Re: [TLS] the idea of using multiple keys with multiple certificate authorities in a TLS session.
Hanno Böck <hanno@hboeck.de> Sun, 08 February 2015 09:44 UTC
Return-Path: <hanno@hboeck.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 187D41A8903 for <tls@ietfa.amsl.com>; Sun, 8 Feb 2015 01:44:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.699
X-Spam-Level: **
X-Spam-Status: No, score=2.699 tagged_above=-999 required=5 tests=[BAYES_50=0.8, MANGLED_BACK=2.3, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6oC5tqMoMy8L for <tls@ietfa.amsl.com>; Sun, 8 Feb 2015 01:44:01 -0800 (PST)
Received: from zucker.schokokeks.org (zucker.schokokeks.org [178.63.68.96]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E5681A1A75 for <tls@ietf.org>; Sun, 8 Feb 2015 01:44:01 -0800 (PST)
Received: from pc (ip25053127.dynamic.kabel-deutschland.de [::ffff:37.5.49.39]) (AUTH: LOGIN hanno-default@schokokeks.org, TLS: TLSv1/SSLv3, 128bits, ECDHE-RSA-AES128-GCM-SHA256) by zucker.schokokeks.org with ESMTPSA; Sun, 08 Feb 2015 10:43:58 +0100 id 0000000000000072.0000000054D72FDE.00006283
Date: Sun, 08 Feb 2015 10:43:57 +0100
From: Hanno Böck <hanno@hboeck.de>
To: tls@ietf.org
Message-ID: <20150208104357.405debbd@pc>
In-Reply-To: <CADrAmL4mKQOZfZ1-D47s4ciC6H_9hwv6YCQKNP1FCbdF8S_ODg@mail.gmail.com>
References: <CADrAmL6xOMOauSHuTR8BUK7i4NG2Zx3H90dA6k36YMu81pVW0A@mail.gmail.com> <3FE6EA13-AF0F-4838-9F1F-CB0DEC158225@gmail.com> <CA6569EF-931B-4787-85DC-8A39EA7EB8F0@gmail.com> <CADrAmL4mKQOZfZ1-D47s4ciC6H_9hwv6YCQKNP1FCbdF8S_ODg@mail.gmail.com>
X-Mailer: Claws Mail 3.11.1 (GTK+ 2.24.25; x86_64-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="=_zucker.schokokeks.org-25219-1423388638-0001-2"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/1WiwESe8ggPbznUORWdNeOjrQhE>
Subject: Re: [TLS] the idea of using multiple keys with multiple certificate authorities in a TLS session.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Feb 2015 09:44:03 -0000
On Sat, 7 Feb 2015 11:59:20 +0330 Shahin Noursalehi <mixoftix@gmail.com> wrote: > Anyway, this would be an optional process - so abides by the policies > of QoS too. After 2014, enterprises may look for a method that reduces > the risk of being victim of "fake SSL certificate issuers" or those > who "put a backdoor in RSA key-pairs". When we have sensitive data, > the cost among benefits is nothing. Sometimes a simple email in > internet among a patient and a physician that contains some critical > health information may jeopardize his/her life style and can not > roll-back. I don't understand how your proposal makes "fake ssl certificate issuers" less likely. You propose to use two keys signed from different CAs. However, in what way does this make it less likely that a completely different CA may issue a rogue cert for the same domain? The attacked user will never see your two keys. If you want to make fake ssl certificates less likely you should use key pinning (right now only available for https, unfortunately not for other protocols) and certificate transparency. I don't see what your proposal adds to that. Also I don't understand your threat scenario "put a backdoor in RSA key-pairs". What do you mean by that? I know that there are some CAs that provide to create the key for you. If you are worried about that just don't do that. Use CSRs and create the key yourself. -- Hanno Böck http://hboeck.de/ mail/jabber: hanno@hboeck.de GPG: BBB51E42
- [TLS] the idea of using multiple keys with multip… Shahin Noursalehi
- Re: [TLS] the idea of using multiple keys with mu… Karthikeyan Bhargavan
- Re: [TLS] the idea of using multiple keys with mu… Ilari Liusvaara
- Re: [TLS] the idea of using multiple keys with mu… Russ Housley
- Re: [TLS] the idea of using multiple keys with mu… Karthikeyan Bhargavan
- Re: [TLS] the idea of using multiple keys with mu… Hanno Böck
- Re: [TLS] the idea of using multiple keys with mu… Shahin Noursalehi