Re: [TLS] Certificate keyUsage enforcement question (new in RFC8446 Appendix E.8)

Tony Putman <Tony.Putman@dyson.com> Mon, 12 November 2018 09:45 UTC

From: Tony Putman <Tony.Putman@dyson.com>
To: Viktor Dukhovni <ietf-dane@dukhovni.org>
CC: "<tls@ietf.org>" <tls@ietf.org>
Date: Mon, 12 Nov 2018 09:45:09 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/PMIritju4bJ_PqrB1lt1NX4zEf4>

Viktor,

> Nor have I, and I rather think that introducing fixed-(EC)DH ciphers into
> TLS was a mistake, and glad to see them gone in TLS 1.3.

Can you please explain to me the problem with (EC)DH ciphers? If it's the
lack of forward secrecy, then I understand. If there are other problems, 
then I would be keen to understand them.

Thanks,
Tony

