Re: [lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-02

Santosh Chokhani <santosh.chokhani@gmail.com> Tue, 31 January 2023 14:26 UTC

Return-Path: <santosh.chokhani@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9EDC9C14F693 for <spasm@ietfa.amsl.com>; Tue, 31 Jan 2023 06:26:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dhMIDirGJxPC for <spasm@ietfa.amsl.com>; Tue, 31 Jan 2023 06:26:33 -0800 (PST)
Received: from mail-vs1-xe2e.google.com (mail-vs1-xe2e.google.com [IPv6:2607:f8b0:4864:20::e2e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 54767C14F74F for <spasm@ietf.org>; Tue, 31 Jan 2023 06:26:33 -0800 (PST)
Received: by mail-vs1-xe2e.google.com with SMTP id d66so16169538vsd.9 for <spasm@ietf.org>; Tue, 31 Jan 2023 06:26:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-language:thread-index:content-transfer-encoding :mime-version:message-id:date:subject:in-reply-to:references:to:from :from:to:cc:subject:date:message-id:reply-to; bh=jGMHLL8UB4iol21Iq0FuKJ0c61eel3Le1Z8QrNmUSNg=; b=o9FwLnaK56HhXRdYi/sIOMXnSBnONMkc8KdIy1MMLen6j4ivF+po7LuD3XtJ7/LIJb 4u6xxEV2azaLzB7NAysR6B/rG6jFStQX5OZ1LRQeOcbKOcc3jP2KY9bc9pB6xA3TVqTm SjzvlDriZR8g/Y0BSyQEoQMAaLdtxRr4Udd0kuMJ688w6gokh91wNulpo/dlTbpx96Ho YXk2R8KZ6kOWnHCvXGNtTsKZY9z/3/GDJQ/wRdxaBAcHOvb38gQ/7tp+n34oRn2xusbY vkWIZvSJcK7bUNegc74Z1h94UAh5QGXIsZIJYq3sGkFgLPQfovNQfidZDyArmvC0VGjT zCcA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-language:thread-index:content-transfer-encoding :mime-version:message-id:date:subject:in-reply-to:references:to:from :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=jGMHLL8UB4iol21Iq0FuKJ0c61eel3Le1Z8QrNmUSNg=; b=MGTKZ0l3X2WPgREvsG1CMIXONuADe2wERJL3Pb/GduvewgIEhJJ5wU2aodAYz0iu9a m5qTSFgU81mulmN+BEHITX6u8TjhRzzCcTZ2EgTFkdMIWVLkNdwzlm0/NiHRi4EXvUcU lBgdcKQl2wycD0Xt/K6oUF4yfZLUvfQ0ttm2d6PH7jZAVtdgoyhfokhgqgw45wWVVb8s tnmP1wTkGSXI5eYzvuwWO9sd3lJHUzVmY5ifOoIZB4T/iLjuF24Xjm2kUY6Kga7W18sj MLbYfZ+pxEY96njgxrp1iKi1+Z2UmjBLIMfV003dw0sCcsuPkzkuiPmygt2gawHnJwYq b9hw==
X-Gm-Message-State: AO0yUKWO/1R/Sl4x4V/OO7oTuxASwqvTrXL67NVtfoJ6+9uNFZIyG6hC e+MOWMI5E8ysQks8SyOYsg6hoBnGLBg=
X-Google-Smtp-Source: AK7set8gkB32UDVQvRLzasWvQHdBJZWZVq/N8yOmfaE8I2xg9sQRv+LSUGDJpk7e4+hmeOBiCONaBg==
X-Received: by 2002:a05:6102:20c8:b0:3e8:cd3d:f64f with SMTP id i8-20020a05610220c800b003e8cd3df64fmr11641237vsr.25.1675175191913; Tue, 31 Jan 2023 06:26:31 -0800 (PST)
Received: from SantoshBrain (pool-108-28-3-134.washdc.fios.verizon.net. [108.28.3.134]) by smtp.gmail.com with ESMTPSA id b4-20020a378004000000b0070736988c10sm10043158qkd.110.2023.01.31.06.26.30 for <spasm@ietf.org> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 31 Jan 2023 06:26:31 -0800 (PST)
From: Santosh Chokhani <santosh.chokhani@gmail.com>
To: 'LAMPS' <spasm@ietf.org>
References: <PH0PR00MB10003EC6A096FE0A363BBFB9F5459@PH0PR00MB1000.namprd00.prod.outlook.com> <PH0PR00MB10002A7A2850A1333B4F6C00F54A9@PH0PR00MB1000.namprd00.prod.outlook.com> <35BEB1D9-7EA5-4CD4-BADA-88CCB0E9E8F9@vigilsec.com> <6FB4E76C-0AFD-4D00-B0FC-63F244510530@vigilsec.com> <85c60b8b-72e2-5342-7ccb-d69b84d5444f@gmail.com>
In-Reply-To: <85c60b8b-72e2-5342-7ccb-d69b84d5444f@gmail.com>
Date: Tue, 31 Jan 2023 09:26:30 -0500
Message-ID: <158201d93580$0387ae90$0a970bb0$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQFljVpxtnCxG7UiG+pMgVJh6HLfMQJdeOP5ASevSnwDQU/WgALUGXf4r1MNJnA=
Content-Language: en-us
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/zNz1YM0iSjw8d9cSIom-5dnSaZI>
Subject: Re: [lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-02
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Jan 2023 14:26:35 -0000

See inline

-----Original Message-----
From: Spasm [mailto:spasm-bounces@ietf.org] On Behalf Of Seo Suchan
Sent: Monday, January 30, 2023 1:47 PM
To: Russ Housley <housley@vigilsec.com>; LAMPS <spasm@ietf.org>
Subject: Re: [lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-02

Not sure how it can used safely with backward compatible : If I want this to be backward compatible this would be extension on classical cert that points PQ certificate: but if one is in position to break the protocol why would one can trust this extension will point anything reasonable? for example attacker can point another RSA certificate they forged, or just strip this extension.
[Santosh] You can protect against that by cryptographically binding the linked certificate by putting hash of the SPKI or hash of the whole certificate in the extension.

2023-01-06 오전 8:01에 Russ Housley 이(가) 쓴 글:
> Do the changes that were made in -02 of the Internet-Draft resolve the concerns that were previously raised?
>
> On behalf of the LAMPS WG Chairs,
> Russ
>
>
>> On Sep 15, 2022, at 11:44 AM, Russ Housley <housley@vigilsec.com> wrote:
>>
>> There has been some discussion of https://datatracker.ietf.org/doc/draft-becker-guthrie-cert-binding-for-multi-auth/.  During the discussion at IETF 114, we agree to have a call for adoption of this document.
>>
>> Should the LAMPS WG adopt “Related Certificates for Use in Multiple Authentications within a Protocol” indraft-becker-guthrie-cert-binding-for-multi-auth-01?
>>
>> Please reply to this message by Friday, 30 September 2022 to voice your support or opposition to adoption.
>>
>> On behalf of the LAMPS WG Chairs,
>> Russ
>>
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm

_______________________________________________
Spasm mailing list
Spasm@ietf.org
https://www.ietf.org/mailman/listinfo/spasm