IETF Logo Mail Archive

Re: [TLS] draft-rescorla-tls-subcerts-01

Hannes Tschofenig <hannes.tschofenig@gmx.net> Mon, 24 April 2017 15:39 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17F4D13173B for <tls@ietfa.amsl.com>; Mon, 24 Apr 2017 08:39:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.401
X-Spam-Level:
X-Spam-Status: No, score=-5.401 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-2.8, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AOfIWHfzua8u for <tls@ietfa.amsl.com>; Mon, 24 Apr 2017 08:39:44 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0E97F1316F9 for <tls@ietf.org>; Mon, 24 Apr 2017 08:39:43 -0700 (PDT)
Received: from [192.168.91.191] ([195.149.223.176]) by mail.gmx.com (mrgmx002 [212.227.17.190]) with ESMTPSA (Nemesis) id 0LyWAQ-1bxFoR0j14-015s1s; Mon, 24 Apr 2017 17:39:41 +0200
To: Ilari Liusvaara <ilariliusvaara@welho.com>
References: <bea3cb60-fdfc-950f-f628-90eb87ed42ef@gmx.net> <20170421104857.GA20822@LK-Perkele-V2.elisa-laajakaista.fi>
Cc: "<tls@ietf.org>" <tls@ietf.org>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
Message-ID: <c2a45dce-4c58-295f-3e16-335a424bc4c5@gmx.net>
Date: Mon, 24 Apr 2017 17:39:39 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <20170421104857.GA20822@LK-Perkele-V2.elisa-laajakaista.fi>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="PVjpU3JKWiE4rafBxRLcSAbhdgN7uQ9Jm"
X-Provags-ID: V03:K0:dyhnJ8MlbOlmbG5l2KwCmvKx79J3XLe8bGcaGcjVh5CeIaoCKvp PNCYoqVyPmyDotQdRg+J++W6H6vX4uLWgkmdNxOcwNHLR7ycRswFM/GzydF7U2/WFxInsIF EiXwHJoBNVvcMfpdIScV/rooqDEKCtPKY5pISH+k1jGKFKUSUgH6uwIuKb7Xh4jg41bCC4o NxwGHtJGO1C9pwyRDepag==
X-UI-Out-Filterresults: notjunk:1;V01:K0:tNwBH4VnQVQ=:cH27cwUKt0ecadaEkSfTAk n9dCMeDng5SPlyUhxk0CSxV/nqEHmKKJswG9CAHjhV8fhFA52BKiCkRaI9sRvE2YMOQRpu2B9 YuLYDn4pxGG4I3TnzOmjoXePXXGOxcqMD96CNRHMxdwKNvRSa9uoQvOMfDyPKVK0LQ30ciD2U cC5p8k3T6nsex37kt1CpogOJijQfnbRm61XLTmVMX4BWWwHyQzPzzHZ1BRR59CZ9LhCZlwj/0 f+fgnLXxItlWipqLDsw824t6t65QNtfVLcDmpBqnpaCMh95iNXoyB63Xwkh9hR5u4XNjLRU8I Kppp4PrDqmFpr+1RKWvFEzOyKCuYM6qaheAQ8npQs3734hPiVCvWxegJszioc7W4dlcSThc3e fNFpu6nFoYL9T3HYuKgwnj7FMxqjQcSaOgUnR6rPASo3fogKYEN9zb/LMqk1uE9krZ9J2PfAA sjbWBX3yXR/fsg2yDd8G7cDsiBvBDWfxYnnkCuRZz/+oM+e0HEgHrKngwKnTiq65zFsiyGCYT sFzn/mnuja7jZXy31BCZCcC7d7Rutl5j9KCeFt/zisapNBSv8CElvB88REEtqRt9GPeBddnRb yLTmbOB+riejSul0xZjYkHsevdUWbZgS/onlUs6JlKd5m+dt/98NH09L9F3KtHsCVRk4q7acQ 1BGSDNKOxyQPNj7Zs971Zi5nFtBIOVa11zPnIxHVQdwmX+Ll6Tho2Ft/GHDj0+e8yWYMmnDMF +Rt/swyRT3Uz1nbNFjZFPd0/9e7VCvG+C5S30Pa1wl7zOCOWm9iFLMaTMLY=
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/NyeksF-LVJ0Z4657vuXTmbURgCw>
Subject: Re: [TLS] draft-rescorla-tls-subcerts-01
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Apr 2017 15:39:46 -0000

Hi Ilari,

thanks for your response. A few remarks inline:

On 04/21/2017 12:48 PM, Ilari Liusvaara wrote:
> On Fri, Apr 21, 2017 at 10:37:21AM +0200, Hannes Tschofenig wrote:
>> I read through draft-rescorla-tls-subcerts-01 and I ran into some basic
>> questions.
>>
>> I have been wondering why the TLS server operator obtains an end-entity
>> certificate from a CA (which cannot be used to sign further
>> certificates) instead of running an intermediate CA him-/herself
>> instead. This would work without requiring any changes to the client
>> side. The proposed solution, although technically feasible, will
>> unfortunately take a long time to deploy since it requires cooperation
>> from clients, servers, and also from CAs.
> 
> There is enormous amount of red tape obtaining intermediates, even
> technically constrained ones. And as consequence, it is enormously
> expensive (through not nearly as expensive as public CA).

In essence you are doing this through the extension as well just using a
different format.

> 
> Defining new extensions is much more deployable, as slow as it is
> (AFAICT, no BR changes needed).

I hope that this is true since otherwise you have just traded one
problem against the other one.

> 
> Regarding clients, I think the draft specifies LURK as backup plan
> for clients that don't support subcerts (which causes some extra
> latency if triggered).
I didn't got that impression.

> 
>> What is also not clear to my why some of the certificate management
>> protocols, which provide the necessary level of automation, cannot be
>> used with CAs to request short-lived certificates.
> 
> AFAIK, that would cause issues with CT and OCSP signing.
> 
> The latter would be fixable by reintroducing CABForum ballot 153 and
> passing it (the reasons 153 failed were obviously political instead of
> technical).
Isn't this something ACME was trying to solve as well?

Ciao
Hannes

> 
> 
> -Ilari
>

v2.23.0 | Report a Bug | By Email