Re: [TLS] Delegated Credentials in Client certificates

Subodh Iyengar <subodh@fb.com> Mon, 08 July 2019 20:43 UTC

Return-Path: <prvs=20928e2dfd=subodh@fb.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DDE4C1202BD for <tls@ietfa.amsl.com>; Mon, 8 Jul 2019 13:43:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fb.com header.b=Sz1eDzUd; dkim=pass (1024-bit key) header.d=fb.onmicrosoft.com header.b=jkpvTaZF
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mk1S41PN3mBN for <tls@ietfa.amsl.com>; Mon, 8 Jul 2019 13:43:58 -0700 (PDT)
Received: from mx0a-00082601.pphosted.com (mx0a-00082601.pphosted.com [67.231.145.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 33BFB1202D5 for <tls@ietf.org>; Mon, 8 Jul 2019 13:43:56 -0700 (PDT)
Received: from pps.filterd (m0044012.ppops.net [127.0.0.1]) by mx0a-00082601.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x68Ke14h010015; Mon, 8 Jul 2019 13:43:53 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fb.com; h=from : to : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=facebook; bh=PmljSxFDkdaGzc0s7ql4QbQwcm+jK+c14ykSe4LsoNA=; b=Sz1eDzUdJtaROrbsppPxdjblmUZhRpgQpVJkpL9pIEG5X4E4sgagnC6QrcYTJOAg5Rxo TfiEnYKbaypPzgaqvKPV2uJ8hjkkdfo2chHvFDVZLVXWMuptK4VMSA8Dz1dIio5uXgrQ //wZu3rIKVQeavHuZK0OvD+VoNUYBWPc2s4=
Received: from mail.thefacebook.com (mailout.thefacebook.com [199.201.64.23]) by mx0a-00082601.pphosted.com with ESMTP id 2tmb6ngf0h-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Mon, 08 Jul 2019 13:43:53 -0700
Received: from prn-hub05.TheFacebook.com (2620:10d:c081:35::129) by prn-hub05.TheFacebook.com (2620:10d:c081:35::129) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.1.1713.5; Mon, 8 Jul 2019 13:43:52 -0700
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (192.168.54.28) by o365-in.thefacebook.com (192.168.16.29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.1.1713.5 via Frontend Transport; Mon, 8 Jul 2019 13:43:52 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fb.onmicrosoft.com; s=selector1-fb-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=PmljSxFDkdaGzc0s7ql4QbQwcm+jK+c14ykSe4LsoNA=; b=jkpvTaZFRmqZ0Jvy6A9oMwqkoBnql4cn8nZDwTjaU9Sa0iF5+hr72lbpzZuXuFW7r4f0iySdLZ0TlseFZGYxU8b9TgDmiQYpTsmW4MjK6m/XoQI96w2FAhO23TJPqu0fcX9/Lz802kIByCOkqqtt6bQHFfsXcn/TMRjf1IAWO1w=
Received: from MWHPR15MB1821.namprd15.prod.outlook.com (10.174.255.137) by MWHPR15MB1677.namprd15.prod.outlook.com (10.175.135.150) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2052.20; Mon, 8 Jul 2019 20:43:51 +0000
Received: from MWHPR15MB1821.namprd15.prod.outlook.com ([fe80::6529:3f82:1bc3:7e68]) by MWHPR15MB1821.namprd15.prod.outlook.com ([fe80::6529:3f82:1bc3:7e68%5]) with mapi id 15.20.2052.020; Mon, 8 Jul 2019 20:43:51 +0000
From: Subodh Iyengar <subodh@fb.com>
To: Nick Sullivan <nick=40cloudflare.com@dmarc.ietf.org>, "<tls@ietf.org>" <tls@ietf.org>
Thread-Topic: [TLS] Delegated Credentials in Client certificates
Thread-Index: AQHVNcnTwh8NH4CWLk6hDOnEPqmdZqbBLwnq
Date: Mon, 8 Jul 2019 20:43:50 +0000
Message-ID: <MWHPR15MB1821D118DF017EA5776231DBB6F60@MWHPR15MB1821.namprd15.prod.outlook.com>
References: <CAFDDyk-+HVz21TdSEkxo0igHVFgXU9iQT6_wm6GOJ_ZF2n9SqA@mail.gmail.com>
In-Reply-To: <CAFDDyk-+HVz21TdSEkxo0igHVFgXU9iQT6_wm6GOJ_ZF2n9SqA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2620:10d:c090:180::1:bb3]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: f6358210-df74-4f60-3618-08d703e4fc04
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:MWHPR15MB1677;
x-ms-traffictypediagnostic: MWHPR15MB1677:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <MWHPR15MB1677920125F8DC26D09E076CB6F60@MWHPR15MB1677.namprd15.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 00922518D8
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(346002)(39860400002)(136003)(396003)(366004)(376002)(189003)(199004)(14454004)(19627405001)(110136005)(54896002)(6306002)(33656002)(76176011)(102836004)(476003)(446003)(5660300002)(11346002)(6506007)(71190400001)(486006)(9686003)(68736007)(81156014)(81166006)(236005)(8676002)(53546011)(46003)(52536014)(8936002)(186003)(256004)(71200400001)(6436002)(66446008)(66556008)(76116006)(66946007)(73956011)(66476007)(64756008)(7736002)(478600001)(966005)(74316002)(55016002)(606006)(53936002)(6606003)(2906002)(99286004)(316002)(6246003)(86362001)(25786009)(7696005)(229853002)(6116002)(491001); DIR:OUT; SFP:1102; SCL:1; SRVR:MWHPR15MB1677; H:MWHPR15MB1821.namprd15.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: fb.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: 1XFxo3PenOuSwoD29EWRzFregbJJdllZPxxiawJyYQ3UNPNKJh1kFKlEvZG97hCWDCHSi8zxG8RzrproPG09rourZHlr7FaG/bVej/XddErh5XtybtGxuMCJuSP3C+0UJ5C9RMBCS+2PPIpms2+JN8XH4Og+iHJdiS8pJCSjkuraOZIsXmMzY1O1QDhnjmEMzYVf19rEM1EgRst8TP7h1BsRHEv1Aim8jQrURgVBpNue/aIz8qBIZyDhbdHyCxaVgFPkARL9LODnZ8Klkx7Fd8YV338lZYygzLOUjqXBiTF1m6ulKiGXJZYCwyyXtnsBGepifJM2QHEYPTwYIXbKcE9OrWjLRlxl2tWM1dkHJC4z0pIVZNaMDIPKZgr5KGwpOdPAII2cdfoXSq0OHqev9Mht0jj66rN1udjWo/ZNjTs=
Content-Type: multipart/alternative; boundary="_000_MWHPR15MB1821D118DF017EA5776231DBB6F60MWHPR15MB1821namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: f6358210-df74-4f60-3618-08d703e4fc04
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Jul 2019 20:43:51.0014 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 8ae927fe-1255-47a7-a2af-5f3a069daaa2
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: subodh@fb.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR15MB1677
X-OriginatorOrg: fb.com
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-07-08_07:, , signatures=0
X-Proofpoint-Spam-Details: rule=fb_default_notspam policy=fb_default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1907080258
X-FB-Internal: deliver
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/fuIopIuXglqn1Xt0_6MNHfIwuX4>
Subject: Re: [TLS] Delegated Credentials in Client certificates
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Jul 2019 20:44:08 -0000

Thanks for writing this up Nick. I support this change.


I think one interesting addition to this PR might be a discussion of what could happen if you use the same DC as both a client and server. I suspect this is what a lot of people might do in a datacenter environment and that this is safe (because of the signature context), but it might push people to think a little more about this topic.


Subodh

________________________________
From: TLS <tls-bounces@ietf.org> on behalf of Nick Sullivan <nick=40cloudflare.com@dmarc.ietf.org>
Sent: Monday, July 8, 2019 1:12:00 PM
To: <tls@ietf.org>
Subject: [TLS] Delegated Credentials in Client certificates

Hello TLSWG,

At previous meetings (and I think on the list?) there were requests to extend the Delegated Credentials in TLS (https://tools.ietf.org/html/draft-ietf-tls-subcerts<https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_draft-2Dietf-2Dtls-2Dsubcerts&d=DwMFaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=h3Ju9EBS7mHtwg-wAyN7fQ&m=2En5MlxcuSVkUcdv-V3gl1tBRBHEnwnmqugYvcNHhXA&s=6pCxlMzaZH8kPJEO6f8Q7ejHHoO96zi621e_qbVvigo&e=>) draft to support client certificates. This turns out to be a pretty minor change to the document. I've put up a PR:

https://github.com/tlswg/tls-subcerts/pull/26/files/a502f3055c3eefe59a4b36642cd062267ac0fff7

Let me know if there is opposition to this change. I'm planning on submitting -04 later today.

Nick