Re: [TLS] Working group last call for draft-ietf-tls-subcerts-07
Russ Housley <housley@vigilsec.com> Wed, 20 May 2020 22:40 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 19F293A0873 for <tls@ietfa.amsl.com>; Wed, 20 May 2020 15:40:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1itbkpTu6ncw for <tls@ietfa.amsl.com>; Wed, 20 May 2020 15:40:17 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 47A553A085A for <tls@ietf.org>; Wed, 20 May 2020 15:40:17 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id AE0DE300B05 for <tls@ietf.org>; Wed, 20 May 2020 18:40:14 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id GU_fn9U_jbpp for <tls@ietf.org>; Wed, 20 May 2020 18:40:13 -0400 (EDT)
Received: from a860b60074bd.fios-router.home (pool-72-66-113-56.washdc.fios.verizon.net [72.66.113.56]) by mail.smeinc.net (Postfix) with ESMTPSA id 2B2DD300A51 for <tls@ietf.org>; Wed, 20 May 2020 18:40:13 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_404A63F5-7234-4B8F-BAE7-CA0DCFAA6C41"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.14\))
Date: Wed, 20 May 2020 18:40:14 -0400
References: <CAOgPGoDqtCmkBZYoGT5BaMJN8wgSBFKR00VSUXB9Qu8rDT3S_g@mail.gmail.com>
To: IETF TLS <tls@ietf.org>
In-Reply-To: <CAOgPGoDqtCmkBZYoGT5BaMJN8wgSBFKR00VSUXB9Qu8rDT3S_g@mail.gmail.com>
Message-Id: <47A87699-B13C-480B-9C51-2386F1C69D74@vigilsec.com>
X-Mailer: Apple Mail (2.3445.104.14)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/OITRkf6psdZAeOn2BBedmJPDWPA>
Subject: Re: [TLS] Working group last call for draft-ietf-tls-subcerts-07
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 May 2020 22:40:19 -0000
> This is the Working Group Last Call for "Delegated Credentials for TLS" available at https://datatracker.ietf.org/doc/draft-ietf-tls-subcerts/ <https://datatracker.ietf.org/doc/draft-ietf-tls-subcerts/>. Please review the document and respond to the list with any comments by June 2, 2020. I just reread draft-ietf-tls-subcerts-07. I have a few comments. MAJOR In section 3, the document says: The secret key used to sign ... Please change "secret" to "private". Later in the sentence, [RFC5280] is referenced, and it talks about "private key" in this context. MINOR Section 1 says: This allows server operators to limit the exposure of keys in cases where they do not realize a compromise has occurred. I suggest an alternative: This allows server operators to limit the exposure of keys in cases where it might be difficult to determine whether a compromise has occurred. Section 1 also says: Because the above problems do not relate to the CA's inherent function of validating possession of names, ... The CA is responsible for confirming that the public key in the certificate corresponds to a private key that can be used by the certificate subject. This is usually done by a proof of possession mechanism. So, I think that the start of this sentence should be reworded to avoid the impression that the CA only validates the name. QUESTION While I have no objection to the DelegationUsage extension, I wonder is an extended key usage would provide the same confidence in the certificate. ASN.1 MODULE After assigning a place holder vale for "TBD", I compiled the module, and it works just fine.
- [TLS] Working group last call for draft-ietf-tls-… Joseph Salowey
- Re: [TLS] Working group last call for draft-ietf-… Russ Housley
- Re: [TLS] Working group last call for draft-ietf-… Ryan Sleevi
- Re: [TLS] Working group last call for draft-ietf-… Salz, Rich
- Re: [TLS] Working group last call for draft-ietf-… Russ Housley
- Re: [TLS] Working group last call for draft-ietf-… Ryan Sleevi
- Re: [TLS] Working group last call for draft-ietf-… Watson Ladd
- Re: [TLS] Working group last call for draft-ietf-… Salz, Rich
- Re: [TLS] Working group last call for draft-ietf-… Joseph Salowey
- Re: [TLS] Working group last call for draft-ietf-… Martin Thomson
- Re: [TLS] Working group last call for draft-ietf-… Salz, Rich
- Re: [TLS] Working group last call for draft-ietf-… Nick Sullivan
- Re: [TLS] Working group last call for draft-ietf-… Russ Housley
- Re: [TLS] Working group last call for draft-ietf-… Nick Sullivan