[TLS] oob-pubkey and cached-info
Paul Wouters <paul@xelerance.com> Thu, 17 November 2011 16:37 UTC
Date: Thu, 17 Nov 2011 11:37:41 -0500
From: Paul Wouters <paul@xelerance.com>
To: =JeffH <Jeff.Hodges@KingsMountain.com>
In-Reply-To: <4EC4F080.7080100@KingsMountain.com>
Message-ID: <alpine.DEB.2.00.1111171123350.19177@mail.xelerance.com>
References: <4EC4F080.7080100@KingsMountain.com>
Cc: IETF TLS WG <tls@ietf.org>
Subject: [TLS] oob-pubkey and cached-info

On Thu, 17 Nov 2011, =JeffH wrote:

> Subject: [TLS] raw unofficial minutes: TLS WG: IETF-82 Taipei

Thanks Jeff!

> --------------------------------------------------
> Hannes T. : tls out-of-band public key validation
> --------------------------------------------------
>
> draft-wouters-tls-oob-pubkey-01
>
> Tero and Hannes are on the author team now since ietf-81 quebec
>
> "RawPublicKey" -- new cert type in client_hello
>
> leverages the TLS Cert types registry that RFC 6091 defined
>
> convey pub key in subjectPublicKeyInfo structure from X.509 cert structures (see also rfc5280)
>
> don't need to define new ciphersuites -- but need to use approp ciphersuite with type of pubkey that's being exchanged
>
> dan harkins (dh): why not just send the raw pub key rather than sending a hash of it?
>
> tero: send hash to keep bytes on wire smaller
>
> js: it might be an idea to resurrect the ? work -- that might address the hash thing

That was referring to:

http://tools.ietf.org/html/draft-ietf-tls-cached-info

   A new extension type (cached_information(TBD)) is defined and used in
   both the client hello and server hello messages. The extension type
   is specified as follows.

      enum {
           cached_information(TBD), (65535)
      } ExtensionType;

   The extension_data field of this extension, when included in the
   client hello, SHALL contain CachedInformation according to the
   following structure:

      enum {
           certificate_chain(1), trusted_cas(2), (255)
      } CachedInformationType;

Note that the cached-info draft has text that it can only use the hashes computed from previous TLS sessions, and does currently not allow calculating the cached information based on information from other sources, such as DANE/DNSSEC. I think there might be an interest on these small devices to also avoid sending this information unhashed on their first connection. Perhaps the cached-info draft could allow that?

(apologies if I missed previous discussion on this topic)

Note also that if within DANE a sha256 hash is used, it might be more convenient for the client to use the same hashing algorithm here to allow for easier strncmp(). However, that does reduce the strength of the public key to the strength of the hashing algorithm, since in that case, no full copy of the public key is going over the wire either in DANE or TLS.

Paul
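
Added example (not part of the original message or of either draft): a Python version of the comparison discussed above, in which a client checks the SubjectPublicKeyInfo it receives in TLS against a value obtained from DANE, either a SHA-256/SHA-512 hash or the full key. The TLSA RDATA layout (usage, selector, matching type, association data) comes from the DANE specification rather than from this thread; the function names and the sample bytes are constructed for this example.

```python
import hashlib
import hmac

# TLSA matching types: how the association data was derived from the key.
DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}
SELECTOR_SPKI = 1  # association data covers SubjectPublicKeyInfo only


def parse_tlsa(rdata: bytes):
    """Split TLSA RDATA into (usage, selector, matching_type, data)."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    return rdata[0], rdata[1], rdata[2], rdata[3:]


def spki_matches_tlsa(spki_der: bytes, rdata: bytes) -> bool:
    """Check a SubjectPublicKeyInfo received in TLS against one TLSA record."""
    _usage, selector, mtype, data = parse_tlsa(rdata)
    if selector != SELECTOR_SPKI:
        # A raw public key carries no certificate, so a full-certificate
        # association (selector 0) can never be checked against it.
        return False
    if mtype == 0:
        expected = spki_der          # full key published in DNS
    elif mtype in DIGESTS:
        expected = DIGESTS[mtype](spki_der).digest()
    else:
        return False                 # unknown matching type: no match
    # Digests are binary and may contain zero bytes, so compare the full
    # length; compare_digest also avoids an early-exit timing difference.
    return len(data) == len(expected) and hmac.compare_digest(data, expected)


# Constructed sample: DER prefix of an Ed25519 SubjectPublicKeyInfo followed
# by 32 placeholder key bytes (not a real key).
SAMPLE_SPKI = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))
# Constructed TLSA RDATA: usage 3, selector 1 (SPKI), matching type 1 (SHA-256).
SAMPLE_TLSA = bytes([3, 1, 1]) + hashlib.sha256(SAMPLE_SPKI).digest()

if __name__ == "__main__":
    print("match:", spki_matches_tlsa(SAMPLE_SPKI, SAMPLE_TLSA))
    other = SAMPLE_SPKI[:-1] + b"\xff"
    print("different key:", spki_matches_tlsa(other, SAMPLE_TLSA))
```

With matching type 1 or 2 only the digest is compared, so the check is no stronger than the hash; matching type 0 compares the full key bytes.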