Re: [TLS] TLS 1.3 certificate delegation?

Andy Lutomirski <luto@amacapital.net> Fri, 08 November 2013 17:33 UTC

From: Andy Lutomirski <luto@amacapital.net>
Date: Fri, 08 Nov 2013 09:33:02 -0800
Message-ID: <CALCETrUtFqKZ9krQTdmL-rfdcAAS0fik5seJdMGG1GD7VU0rNA@mail.gmail.com>
To: "Salz, Rich" <rsalz@akamai.com>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS 1.3 certificate delegation?

On Fri, Nov 8, 2013 at 8:45 AM, Salz, Rich <rsalz@akamai.com> wrote:
>> Rather than presenting a proxy certificate, the server could present a standard (valid according to PKIX / TLS 1.2 rules) certificate and *separately* present a chain of public keys, ... None of this needs to be in X.509 format.
>
> I'm curious what this new and different but similar structure would be like. And whether the intended use of this stuff justifies the complexity and creation of all this new stuff, or breaking PKIX compatibility.

A little like the server config mechanism here:

https://docs.google.com/document/d/1g5nIXAIkN_Y-7XJW5K45IblHd_L2f5LTaDUDwvZ5L6g/edit