[TLS] OpenPGP Certs for TLS [was: Re: Summarizing identity change discussion so far]

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 17 December 2009 23:47 UTC

Message-ID: <4B2AC2E3.6020507@fifthhorseman.net>
Date: Thu, 17 Dec 2009 18:46:43 -0500
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla-Thunderbird 2.0.0.22 (X11/20091109)
MIME-Version: 1.0
To: tls@ietf.org
References: <808FD6E27AD4884E94820BC333B2DB774F31A4FD08@NOK-EUMSG-01.mgdnok.nokia.com> <6b9359640912171337j7ed5be63gf431e0fb12070944@mail.gmail.com> <808FD6E27AD4884E94820BC333B2DB774F31F77BDC@NOK-EUMSG-01.mgdnok.nokia.com> <6b9359640912171515t1ef6f336id71c2ee3baec5c83@mail.gmail.com>
In-Reply-To: <6b9359640912171515t1ef6f336id71c2ee3baec5c83@mail.gmail.com>
OpenPGP: id=D21739E9

On 12/17/2009 06:15 PM, Kyle Hamilton wrote:
> (Certificate type 0 is X.509/PKIX.  Certificate type 1 is OpenPGP --
> oh, but wait, we don't have anyone here to advocate the matching rules
> for its particular IANA assignment... Each type, 0 and 1, has
> different matching rules.  The rule for verifying the token that is
> presented MUST be defined, in TLS, as the rule defined by the document
> that defines the format of the token, or else the TLS WG is once again
> putting a policy decision into a technical specification, restricting
> the kinds of authentication which can be used.)

Actually, i'm interested in proposing some concrete matching rules for
certificate type 1 (OpenPGP) at some point, though i haven't seen any
attempts to formalize them yet in the context of TLS.

I don't think that this particular draft (covering TLS renegotiation) is
the place to do it, though.

But if folks want to talk about OpenPGP certs for TLS as part of another
conversation, i'm interested.  I might be taking over 5081bis from Nikos
Mavrogiannopoulos as well, and i'd really like feedback from the
knowledgeable and experienced people here on it.  But i thought i'd
let the current situation get sorted out first (and do a bit more of the
background work i need to do) before moving that project up in visibility.

Just wanted to register that there actually *are* folks who are invested
in OpenPGP certs for TLS.

Btw, thanks to everyone for the thoughtful discussion here.  I don't
intend my sudden de-lurking as an interruption of the work at hand.

Regards,

	--dkg
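The certificate types 0 (X.509) and 1 (OpenPGP) that Kyle's quoted remark refers to are negotiated through the cert_type extension defined in RFC 5081 (extension type 9; the client offers a list of types, the server answers with one). The following is an added example, not code from the message above or from any draft dkg mentions: it encodes and parses that extension and carries out the negotiation. The one check it insists on is that the server's choice must be a type the client actually offered, since otherwise the peer (or an attacker rewriting the ServerHello) could push the client into a certificate type whose matching rules it never agreed to apply. The default that an absent extension means X.509 is taken from RFC 5081 as I read it; the sample exchange at the bottom is constructed.

```python
import struct

CERT_TYPE_EXT = 9            # ExtensionType "cert_type" (RFC 5081)
X509, OPENPGP = 0, 1         # CertificateType values: X.509 = 0, OpenPGP = 1
CERT_TYPE_NAMES = {X509: "X.509", OPENPGP: "OpenPGP"}


def encode_client_cert_types(types):
    """ClientHello form: CertificateType certificate_types<1..2^8-1>."""
    if not 1 <= len(types) <= 255:
        raise ValueError("cert_type list must hold 1..255 entries")
    body = bytes([len(types)]) + bytes(types)
    return struct.pack("!HH", CERT_TYPE_EXT, len(body)) + body


def encode_server_cert_type(cert_type):
    """ServerHello form: a single CertificateType byte."""
    body = bytes([cert_type])
    return struct.pack("!HH", CERT_TYPE_EXT, len(body)) + body


def parse_extensions(blob):
    """Split a TLS extension block into {type: body}, rejecting truncation
    and duplicate extension types (either one is a malformed hello)."""
    exts = {}
    pos = 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", blob, pos)
        pos += 4
        if pos + ext_len > len(blob):
            raise ValueError("truncated extension body")
        if ext_type in exts:
            raise ValueError("duplicate extension type %d" % ext_type)
        exts[ext_type] = blob[pos:pos + ext_len]
        pos += ext_len
    return exts


def client_cert_types(client_exts):
    """Types the client is willing to validate, in its preference order.
    No extension means the client only understands X.509 (assumed default)."""
    body = client_exts.get(CERT_TYPE_EXT)
    if body is None:
        return [X509]
    if len(body) < 2 or body[0] == 0 or body[0] != len(body) - 1:
        raise ValueError("malformed client cert_type extension")
    return list(body[1:])


def choose_server_cert_type(offered, supported):
    """Server side: first client-preferred type the server can present,
    or None when there is no overlap (abort the handshake rather than
    silently falling back to a type the client did not list)."""
    for t in offered:
        if t in supported:
            return t
    return None


def server_choice_is_valid(offered, chosen):
    """Client-side check: the server may only select a type the client offered."""
    return chosen in offered


def negotiate(client_exts, server_exts):
    """Run both sides of the cert_type negotiation over parsed extension
    maps and return the agreed CertificateType."""
    offered = client_cert_types(client_exts)
    body = server_exts.get(CERT_TYPE_EXT)
    if body is None:
        chosen = X509               # absent on the server side: X.509 (assumed)
    elif len(body) != 1:
        raise ValueError("malformed server cert_type extension")
    else:
        chosen = body[0]
    if not server_choice_is_valid(offered, chosen):
        raise ValueError("server selected %s, which the client did not offer"
                         % CERT_TYPE_NAMES.get(chosen, chosen))
    return chosen


if __name__ == "__main__":
    # Constructed sample exchange: client prefers OpenPGP but accepts X.509;
    # the server supports both and follows the client's preference order.
    client_hello = encode_client_cert_types([OPENPGP, X509])
    offered = client_cert_types(parse_extensions(client_hello))
    pick = choose_server_cert_type(offered, {X509, OPENPGP})
    server_hello = encode_server_cert_type(pick)
    agreed = negotiate(parse_extensions(client_hello),
                       parse_extensions(server_hello))
    print("agreed certificate type:", CERT_TYPE_NAMES[agreed])
```

Once `negotiate` has returned a type, the caller dispatches to that type's own validation: PKIX chain building and name matching for 0, and whatever rules a future 5081bis specifies for 1. Keeping the two paths separate is what lets the TLS layer stay out of the policy question the quoted message raises.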