Re: [TLS] Encoding of delegated credential distribution

Nick Sullivan <nick@cloudflare.com> Thu, 23 April 2020 04:06 UTC

From: Nick Sullivan <nick@cloudflare.com>
Date: Wed, 22 Apr 2020 21:06:30 -0700
Message-ID: <CAFDDyk90mz+nThOdtG+nsmtid0L5g=hBVhaEixYdU2_ABPMWyA@mail.gmail.com>
To: Paul Yang <kaishen.yy=40alipay.com@dmarc.ietf.org>
Cc: TLS List <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/T8i0cN4jbDID2-eMvrEQVbUmvNQ>
Subject: Re: [TLS] Encoding of delegated credential distribution

Hi Paul,

Thank you for your comment. I would consider the distribution of key
material out of scope for this protocol. Since this can be an
asynchronous distribution channel between mutually trusting parties,
implementations may vary. As mentioned below, ACME may be suitable
here, but I don't think we should be prescriptive. I'll clarify this in the
next draft.

Nick

On Wed, Apr 1, 2020 at 11:13 PM Paul Yang <kaishen.yy=
40alipay.com@dmarc.ietf.org> wrote:

> Hi all,
>
> When reading the latest draft of delegated credentials, I didn't find any
> description about how to distribute a credential from the backend to
> frontend. As described in the draft:
>
>    Delegated credentials:
>
>    Client            Front-End            Back-End
>      |                  |<--DC distribution->|
>      |----ClientHello--->|                    |
>      |<---ServerHello----|                    |
>      |<---Certificate----|                    |
>      |<---CertVerify-----|                    |
>      |        ...        |                    |
>
> Do we need to define some sort of encoding scheme for the <DC
> distribution> part?
>
> Regards,
>
> Paul Yang
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>