Re: [TLS] New Version Notification for draft-wouters-tls-oob-pubkey-01.txt (fwd)
Eric Rescorla <ekr@rtfm.com> Thu, 17 November 2011 07:48 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C02DF1F0CB7 for <tls@ietfa.amsl.com>; Wed, 16 Nov 2011 23:48:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.943
X-Spam-Level:
X-Spam-Status: No, score=-102.943 tagged_above=-999 required=5 tests=[AWL=0.034, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WqsVKDFfCPDm for <tls@ietfa.amsl.com>; Wed, 16 Nov 2011 23:48:27 -0800 (PST)
Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by ietfa.amsl.com (Postfix) with ESMTP id E5AD41F0C82 for <tls@ietf.org>; Wed, 16 Nov 2011 23:48:26 -0800 (PST)
Received: by ggnr5 with SMTP id r5so809218ggn.31 for <tls@ietf.org>; Wed, 16 Nov 2011 23:48:26 -0800 (PST)
Received: by 10.236.72.132 with SMTP id t4mr7032619yhd.58.1321516106467; Wed, 16 Nov 2011 23:48:26 -0800 (PST)
MIME-Version: 1.0
Received: by 10.146.88.36 with HTTP; Wed, 16 Nov 2011 23:47:45 -0800 (PST)
X-Originating-IP: [74.95.2.173]
In-Reply-To: <alpine.DEB.2.00.1110311914480.17385@mail.xelerance.com>
References: <alpine.DEB.2.00.1110311914480.17385@mail.xelerance.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 16 Nov 2011 23:47:45 -0800
Message-ID: <CABcZeBOqziPWk5Je=Ld+Fa0i-vz+HXKaFTDyswptfKG6dXJkxw@mail.gmail.com>
To: Paul Wouters <paul@xelerance.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: tls@ietf.org
Subject: Re: [TLS] New Version Notification for draft-wouters-tls-oob-pubkey-01.txt (fwd)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Nov 2011 07:48:27 -0000
Extending TLS to support a raw public key seems like a good idea and I support taking it on. Extending it to suppress the public key and instead send a hash from server to the client seems less so; if the server sends the public key, it works if the client knows either (a) the server public key or (b) a digest of the public key. Sending a digest only works if the client already knows the public key, which seems far less likely. If you want to suppress the server sending the key, a better (and more general) solution is to resurrect cached-info. This would work with both raw keys and certificates. -Ekr On Mon, Oct 31, 2011 at 4:21 PM, Paul Wouters <paul@xelerance.com> wrote: > > This is the new version of the draft incorporating the feedback from Quebec > City > and the TLS list since then. It changes the draft from a new TLS extension > to a > new Certificate Type for raw keys. > > It also merges in the unpublished draft material from Hannes Tschofenig > and Tero Kivinen <kivinen@iki.fi> whom had also been working on raw RSA > TLS keys for use with CoAP (eg devices with no real time clock where > PKIX validation cannot work) > > I did not yet change the draft ofrom individual submission to working group > item, > as I was waiting for confirmation on the TLW WG list of the last Quebec City > meeting. > > http://tools.ietf.org/html/draft-wouters-tls-oob-pubkey-01 > > Paul > > ---------- Forwarded message ---------- > Date: Mon, 31 Oct 2011 17:44:35 > From: internet-drafts@ietf.org > Cc: weiler@tislabs.com, hannes.tschofenig@gmx.net, gnu@toad.com, > paul@xelerance.com, kivinen@iki.fi > To: paul@xelerance.com > Subject: New Version Notification for draft-wouters-tls-oob-pubkey-01.txt > X-Spam-Flag: NO > > A new version of I-D, draft-wouters-tls-oob-pubkey-01.txt has been > successfully submitted by Paul Wouters and posted to the IETF repository. > > Filename: draft-wouters-tls-oob-pubkey > Revision: 01 > Title: TLS out-of-band public key validation > Creation date: 2011-10-31 > WG ID: Individual Submission > Number of pages: 11 > > Abstract: > This document specifies a new TLS certificate type for exchanging raw > public keys or their fingerprints in Transport Layer Security (TLS) > and Datagram Transport Layer Security (DTLS) for use with out-of-band > authentication. Currently, TLS authentication can only occur via > PKIX or OpenPGP certificates. By specifying a minimum resource for > raw public key exchange, implementations can use alternative > authentication methods. > > One such method is using DANE Resource Records secured by DNSSEC, > Another use case is to provide authentication functionality when used > with devices in a constrained environment that use whitelists and > blacklists, as is the case with sensors and other embedded devices > that are constrained by memory, computational, and communication > limitations where the usage of PKIX is not feasible. > > The new certificate type specified can also be used to reduce the > latency of a TLS client that is already in possession of a validated > public key of the TLS server before it starts a (non-resumed) TLS > handshake. > > > > > The IETF Secretariat > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] New Version Notification for draft-wouters-… Paul Wouters
- Re: [TLS] New Version Notification for draft-wout… Eric Rescorla
- Re: [TLS] New Version Notification for draft-wout… Ondřej Surý
- Re: [TLS] New Version Notification for draft-wout… Paul Wouters
- Re: [TLS] New Version Notification for draft-wout… Ondřej Surý
- Re: [TLS] New Version Notification for draft-wout… Marsh Ray
- Re: [TLS] New Version Notification for draft-wout… Badra
- Re: [TLS] New Version Notification for draft-wout… Paul Wouters
- Re: [TLS] New Version Notification for Martin Rex
- Re: [TLS] New Version Notification for draft-wout… Badra
- Re: [TLS] New Version Notification for draft-wout… Paul Wouters