Re: [TLS] TLS 1.3 certificate delegation?
Andy Lutomirski <luto@amacapital.net> Fri, 08 November 2013 16:37 UTC
Return-Path: <luto@amacapital.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68FF721E81AC for <tls@ietfa.amsl.com>; Fri, 8 Nov 2013 08:37:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.907
X-Spam-Level:
X-Spam-Status: No, score=-2.907 tagged_above=-999 required=5 tests=[AWL=0.070, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bIjU81Skuwv3 for <tls@ietfa.amsl.com>; Fri, 8 Nov 2013 08:37:39 -0800 (PST)
Received: from mail-ve0-f177.google.com (mail-ve0-f177.google.com [209.85.128.177]) by ietfa.amsl.com (Postfix) with ESMTP id 8328221E8183 for <tls@ietf.org>; Fri, 8 Nov 2013 08:37:27 -0800 (PST)
Received: by mail-ve0-f177.google.com with SMTP id jz11so413477veb.36 for <tls@ietf.org>; Fri, 08 Nov 2013 08:37:26 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type:content-transfer-encoding; bh=chMpFuSlmzuPq/5ad0KK/RyrApC3C959MAt4Xnwcaic=; b=VYE5A9aiVvpE0MGA6JK0iOXsGi99XDe8IkbqfzHYpuhh4DkxQTjF/2huEs63rOwWCh I2/0ECbceKKa13V2sA2xha/cTwBDbn4C9fsh2oPfTirMp0p6dJI2ZDFPwfLhYUzitaAI EkPwz+lQwMLQ/nN9P1vplq+71hEW7Ovj98VmxrBt6YBds23cz5AMqZilMC/ZQdf/B/Zu wV+SRjTNxKsk0KMDqmfgqdXXQsuH3638utRNZDOmtQYecjrbK7eP3rkdeG12bUW3MJyG r0DnmIT17+ScWkE8fV3kXqxuxrm4oyeBjazr2Ty/Qc/+VhRiUwFK2/HF9foF78ctHy5I GvzQ==
X-Gm-Message-State: ALoCoQmqPUrH6IHR9whP4CE5j2U2GMnICAG1n+Qfnrh9/DC2aV2Yvh/U2jBvcHZEFQfP8t9HTfmX
X-Received: by 10.220.10.70 with SMTP id o6mr102570vco.45.1383928646139; Fri, 08 Nov 2013 08:37:26 -0800 (PST)
MIME-Version: 1.0
Received: by 10.58.8.18 with HTTP; Fri, 8 Nov 2013 08:37:06 -0800 (PST)
In-Reply-To: <2A0EFB9C05D0164E98F19BB0AF3708C711DA7CF541@USMBX1.msg.corp.akamai.com>
References: <527CF707.2070000@secunet.com> <r422Ps-1075i-7D1B8241D4174A8BAEFBF63DCD3FADA9@Williams-MacBook-Pro.local> <2A0EFB9C05D0164E98F19BB0AF3708C711DA7CF541@USMBX1.msg.corp.akamai.com>
From: Andy Lutomirski <luto@amacapital.net>
Date: Fri, 08 Nov 2013 08:37:06 -0800
Message-ID: <CALCETrUBc+2urjCEGvpXQczu920X7knzYUW+dGd6vTAU1MQaGg@mail.gmail.com>
To: "Salz, Rich" <rsalz@akamai.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS 1.3 certificate delegation?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Nov 2013 16:37:55 -0000
On Fri, Nov 8, 2013 at 8:16 AM, Salz, Rich <rsalz@akamai.com> wrote: >> > It is a bad idea to introduce violations of PKIX standards (RFC 5280) in TLS 1.3. > >> Please explain why. > > TLS uses certificates. Certificates use the CA structure. The CA structure has a particular trust model. PKIX [dr]efines an instance of that trust model. PKIX is used throughout the Internet when X.509 certificates are used, almost exclusively. It is hard to write trust-path code and get it right. Adding a new complexity for this one special case (even if it is a major user) makes library re-use harder, and is could well make all certificate-using software on the same computer open to buggy and/or confusing behavior. > This doesn't necessarily need to change the PKIX validation algorithm at all [1]. Rather than presenting a proxy certificate, the server could present a standard (valid according to PKIX / TLS 1.2 rules) certificate and *separately* present a chain of public keys, each signed by the previous one and marked with validity times, where the first public key is signed by the server certificate and the last public key is compatible with the key exchange algorithm. (To keep it simple, the allowable final key types could be limited to fixed DH parameters and RSA/ECDSA signing keys -- there's no reason to support traditional RSA key exchange here.) None of this needs to be in X.509 format. An advantage of *not* using X.509 is that libraries can't make the mistake of asking clients to validate these keypairs -- clients should validate the actual PKIX certificate instead. There's no need for revocation, OSCP stapling, or related mechanisms -- the validity periods can be kept short enough that a validly signed key is equivalent to a valid, fresh OCSP response. This is a lot like how QUIC works. I think Google got that part of the protocol right. Of course, the downside of this approach is that it's a much more intrusive change in the TLS protocol (proxy certificates don't require any protocol change except some indication from the client that it accepts proxy certificates). --Andy
- Re: [TLS] TLS 1.3 certificate delegation? Martin Rex
- Re: [TLS] TLS 1.3 certificate delegation? Martin Rex
- Re: [TLS] TLS 1.3 certificate delegation? Andy Lutomirski
- Re: [TLS] TLS 1.3 certificate delegation? Carl Wallace
- [TLS] TLS 1.3 certificate delegation? Andy Lutomirski
- Re: [TLS] TLS 1.3 certificate delegation? Carl Wallace
- Re: [TLS] TLS 1.3 certificate delegation? Andy Lutomirski
- Re: [TLS] TLS 1.3 certificate delegation? Carl Wallace
- Re: [TLS] TLS 1.3 certificate delegation? Andy Lutomirski
- Re: [TLS] TLS 1.3 certificate delegation? Johannes Merkle
- Re: [TLS] TLS 1.3 certificate delegation? Johannes Merkle
- Re: [TLS] TLS 1.3 certificate delegation? Bill Frantz
- Re: [TLS] TLS 1.3 certificate delegation? Salz, Rich
- Re: [TLS] TLS 1.3 certificate delegation? Martin Rex
- Re: [TLS] TLS 1.3 certificate delegation? Andy Lutomirski
- Re: [TLS] TLS 1.3 certificate delegation? Salz, Rich
- Re: [TLS] TLS 1.3 certificate delegation? Martin Rex
- Re: [TLS] TLS 1.3 certificate delegation? Johannes Merkle
- Re: [TLS] TLS 1.3 certificate delegation? Johannes Merkle
- Re: [TLS] TLS 1.3 certificate delegation? Andy Lutomirski
- Re: [TLS] TLS 1.3 certificate delegation? Andy Lutomirski
- Re: [TLS] TLS 1.3 certificate delegation? Michael D'Errico
- Re: [TLS] TLS 1.3 certificate delegation? Rob Stradling
- Re: [TLS] TLS 1.3 certificate delegation? Andy Lutomirski
- Re: [TLS] TLS 1.3 certificate delegation? Peter Sylvester
- Re: [TLS] TLS 1.3 certificate delegation? Martin Rex
- Re: [TLS] TLS 1.3 certificate delegation? Peter Sylvester