Re: [TLS] OPTLS: Signature-less TLS 1.3

Daniel Kahn Gillmor <> Sun, 09 November 2014 07:01 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id F2ED51A19FB for <>; Sat, 8 Nov 2014 23:01:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id sA9dty9TCqyN for <>; Sat, 8 Nov 2014 23:01:06 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 403831A19EB for <>; Sat, 8 Nov 2014 23:01:06 -0800 (PST)
Received: from (unknown []) by (Postfix) with ESMTPSA id B3706F991 for <>; Sun, 9 Nov 2014 02:01:03 -0500 (EST)
Received: by (Postfix, from userid 1000) id 6017120087; Sat, 8 Nov 2014 10:20:42 -0500 (EST)
From: Daniel Kahn Gillmor <>
In-Reply-To: <>
References: <> <> <> <>
User-Agent: Notmuch/0.18.2 ( Emacs/24.4.1 (x86_64-pc-linux-gnu)
Date: Sat, 08 Nov 2014 10:20:38 -0500
Message-ID: <>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Subject: Re: [TLS] OPTLS: Signature-less TLS 1.3
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 09 Nov 2014 07:01:09 -0000

On Fri 2014-11-07 01:21:26 -0500, Andy Lutomirski wrote:

> If I buy a cert for *.my.domain, I want to be able to provision
> with some secret that lets it act as but
> not  Since the PKIX people seem to be completely unable
> to address this, pinning DH shares to a domain would solve the problem
> without involving any PKIX changes.

If we could provide this, it could be a very interesting operational win
in the context of expensive/cumbersome CAs and medium-sized
organizations with many services (internal and external).

It would effectively allow a wildcard cert for a given domain to act as
a domain-constained sub-CA, without getting into the X.509 weeds about
domain constraints.  The secret key material corresponding to the
wildcard cert could be kept offline, and used to issue medium-term DH
shares that are distributed to each service.

Unfortunately, i don't see a way to deploy this effectively without
putting the secret key material associated with the wildcard cert online
for each service that needs to support legacy clients, which would make
the security advantage moot.