IETF Logo Mail Archive

Re: [TLS] Origin Bound Certificates extension?

Jeffrey Walton <noloader@gmail.com> Thu, 25 June 2015 23:46 UTC

Return-Path: <noloader@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4CF41B2D12 for <tls@ietfa.amsl.com>; Thu, 25 Jun 2015 16:46:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id grFd1flTs0hS for <tls@ietfa.amsl.com>; Thu, 25 Jun 2015 16:46:31 -0700 (PDT)
Received: from mail-ig0-x22d.google.com (mail-ig0-x22d.google.com [IPv6:2607:f8b0:4001:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B0031A89B9 for <tls@ietf.org>; Thu, 25 Jun 2015 16:46:31 -0700 (PDT)
Received: by igin14 with SMTP id n14so3012621igi.1 for <tls@ietf.org>; Thu, 25 Jun 2015 16:46:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:reply-to:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=mb4D7M8+81hgM/HrnRa0moxKuSKCQIAJJOQ+OynRT2E=; b=kRoTVGGrSZb34xgZqTsF6KOWEZQtsuJt2Nayn8BIFqrEXgxzyUGF1t22BPKMNxvQIg yaiBpK5Ltqkxz2lDY7By6syoh1Y83JSc7TXz7a39yF4k5zx7s4fYpqWRBDucvGUKwVw8 4P2kfjBqj0Ei03NBm7gV1RcOOUuLQn+IBk7jXLT+0wJ0iORVTn/kIvH2nXywOZMgIVDU 5oNWgxQW9PFy0SAmxJwveulFf6He00MnYgCkZ/TSyrvrG0mxESJRVKbso3641RYXig8T b2YC8nm3y4gdTKBMS3ptW5yaKGVANYjGcoEfg7NlTOQs8IPct5bvaHr6tvdxd3yJ+oLy zQSA==
MIME-Version: 1.0
X-Received: by 10.42.176.8 with SMTP id bc8mr196467icb.22.1435275990823; Thu, 25 Jun 2015 16:46:30 -0700 (PDT)
Received: by 10.36.77.15 with HTTP; Thu, 25 Jun 2015 16:46:30 -0700 (PDT)
In-Reply-To: <CAL9PXLweB25vAbaPV-mSoOgCPcMZ-+Ly1+ZOa_iJtUELDB8yEw@mail.gmail.com>
References: <CAH8yC8moyR6Ai865eKRmVEyp7X15OupxiFaFZJBKC74XVE_PEg@mail.gmail.com> <CAL9PXLweB25vAbaPV-mSoOgCPcMZ-+Ly1+ZOa_iJtUELDB8yEw@mail.gmail.com>
Date: Thu, 25 Jun 2015 19:46:30 -0400
Message-ID: <CAH8yC8m8c+aaZzR0-rCzHr_n=B_2fO7nq4f1=Ju_PO+7oMY-Jw@mail.gmail.com>
From: Jeffrey Walton <noloader@gmail.com>
To: Adam Langley <agl@google.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Sh8rImy-e7Dd7Prq503QVzoxmrM>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Origin Bound Certificates extension?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: noloader@gmail.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jun 2015 23:46:32 -0000

On Thu, Jun 25, 2015 at 5:05 PM, Adam Langley <agl@google.com> wrote:
> On Thu, Jun 25, 2015 at 2:04 PM, Jeffrey Walton <noloader@gmail.com> wrote:
>> Forgive my ignorance... What happened with the Origin Bound
>> Certificates extension
>> (https://tools.ietf.org/html/draft-balfanz-tls-obc-01)?
>
> It evolved into https://tools.ietf.org/html/draft-ietf-tokbind-protocol-01
>
Perfect, thanks.

Any plans to support Bernstein's gear:

    ...

    enum {
        rsa(1), ecdsap256(3), (255)
    } SignatureAlgorithm;
    ...

    enum {
        secp256r1 (23), (0xFFFF)
    } NamedCurve;

Should there be a ed25519 or similar?

To be clear, I'm interested in using it to stop MitM due to gaps in
existing controls in some security models, and not stop the triple
handshake threat.

Jeff

v2.23.0 | Report a Bug | By Email