IETF Logo Mail Archive

Re: [TLS] Update on Origin-Bound Certificates: Now called "Channel ID"

Nikos Mavrogiannopoulos <nmav@gnutls.org> Thu, 08 November 2012 22:04 UTC

Return-Path: <n.mavrogiannopoulos@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A72E21F88B4 for <tls@ietfa.amsl.com>; Thu, 8 Nov 2012 14:04:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wZPdNCxLsdPH for <tls@ietfa.amsl.com>; Thu, 8 Nov 2012 14:04:42 -0800 (PST)
Received: from mail-wg0-f44.google.com (mail-wg0-f44.google.com [74.125.82.44]) by ietfa.amsl.com (Postfix) with ESMTP id C4CBF21F8883 for <tls@ietf.org>; Thu, 8 Nov 2012 14:04:41 -0800 (PST)
Received: by mail-wg0-f44.google.com with SMTP id dr13so1493162wgb.13 for <tls@ietf.org>; Thu, 08 Nov 2012 14:04:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=sender:message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:x-enigmail-version:openpgp:content-type :content-transfer-encoding; bh=uW3AiOGiYLF3GucsQHvmQ6oUKUjj5TynrZAaDuVvMJo=; b=E/abpOTwvdywUqAg9nbSl6qG0p2pbQz1UUFob7kgKEWO7II0mD+Bzr6m8omoHDqj9O cXFu55mm+H6SCrEkpKDcYoZev2H8ftDepS4WRv8zbOsGugXn3WDezIW08yq97Y/Ciyd3 beP8SEc609QNbgicwWFqJRekUWTZtn4dThJpbNcVxN3a2z8jGzVWk/6HnpTqciOsmrYy Xoy71EBaFoXckiQnGqmh7Lcsl8Yin3jcEW2HS8t6muQvvLbpdnbiqCadCNJi8w4bOR6k WDqI8mqW0LJ0NCLmnh8g4dda8rRy2ysd3UpwA94oDl/0d59yyhniZWYiEHeG0Y6KfuW4 /m5w==
Received: by 10.180.77.38 with SMTP id p6mr15847298wiw.1.1352412280970; Thu, 08 Nov 2012 14:04:40 -0800 (PST)
Received: from [10.100.2.17] (94-224-100-5.access.telenet.be. [94.224.100.5]) by mx.google.com with ESMTPS id i6sm288932wix.5.2012.11.08.14.04.39 (version=SSLv3 cipher=OTHER); Thu, 08 Nov 2012 14:04:40 -0800 (PST)
Sender: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Message-ID: <509C2C71.8070100@gnutls.org>
Date: Thu, 08 Nov 2012 23:04:33 +0100
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.6esrpre) Gecko/20120805 Icedove/10.0.6
MIME-Version: 1.0
To: Dirk Balfanz <balfanz@google.com>
References: <CADHfa2BHTfpWQ5ZdWrTppv2iPg0EfUtaRj7Btr9uGdAuvk2Hbw@mail.gmail.com>
In-Reply-To: <CADHfa2BHTfpWQ5ZdWrTppv2iPg0EfUtaRj7Btr9uGdAuvk2Hbw@mail.gmail.com>
X-Enigmail-Version: 1.4.1
OpenPGP: id=96865171
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] Update on Origin-Bound Certificates: Now called "Channel ID"
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Nov 2012 22:04:42 -0000

On 11/08/2012 10:22 PM, Dirk Balfanz wrote:

> Hello everybody,


Hello,
 Some comments/questions inline.

> (TLS-OBC: http://tools.ietf.org/id/draft-balfanz-tls-obc-01.txt) draft

> expire. The reason for this is that we (i.e., Google) had implemented
> TLS-OBC as described in the draft (in Chrome and server-side), and we
> weren't too happy with it. There were a few of problems:
> 
> (1) Client certificates are part of the session state. Not only does that
> mean that the session state is now considerably bigger than it used to be,
> it also means that anyone that can steal session secrets (malware on the
> client) can make it look to the server as if they were in possession of the
> client's private key, even if that private key sits in a TPM on the client.


How is that? Do you mean by session resumption? Isn't it the same on the
current draft?

> This spec is silent on the scope of the keys (but in practice we expect
> browsers to use eTLD+1 now instead of more fine-grained origins), and
> addresses all the other issues explicitly: the Channel IDs are not part of
> the TLS session state, and are exchanged after encryption is turned on.
> 
> A comment on the new name: One of the ways the new spec is simpler than the
> old one is that there are no more X.509 certs involved in proving
> possession of the client key - so there goes the "C(ert)" in the "OBC"
> acronym. Because of the agnosticism of the new spec toward the scope of the
> client keys, there is also no "O(rigin)" anymore. Hence, we needed a new
> name.


The approach actually looks like a prime user of the
draft-ietf-tls-oob-pubkey extension that allows to send the
SubjectPublicKeyInfo. Why not use send a SubjectPublicKeyInfo which
allows any type of client public key, instead of sticking to a fixed
ECDSA curve? No additional extension would be required.

regards,
Nikos

v2.23.0 | Report a Bug | By Email