Re: [TLS] Last Call: <draft-ietf-tls-oob-pubkey-09.txt> (Out-of-Band Public Key Validation for Transport Layer Security (TLS)) to Proposed Standard

Hannes Tschofenig <hannes.tschofenig@gmx.net> Fri, 18 October 2013 09:06 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39B2C21F9A50 for <tls@ietfa.amsl.com>; Fri, 18 Oct 2013 02:06:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NHoRPhkW06nk for <tls@ietfa.amsl.com>; Fri, 18 Oct 2013 02:06:21 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) by ietfa.amsl.com (Postfix) with ESMTP id 14FF821F9D5D for <tls@ietf.org>; Fri, 18 Oct 2013 02:06:04 -0700 (PDT)
Received: from [172.16.254.200] ([80.92.116.76]) by mail.gmx.com (mrgmx103) with ESMTPSA (Nemesis) id 0Lm2lZ-1W6Qgt1M93-00ZeFB for <tls@ietf.org>; Fri, 18 Oct 2013 11:06:02 +0200
Message-ID: <5260FA18.4030504@gmx.net>
Date: Fri, 18 Oct 2013 11:06:32 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.0
MIME-Version: 1.0
To: Alexey Melnikov <alexey.melnikov@isode.com>, ietf@ietf.org
References: <20130802072350.14846.84073.idtracker@ietfa.amsl.com> <5203B8BC.9080108@isode.com>
In-Reply-To: <5203B8BC.9080108@isode.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Provags-ID: V03:K0:zlqU1QMwfDH5sQ4L0MkElKMEbFXzBjEhVTwb9iZMrYdn4eDyYDK bJDf6h9b/81Mus5IW+4CHBKh8QVHhKe1ouv3k2KONwUG6X0JyN0AHXMXVuyOU/y68RW0xfh EitGBQwDW8kdsAxM6f+gHn9FHXFq4P1yk8zoaPbkEA74LzAnx1nYEke2D8bk4A5b/vcVJ5k 0oueSA1psyv2YfygPaAsw==
Cc: tls@ietf.org
Subject: Re: [TLS] Last Call: <draft-ietf-tls-oob-pubkey-09.txt> (Out-of-Band Public Key Validation for Transport Layer Security (TLS)) to Proposed Standard
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Oct 2013 09:06:27 -0000

Hi Alexey,

the first example indeed has a copy-and-paste error. I fixed it.

Ciao
Hannes

On 08/08/2013 05:26 PM, Alexey Melnikov wrote:
> On 02/08/2013 08:23, The IESG wrote:
>> The IESG has received a request from the Transport Layer Security WG
>> (tls) to consider the following document:
>> - 'Out-of-Band Public Key Validation for Transport Layer Security (TLS)'
>>    <draft-ietf-tls-oob-pubkey-09.txt> as Proposed Standard
>>
>> The IESG plans to make a decision in the next few weeks, and solicits
>> final comments on this action. Please send substantive comments to the
>> ietf@ietf.org mailing lists by 2013-08-16. Exceptionally, comments may be
>> sent to iesg@ietf.org instead. In either case, please retain the
>> beginning of the Subject line to allow automated sorting.
>>
>> Abstract
>>
>>
>>     This document specifies a new certificate type and two TLS
>>     extensions, one for the client and one for the server, for exchanging
>>     raw public keys in Transport Layer Security (TLS) and Datagram
>>     Transport Layer Security (DTLS) for use with out-of-band public key
>>     validation.
> Hi,
> I just read the document and support its publication.
>
> I think I found one minor issue:
>
> Section 4.1 says:
>
>     In order to indicate the support of out-of-band raw public keys,
>     clients MUST include the 'client_certificate_type' and
>     'server_certificate_type' extensions in an extended client hello
>     message.  The hello extension mechanism is described in TLS 1.2
>     [RFC5246].
>
> In Section 5 (the first example):
>
> client_hello,
>     server_certificate_type=(RawPublicKey) -> // [1]
>
> So it looks like the example doesn't comply with the MUST requirement in
> the Section 4.1 ("client_certificate_type" is missing) or the
> requirement stated in Section 4.1 is incorrect. I suspect you meant
> "'client_certificate_type' and/or 'server_certificate_type'" in Section
> 4.1.
>
> Best Regards,
> Alexey
>
>
>
>