IETF Logo Mail Archive

Re: [Tls-reg-review] TLS Certificate Key Selection (CKS) Extension Using X.509 Hybrid Certificates

"Salz, Rich" <rsalz@akamai.com> Mon, 09 October 2023 18:38 UTC

Return-Path: <rsalz@akamai.com>
X-Original-To: tls-reg-review@ietfa.amsl.com
Delivered-To: tls-reg-review@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B424C008A66; Mon, 9 Oct 2023 11:38:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.004
X-Spam-Level:
X-Spam-Status: No, score=-2.004 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5nB053OzzGfr; Mon, 9 Oct 2023 11:38:39 -0700 (PDT)
Received: from mx0a-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EE69AC008A65; Mon, 9 Oct 2023 11:38:35 -0700 (PDT)
Received: from pps.filterd (m0050093.ppops.net [127.0.0.1]) by m0050093.ppops.net-00190b01. (8.17.1.22/8.17.1.22) with ESMTP id 399HPWNx025350; Mon, 9 Oct 2023 19:38:34 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h= from:to:cc:subject:date:message-id:content-type:mime-version; s= jan2016.eng; bh=it1eAOHXzQAB+cYGsw5t893mIiMFZeKDog/p4+QzRfs=; b= LfZ3JU8ZLUiYWbXLXwuGgLgqM43Sh1MOrk1k2ws2MnlXrCEdrZLhCgL64wMUKAEg SAHQsvEm6z+r+Lp/pHKmHDRQDrVxmy+cC1N1S1uCSeh3SoKpexSJBMWTaGU9EWXq qVAbNlzmdITAKmpiKomQETM5/b3ezL0L/V/AQfN68xyMe4Vm9ah28mL7d8uEDKWB uY+0SGE9Vvq0hcrCyKvm/ruiYXUQYw5L2vNo5PrmIyKaBa0A8bcJGh7xx16WYUzh eXZ1qnmTY4eQNjVzujKEosSDOlByeD/vN3C/AvP1OdQr9NtFwlTh/xtP6XETyjCv RCgOuq2oBp+0L+4N13SMrA==
Received: from prod-mail-ppoint3 (a72-247-45-31.deploy.static.akamaitechnologies.com [72.247.45.31] (may be forged)) by m0050093.ppops.net-00190b01. (PPS) with ESMTPS id 3tkhvhjp9w-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 09 Oct 2023 19:38:34 +0100 (BST)
Received: from pps.filterd (prod-mail-ppoint3.akamai.com [127.0.0.1]) by prod-mail-ppoint3.akamai.com (8.17.1.19/8.17.1.19) with ESMTP id 399ILPMv010910; Mon, 9 Oct 2023 14:38:33 -0400
Received: from email.msg.corp.akamai.com ([172.27.50.204]) by prod-mail-ppoint3.akamai.com (PPS) with ESMTPS id 3tmfa5u1eb-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 09 Oct 2023 14:38:33 -0400
Received: from ustx2ex-dag4mb4.msg.corp.akamai.com (172.27.50.203) by ustx2ex-dag4mb5.msg.corp.akamai.com (172.27.50.204) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.25; Mon, 9 Oct 2023 11:38:32 -0700
Received: from ustx2ex-dag4mb4.msg.corp.akamai.com ([172.27.50.203]) by ustx2ex-dag4mb4.msg.corp.akamai.com ([172.27.50.203]) with mapi id 15.02.1258.025; Mon, 9 Oct 2023 11:38:32 -0700
From: "Salz, Rich" <rsalz@akamai.com>
To: "Stapleton, Jeff" <Jeff.Stapleton=40wellsfargo.com@dmarc.ietf.org>, "tls-reg-review@ietf.org" <tls-reg-review@ietf.org>
CC: "Bordow, Peter" <Peter.Bordow@wellsfargo.com>, "Rao, Abhijit" <Abhijit.Rao@wellsfargo.com>, "Anthony Hu (anthony@wolfssl.com)" <anthony@wolfssl.com>, David Hook <David.Hook@keyfactor.com>, "Steve Stevens - X9 Executve Director (steve.stevens@x9.org)" <steve.stevens@x9.org>
Thread-Topic: [Tls-reg-review] TLS Certificate Key Selection (CKS) Extension Using X.509 Hybrid Certificates
Thread-Index: AQHZ+t/OOaVb/QSjHky9PZWBXT36Nw==
Date: Mon, 09 Oct 2023 18:38:32 +0000
Message-ID: <C92208EF-A6F2-4D42-A9AD-B796BB1519C8@akamai.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.77.23091003
x-originating-ip: [172.27.164.43]
Content-Type: multipart/alternative; boundary="_000_C92208EFA6F24D42A9ADB796BB1519C8akamaicom_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.267,Aquarius:18.0.980,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2023-10-09_16,2023-10-09_01,2023-05-22_02
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxscore=0 spamscore=0 phishscore=0 mlxlogscore=913 malwarescore=0 suspectscore=0 bulkscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2309180000 definitions=main-2310090152
X-Proofpoint-ORIG-GUID: rNpzduJjqFCgwIqBgSUzYctoHyNSKqnj
X-Proofpoint-GUID: rNpzduJjqFCgwIqBgSUzYctoHyNSKqnj
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.267,Aquarius:18.0.980,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2023-10-09_17,2023-10-09_01,2023-05-22_02
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxscore=0 adultscore=0 priorityscore=1501 phishscore=0 impostorscore=0 mlxlogscore=930 spamscore=0 bulkscore=0 lowpriorityscore=0 clxscore=1011 suspectscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2309180000 definitions=main-2310090152
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls-reg-review/5tp42xgHBg2PFY6F3F_FZnkMGLc>
Subject: Re: [Tls-reg-review] TLS Certificate Key Selection (CKS) Extension Using X.509 Hybrid Certificates
X-BeenThere: tls-reg-review@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: TLS REVIEW <tls-reg-review.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls-reg-review>, <mailto:tls-reg-review-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls-reg-review/>
List-Post: <mailto:tls-reg-review@ietf.org>
List-Help: <mailto:tls-reg-review-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls-reg-review>, <mailto:tls-reg-review-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Oct 2023 18:38:43 -0000

Are you planning on submitting that draft via the datatracker?

Are you requesting 9146(decimal, or 0x23ba) or 0x9146(hex, decimal 37190)? Either would be fine, as both are within unassigned ranges:
6683-10793

Unassigned

35467-39577

Unassigned



From: tls-reg-review <tls-reg-review-bounces@ietf.org> on behalf of "Stapleton, Jeff" <Jeff.Stapleton=40wellsfargo.com@dmarc.ietf.org>
Date: Monday, October 9, 2023 at 10:26 AM
To: "tls-reg-review@ietf.org" <tls-reg-review@ietf.org>
Cc: "Bordow, Peter" <Peter.Bordow@wellsfargo.com>, "Rao, Abhijit" <Abhijit.Rao@wellsfargo.com>, "Anthony Hu (anthony@wolfssl.com)" <anthony@wolfssl.com>, David Hook <David.Hook@keyfactor.com>, "Steve Stevens - X9 Executve Director (steve.stevens@x9.org)" <steve.stevens@x9.org>
Subject: [Tls-reg-review] TLS Certificate Key Selection (CKS) Extension Using X.509 Hybrid Certificates

Attached for consideration is draft-stapleton-hybrid-x509-cks-tls-01.docx TLS Certificate Key Selection (CKS) Extension Using X.509 Hybrid Certificates. This document describes a Transport Layer Security (TLS) extension Certificate Key Selection (CKS) using hybrid X.509 certificates. The CKS allows TLS servers to negotiate with TLS clients for selecting the usage order of the native public key and certificate signature, the alternate public key and certificate signature, or both. The CKS options enable forwards or backwards interoperability when migrating services for large organizations during one or more cryptographic transitions.

The goal of this document is to introduce CKS based on the draft X9.146 standard and register the TLS extension “9146” for further development.

ANSI X9.146–20231002  DRAFT Public Key Infrastructure (PKI) – Certificate Key Selection (CKS)  for Transport Layer Security (TLS). This standard specifies a Transport Layer Security (TLS) protocol extension for certificate public key selection in certificates that possess more than one public key. The extension schema and its processing requirements are defined for both client and server participants in a TLS handshake. The current work focuses on hybrid (dual-key) certificates but its scope will include composite and chameleon certificates.

Note that X9.146 is copyrighted by ASC X9 per ANSI rules. If successful, this ANSI standard will be submitted to TC68 for ISO standardization, which per ISO rules will also be copyrighted. See links.

·         ASC X9 https://x9.org/<https://urldefense.com/v3/__https:/x9.org/__;!!GjvTz_vk!SrgNsy1QkgpiCGkSd-ArnFnwnPYWihywR_csGQpBqjgMBGD4xYVADiN5aI2cGHWp35_NxDsoB6vy2SjDA549aEN7kd7d$>

·         ANSI https://www.ansi.org/<https://urldefense.com/v3/__https:/www.ansi.org/__;!!GjvTz_vk!SrgNsy1QkgpiCGkSd-ArnFnwnPYWihywR_csGQpBqjgMBGD4xYVADiN5aI2cGHWp35_NxDsoB6vy2SjDA549aCmzdgxP$>

·         ISO https://www.iso.org/home.html<https://urldefense.com/v3/__https:/www.iso.org/home.html__;!!GjvTz_vk!SrgNsy1QkgpiCGkSd-ArnFnwnPYWihywR_csGQpBqjgMBGD4xYVADiN5aI2cGHWp35_NxDsoB6vy2SjDA549aEVvlpTF$>

·         ISO TC68 https://www.iso.org/committee/49650.html<https://urldefense.com/v3/__https:/www.iso.org/committee/49650.html__;!!GjvTz_vk!SrgNsy1QkgpiCGkSd-ArnFnwnPYWihywR_csGQpBqjgMBGD4xYVADiN5aI2cGHWp35_NxDsoB6vy2SjDA549aIzBvY2t$>

Thank you for your consideration.

Jeff Stapleton
Wells Fargo
Enterprise Post Quantum Cryptography (PQC) Strategy
Senior Lead Cyber Security Research Consultant
Mobile 817-682-1318

v2.23.0 | Report a Bug | By Email