Re: [TLS] Call for adoption of draft-sullivan-tls-exported-authenticator
Nick Sullivan <nicholas.sullivan@gmail.com> Tue, 18 April 2017 22:18 UTC
Return-Path: <nicholas.sullivan@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC1631314A7 for <tls@ietfa.amsl.com>; Tue, 18 Apr 2017 15:18:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9nbM8c67E9bm for <tls@ietfa.amsl.com>; Tue, 18 Apr 2017 15:18:15 -0700 (PDT)
Received: from mail-ua0-x22d.google.com (mail-ua0-x22d.google.com [IPv6:2607:f8b0:400c:c08::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D4E7E1314A1 for <tls@ietf.org>; Tue, 18 Apr 2017 15:18:14 -0700 (PDT)
Received: by mail-ua0-x22d.google.com with SMTP id h2so4163210uaa.1 for <tls@ietf.org>; Tue, 18 Apr 2017 15:18:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=CCIbS49hAj2H/bR8VlxlUF8VKeHcHa9LWtIGaVAXC/Q=; b=oNFXPuTiIZlQmT0nePQeR94aTyiVp8075xpRCO0wnIWVRPRLYdWOjFNNbMCoR8sYAN MIbDC1GOjtfJTLDxHHys8QO091Xz52VESBJwD6geeye6InnLtzBKOi+BXzDzIVnALs0u Z/tRxSmuwkJ8IpQK/8xaZ5XcLOjHvt4euNr2JX8+do60/wfNv0IoTdfJLzswtI5J2FLO P4eFuPjwrcKS4y47lHftQ/sQauYSXspJ98NRN1Hx+DVu8GidenljWNxLkcO6o9/+hcMe A0pvBrC2ic2KOFUAwTXp4gyu+AQ4j/26lIGDs++NwpA4cHsOBrqA1ZjekzXoK+qkgJbQ B3MQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=CCIbS49hAj2H/bR8VlxlUF8VKeHcHa9LWtIGaVAXC/Q=; b=E1iIVHiPC0T4VsxFrHRjym8FucTv+CMryYkL10oRG69UiBq0Mo0mUgYHwRd/NNftKw YdbnSvoxblphIMdudtwAldXQGy65uZUQ+FMEKjFLnnsPXvjd1GiQ99/PIf00IqvSb228 6MRJ+AEMxTyu0ALwhNmMixQRZ63TM3oyy38MHqc3XExj2LfSHDVMVKV/CNaEp0b38NA7 wBD6OILqQKTiCLqlnVsitnqK0qHXMzzT81G6hs2RRchjxdhRC9rH39g+XCO5nc2E4Kwc Qv3l3bGKLLDTZslIOFimMTMjW6FGYa2C4/MtYGCLgI4pduTA/AwhJNv1veYYyfjzhbKk c07w==
X-Gm-Message-State: AN3rC/5mGcRovDBL/EdwOIYAIVpeDI7hCjnkGYkjzkn6+5u3fzvA9VOG dUmw2eW43Mv5qGZ+UwKykeTfuvrReQ==
X-Received: by 10.159.37.248 with SMTP id 111mr13163843uaf.146.1492553894049; Tue, 18 Apr 2017 15:18:14 -0700 (PDT)
MIME-Version: 1.0
References: <CAOgPGoCvpjoexe0u2bT+P5eO75L2UbAtmCOx_1x+WxWvv8ktPA@mail.gmail.com> <20170414114425.GA3649@LK-Perkele-V2.elisa-laajakaista.fi> <20170415134152.GA7893@LK-Perkele-V2.elisa-laajakaista.fi>
In-Reply-To: <20170415134152.GA7893@LK-Perkele-V2.elisa-laajakaista.fi>
From: Nick Sullivan <nicholas.sullivan@gmail.com>
Date: Tue, 18 Apr 2017 22:18:03 +0000
Message-ID: <CAOjisRx7rbhdWDgpbmv_sKebVBygqDfVJ4pQD7wsS6SF8Fws8g@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a113d1b98a9ba51054d7848b7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/OPMnLEKV8eXd4FZrjJ_pB8Zdh9Y>
Subject: Re: [TLS] Call for adoption of draft-sullivan-tls-exported-authenticator
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Apr 2017 22:18:17 -0000
On Sat, Apr 15, 2017 at 6:42 AM Ilari Liusvaara <ilariliusvaara@welho.com> wrote: > On Fri, Apr 14, 2017 at 02:44:25PM +0300, Ilari Liusvaara wrote: > > On Thu, Apr 13, 2017 at 09:29:27PM -0700, Joseph Salowey wrote: > > > Hey Folks, > > > > > > At the IETF 98 meeting in Chicago there was support in the room to > adopt > > > draft-sullivan-tls-exported-authenticator [0]. We are looking for > feedback > > > on adopting this draft form the list. Please respond if you support the > > > draft and are willing to review it. If you object to its adoption, > please > > > let us know why. Please respond to the list by 20170501 > > > > > > > Looking at the draft and reviewing it: > > Another edge-case I figured: > > How do certificate type extensions (#9, #19 and #20) work with exported > authenticators? > > Where other extensions are either meaningless or are edditional info, > certificate types actually change the format of the first certificate, > which the library needs to understand in order to extract the SPKI for > validating the following CertificateVerify. > I think it would be fair to only support server-generated exported authenticators with the certificate_type negotiated by the TLS handshake. If the client sent a list of server_certificate_types in its client hello, then only authenticators of that type can be used (with the chosen type included an extension to the certificate message). Similarly, if the server's EE message contains a single client_certificate_type, that would be the only type supported by client-generated exported authenticators. I can add text to this effect ( https://github.com/grittygrease/tls-exported-authenticator/issues/12). > > -Ilari > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] Call for adoption of draft-sullivan-tls-exp… Joseph Salowey
- Re: [TLS] Call for adoption of draft-sullivan-tls… Ilari Liusvaara
- Re: [TLS] Call for adoption of draft-sullivan-tls… Patrick McManus
- Re: [TLS] Call for adoption of draft-sullivan-tls… Benjamin Kaduk
- Re: [TLS] Call for adoption of draft-sullivan-tls… Andrei Popov
- Re: [TLS] Call for adoption of draft-sullivan-tls… Ilari Liusvaara
- Re: [TLS] Call for adoption of draft-sullivan-tls… Nico Williams
- Re: [TLS] Call for adoption of draft-sullivan-tls… Ilari Liusvaara
- Re: [TLS] Call for adoption of draft-sullivan-tls… Victor Vasiliev
- Re: [TLS] Call for adoption of draft-sullivan-tls… Nick Sullivan
- Re: [TLS] Call for adoption of draft-sullivan-tls… Nick Sullivan
- Re: [TLS] Call for adoption of draft-sullivan-tls… Nick Sullivan
- Re: [TLS] Call for adoption of draft-sullivan-tls… Ilari Liusvaara
- Re: [TLS] Call for adoption of draft-sullivan-tls… Joseph Salowey