Re: [TLS] Fwd: New Version Notification for draft-lonc-tls-certieee1609-00.txt
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 14 February 2014 18:52 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B05A1A0368 for <tls@ietfa.amsl.com>; Fri, 14 Feb 2014 10:52:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.6
X-Spam-Level:
X-Spam-Status: No, score=-1.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LHdY7gjN5hPh for <tls@ietfa.amsl.com>; Fri, 14 Feb 2014 10:52:21 -0800 (PST)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 5002E1A02EE for <tls@ietf.org>; Fri, 14 Feb 2014 10:52:21 -0800 (PST)
Received: from [192.168.23.229] (dsl254-070-154.nyc1.dsl.speakeasy.net [216.254.70.154]) by che.mayfirst.org (Postfix) with ESMTPSA id 3C787F984; Fri, 14 Feb 2014 13:52:17 -0500 (EST)
Message-ID: <52FE65E2.2020002@fifthhorseman.net>
Date: Fri, 14 Feb 2014 13:52:18 -0500
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.2.0
MIME-Version: 1.0
To: François Lonc <francois.lonc@telecom-paristech.fr>, tls@ietf.org
References: <20140214170030.8100.74818.idtracker@ietfa.amsl.com> <52FE562C.9080103@telecom-paristech.fr>
In-Reply-To: <52FE562C.9080103@telecom-paristech.fr>
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="fG4s4MttCvskN3uG5u7C2g9sUo0q1U5qP"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/G_YNsCOb9QIXL_Cj8bo6sNjiV5A
Subject: Re: [TLS] Fwd: New Version Notification for draft-lonc-tls-certieee1609-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Feb 2014 18:52:23 -0000
Hi François-- On 02/14/2014 12:45 PM, François Lonc wrote: > I just published this draft about using other certificates (namely ETSI > TS-103-097 and IEEE 1609.2) with TLS. As it defines a new TLS extension > I think it would fit in this group, but I'm brand new here so I might be > mistaken. > > The envisioned application is ITS (as in Intelligent Transportation > System) in Europe (therefore the ETSI). > > I am aware that draft-ietf-tls-oob-pubkey > <http://datatracker.ietf.org/doc/draft-ietf-tls-oob-pubkey/> proposes a > similar TLS mechanism, but since the goals and applications seem very > different, I thought it would still be worth submitting. A clear explanation of how the goals and applications differ from existing work would be useful in understanding why a new draft is needed. Also, this draft seems similar to RFC 6091, which already has a registry of certificate types. Have you considered adding another entry or two to that registry, rather than defining a new extension mechanism? Barring that, a few notes follow: The list of enumerated types for SupportedCertType and AcceptedCertType seems to be identical. is there any chance that they might differ? if not, why not collapse them into a single enum? your IANA considerations section seems to be missing any reference to the enumerated type list. is this a registry you'd expect IANA to maintain? if not, how would it be extended? The security considerations section seems too thin. what characteristics are relevant to these two different certificate formats? from a basic skim and search: the ETSI reference is 33 pages, and has security as one of its top-level keywords and several pages about security policy considerations. are none of these relevant to this draft? I couldn't find a freely-available copy of IEEE 1609.2, so i couldn't evaluate what kinds of security considerations might come into play for this. Are there trust anchors, pre-loaded lists, standard verification policies, TOFU approaches, or other regimes for validating these certificates? which approaches are the recommended ones? If the draft plans to punt on certificate validation, or to refer to some other document for "best practices" for certificate validation, it should probably do so explicitly. in what contexts would someone want to use one of these different certificate types instead of an X.509 certificate or an OpenPGP certificate or a raw public key? If there are multiple possible encodings, how are these new certificate formats packaged on the wire when they are included in the Server Certificate or Client Certificate message? the ETSI document suggests that ETSI keys can be either ecdsa_nistp256_with_sha256 or ecies_nistp256. how do those key types interact with the various key exchange mechanisms? For example, i would guess that an ecdsa_nistp256_with_sha256 key should only be used with a DHE ciphersuite, presumably ECDHE_ECDSA (https://tools.ietf.org/html/rfc4492#section-2.2) Will the signed_params object in the ServerKeyExchange algorithm use the same signature mechanism and structure as would have been produced by the same key packaged in an ECDSA X.509 certificate, or would it structure the signature as in ETSI's §4.2.10? Is there any interaction between the use of an ETSI cert and the ECC extensions listed in rfc 4492? What should happen in a TLS handshake where neither peer offers any of the extensions from 4492 but they want to negotiate this new extension? (i'm asking about ETSI here because the spec is available gratis, but i suspect similar questions are relevant to IEEE 1609.2) The extension_data explanation doesn't identify a top-level structure that explains how the data will be packed into the extension. in particular, it looks like the certificate_authorities object is dangling to me. how does the server indicate to the client which of the client's "supported" certificate types it is willing to accept? Can you clarify the difference between "supported" and "accepted"? I think "supported" means "i have a private key and a certificate that matches one of these certificate types" and "accepted" means "i am able to parse one of these certificate types from my peer", but it's probably better to be explicit about it. hth, --dkg
- [TLS] Fwd: New Version Notification for draft-lon… François Lonc
- Re: [TLS] Fwd: New Version Notification for draft… Daniel Kahn Gillmor