Re: [TLS] draft-rescorla-tls-subcerts

Russ Housley <> Fri, 08 July 2016 04:54 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5B1A812D1D8 for <>; Thu, 7 Jul 2016 21:54:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -101.899
X-Spam-Status: No, score=-101.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id FbPfkNGr6NG5 for <>; Thu, 7 Jul 2016 21:54:48 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id AFD9612B053 for <>; Thu, 7 Jul 2016 21:54:47 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8248C300540 for <>; Fri, 8 Jul 2016 00:54:45 -0400 (EDT)
X-Virus-Scanned: amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10026) with ESMTP id zkOtIQ8PU49A for <>; Fri, 8 Jul 2016 00:54:44 -0400 (EDT)
Received: from [] ( []) by (Postfix) with ESMTPSA id E944C3002C4; Fri, 8 Jul 2016 00:54:43 -0400 (EDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_CF71C3BA-8B6B-4F92-8B46-335A219F9BDD"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Russ Housley <>
In-Reply-To: <>
Date: Fri, 08 Jul 2016 00:53:54 -0400
Message-Id: <>
References: <>
To: Eric Rescorla <>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <>
Subject: Re: [TLS] draft-rescorla-tls-subcerts
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 08 Jul 2016 04:54:52 -0000


I have not had a chance to look at the draft yet, but based on your cover note you seem to have several requirements in common with RFC 3820.


On Jul 7, 2016, at 3:28 PM, Eric Rescorla <> wrote:

> We've talked several times about designing some sort of TLS delegation
> mechanism. A few of us got together and put together some initial thoughts
> about the options at:
> The general idea here is to have some mechanism for allowing what
> are effectively end-entities to issue short-lived credentials that allow other
> entities to act on their behalf (e.g., for CDN use cases).
> Comments welcome.
> In terms of the security analysis, it's obviously very important that this mechanism
> not present a risk to existing TLS servers. The mechanism designed here is
> intended to be future safe in that sense, though perhaps we've missed something.
> I also wanted to clarify a couple points about attacks where the certificate that signs the delegated credential is also used for ordinary TLS operation (which generally is a practice that's pretty scary). As noted above it's important that existing certs not be usable this way, but maybe future certs would be.
> 1. It's important to construct the delegated credential in such a way that you can't use a TLS server as a signing oracle. If you choose "option 2" where you define a new structure, then it's probably sufficient to use the TLS 1.3 "context-including" digitally-signed production proposed by AGL. If you you choose "option 1" where the delegated credential is an X.509 cert, then you'd need to make some rules about fixing portions of the cert that the TLS client can't control.
> 2. If you're concerned about attacks like those of Jager et al. which exploit RSA decryption, what's important is that the attacker not be able to get the server to do TLS 1.2-style static RSA with the key. Playing with the usage bits definitely makes it harder to configure the server this way (because it's likely to cause bustage) but may not be enough, because sufficiently busted clients and server might be willing to use them that way anyway.
> In the next rev, we'll update the draft to make these points more clearly.
> -Ekr
> _______________________________________________
> TLS mailing list