[TLS] Fwd: New Version Notification for draft-hoyland-tls-layered-exported-authenticator-00.txt

Jonathan Hoyland <jonathan.hoyland@gmail.com> Tue, 26 June 2018 13:13 UTC

Return-Path: <jonathan.hoyland@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3AE3B130DEA for <tls@ietfa.amsl.com>; Tue, 26 Jun 2018 06:13:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RPIxBKV40d8z for <tls@ietfa.amsl.com>; Tue, 26 Jun 2018 06:13:04 -0700 (PDT)
Received: from mail-ua0-x231.google.com (mail-ua0-x231.google.com [IPv6:2607:f8b0:400c:c08::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C6286130DDC for <tls@ietf.org>; Tue, 26 Jun 2018 06:13:03 -0700 (PDT)
Received: by mail-ua0-x231.google.com with SMTP id r18-v6so4880646ual.13 for <tls@ietf.org>; Tue, 26 Jun 2018 06:13:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=oIX/3p4kpmS//K+pIRAaAHQLhGOpnOP3VSNbYTErW4s=; b=RkUe3Rv+dSJLk9fiEHxLZmYH8KUzrIde8/FcJazUobxohZZtdXhwHpSbfG5N5rZbTz 0k9hrdEWhiraYr/vO6qXdu7dtrBqoMPx7sPY2qNHg8auF9JmWLkKh+BZkryyf+tcyO76 zfMb+ve3CVh1sNM8hhCYF+75WoP4docd56gl3tB4HOnI6XcgpVJJefgF4jI+mvmYbjHd C7eNFxmDs9N3OiQkivNB5ETMkvXq/P2V3MiKM1ARA0gXFgmv2BTc0ccZ2WQcsm+y274o +RXISBuVE41zB3DKqgb1RRnt1ZZPhCgnatIef4XFHYbJCP/dDtkNED4zz0VJ/42ynnDR NomA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=oIX/3p4kpmS//K+pIRAaAHQLhGOpnOP3VSNbYTErW4s=; b=YwbxXw9FblUGj7UaaxbXmRuZZJW/AWTIQRtbfKUxrjwTk2dHY3qsYGvkvmVcOnu9pJ c/oxuoYkx42vQNh84mkT014uX+g7fpUek/DNDnWTM0qw53anw8iUoxs3peIAVCpN9AFk vY8raX+ZUtjFYd7Id+26lkTKufO/wYELhdFjJDgj7sv39AHdN836dl0PBWRbq0g4GVM6 45hXxjI3WDAZerlyH6zSQKGkBsrTjcWJhvv/XvjZWgYmgRQ3txToHADekWU8UVHIfUO5 xsxMIxdafCuSrN7kPNNoTxDU8DYEJ3X/1sR7JQW51tKCaZsVg7olyllA8rmo5GF0dgIz iA1w==
X-Gm-Message-State: APt69E0n5QPxlkiKAPHm8BHuucNbigOmlhdz1adjz4+2ubGq7enuEIzx BCmRAbYK8NHGMAtzGevDZZgo1+UmLej/Pf0tvDBylg==
X-Google-Smtp-Source: AAOMgpcoffCzwOHCvaXcfTX+PgOqHgIZjUlCh96pfrV6By5wG8t3K3839p2bQP5LgN60Q/M4TGyEzhPZSr0s8SPUgCM=
X-Received: by 2002:ab0:7024:: with SMTP id u4-v6mr914782ual.133.1530018782516; Tue, 26 Jun 2018 06:13:02 -0700 (PDT)
MIME-Version: 1.0
References: <152993630059.6328.10244287867966594513.idtracker@ietfa.amsl.com>
In-Reply-To: <152993630059.6328.10244287867966594513.idtracker@ietfa.amsl.com>
From: Jonathan Hoyland <jonathan.hoyland@gmail.com>
Date: Tue, 26 Jun 2018 14:12:50 +0100
Message-ID: <CACykbs0EY_xsO7w9c=i7r9fxz2MzRGrSEu7gNS0xQT0Gy4CNAQ@mail.gmail.com>
To: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000081bce056f8b429d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/flC-wzlxwK9zlglrVlDI_51Kr1U>
Subject: [TLS] Fwd: New Version Notification for draft-hoyland-tls-layered-exported-authenticator-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Jun 2018 13:13:11 -0000

Hi everyone,

The draft below details an extension for Exported Authenticators (EAs) that
allows multiple EAs sent in the same TLS session to be linked into an
authentication chain using backward references.
This gives a form of joint authentication between EAs.

This means that not only does an EA provide authentication of the
certificate it contains, an EA using this extension also authenticates all
previous EAs in its chain.
In short, if the last EA in the chain is authentic then all the EAs in that
chain are authentic. (Or alternatively, if any EA in a chain is authentic,
then all prior EAs are authentic.)

This could be used for things like securely updating pinned keys.
If this mechanism were in use it would require an attacker who was trying
to maliciously update the pinned key to compromise both the pinned
certificate's LTK and acquire an improperly issued certificate from the
PKI.
This would require compromising two separate administrative domains.

Other use cases and a description of the mechanism appear in the draft.

I'd really appreciate any feedback on the design, use cases, and the draft
in general.

Thanks,

Jonathan Hoyland

---------- Forwarded message ---------
From: <internet-drafts@ietf.org>;
Date: Mon, 25 Jun 2018 at 15:18
Subject: New Version Notification for
draft-hoyland-tls-layered-exported-authenticator-00.txt
To: Jonathan Hoyland <jonathan.hoyland@gmail.com>;



A new version of I-D,
draft-hoyland-tls-layered-exported-authenticator-00.txt
has been successfully submitted by Jonathan Hoyland and posted to the
IETF repository.

Name:           draft-hoyland-tls-layered-exported-authenticator
Revision:       00
Title:          Layered Exported Authenticators in TLS
Document date:  2018-06-25
Group:          Individual Submission
Pages:          5
URL:
https://www.ietf.org/internet-drafts/draft-hoyland-tls-layered-exported-authenticator-00.txt
Status:
https://datatracker.ietf.org/doc/draft-hoyland-tls-layered-exported-authenticator/
Htmlized:
https://tools.ietf.org/html/draft-hoyland-tls-layered-exported-authenticator-00
Htmlized:
https://datatracker.ietf.org/doc/html/draft-hoyland-tls-layered-exported-authenticator


Abstract:
   This document describes an extension that allows for Exported
   Authenticators (EAs) to authenticate each other.  The extension
   includes a reference to a previous EA.  An EA containing this
   extension constitues an attestation of the authenticity of the
   referenced EA.




Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat