Re: [TLS] Review of draft-wouters-tls-oob-pubkey-00.txt

Martin Rex <mrex@sap.com> Wed, 03 August 2011 18:59 UTC

From: Martin Rex <mrex@sap.com>
To: paul@xelerance.com (Paul Wouters)
Date: Wed, 3 Aug 2011 20:59:47 +0200 (MEST)
Cc: tls@ietf.org
Subject: Re: [TLS] Review of draft-wouters-tls-oob-pubkey-00.txt

Paul Wouters wrote:
> 
> Nikos Mavrogiannopoulos wrote:
> >
> > Paul Wouters wrote:
> > >
> > > Martin Rex wrote:
> > >
> > > > I find the idea of extending rfc6091 with a new certificate type
> > > > for raw keys more appealing than a completely new TLS extension.
> > >
> > > The TLS client still needs a way to convey this to the server, so that
> > > there is a migration path from full CA bundle to public key. That is,
> > > the client needs to be able to ask for "public key only" certificate type.
> > > So I believe we would still need a new TLS extension, but not a new TLS
> > > message type.
> >
> > And doesn't RFC6091 define the extension?
> 
> Ah yes, it does.
> 
> I would hope that the TLS WG would see enough of an interest to make
> a standard track extension though.  6091 is an Informational.  Could
> the draft be rewritten to use the 6091 cert type extension and still
> become a standards track document?

Huh?  Why is that?  "Informational" or "Experimental" is just fine!

Weren't you complaining that your primary motivator for this
extension is to enable a TLS implementation without X.509?

Personally, I would not consider a TLS implementation "generally useful"
that has zero support for X.509 (not even X.509v1) (this is about
implementations, not consumers!), but I'm pretty confident that
TLS implementations without your extension likely continue
to be "generally useful".  So personally, I consider Informational
or Experimental adequate for this proposal at the current time.


It will always remain possible to submit a revised document for
standards track in case that this technology attracts widespread
adoption among implementors and consumers of the technology.


PGP is a well-established alternative to X.509 and has been in active
use for EMail and for signing software archives in Linux Distributions,
and I don't see a problem with 6091 being Informational, either.


-Martin