Re: [TLS] [Lurk] WG Call for adoption of draft-rescorla-tls-subcerts

Subodh Iyengar <subodh@fb.com> Thu, 13 April 2017 00:22 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/YCbXDBORbYQtgmGEOqoX50qlJH8>

+1 for adoption

@Russ there's some discussion about comparison with proxy certs in the current draft.

Subodh

________________________________
From: TLS <tls-bounces@ietf.org> on behalf of Russ Housley <housley@vigilsec.com>
Sent: Wednesday, April 12, 2017 2:37:28 PM
To: IETF TLS; IETF LURK
Subject: Re: [TLS] [Lurk] WG Call for adoption of draft-rescorla-tls-subcerts

On Wed, Apr 12, 2017 at 12:31 PM, Sean Turner <sean@sn3rd.com> wrote:
All,

At our IETF 98 session, there was support in the room to adopt draft-rescorla-tls-subcerts [0].  We need to confirm this support on the list so please let the list know whether you support adoption of the draft and are willing to review/comment on the draft before 20170429.  If you object to its adoption, please let us know why.

Clearly, the WG is going to need to work through the trade-offs between short-lived certificates and sub-certs because both seem, to some, to be addressing the same problem.

Cheers,

J&S

[0] https://datatracker.ietf.org/doc/html/draft-rescorla-tls-subcerts

I want to see a solution to this problem, but I think we should look at RFC 3820, X.509 Proxy Certificate Profile.  I know that this was implemented, but I do not know if it is still in use.

Russ