IETF Logo Mail Archive

Re: [TLS] I-D Action: draft-ietf-tls-subcerts-10.txt

Russ Housley <housley@vigilsec.com> Mon, 01 February 2021 15:36 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9AD1D3A123D for <tls@ietfa.amsl.com>; Mon, 1 Feb 2021 07:36:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.888
X-Spam-Level:
X-Spam-Status: No, score=-1.888 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cD1gjNMx1cyL for <tls@ietfa.amsl.com>; Mon, 1 Feb 2021 07:36:55 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 350823A123C for <tls@ietf.org>; Mon, 1 Feb 2021 07:36:55 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 9E994300B5D for <tls@ietf.org>; Mon, 1 Feb 2021 10:36:52 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id MB2D9WoPOp18 for <tls@ietf.org>; Mon, 1 Feb 2021 10:36:50 -0500 (EST)
Received: from a860b60074bd.fios-router.home (pool-141-156-161-153.washdc.fios.verizon.net [141.156.161.153]) by mail.smeinc.net (Postfix) with ESMTPSA id AE6D2300B03; Mon, 1 Feb 2021 10:36:50 -0500 (EST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.17\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <B812F7AC-8E59-406E-9A54-A3EACFCD4F8D@sn3rd.com>
Date: Mon, 01 Feb 2021 10:36:51 -0500
Cc: IETF TLS <tls@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <B1F0F901-8761-4C4E-BBC4-A6242A689E8F@vigilsec.com>
References: <161152940146.13632.832237048620145771@ietfa.amsl.com> <DCAE7E47-90AF-4729-B5D1-949ADBBF2B39@vigilsec.com> <B812F7AC-8E59-406E-9A54-A3EACFCD4F8D@sn3rd.com>
To: Sean Turner <sean@sn3rd.com>
X-Mailer: Apple Mail (2.3445.104.17)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/HwYWifaMjyhS1d_Bw854C_8Omlk>
Subject: Re: [TLS] I-D Action: draft-ietf-tls-subcerts-10.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Feb 2021 15:36:59 -0000

Works for me.

> On Jan 31, 2021, at 11:58 PM, Sean Turner <sean@sn3rd.com> wrote:
> 
> Do you think this would be clearer:
> 
>  The maximum validity period is set to 7 days unless
>  an application profile standard specifies a shorter
>  period.
> 
> spt
> 
>> On Jan 25, 2021, at 11:14, Russ Housley <housley@vigilsec.com> wrote:
>> 
>> I have reviewed the recent update, and I notice one inconsistency.
>> 
>> Section 2 says:
>> 
>>  In the absence of an application profile standard
>>  specifying otherwise, the maximum validity period is set to 7 days.
>> 
>> Section 4.1.3 says:
>> 
>>  1.  Validate that DelegatedCredential.cred.valid_time is no more than
>>      7 days.
>> 
>> I think that Section 2 is trying to say that an application profile can make it even shorter than 7 days, but on my first reading I got the opposite.
>> 
>> Russ
>> 
>> 
>>> On Jan 24, 2021, at 6:03 PM, internet-drafts@ietf.org wrote:
>>> 
>>> 
>>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>>> This draft is a work item of the Transport Layer Security WG of the IETF.
>>> 
>>>      Title           : Delegated Credentials for TLS
>>>      Authors         : Richard Barnes
>>>                        Subodh Iyengar
>>>                        Nick Sullivan
>>>                        Eric Rescorla
>>> 	Filename        : draft-ietf-tls-subcerts-10.txt
>>> 	Pages           : 19
>>> 	Date            : 2021-01-24
>>> 
>>> Abstract:
>>> The organizational separation between the operator of a TLS endpoint
>>> and the certification authority can create limitations.  For example,
>>> the lifetime of certificates, how they may be used, and the
>>> algorithms they support are ultimately determined by the
>>> certification authority.  This document describes a mechanism by
>>> which operators may delegate their own credentials for use in TLS,
>>> without breaking compatibility with peers that do not support this
>>> specification.
>>> 
>>> 
>>> The IETF datatracker status page for this draft is:
>>> https://datatracker.ietf.org/doc/draft-ietf-tls-subcerts/
>>> 
>>> There are also htmlized versions available at:
>>> https://tools.ietf.org/html/draft-ietf-tls-subcerts-10
>>> https://datatracker.ietf.org/doc/html/draft-ietf-tls-subcerts-10
>>> 
>>> A diff from the previous version is available at:
>>> https://www.ietf.org/rfcdiff?url2=draft-ietf-tls-subcerts-10
>>> 
>>> 
>>> Please note that it may take a couple of minutes from the time of submission
>>> until the htmlized version and diff are available at tools.ietf.org.
>>> 
>>> Internet-Drafts are also available by anonymous FTP at:
>>> ftp://ftp.ietf.org/internet-drafts/
>>> 
>>> 
>>> _______________________________________________
>>> TLS mailing list
>>> TLS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/tls
>> 
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email