[TLS] Maximum lifetime for Delegated Credentials
Nick Sullivan <nick@cloudflare.com> Thu, 21 November 2019 03:17 UTC
Return-Path: <nick@cloudflare.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39EA7120929 for <tls@ietfa.amsl.com>; Wed, 20 Nov 2019 19:17:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ajya5IT5iX8j for <tls@ietfa.amsl.com>; Wed, 20 Nov 2019 19:17:51 -0800 (PST)
Received: from mail-vk1-xa2c.google.com (mail-vk1-xa2c.google.com [IPv6:2607:f8b0:4864:20::a2c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7CD8C12022D for <tls@ietf.org>; Wed, 20 Nov 2019 19:17:51 -0800 (PST)
Received: by mail-vk1-xa2c.google.com with SMTP id t184so390307vka.1 for <tls@ietf.org>; Wed, 20 Nov 2019 19:17:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:from:date:message-id:subject:to; bh=6mxGfSabBegaVY8iPZ1oq/M5W/uRRRlMwB9eiW8ruqM=; b=VrMdReydm4KJ5mbAyJ7Wp8C/figKGcSi1OL53xuPIh3Pn+T3FQiVXQKmIyi3C7/+SK elIZSscktcrCw4YDe0TIK87wL3fPHyl5L7+S1kIY5gM6n4JR2byCJdVKBt0UHPGqSHVk /KEUb4TX+H9s3VjP8RL71rAVH2gDQTLrKEz0o=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=6mxGfSabBegaVY8iPZ1oq/M5W/uRRRlMwB9eiW8ruqM=; b=Y5DFLI/wcpJPr9JhUnuWNeFhqHI8YlqMDDOoL/udJxPltWCRY/aDMcM1UO7CtLwGRJ cmT99imC/xWbk9hHRqioxgsCZ0nu7ZDuGLUIXsAkdH+Wa8eqgtTIvQ7ZIEa7PWA/kVde tncLSEzickEKqcjQmfNO15HD8kalLkTNcf2fHkgjq5oYtNWT6xGrOVY8k80TaIUyrUZb aBHqOl0gR+2fWeeEmvQx5B8hNL95KhPecfSQbpQYqe2V6ngiQZr2MtQtQzZ9E+kKKimQ yCNkw2kFXKOnuIB3JXQ8SRNELSSBpK1B99BjwUD0yflo2pJ1hc8V0rowCdgIV6F0p31D UKEQ==
X-Gm-Message-State: APjAAAXLGmckKxGLh3hRhB0m2EheliPHIhEfoHq7+1Vm5laurYpbA7Ni Q0FRWTEb/2ca5Ysj7cohe3cYTzRfm9EbRII4poeNblc20vBsC6f9
X-Google-Smtp-Source: APXvYqx5FmSlRWIhJMpCyQicscPpxcvvAC8yJFVr3CWPAEUap4wsLDjAuowscTY8x8BkUAVfEeH5EuO0UcbHsRy+Log=
X-Received: by 2002:a1f:a357:: with SMTP id m84mr4032221vke.55.1574306269900; Wed, 20 Nov 2019 19:17:49 -0800 (PST)
MIME-Version: 1.0
From: Nick Sullivan <nick@cloudflare.com>
Date: Thu, 21 Nov 2019 11:17:33 +0800
Message-ID: <CAFDDyk9CuvqSK68dABZi0asuRZVYyZvfyM1te2-GFNWF-WwB8w@mail.gmail.com>
To: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000fc65f50597d2bdca"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/TvFQa7bphzUhG1XvqnXcHorepwE>
Subject: [TLS] Maximum lifetime for Delegated Credentials
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Nov 2019 03:17:54 -0000
tlswg, At IETF 106, Hannes Tschofenig suggested that there are use cases in which longer-lived delegated credentials are useful. The idea is to allows the 7-day default to be overridden in the presence of an application profile. This is similar to what is allowed in TLS for MTI cipher suites. Here's the PR: https://github.com/tlswg/tls-subcerts/pull/45 Comments welcome, Nick
- [TLS] Maximum lifetime for Delegated Credentials Nick Sullivan
- Re: [TLS] Maximum lifetime for Delegated Credenti… Martin Thomson