dqm1RXg%3D&reserved=0<https://urldefense.com/v3/__https:/gcc02.safelinks.protection.outlook.com/?url=https*3A*2F*2Fwww.ietf.org*2Fmailman*2Flistinfo*2Fspasm&data=05*7C01*7Caebecke*40uwe.nsa.gov*7Cd4dd908b5872439f1f0408daef96c7fd*7Cd61e9a6ffc164f848a3e6eeff33e136b*7C0*7C0*7C638085728259980926*7CUnknown*7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0*3D*7C2000*7C*7C*7C&sdata=qkCBqRILB587BacZgK9AHy6kqqQmfrTGeqv9dqm1RXg*3D&reserved=0__;JSUlJSUlJSUlJSUlJSUlJSUlJSUlJQ!!FJ-Y8qCqXTj2!d7f04rwCDRu50-kA9UKkJme_ySd-Afo_1Wb-dRjV7Oezr0g4VpHXxYq1FxaLj8rCLEwQyFlPuSPMoyO5iHbXgQ0o4LMPjD4qXsjiZu1rhQ$> Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.
- [lamps] Call for adoption of draft-becker-guthrie… Russ Housley
- Re: [lamps] [EXTERNAL] Call for adoption of draft… Mike Ounsworth
- Re: [lamps] [EXTERNAL] Call for adoption of draft… Russ Housley
- Re: [lamps] Call for adoption of draft-becker-gut… Corey Bonnell
- Re: [lamps] Call for adoption of draft-becker-gut… Kampanakis, Panos
- Re: [lamps] Call for adoption of draft-becker-gut… Michael Jenkins
- Re: [lamps] Call for adoption of draft-becker-gut… Kampanakis, Panos
- Re: [lamps] Call for adoption of draft-becker-gut… Russ Housley
- Re: [lamps] Call for adoption of draft-becker-gut… Kampanakis, Panos
- Re: [lamps] Call for adoption of draft-becker-gut… John Gray
- Re: [lamps] Call for adoption of draft-becker-gut… Russ Housley
- Re: [lamps] Call for adoption of draft-becker-gut… Russ Housley
- Re: [lamps] Call for adoption of draft-becker-gut… Tomas Gustavsson
- Re: [lamps] Call for adoption of draft-becker-gut… Stephen Farrell
- Re: [lamps] [EXTERNAL] Re: Call for adoption of d… Mike Ounsworth
- Re: [lamps] [EXTERNAL] Re: Call for adoption of d… Rebecca Guthrie
- Re: [lamps] Call for adoption of draft-becker-gut… Russ Housley
- Re: [lamps] Call for adoption of draft-becker-gut… Stephen Farrell
- Re: [lamps] [EXTERNAL] Re: Call for adoption of d… Mike Ounsworth
- Re: [lamps] Call for adoption of draft-becker-gut… Kampanakis, Panos
- Re: [lamps] Call for adoption of draft-becker-gut… Michael Jenkins
- Re: [lamps] Call for adoption of draft-becker-gut… Kampanakis, Panos
- Re: [lamps] Call for adoption of draft-becker-gut… Mike Ounsworth
- Re: [lamps] Call for adoption of draft-becker-gut… Blumenthal, Uri - 0553 - MITLL
- Re: [lamps] Call for adoption of draft-becker-gut… Stephen Farrell
- Re: [lamps] Call for adoption of draft-becker-gut… Kampanakis, Panos
- Re: [lamps] Call for adoption of draft-becker-gut… Tomas Gustavsson
- Re: [lamps] Call for adoption of draft-becker-gut… Russ Housley
- Re: [lamps] Call for adoption of draft-becker-gut… Kampanakis, Panos
- Re: [lamps] Call for adoption of draft-becker-gut… Tomas Gustavsson
- Re: [lamps] Call for adoption of draft-becker-gut… Mike Ounsworth
- Re: [lamps] Call for adoption of draft-becker-gut… Tomas Gustavsson
- Re: [lamps] Call for adoption of draft-becker-gut… Mike Ounsworth
- [lamps] Call for adoption of draft-becker-guthrie… Russ Housley
- Re: [lamps] Call for adoption of draft-becker-gut… Kampanakis, Panos
- Re: [lamps] Call for adoption of draft-becker-gut… Mike Ounsworth
- Re: [lamps] Call for adoption of draft-becker-gut… aebecke@uwe.nsa.gov
- Re: [lamps] Call for adoption of draft-becker-gut… Kampanakis, Panos
- Re: [lamps] Call for adoption of draft-becker-gut… Mike Ounsworth
- Re: [lamps] Call for adoption of draft-becker-gut… Kampanakis, Panos
- Re: [lamps] Call for adoption of draft-becker-gut… Mike Ounsworth
- Re: [lamps] Call for adoption of draft-becker-gut… Carl Wallace
- Re: [lamps] Call for adoption of draft-becker-gut… Mike Ounsworth
- Re: [lamps] Call for adoption of draft-becker-gut… Kampanakis, Panos
- Re: [lamps] Call for adoption of draft-becker-gut… Mike Ounsworth
- Re: [lamps] Call for adoption of draft-becker-gut… Tomofumi Okubo
- Re: [lamps] Call for adoption of draft-becker-gut… Santosh Chokhani
- Re: [lamps] Call for adoption of draft-becker-gut… Carl Wallace
- Re: [lamps] Call for adoption of draft-becker-gut… Carl Wallace
- Re: [lamps] Call for adoption of draft-becker-gut… Tadahiko Ito
- Re: [lamps] Call for adoption of draft-becker-gut… Julien Prat
- Re: [lamps] Call for adoption of draft-becker-gut… Tim Hollebeek
- Re: [lamps] Call for adoption of draft-becker-gut… Mike Ounsworth
- Re: [lamps] Call for adoption of draft-becker-gut… Kampanakis, Panos
- Re: [lamps] Call for adoption of draft-becker-gut… Michael Richardson
- Re: [lamps] Call for adoption of draft-becker-gut… aebecke@uwe.nsa.gov
- Re: [lamps] Call for adoption of draft-becker-gut… Kampanakis, Panos
- Re: [lamps] Call for adoption of draft-becker-gut… Santosh Chokhani
- Re: [lamps] Call for adoption of draft-becker-gut… Michael Markowitz
- Re: [lamps] Call for adoption of draft-becker-gut… Mike Ounsworth
- Re: [lamps] Call for adoption of draft-becker-gut… Kampanakis, Panos
- Re: [lamps] Call for adoption of draft-becker-gut… Tomofumi Okubo
- Re: [lamps] Call for adoption of draft-becker-gut… Tim Hollebeek
- Re: [lamps] Call for adoption of draft-becker-gut… Kampanakis, Panos
- Re: [lamps] Call for adoption of draft-becker-gut… Seo Suchan
- Re: [lamps] Call for adoption of draft-becker-gut… Santosh Chokhani
- Re: [lamps] Call for adoption of draft-becker-gut… Tomofumi Okubo
- Re: [lamps] Call for adoption of draft-becker-gut… Santosh Chokhani
- Re: [lamps] Call for adoption of draft-becker-gut… Tomofumi Okubo
- Re: [lamps] Call for adoption of draft-becker-gut… Russ Housley