[stir] Quick look at draft-peterson-stir-certificates-shortlived-05
Eric Rescorla <ekr@rtfm.com> Mon, 18 March 2024 07:22 UTC
Document: draft-peterson-stir-certificates-shortlived-05.txt

This seems like a reasonable idea, though it should probably be clearer why it needs a new spec. It seems like that is because 8224 requires x5u, not x5c? If so, perhaps that should be made clear as the normative change.

> As an optimization, this specification permits the conveyance of the certificate chain for a short-lived certificate via the "x5c" JWS header element ([RFC7515] Section 4.1.6). The "x5c" element contains a base64 encoded DER representation of the certificate chain. STIR Verification service implementations compliant with this specification MUST support the "x5c" element; authentication services SHOULD use the "x5c" format for PASSporTs signed by certificates with an expiry shorter than one week.

The presence of x5y creates x5c, right?

> PASSporT objects that are considerable larger than typical RFC8225 tokens, and the longer the certificate chain, the larger the PASSporT header will be. But provided the certificate chain leads to a trusted certification authority, "x5u" precludes the need for a round-trip time before validation at the STIR verification service.

Depending on what you are trying to say, this may also be "x5c". If it's "x5u", then you should clarify the text.
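To make the x5c-versus-x5u trade-off discussed above concrete, here is an added illustration (not code from the draft or from any STIR implementation): an authentication-service side that embeds the chain as "x5c" only when the signing certificate is short-lived, and a verification-service side that decides whether it can validate from the inline chain or must first fetch the "x5u" URL. The DER byte strings and the URL are constructed placeholders, and the one-week threshold is the draft's SHOULD.

```python
import base64
import json

# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
LEAF_DER = b"\x30\x82\x01\x00" + b"leaf-cert-placeholder" * 8
ISSUER_DER = b"\x30\x82\x01\x00" + b"issuer-cert-placeholder" * 8
ONE_WEEK = 7 * 24 * 3600
X5U_PLACEHOLDER = "https://cert.example.invalid/leaf.pem"  # hypothetical URL


def b64url(data: bytes) -> str:
    """base64url without padding, as JWS requires for the protected header."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_passport_header(chain_der, seconds_to_expiry, x5u=X5U_PLACEHOLDER):
    """Authentication service: build the PASSporT protected header.
    Embeds the chain as "x5c" when the signing certificate expires within a
    week, otherwise points at it with "x5u". Per RFC 7515 section 4.1.6 each
    "x5c" entry is standard base64 (not base64url) of one DER certificate,
    with the signing certificate first.
    """
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport"}
    if seconds_to_expiry < ONE_WEEK:
        header["x5c"] = [base64.b64encode(c).decode("ascii") for c in chain_der]
    else:
        header["x5u"] = x5u
    return header


def encode_header(header):
    """Serialise the header as the first segment of a compact JWS."""
    return b64url(json.dumps(header, separators=(",", ":")).encode())


def certificate_source(protected_b64url):
    """Verification service: decode the protected header and report whether
    the chain is available inline ("embedded", no network round trip) or
    must be fetched first ("fetch", url) before the signature can be checked."""
    padded = protected_b64url + "=" * (-len(protected_b64url) % 4)
    header = json.loads(base64.urlsafe_b64decode(padded))
    if "x5c" in header:
        return ("embedded", [base64.b64decode(c) for c in header["x5c"]])
    if "x5u" in header:
        return ("fetch", header["x5u"])
    raise ValueError("PASSporT header carries neither x5c nor x5u")
```

Comparing the two encoded headers shows the size cost the draft mentions: the x5c form grows with every certificate in the chain, while the x5u form stays a few dozen bytes regardless of chain length.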