[Tls-reg-review] TLS Certificate Key Selection (CKS) Extension Using X.509 Hybrid Certificates

"Stapleton, Jeff" <Jeff.Stapleton@wellsfargo.com> Mon, 09 October 2023 14:25 UTC

From: "Stapleton, Jeff" <Jeff.Stapleton@wellsfargo.com>
To: "tls-reg-review@ietf.org" <tls-reg-review@ietf.org>
CC: "Bordow, Peter" <Peter.Bordow@wellsfargo.com>, "Rao, Abhijit" <Abhijit.Rao@wellsfargo.com>, "Anthony Hu (anthony@wolfssl.com)" <anthony@wolfssl.com>, David Hook <David.Hook@keyfactor.com>, "Steve Stevens - X9 Executve Director (steve.stevens@x9.org)" <steve.stevens@x9.org>
Date: Mon, 09 Oct 2023 14:24:47 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls-reg-review/YleguOWXpJ8FaDisGHAHggNCr1U>

Attached for consideration is draft-stapleton-hybrid-x509-cks-tls-01.docx, "TLS Certificate Key Selection (CKS) Extension Using X.509 Hybrid Certificates". This document describes a Transport Layer Security (TLS) extension, Certificate Key Selection (CKS), that uses hybrid X.509 certificates. The CKS extension allows TLS servers and clients to negotiate the usage order of the native public key and certificate signature, the alternate public key and certificate signature, or both. The CKS options enable forward or backward interoperability when migrating services for large organizations during one or more cryptographic transitions.

The goal of this document is to introduce CKS based on the draft X9.146 standard and register the TLS extension "9146" for further development.

ANSI X9.146-20231002 DRAFT, Public Key Infrastructure (PKI) - Certificate Key Selection (CKS) for Transport Layer Security (TLS). This standard specifies a Transport Layer Security (TLS) protocol extension for selecting the public key to use from certificates that carry more than one public key. The extension schema and its processing requirements are defined for both client and server participants in a TLS handshake. The current work focuses on hybrid (dual-key) certificates, but its scope will include composite and chameleon certificates.
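As an added illustration of the key selection described above (example code written for this archive page, not taken from the X9.146 draft or the attached document), the following Go model shows a client and server agreeing on a CKS option and a verifier checking only the certificate signature(s) that option requires, so that "both" really does demand both signatures while a fallback to "native" silently stops checking the alternate one. The option values, the `HybridCert` layout and the first-match negotiation policy are assumptions; both keys are Ed25519 only because the Go standard library has no post-quantum signature algorithm.

```go
package main

import (
	"crypto/ed25519"
	"errors"
)

type CKS uint8 // illustrative option values, not the X9.146 code points
const (
	CKSNative    CKS = 1 // native key and certificate signature only
	CKSAlternate CKS = 2 // alternate key and certificate signature only
	CKSBoth      CKS = 3 // both signatures must verify
)

// HybridCert: two issuer signatures over one TBS; Ed25519 for both keys is a stand-in.
type HybridCert struct {
	TBS               []byte
	NativePub, AltPub ed25519.PublicKey
	NativeSig, AltSig []byte
}

// IssueHybrid generates fresh issuer keys and signs tbs with both of them.
func IssueHybrid(tbs []byte) (*HybridCert, error) {
	nPub, nPriv, err1 := ed25519.GenerateKey(nil) // nil selects crypto/rand
	aPub, aPriv, err2 := ed25519.GenerateKey(nil)
	if err1 != nil || err2 != nil {
		return nil, errors.New("cks: issuer key generation failed")
	}
	return &HybridCert{tbs, nPub, aPub, ed25519.Sign(nPriv, tbs), ed25519.Sign(aPriv, tbs)}, nil
}

// Negotiate returns the first client preference the server also supports (assumed policy).
func Negotiate(clientPrefs, serverSupports []CKS) (CKS, error) {
	for _, c := range clientPrefs {
		for _, s := range serverSupports {
			if c == s {
				return c, nil
			}
		}
	}
	return 0, errors.New("cks: no common key selection option")
}

// Verify checks only the certificate signature(s) the negotiated option requires.
func Verify(cert *HybridCert, mode CKS) bool {
	nativeOK := ed25519.Verify(cert.NativePub, cert.TBS, cert.NativeSig)
	altOK := ed25519.Verify(cert.AltPub, cert.TBS, cert.AltSig)
	switch mode {
	case CKSNative:
		return nativeOK
	case CKSAlternate:
		return altOK
	}
	return mode == CKSBoth && nativeOK && altOK
}
```

A client that prefers CKSBoth but accepts CKSNative will, against a server that only supports the native option, end up with a handshake in which the alternate signature is never checked; the negotiated option, not the certificate contents, decides what is verified.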

Note that X9.146 is copyrighted by ASC X9 per ANSI rules. If successful, this ANSI standard will be submitted to TC68 for ISO standardization, where per ISO rules it will also be copyrighted. See the links below.

  *   ASC X9 https://x9.org/
  *   ANSI https://www.ansi.org/
  *   ISO https://www.iso.org/home.html
  *   ISO TC68 https://www.iso.org/committee/49650.html

Thank you for your consideration.

Jeff Stapleton
Wells Fargo
Enterprise Post Quantum Cryptography (PQC) Strategy
Senior Lead Cyber Security Research Consultant
Mobile 817-682-1318