Re: [TLS] TLS 1.3 Authentication using ETSI TS 103 097 and IEEE 1609.2 certificates

William Whyte <wwhyte@onboardsecurity.com> Mon, 27 August 2018 11:09 UTC

Return-Path: <wwhyte@onboardsecurity.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07BF5130E9F for <tls@ietfa.amsl.com>; Mon, 27 Aug 2018 04:09:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=onboardsecurity-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id prFqspJYS2Aq for <tls@ietfa.amsl.com>; Mon, 27 Aug 2018 04:09:51 -0700 (PDT)
Received: from mail-pf1-x441.google.com (mail-pf1-x441.google.com [IPv6:2607:f8b0:4864:20::441]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9821112F1A6 for <tls@ietf.org>; Mon, 27 Aug 2018 04:09:51 -0700 (PDT)
Received: by mail-pf1-x441.google.com with SMTP id l9-v6so7587714pff.9 for <tls@ietf.org>; Mon, 27 Aug 2018 04:09:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=onboardsecurity-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=mcinVb2YM/b3gdQLiharcWsmAli2FkeCQBuhOlz7qTQ=; b=dG0cy0taP67J5oGxJJc+WSHSUIUIaVH2psbeJ3KReMh7PK6kL4namdDrbOz6siYGPv g8inVQ5xxcFOh7RI0SSvTcGm6rJhKFVqgnoSofM4yxNw+IymGAP80PjWnAXj3vCDC/CZ my/KAISaqfsExazjMte4DWWsIsk05UYknkBw/un+wT0nOYnCKgYKHLuaK5pNhmhSsYCv glYfa/5Xh8ya1LTlisFAB58AqHPDp0/28iRm37lDssat9sAcVu+28sxgmdVEKK3yey3Z VP8Vp6C3M9+oS6iQ24qh7Mb0tp+AoCm3wMGhgKzjTdQBJGxD+b0I6bVy90zItp1NDIM8 98Dw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=mcinVb2YM/b3gdQLiharcWsmAli2FkeCQBuhOlz7qTQ=; b=s3+EnGyB9fQZhD9Kfm8ZJbzkE06llSMHvxtJPJpWkKP0QBSyty495/myMhTmad01xW 69trkjN5Ir8rNJF1QnjkbTaUTxkHNx2pN/5V1IfhjUdMtpOYJSPW+YvAgDrXih1zzsjF sFSYtPlTRO5HDTpiiCbOtkyQhDwFn2IBAL3jvX8KRBG600pDK0alSaZ38FPlM42FoDgZ aYVql/lk3LIBC9NGJGNYqA4ELH8vS2JaWSeiESa/HekUE8jnLSV4tHHEpb62hmy2ThK+ 4Q7wn1PYMd+4wBBB1tEucOdm8sC8ACuvqmZvd59N646BwYUyB0EBI3vZCeG31wnaMm/x 0Oyw==
X-Gm-Message-State: APzg51BlWhl5aIrEctO3yI4zxsUsuNPULhTgDK7ws9InsBhc2btFBbvT NtlJHcCCB5qt9iSgew5QTj9tcUZL5UD5fzbVZ6PaDQ==
X-Google-Smtp-Source: ANB0VdYD9Bh1NDAKWGWQCcJujf6pRwib6yCwjab5qR998tTtm6T7VkwtVi7+yd+aKn8DiTYiLUfPLmvDT4SNBF0yYRM=
X-Received: by 2002:a63:ec43:: with SMTP id r3-v6mr11992199pgj.295.1535368191037; Mon, 27 Aug 2018 04:09:51 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a17:90a:db0f:0:0:0:0 with HTTP; Mon, 27 Aug 2018 04:09:30 -0700 (PDT)
In-Reply-To: <0AE05CBFB1A6A0468C8581DAE58A31309E0F6993@SINEML521-MBS.china.huawei.com>
References: <1231917830.3727154.1535119783361.JavaMail.zimbra@enst.fr> <20180824155038.GA2743@LK-Perkele-VII> <1417403886.3796035.1535132676840.JavaMail.zimbra@enst.fr> <0AE05CBFB1A6A0468C8581DAE58A31309E0F34A4@SINEML521-MBS.china.huawei.com> <1766398978.255182.1535358692070.JavaMail.zimbra@enst.fr> <0AE05CBFB1A6A0468C8581DAE58A31309E0F6993@SINEML521-MBS.china.huawei.com>
From: William Whyte <wwhyte@onboardsecurity.com>
Date: Mon, 27 Aug 2018 07:09:30 -0400
Message-ID: <CAND9ES11ZB_aFDFdqLAmEH5CGGpW9nb4YUiPMdRZ82FggcmmYw@mail.gmail.com>
To: Wang Haiguang <wang.haiguang.shieldlab@huawei.com>
Cc: tls <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a06586057468c332"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/i__MPLh4n3FdnEW6vngiIO5e25E>
Subject: Re: [TLS] TLS 1.3 Authentication using ETSI TS 103 097 and IEEE 1609.2 certificates
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Aug 2018 11:09:55 -0000

Hi Wang,

The 1609.2 certificate format consists of both explicit and implicit
certificates. The explicit certificates are in 1609.2 format, not in X.509
format.

Cheers,

William

On Mon, Aug 27, 2018 at 4:43 AM, Wang Haiguang <
wang.haiguang.shieldlab@huawei.com> wrote:

> Hi, Mounira
>
> Thanks for the clarification. That means both explicit and implicit
> certificates will be supported.
>
> Regards.
>
> Haiguang
>
> -----Original Message-----
> From: Mounira Msahli [mailto:mounira.msahli@telecom-paristech.fr]
> Sent: Monday, August 27, 2018 4:32 PM
> To: Wang Haiguang <wang.haiguang.shieldlab@huawei.com>
> Cc: Ilari Liusvaara <ilariliusvaara@welho.com>; tls <tls@ietf.org>
> Subject: Re: TLS 1.3 Authentication using ETSI TS 103 097 and IEEE 1609.2
> certificates
>
> Hi Wang,
>
> The purpose of the draft is to extend TLS 1.3 to support IEEE 1609.2/ETSI
> TS 103 097 certificates for authentication in addition to X.509 certificate
> and raw public keys.
>
> Kind Regards
> Mounira
>
>
>
> ----- Mail original -----
> De: "Wang Haiguang" <wang.haiguang.shieldlab@huawei.com>
> À: "Mounira Msahli" <mounira.msahli@telecom-paristech.fr>, "Ilari
> Liusvaara" <ilariliusvaara@welho.com>
> Cc: "tls" <tls@ietf.org>
> Envoyé: Lundi 27 Août 2018 03:44:28
> Objet: RE: TLS 1.3 Authentication using ETSI TS 103 097 and IEEE 1609.2
> certificates
>
> Hi, Mounira
>
> Just for clarification.
>
> If I am not wrong, there are two types of certificates supported by
> 1609.2. One is the legacy X.509 certificate, the other is the implicit
> certificate.
>
> So for you draft submitted, you plan support both types of certificates or
> just one of them, i.e. the X.509 certificate.
>
> Best regards.
>
> Haiguang
>
> -----Original Message-----
> From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Mounira Msahli
> Sent: Saturday, August 25, 2018 1:45 AM
> To: Ilari Liusvaara <ilariliusvaara@welho.com>
> Cc: tls <tls@ietf.org>
> Subject: Re: [TLS] TLS 1.3 Authentication using ETSI TS 103 097 and IEEE
> 1609.2 certificates
>
>
> Thank you Ilari,
>
>
> In response to your comments below:
>
> - I did not see requirements where to place the end-entity certificate
> anywhere. I think most TLS code outright assumes that the end-entity
> certificate is the first one.
>
> >>> We will add it.
>
> - More generally, I did not see it specified how the certificate chain is
> laid out to the individual certficate fields (it is fairly obvious, but
> should still be specified).
> >>> We will specify it.
>
> - The examples could have multiple certificate types in ClientHello to
> more clearly show what is actually going on.
> >>> We will add examples with multiple certificate types in Client Hello
>
> - You should also specify use in TLS 1.2 in the same draft (or say that
> is prohibited). This is so one only needs one reference for the
> codepoint allocation.
>
> >>> It is not prohibited, for TLS 1.2 the extension is already specified:
> [ https://tools.ietf.org/html/draft-serhrouchni-tls-certieee1609-01 ]
> [ https://tools.ietf.org/html/draft-serhrouchni-tls-certieee1609-01 |
> https://tools.ietf.org/html/draft-serhrouchni-tls-certieee1609-01 ]
> We will update the draft
>
> - I found the document quite hard to read due to various editorial
> issues.
> >> We will update the draft
>
>
> Kind Regards
> Mounira
>
> ----- Mail original -----
> De: "Ilari Liusvaara" <ilariliusvaara@welho.com>
> À: "Mounira Msahli" <mounira.msahli@telecom-paristech.fr>
> Cc: "tls" <tls@ietf.org>
> Envoyé: Vendredi 24 Août 2018 17:50:38
> Objet: Re: [TLS] TLS 1.3 Authentication using ETSI TS 103 097 and IEEE
> 1609.2 certificates
>
> On Fri, Aug 24, 2018 at 04:09:43PM +0200, Mounira Msahli wrote:
> > Hi all,
> >
> >
> > The draft: TLS 1.3 Authentication using IEEE 1609.2/ETSI TS 103097
> certificates is updated in accordance with TLS 1.3:
> https://tools.ietf.org/html/draft-tls-certieee1609-01
> >
> > This document describes the use of certificates specified by the
> Institute of Electrical and Electronics Engineers IEEE1609.2 and the
> European Telecommunications Standards
> >
> > Institute ETSI TS 103097. These standards are defined in order to secure
> communications in vehicular environments.
> >
> > This extension is very useful and has become a pressing need for
> (Vehicle-To-Internet(V2Internet), Vehicle-To-Cloud(V2Cloud),...).
> >
> > We are soliciting feedback from the WG on the draft.
>
> Some quick comments:
>
> - I did not see requirements where to place the end-entity certificate
> anywhere. I think most TLS code outright assumes that the end-entity
> certificate is the first one.
> - More generally, I did not see it specified how the certificate chain
> is laid out to the individual certficate fields (it is fairly
> obvious, but should still be specified).
> - The examples could have multiple certificate types in ClientHello to
> more clearly show what is actually going on.
> - You should also specify use in TLS 1.2 in the same draft (or say that
> is prohibited). This is so one only needs one reference for the
> codepoint allocation.
> - I found the document quite hard to read due to various editorial
> issues.
>
>
> -Ilari
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>



-- 


PLEASE UPDATE YOUR ADDRESS BOOKS WITH MY NEW ADDRESS:
wwhyte@onboardsecurity.com