IETF Logo Mail Archive

Re: [TLS] I-D Action: draft-ietf-tls-subcerts-10.txt

Daniel Migault <mglt.ietf@gmail.com> Mon, 01 February 2021 13:42 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4976E3A117B for <tls@ietfa.amsl.com>; Mon, 1 Feb 2021 05:42:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sHhI71IFrs82 for <tls@ietfa.amsl.com>; Mon, 1 Feb 2021 05:42:02 -0800 (PST)
Received: from mail-ua1-x92c.google.com (mail-ua1-x92c.google.com [IPv6:2607:f8b0:4864:20::92c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 37F7F3A117C for <tls@ietf.org>; Mon, 1 Feb 2021 05:42:02 -0800 (PST)
Received: by mail-ua1-x92c.google.com with SMTP id u27so5883753uaa.13 for <tls@ietf.org>; Mon, 01 Feb 2021 05:42:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=19AsugZL94WQkOfDYt1CAICOWITk7zD+8iUo2wuG4WA=; b=c2xC9acUlDDL+9F3HKbigl2BLCmtkOSy1mT6df0yeBHFsb3WhsS1GMjTUgTKB0G1CO MDR/IqZzlUXViT2+2hqBpdsZKmPhEczVkjVSt8EIOgSC19hzxhlJrdamye/iJNfD4s4R Vo/SWVvAWFkTr483pOfNEbGEdRsreMir4cwyxnafFploYI8fj8aK9q1CQ4iKjkcn2E3X iofgom2U7QBWqsxFpD0KVgsXSZuJRtgeqX0y7TIkE1zsTTOrUs4EHZGiNAX+PJK20O1A 28DGUaXbQUN0Sa+q20JYBJFbRVUobp6sBLdXhFDG+5e1PSXb5qDc1cLT1gQuvmLdXd8i RWuw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=19AsugZL94WQkOfDYt1CAICOWITk7zD+8iUo2wuG4WA=; b=Ifj/Mby0iIWy3LvOGjKY4DwQgyG0kTANR7fFMHTpxklg4Ha6ntB40rGqc2C1D0nb4I tC80NaGvripY1f+M5mpc1phbv5oIybKY8NJxSYDd6sddrnpS0Mr7D3dw9G1HjZ0AH7NH a3030HRuDrTQIn74Nt34bQEyyeKKXf/BH1oGipyjR+Wa7T9Yk1IMSKaVt5gtCj6ugIQb qCckL66SkBbDtf8krM5xz4FC4p1AqE7VungIRYvTFBP6I5g8uYBxjIwfVfgccEWxnEoG af/Y4K5anDZcMTlXDqm4LcDAw+ETgSje2uniVWaGcM9sak7K7oFdD7ayEyMm6KXWV6cE HTQw==
X-Gm-Message-State: AOAM530Q5qNIbxbRhNmFQvVLpSniFPn7xdt3hz2hsmLomPozCXgonP1N QoTX9643vOz1RZTTWyH7+QwOTS4LhMOf4QMJh8ZgY4hPwLg=
X-Google-Smtp-Source: ABdhPJxyWpnDa0CvEp/a5HtysnEgeUsAzSUrmWaFKFGpMmFxvB8fcr/jktsDH0P9sSPgT0yimGR+lSPoxEBimusY8Vw=
X-Received: by 2002:ab0:40c3:: with SMTP id i61mr8691285uad.80.1612186921093; Mon, 01 Feb 2021 05:42:01 -0800 (PST)
MIME-Version: 1.0
References: <161152940146.13632.832237048620145771@ietfa.amsl.com> <DCAE7E47-90AF-4729-B5D1-949ADBBF2B39@vigilsec.com> <B812F7AC-8E59-406E-9A54-A3EACFCD4F8D@sn3rd.com>
In-Reply-To: <B812F7AC-8E59-406E-9A54-A3EACFCD4F8D@sn3rd.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Mon, 01 Feb 2021 08:41:49 -0500
Message-ID: <CADZyTknAFTiKdqft9EBtHxm=i28B_gdwRWdxb-oR82nqMu64MA@mail.gmail.com>
To: Sean Turner <sean@sn3rd.com>
Cc: Russ Housley <housley@vigilsec.com>, TLS List <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000be53ec05ba468408"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/WXCm8kA3cPeLs2e4WHSwVIXanrk>
Subject: Re: [TLS] I-D Action: draft-ietf-tls-subcerts-10.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Feb 2021 13:42:04 -0000

Hi,

It is unclear to me if the current version is expected to address the
comments received during the WGLCs or if further versions are expected.
Just to clarify the current version does not address my comments concerning
the related work section [1].

Yours,
Daniel

[1] https://mailarchive.ietf.org/arch/msg/tls/B7qc2sPH_d9Tfr-W7vnf24jiGds/

On Sun, Jan 31, 2021 at 11:59 PM Sean Turner <sean@sn3rd.com> wrote:

> Do you think this would be clearer:
>
>   The maximum validity period is set to 7 days unless
>   an application profile standard specifies a shorter
>   period.
>
> spt
>
> > On Jan 25, 2021, at 11:14, Russ Housley <housley@vigilsec.com> wrote:
> >
> > I have reviewed the recent update, and I notice one inconsistency.
> >
> > Section 2 says:
> >
> >   In the absence of an application profile standard
> >   specifying otherwise, the maximum validity period is set to 7 days.
> >
> > Section 4.1.3 says:
> >
> >   1.  Validate that DelegatedCredential.cred.valid_time is no more than
> >       7 days.
> >
> > I think that Section 2 is trying to say that an application profile can
> make it even shorter than 7 days, but on my first reading I got the
> opposite.
> >
> > Russ
> >
> >
> >> On Jan 24, 2021, at 6:03 PM, internet-drafts@ietf.org wrote:
> >>
> >>
> >> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> >> This draft is a work item of the Transport Layer Security WG of the
> IETF.
> >>
> >>       Title           : Delegated Credentials for TLS
> >>       Authors         : Richard Barnes
> >>                         Subodh Iyengar
> >>                         Nick Sullivan
> >>                         Eric Rescorla
> >>      Filename        : draft-ietf-tls-subcerts-10.txt
> >>      Pages           : 19
> >>      Date            : 2021-01-24
> >>
> >> Abstract:
> >>  The organizational separation between the operator of a TLS endpoint
> >>  and the certification authority can create limitations.  For example,
> >>  the lifetime of certificates, how they may be used, and the
> >>  algorithms they support are ultimately determined by the
> >>  certification authority.  This document describes a mechanism by
> >>  which operators may delegate their own credentials for use in TLS,
> >>  without breaking compatibility with peers that do not support this
> >>  specification.
> >>
> >>
> >> The IETF datatracker status page for this draft is:
> >> https://datatracker.ietf.org/doc/draft-ietf-tls-subcerts/
> >>
> >> There are also htmlized versions available at:
> >> https://tools.ietf.org/html/draft-ietf-tls-subcerts-10
> >> https://datatracker.ietf.org/doc/html/draft-ietf-tls-subcerts-10
> >>
> >> A diff from the previous version is available at:
> >> https://www.ietf.org/rfcdiff?url2=draft-ietf-tls-subcerts-10
> >>
> >>
> >> Please note that it may take a couple of minutes from the time of
> submission
> >> until the htmlized version and diff are available at tools.ietf.org.
> >>
> >> Internet-Drafts are also available by anonymous FTP at:
> >> ftp://ftp.ietf.org/internet-drafts/
> >>
> >>
> >> _______________________________________________
> >> TLS mailing list
> >> TLS@ietf.org
> >> https://www.ietf.org/mailman/listinfo/tls
> >
> > _______________________________________________
> > TLS mailing list
> > TLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/tls
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>


-- 
Daniel Migault
Ericsson

v2.23.0 | Report a Bug | By Email