IETF Logo Mail Archive

Re: [TLS] draft-wang-tls-raw-public-key-with-ibc-10

Wang Haiguang <wang.haiguang.shieldlab@huawei.com> Sun, 24 March 2019 12:16 UTC

Return-Path: <wang.haiguang.shieldlab@huawei.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43E511275F3 for <tls@ietfa.amsl.com>; Sun, 24 Mar 2019 05:16:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GoOdwU9ltgm5 for <tls@ietfa.amsl.com>; Sun, 24 Mar 2019 05:16:47 -0700 (PDT)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9F478126C01 for <tls@ietf.org>; Sun, 24 Mar 2019 05:16:47 -0700 (PDT)
Received: from lhreml702-cah.china.huawei.com (unknown [172.18.7.107]) by Forcepoint Email with ESMTP id 755269EBDBFB47EFCDB7 for <tls@ietf.org>; Sun, 24 Mar 2019 12:16:45 +0000 (GMT)
Received: from SINEML705-CAH.china.huawei.com (10.223.161.55) by lhreml702-cah.china.huawei.com (10.201.108.43) with Microsoft SMTP Server (TLS) id 14.3.408.0; Sun, 24 Mar 2019 12:16:44 +0000
Received: from SINEML521-MBX.china.huawei.com ([169.254.1.119]) by SINEML705-CAH.china.huawei.com ([10.223.161.55]) with mapi id 14.03.0415.000; Sun, 24 Mar 2019 20:16:41 +0800
From: Wang Haiguang <wang.haiguang.shieldlab@huawei.com>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] draft-wang-tls-raw-public-key-with-ibc-10
Thread-Index: AdTftNFrvlhWFP56RKG/V+cna1b4df//6R+AgAIwy8WAAKdgAIACSSzv
Date: Sun, 24 Mar 2019 12:16:41 +0000
Message-ID: <0AE05CBFB1A6A0468C8581DAE58A31309E3325C5@SINEML521-MBX.china.huawei.com>
References: <0AE05CBFB1A6A0468C8581DAE58A31309E321135@SINEML521-MBX.china.huawei.com> <CABcZeBMfY38Ps4fVk+Y6xuJB9=WjCJVNgyL+aOKp6TVy=s8ZKw@mail.gmail.com> <0AE05CBFB1A6A0468C8581DAE58A31309E323661@SINEML521-MBX.china.huawei.com>, <e766492c-07b0-b45f-d6ae-e636422fcd4b@nomountain.net>
In-Reply-To: <e766492c-07b0-b45f-d6ae-e636422fcd4b@nomountain.net>
Accept-Language: en-SG, en-US
Content-Language: en-SG
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.220.66.246]
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/0Iuxy9bzmcsDg92EoX4yxGGggQE>
Subject: Re: [TLS] draft-wang-tls-raw-public-key-with-ibc-10
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 Mar 2019 12:16:50 -0000

Hi, Melinda

We do plan to include an expire date in the identity design. The valid period is a decision that should be decide either by the user or the PKG manager. 

When we use the existing raw public as specified in the TLS 1.3, somebody has to decide the lifetime of a raw public key also.   

Wtih IBC, re-keying is needed when a private key is expired. Similarly, when a raw public (as in TLS 1.3) expires, the binding list has to be updated by re-keying the raw public key at server side.  

Haiguang 
________________________________________
From: TLS [tls-bounces@ietf.org] on behalf of Melinda Shore [melinda.shore@nomountain.net]
Sent: Saturday, 23 March, 2019 5:12:20 PM
To: tls@ietf.org
Subject: Re: [TLS] draft-wang-tls-raw-public-key-with-ibc-10

On 3/22/19 7:28 AM, Wang Haiguang wrote:
> [HG] Regarding the revocation, we did not mention it in the draft, but
> we have
>
> considered it in the design. In practice, an
>
> expiring time can be included in the identity for the IBC system.
>
> In fact, in RFC 6507 page 7-8, authors have mentioned that expiration
> time may be included
>
> in the identity. That’s the reason we have not discussed the revocation
> issue in our draft.  If experts in this
>
> group think we should address this issue, we can provide more
> information and details in the next draft.
>

I generally agree with EKR's comments but I do think this is a
particular problem that needs to be addressed.  The security of a
mechanism like this depends on the ability to revoke compromised keys.
Your draft does not, in fact, include a key lifetime in the identifier
(and note that the timestamp is a MAY in RFC 6507).  If you decide to
include one it will probably need to be notably short in order to
provide any robustness against key compromises, which means that
rekeying and provisioning are going to be a practical problem that
may not be in scope for the draft but which will need to be addressed
in implementation and deployment.

I'm unenthusiastic about this draft but to the extent that there's a
hope to progress it, revocation really must be dealt with.

Melinda


--
Software longa, hardware brevis

PGP key fingerprint  4F68 2D93 2A17 96F8 20F2
                     34C0 DFB8 9172 9A76 DB8F

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email