Re: [TLS] draft-wang-tls-raw-public-key-with-ibc-10
Eric Rescorla <ekr@rtfm.com> Sat, 23 March 2019 11:31 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 072C8130EB1 for <tls@ietfa.amsl.com>; Sat, 23 Mar 2019 04:31:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vj3szZ9VQ_nL for <tls@ietfa.amsl.com>; Sat, 23 Mar 2019 04:31:32 -0700 (PDT)
Received: from mail-lj1-x22d.google.com (mail-lj1-x22d.google.com [IPv6:2a00:1450:4864:20::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E65A130EA8 for <tls@ietf.org>; Sat, 23 Mar 2019 04:31:31 -0700 (PDT)
Received: by mail-lj1-x22d.google.com with SMTP id z26so4036530lja.13 for <tls@ietf.org>; Sat, 23 Mar 2019 04:31:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=sGUFcF6K1l+9v23A/KNiLY3KSxPDKhgTbfLdi0VUYCY=; b=WIFR3gPGo/7U/x+a7O3iV1B31hj3oLSV8sGkCxxrocW/9GFPjoggGKeSVot99qZ3Ay zelO3Ai8o3DpvxdlXa9CteR15cBPr9TeJjGKP4Si8vCMIRCsDxB5jih1abp9TKCCZemS HGkYQhrZMqOPcbYeACVkBq7x+7i1hAH/OjVOb52FMGZ8cOEXip/wfJqHhpFsx3PtXvKI SOQfCH+ygi61K2OqWeX374/bno2UF8xES8AA3cuizxanpX8AyZ9N0ebZazA8garX0uCj OT9ks8gytHn7f9fy29S/bsSui0jfB+65yqNitgLPsvAqy9pJDmoDzluTcjCeJCGoFM0O rtrQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=sGUFcF6K1l+9v23A/KNiLY3KSxPDKhgTbfLdi0VUYCY=; b=bpMf5ddQZnjg+spl8IIjBWjzV8Nt2bi5gx4SccXMMHduennDu1SC8deaYuVVyHPDD6 SzB75/xz7cyV2G8nk8ck2dWeXAskehWHE3kAsqj1nducrUHgRo1X+cbo2jViyVLlZ/k9 t2YcHBT+Itd7L/5/pNfcgDyMUNvT35VaLhnGShfiWIACSITSr0sIZjycyqcKvYUPg3op DJOIXfMdAUgB0ZlMZdqur+OIaLrkYvMNWD/C2dPmxKDcSYTu1lFHTr6Nun3tAALXIU58 KaQ8QWU+tsCwbVkep0RLgjwFpd9cosXyjPgZTVAeKr79HDwlHDgmz1RXEepa0Jzvt/tP bzPg==
X-Gm-Message-State: APjAAAXJAN465Pm/MqCoSvNm3C5ccaCTYKHIC3Dc+n982XgviPDjcrWD +95eZed3Ta6SPgYoIzKkSZ0GXVBaydKhMe85rt5POg==
X-Google-Smtp-Source: APXvYqwlj+R+v10JkUdVCBgEvI+Z0zGa59F9hGzwgGPBeX6DlTFO+EaHxxMTlTIZCrJNr+NppDNxIpfC+zvshb0InK8=
X-Received: by 2002:a2e:8e8e:: with SMTP id z14mr7667935ljk.86.1553340689449; Sat, 23 Mar 2019 04:31:29 -0700 (PDT)
MIME-Version: 1.0
References: <0AE05CBFB1A6A0468C8581DAE58A31309E321135@SINEML521-MBX.china.huawei.com> <CABcZeBMfY38Ps4fVk+Y6xuJB9=WjCJVNgyL+aOKp6TVy=s8ZKw@mail.gmail.com> <0AE05CBFB1A6A0468C8581DAE58A31309E323661@SINEML521-MBX.china.huawei.com> <CABcZeBNq4cjOia_mLViqw=fMKY3HMHJ0vdvwEkRVftGiFo=xug@mail.gmail.com> <0AE05CBFB1A6A0468C8581DAE58A31309E329867@SINEML521-MBS.china.huawei.com>
In-Reply-To: <0AE05CBFB1A6A0468C8581DAE58A31309E329867@SINEML521-MBS.china.huawei.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 23 Mar 2019 04:30:50 -0700
Message-ID: <CABcZeBP4+cF7tx2ZHj3Ax7jCf+XvR2f-xdZnOdUDQr5k_9HXjg@mail.gmail.com>
To: Wang Haiguang <wang.haiguang.shieldlab@huawei.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000299300584c150db"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/K0nt39ZpiYLxL6TxnjYZoA_Lri0>
Subject: Re: [TLS] draft-wang-tls-raw-public-key-with-ibc-10
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Mar 2019 11:31:36 -0000
On Sat, Mar 23, 2019 at 3:08 AM Wang Haiguang < wang.haiguang.shieldlab@huawei.com> wrote: > Hi, Eric > > Thanks very much for the clarification. > > Regarding the raw public key, could you please elaborate a little bit more > on the actual definition on the raw public key? > I don't understand this question. -Ekr > Regards. > > Haiguang > > ------------------------------ > *From:* Eric Rescorla [ekr@rtfm.com] > *Sent:* Saturday, 23 March, 2019 1:13:03 AM > *To:* Wang Haiguang > *Cc:* tls@ietf.org > *Subject:* Re: [TLS] draft-wang-tls-raw-public-key-with-ibc-10 > > > > On Fri, Mar 22, 2019 at 8:28 AM Wang Haiguang < > wang.haiguang.shieldlab@huawei.com> wrote: > >> Hi, Eric >> >> Thanks very much for your comments. >> >> Please see my reply inline. Our draft is still under development, we will >> improve >> >> it continuously based on the comments from experts in this area. >> >> ------------------------------ >> *From:* Eric Rescorla [ekr@rtfm.com] >> *Sent:* Thursday, 21 March, 2019 9:46:07 PM >> *To:* Wang Haiguang >> *Cc:* tls@ietf.org >> *Subject:* Re: [TLS] draft-wang-tls-raw-public-key-with-ibc-10 >> >> I have taken an initial look at this draft [0]. Comments follow. >> >> First the motivation for this technique appears rather >> weak. Primarily, you argue that a PKI is complicated to implement and >> this is simpler. However, there are a number of factors to consider. >> >> [HG] The statement "PKI is more complicated than raw public key" is from >> >> RFC 7250 (1st paragraph in the introduction section), and the raw public >> >> key has been supported in TLS 1.3. We share a similar point of view with >> >> the authors of RFC 7250. >> > > Yes, but IBC is not raw public key. It is effectively a > differently-construted PKI. > > > > Moreover, the advantage of using IBC is beyond succint key management. >> >> As analysed in [1] using of certificates has serious impact on the >> performance >> >> of resource contrained devices (see section 7) including RAM usage , >> bandwith cost, etc. >> > > Yes, but its not clear that IBC will be any better. > > > > Quote from [2] "MIKEY-SAKKE sped up the setup of HTTPS sessions by 7 times >> over standard TLS, >> >> meaning websites loaded over 200ms faster". >> > What algorithms is this comparing? If it's (say) BB versus RSA, that's not > really apples to apples. > > [1] H. Shafagh. Leveraging Public-key-based Authentication for the >> Internet of Things. >> >> Master thesis, >> https://people.inf.ethz.ch/mshafagh/master_thesis_Hossein_Shafagh_PKC_in_the_IoT.pdf >> ", >> >> [2] CESG. Using MIKEY-SAKKE Building secure multimedia services >> >> >> >> First, I believe the design you have selected is too simple to work >> outside of toy scenarios. Specifically, it doesn't seem to account for >> any form of revocation. How do you handle the case where someone's >> keys are compromised? There are a number of ways to handle this inside >> the context of an IBC system (time-based PKG parameters, have the >> identities have a timestamp built into them, etc.), >> but you don't specify these, and they add complexity. >> >> [HG] Regarding the revocation, we did not mention it in the draft, but we >> have >> >> considered it in the design. In practice, an >> >> expiring time can be included in the identity for the IBC system. >> > > In fact, in RFC 6507 page 7-8, authors have mentioned that expiration time >> may be included >> >> in the identity. That’s the reason we have not discussed the revocation >> issue in our draft. If experts in this >> >> group think we should address this issue, we can provide more information >> and details in the next draft. >> >> Besides, in ITU-T SG-17, we have specified a framework (x.ibc-iot) for >> using IBC over telecom >> > > This draft needs to provide a complete description. > > > > >> In a similar vein, another thing that adds complexity is having a >> certificate >> hierarchy rather than a single CA. If you are willing to have a >> single-level >> hierarchy then life is much simpler. With an IBC system, one typically >> either >> foregoes this or uses HIBC. Are these systems HIBC capable? >> >> [HG] At the moment, our target is to support a single-level IBC system. >> In the future, >> >> if there are needs from industry, we can add in the support of HIBC. >> > But again, this is an additional source of complexity. If you only want a > one-level CA system, you can have something much simpler than PKIX. > See, for instance: > https://datatracker.ietf.org/doc/draft-tschofenig-tls-cwt/ > > >> >> In addition, the innherent escrow capability that you describe in Section >> 7 >> is a way in which IBC systems are materially worse than PKI systems in a >> way we don't know how to ameliorate (as opposed to CT). >> >> [HG] For telecom operator networks, symmetric keys are used for >> authentication, the >> >> home operators always know the root key of a user device have in their >> SIM card. >> >> Therefore, the key escrow is not issue in telecom networks. Thus, >> whether key escrow >> >> being a severe issue depends on the application scenario. >> > > I don't think this is a demonstration that this is not severe. It's merely > a demonstration that the current situation is bad. > > > For these reasons, I don't think this WG should adopt this work, though >> the process allows you to have a code point without adoption. >> >> Thank you for your comments. It is better we do not make a decision at >> >> this moment. In fact, IBC sees an increasing acceptance in the industry: >> >> 3GPP has adopted the RFC 6507, RFC 6508 and RFC 6509 for mission critical >> >> communications, and UK government has already started to use it. >> >> Considering this, we would like to suggest that the group do consider our >> draft. >> > > You're of course free to request this, but you have not persuaded me. > > >> >> TECHNICAL COMMENTS >> I don't understand why you are sending the PKG parameters over the wire. >> Either the parameters are already known to the relying party, in which >> case they are unnecessary or they are not in which case they cannot >> be trusted. It seems like a hash of them would be sufficient. And of >> course this doesn't mesh well with multiple generations of PKG parameters >> (see above) unless you have signed parameters, but now you have a mini >> PKI. >> >> [HG] We agree with your comments, and for the single PKG case, we can >> >> use hash values. For multiple PKGs, it is reasonable to assume PKGs to >> trust >> >> each other, just like "root" CAs to trust each other. >> > > I don't understand what this means. First, in a PKI-based system trust > anchors don't > need to trust each other. It's true that in some cases a trust anchor will > sign another > trust anchor, but that's a delegation of trust. Are you assuming something > like that > here? If so, how would it work? > >> >> You need to specify the format of "ServerID". Is it a domain name? >> Something else? >> >> [HG] ServerID is simply the identity of the server, and the format of >> the identity >> >> is application-specific. >> > That is not going to promote interoperability. > > -Ekr > > > >> -Ekr >> >> >> [0] Note that it's much harder to review documents in PDF. Please send >> text in future. >> >> >> On Thu, Mar 21, 2019 at 12:33 AM Wang Haiguang < >> wang.haiguang.shieldlab@huawei.com> wrote: >> >>> Hello, everyone. >>> >>> Attached is an updated version to our personal draft on >>> draft-wang-tls-raw-public-key-with-ibc-10. >>> >>> The target of the draft is to use identity as raw public key over TLS. >>> Idenitty-based signature (IBS) algorithms are used for peer/server >>> authentication. >>> >>> The draft has been updated from time to time and this is the 10th >>> version. >>> >>> The main change in this version is we have extended the draft to support >>> three other IBS algorithms, i.e. the ISO-IBS1, ISO-IBS2 and >>> ISO-Chinese-IBS. >>> Data structures for these three algorithms are has been defined. >>> >>> This version has not been submitted to the IETF data trackers yet. We >>> will submit it once it is reopen. >>> >>> It is appreciate if expert in this mailing list can provide comments and >>> help us to improve the draft. >>> >>> Best regards. >>> >>> Haiguang >>> >>> >>> _______________________________________________ >>> TLS mailing list >>> TLS@ietf.org >>> https://www.ietf.org/mailman/listinfo/tls >>> >>
- [TLS] draft-wang-tls-raw-public-key-with-ibc-10 Wang Haiguang
- Re: [TLS] draft-wang-tls-raw-public-key-with-ibc-… Eric Rescorla
- Re: [TLS] draft-wang-tls-raw-public-key-with-ibc-… Wang Haiguang
- Re: [TLS] draft-wang-tls-raw-public-key-with-ibc-… Eric Rescorla
- Re: [TLS] draft-wang-tls-raw-public-key-with-ibc-… Stephen Farrell
- Re: [TLS] draft-wang-tls-raw-public-key-with-ibc-… Melinda Shore
- Re: [TLS] draft-wang-tls-raw-public-key-with-ibc-… Wang Haiguang
- Re: [TLS] draft-wang-tls-raw-public-key-with-ibc-… Eric Rescorla
- Re: [TLS] draft-wang-tls-raw-public-key-with-ibc-… Wang Haiguang
- Re: [TLS] draft-wang-tls-raw-public-key-with-ibc-… Eric Rescorla
- Re: [TLS] draft-wang-tls-raw-public-key-with-ibc-… Wang Haiguang
- Re: [TLS] draft-wang-tls-raw-public-key-with-ibc-… Wang Haiguang
- Re: [TLS] draft-wang-tls-raw-public-key-with-ibc-… Wang Haiguang
- Re: [TLS] draft-wang-tls-raw-public-key-with-ibc-… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] draft-wang-tls-raw-public-key-with-ibc-… Melinda Shore
- Re: [TLS] draft-wang-tls-raw-public-key-with-ibc-… Wang Haiguang
- Re: [TLS] draft-wang-tls-raw-public-key-with-ibc-… michael cheng
- Re: [TLS] draft-wang-tls-raw-public-key-with-ibc-… Benjamin Kaduk
- Re: [TLS] draft-wang-tls-raw-public-key-with-ibc-… michael cheng