IETF Logo Mail Archive

Re: [TLS] TLS 1.3 certificate delegation?

Andy Lutomirski <luto@amacapital.net> Fri, 08 November 2013 16:37 UTC

Return-Path: <luto@amacapital.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68FF721E81AC for <tls@ietfa.amsl.com>; Fri, 8 Nov 2013 08:37:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.907
X-Spam-Level:
X-Spam-Status: No, score=-2.907 tagged_above=-999 required=5 tests=[AWL=0.070, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bIjU81Skuwv3 for <tls@ietfa.amsl.com>; Fri, 8 Nov 2013 08:37:39 -0800 (PST)
Received: from mail-ve0-f177.google.com (mail-ve0-f177.google.com [209.85.128.177]) by ietfa.amsl.com (Postfix) with ESMTP id 8328221E8183 for <tls@ietf.org>; Fri, 8 Nov 2013 08:37:27 -0800 (PST)
Received: by mail-ve0-f177.google.com with SMTP id jz11so413477veb.36 for <tls@ietf.org>; Fri, 08 Nov 2013 08:37:26 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type:content-transfer-encoding; bh=chMpFuSlmzuPq/5ad0KK/RyrApC3C959MAt4Xnwcaic=; b=VYE5A9aiVvpE0MGA6JK0iOXsGi99XDe8IkbqfzHYpuhh4DkxQTjF/2huEs63rOwWCh I2/0ECbceKKa13V2sA2xha/cTwBDbn4C9fsh2oPfTirMp0p6dJI2ZDFPwfLhYUzitaAI EkPwz+lQwMLQ/nN9P1vplq+71hEW7Ovj98VmxrBt6YBds23cz5AMqZilMC/ZQdf/B/Zu wV+SRjTNxKsk0KMDqmfgqdXXQsuH3638utRNZDOmtQYecjrbK7eP3rkdeG12bUW3MJyG r0DnmIT17+ScWkE8fV3kXqxuxrm4oyeBjazr2Ty/Qc/+VhRiUwFK2/HF9foF78ctHy5I GvzQ==
X-Gm-Message-State: ALoCoQmqPUrH6IHR9whP4CE5j2U2GMnICAG1n+Qfnrh9/DC2aV2Yvh/U2jBvcHZEFQfP8t9HTfmX
X-Received: by 10.220.10.70 with SMTP id o6mr102570vco.45.1383928646139; Fri, 08 Nov 2013 08:37:26 -0800 (PST)
MIME-Version: 1.0
Received: by 10.58.8.18 with HTTP; Fri, 8 Nov 2013 08:37:06 -0800 (PST)
In-Reply-To: <2A0EFB9C05D0164E98F19BB0AF3708C711DA7CF541@USMBX1.msg.corp.akamai.com>
References: <527CF707.2070000@secunet.com> <r422Ps-1075i-7D1B8241D4174A8BAEFBF63DCD3FADA9@Williams-MacBook-Pro.local> <2A0EFB9C05D0164E98F19BB0AF3708C711DA7CF541@USMBX1.msg.corp.akamai.com>
From: Andy Lutomirski <luto@amacapital.net>
Date: Fri, 08 Nov 2013 08:37:06 -0800
Message-ID: <CALCETrUBc+2urjCEGvpXQczu920X7knzYUW+dGd6vTAU1MQaGg@mail.gmail.com>
To: "Salz, Rich" <rsalz@akamai.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS 1.3 certificate delegation?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Nov 2013 16:37:55 -0000

On Fri, Nov 8, 2013 at 8:16 AM, Salz, Rich <rsalz@akamai.com> wrote:
>> > It is a bad idea to introduce violations of PKIX standards (RFC 5280) in TLS  1.3.
>
>> Please explain why.
>
> TLS uses certificates.  Certificates use the CA structure.  The CA structure has a particular trust model.  PKIX [dr]efines an instance of that trust model. PKIX is used throughout the Internet when X.509 certificates are used, almost exclusively.  It is hard to write trust-path code and get it right. Adding a new complexity for this one special case (even if it is a major user) makes library re-use harder, and is could well make all certificate-using software on the same computer open to buggy and/or confusing behavior.
>

This doesn't necessarily need to change the PKIX validation algorithm
at all [1].  Rather than presenting a proxy certificate, the server
could present a standard (valid according to PKIX / TLS 1.2 rules)
certificate and *separately* present a chain of public keys, each
signed by the previous one and marked with validity times, where the
first public key is signed by the server certificate and the last
public key is compatible with the key exchange algorithm.  (To keep it
simple, the allowable final key types could be limited to fixed DH
parameters and RSA/ECDSA signing keys -- there's no reason to support
traditional RSA key exchange here.)

None of this needs to be in X.509 format.  An advantage of *not* using
X.509 is that libraries can't make the mistake of asking clients to
validate these keypairs -- clients should validate the actual PKIX
certificate instead.

There's no need for revocation, OSCP stapling, or related mechanisms
-- the validity periods can be kept short enough that a validly signed
key is equivalent to a valid, fresh OCSP response.

This is a lot like how QUIC works.  I think Google got that part of
the protocol right.

Of course, the downside of this approach is that it's a much more
intrusive change in the TLS protocol (proxy certificates don't require
any protocol change except some indication from the client that it
accepts proxy certificates).

--Andy

v2.23.0 | Report a Bug | By Email