IETF Logo Mail Archive

Re: [TLS] New Version Notification for draft-wouters-tls-oob-pubkey-01.txt (fwd)

Ondřej Surý <ondrej.sury@nic.cz> Thu, 17 November 2011 10:40 UTC

Return-Path: <ondrej.sury@nic.cz>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74E9521F9BE2 for <tls@ietfa.amsl.com>; Thu, 17 Nov 2011 02:40:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.7
X-Spam-Level:
X-Spam-Status: No, score=-1.7 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_23=0.6, MIME_8BIT_HEADER=0.3, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WmnTYUcE9u2w for <tls@ietfa.amsl.com>; Thu, 17 Nov 2011 02:40:48 -0800 (PST)
Received: from mail.nic.cz (mail.nic.cz [IPv6:2001:1488:800:400::400]) by ietfa.amsl.com (Postfix) with ESMTP id 7A2FD21F9BE1 for <tls@ietf.org>; Thu, 17 Nov 2011 02:40:48 -0800 (PST)
Received: from [IPv6:2001:df8::96:6414:bef:6bde:9d08] (unknown [IPv6:2001:df8:0:96:6414:bef:6bde:9d08]) by mail.nic.cz (Postfix) with ESMTPSA id CE3082A2E19; Thu, 17 Nov 2011 11:40:46 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nic.cz; s=default; t=1321526447; bh=8W+ojxop5JqVQlul94nWSkiZIxaR8JVdr6ZSDjZ3mvs=; h=Subject:Mime-Version:Content-Type:From:In-Reply-To:Date:Cc: Content-Transfer-Encoding:Message-Id:References:To; b=TjI1xUffjtWaZwXQuLiejLlHmfrWN6gvlDv+KLTtpZrUEEwqtLvbvsyvN3MMvPZ/V WLd455ishk86uu/RYn2+LdYfeHVOLlOlFYWk7T0yjIXfFwL1uvmUreO/aDORA7ptMu qX72buxaGusRRC7b0gRfIoImpmWwftN3jSKRQM2w=
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: text/plain; charset="utf-8"
From: Ondřej Surý <ondrej.sury@nic.cz>
In-Reply-To: <alpine.DEB.2.00.1110311914480.17385@mail.xelerance.com>
Date: Thu, 17 Nov 2011 18:40:43 +0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <8766068B-882E-41F9-B908-49088E451F03@nic.cz>
References: <alpine.DEB.2.00.1110311914480.17385@mail.xelerance.com>
To: Paul Wouters <paul@xelerance.com>
X-Mailer: Apple Mail (2.1251.1)
X-Virus-Scanned: clamav-milter 0.96.5 at mail
X-Virus-Status: Clean
Cc: tls@ietf.org
Subject: Re: [TLS] New Version Notification for draft-wouters-tls-oob-pubkey-01.txt (fwd)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Nov 2011 10:40:49 -0000

Hi Paul,

could you please drop this sentence from your draft?

  For example, if public keys were obtained using [DANE] it
  is appropriate to use DNSSEC to authenticate the public keys.

I know that it's just an example, but I can see that this could
lead to chaos and mayhem if the DANE protocol makes different
assertion in the future.  So unless DANE protocol blooms into the
RFC before your draft, please don't make any assumptions, thanks.

And one minor nit, change

   Some small embedded devices use the UDP based [CoAP], a specialized
   constrained networks and nodes for machine-to-machine applications.

to

   Some small embedded devices use the UDP based Constrained Application
   Protocol [CoAP], a specialized web transfer protocol for use with
   constrained networks and nodes for machine-to-machine applications.

or simpler

   Some small embedded devices use the UDP based Constrained Application
   Protocol [CoAP] for use with constrained networks and nodes for
   machine-to-machine applications.

for better readability.

On 1. 11. 2011, at 7:21, Paul Wouters wrote:

> 
> This is the new version of the draft incorporating the feedback from Quebec City
> and the TLS list since then. It changes the draft from a new TLS extension to a
> new Certificate Type for raw keys.
> 
> It also merges in the unpublished draft material from Hannes Tschofenig
> and Tero Kivinen <kivinen@iki.fi> whom had also been working on raw RSA
> TLS keys for use with CoAP (eg devices with no real time clock where
> PKIX validation cannot work)
> 
> I did not yet change the draft ofrom individual submission to working group item,
> as I was waiting for confirmation on the TLW WG list of the last Quebec City
> meeting.
> 
> http://tools.ietf.org/html/draft-wouters-tls-oob-pubkey-01
> 
> Paul
> 
> ---------- Forwarded message ----------
> Date: Mon, 31 Oct 2011 17:44:35
> From: internet-drafts@ietf.org
> Cc: weiler@tislabs.com, hannes.tschofenig@gmx.net, gnu@toad.com,
>    paul@xelerance.com, kivinen@iki.fi
> To: paul@xelerance.com
> Subject: New Version Notification for draft-wouters-tls-oob-pubkey-01.txt
> X-Spam-Flag: NO
> 
> A new version of I-D, draft-wouters-tls-oob-pubkey-01.txt has been successfully submitted by Paul Wouters and posted to the IETF repository.
> 
> Filename:	 draft-wouters-tls-oob-pubkey
> Revision:	 01
> Title:		 TLS out-of-band public key validation
> Creation date:	 2011-10-31
> WG ID:		 Individual Submission
> Number of pages: 11
> 
> Abstract:
>   This document specifies a new TLS certificate type for exchanging raw
>   public keys or their fingerprints in Transport Layer Security (TLS)
>   and Datagram Transport Layer Security (DTLS) for use with out-of-band
>   authentication.  Currently, TLS authentication can only occur via
>   PKIX or OpenPGP certificates.  By specifying a minimum resource for
>   raw public key exchange, implementations can use alternative
>   authentication methods.
> 
>   One such method is using DANE Resource Records secured by DNSSEC,
>   Another use case is to provide authentication functionality when used
>   with devices in a constrained environment that use whitelists and
>   blacklists, as is the case with sensors and other embedded devices
>   that are constrained by memory, computational, and communication
>   limitations where the usage of PKIX is not feasible.
> 
>   The new certificate type specified can also be used to reduce the
>   latency of a TLS client that is already in possession of a validated
>   public key of the TLS server before it starts a (non-resumed) TLS
>   handshake.
> 
> 
> 
> 
> The IETF Secretariat
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

--
 Ondřej Surý
 vedoucí výzkumu/Head of R&D department
 -------------------------------------------
 CZ.NIC, z.s.p.o.    --    Laboratoře CZ.NIC
 Americka 23, 120 00 Praha 2, Czech Republic
 mailto:ondrej.sury@nic.cz    http://nic.cz/
 tel:+420.222745110       fax:+420.222745112
 -------------------------------------------

v2.23.0 | Report a Bug | By Email