[TLS] Review of draft-wouters-tls-oob-pubkey-00.txt
Eric Rescorla <ekr@rtfm.com> Mon, 25 July 2011 17:19 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D100721F8BC5 for <tls@ietfa.amsl.com>; Mon, 25 Jul 2011 10:19:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.977
X-Spam-Level:
X-Spam-Status: No, score=-102.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gRv13KGN07lD for <tls@ietfa.amsl.com>; Mon, 25 Jul 2011 10:19:02 -0700 (PDT)
Received: from mail-ww0-f44.google.com (mail-ww0-f44.google.com [74.125.82.44]) by ietfa.amsl.com (Postfix) with ESMTP id E498721F8BC3 for <tls@ietf.org>; Mon, 25 Jul 2011 10:19:01 -0700 (PDT)
Received: by wwe5 with SMTP id 5so2896720wwe.13 for <tls@ietf.org>; Mon, 25 Jul 2011 10:19:01 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.227.32.136 with SMTP id c8mr4102341wbd.7.1311614340969; Mon, 25 Jul 2011 10:19:00 -0700 (PDT)
Received: by 10.227.145.209 with HTTP; Mon, 25 Jul 2011 10:19:00 -0700 (PDT)
Date: Mon, 25 Jul 2011 13:19:00 -0400
Message-ID: <CABcZeBOVWtTgRcCQ_C8jq_E=LW5nKtUYFrTYyaDcb6-WtdtLWQ@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
To: tls@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"
Subject: [TLS] Review of draft-wouters-tls-oob-pubkey-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2011 17:19:02 -0000
This document describes a mechanism for allowing the client to indicate to the server that he has cached the server's TLS public key. The server then omits the key from the handshake and the client relies on the cached value. OVERALL Section 1.1 appears to describe two primary motivations for this extension: - It saves the cost of transmitting the certificate over the network to the client. - It potentially conflicts with other validation mechanisms which the client may have for checking the server cert. In support of these motivations it lists the following use cases (numbered by me): 1. The TLS server public key is obtained from a [PKIX] certificate chain from an [LDAP] server 2. The TLS server public key is obtained from a DNSSEC secured RRset using [DANE] 3. The TLS server public key is provisioned by the operating system and updated via software updates 4. A TLS client has connected to the TLS server before and has cached the TLS server certificate chain or TLS server public key for re- use The second motivation does not apply to use cases (1) and (4): The server's credentials are already phrased as PKIX credentials and client can validatte them however it wishes, the only need is for the server and client to assure themselves that they have the same set of validated credentials. Thus, the only issue here is bandwidth; the TLS WG already has a (dormant) work item on caching certificate messages, draft-ietf-tls-cached-info. That item is dormant due primarily to lack of energy. To the extent to which we are dealing with certs phrased as PKIX credentials, then energy should be applied to that document. The second motivation is more convincing for cases (2) and (3) [though in truth it is IMO still more likely that in case 3 the credential will be phrased as a cert.] However, it's not really that convincing to me: TLS stacks already have X.509 parsing, and pulling the public key out is a fairly straightforward task. I don't see any reason why it's troublesome to ignore the rest of the certificate; indeed this is a quite common practice when self-signed certs are in use. So, I don't see this as that troublesome. As above, the bandwidth issue can be dealt with by draft-ietf-tls-cached-info. In summary, I don't see a lot of use for this extension. However, if there is real demand for it, the right approach would be to resurrect draft-ietf-tls-cached-info and add a new cache type for the EE public key. OTHER COMMENTS What's the reason why you would want to send the server the SPKI instead of the hash? opaque SHA256Hash<32>; You probably want [32] here.
- [TLS] Review of draft-wouters-tls-oob-pubkey-00.t… Eric Rescorla
- Re: [TLS] Review of draft-wouters-tls-oob-pubkey-… Paul Wouters
- Re: [TLS] Review of draft-wouters-tls-oob-pubkey-… Eric Rescorla
- Re: [TLS] Review of draft-wouters-tls-oob-pubkey-… Paul Wouters
- Re: [TLS] Review of draft-wouters-tls-oob-pubkey-… Eric Rescorla
- Re: [TLS] Review of draft-wouters-tls-oob-pubkey-… Paul Wouters
- Re: [TLS] Review of draft-wouters-tls-oob-pubkey-… Paul Wouters
- Re: [TLS] Review of draft-wouters-tls-oob-pubkey-… Eric Rescorla
- Re: [TLS] Review of draft-wouters-tls-oob-pubkey-… Paul Wouters
- Re: [TLS] Review of draft-wouters-tls-oob-pubkey-… Eric Rescorla
- Re: [TLS] Review of draft-wouters-tls-oob-pubkey-… Martin Rex
- Re: [TLS] Review of draft-wouters-tls-oob-pubkey-… Paul Wouters
- Re: [TLS] Review of draft-wouters-tls-oob-pubkey-… Martin Rex
- Re: [TLS] Review of draft-wouters-tls-oob-pubkey-… Nikos Mavrogiannopoulos
- Re: [TLS] Review of draft-wouters-tls-oob-pubkey-… Martin Rex
- Re: [TLS] Review of draft-wouters-tls-oob-pubkey-… Paul Wouters
- Re: [TLS] Review of draft-wouters-tls-oob-pubkey-… Nikos Mavrogiannopoulos
- Re: [TLS] Review of draft-wouters-tls-oob-pubkey-… Paul Wouters
- Re: [TLS] Review of draft-wouters-tls-oob-pubkey-… Martin Rex