Re: [TLS] Review of draft-wouters-tls-oob-pubkey-00.txt

Eric Rescorla <ekr@rtfm.com> Thu, 28 July 2011 13:20 UTC


On Wed, Jul 27, 2011 at 8:18 PM, Paul Wouters <paul@xelerance.com> wrote:
> On Wed, 27 Jul 2011, Eric Rescorla wrote:
>> Regardless, as I said in my review, this seems like it's largely
>> duplicative of cached info (and in fact, rather clumsier).
>
> I'm interested in knowing why you consider it "clumsy". Especially because
> it closely follows the RFC 6066 section 6 extension for suppressing of
> sending CA bundles with "trusted_ca_keys".  That apparent clumsiness
> passed WGLC and IESG.

What's clumsy is:

(1) It's not generic, even though generic caching is useful.
(2) It doesn't support bare keys when the client doesn't know the key, which
is also useful, if you want to use bare keys at all. In fact, it doesn't even
appear to support cases where the client knows only the key hash, which is
common.

Whether it follows 6066 doesn't seem particularly relevant here, since we have a
worked example of something better.


-Ekr