Re: [TLS] New version of delegated credentials draft
Ryan Sleevi <ryan-ietftls@sleevi.com> Thu, 09 March 2017 19:45 UTC
Return-Path: <ryan-ietftls@sleevi.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8247D129471 for <tls@ietfa.amsl.com>; Thu, 9 Mar 2017 11:45:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.499
X-Spam-Level:
X-Spam-Status: No, score=-1.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_SORBS_SPAM=0.5, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sleevi.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y7Ct6EwFA3O0 for <tls@ietfa.amsl.com>; Thu, 9 Mar 2017 11:45:13 -0800 (PST)
Received: from homiemail-a88.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B299012944E for <tls@ietf.org>; Thu, 9 Mar 2017 11:45:13 -0800 (PST)
Received: from homiemail-a88.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a88.g.dreamhost.com (Postfix) with ESMTP id 3D26AA003A0E for <tls@ietf.org>; Thu, 9 Mar 2017 11:45:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sleevi.com; h=mime-version :in-reply-to:references:from:date:message-id:subject:to:cc :content-type; s=sleevi.com; bh=UBA/NoicBiwm9qlV96jPfebuoIA=; b= fHtceqXAd4cr0Rlk6Wky/g9o9NYLRg9XFIU/gWS4s2XzTkShHyjF8EA8KRKdUcyo CogXoogpvd/tJdlJvpZt1kt8YqztM+MwylIjTD6ysrhOrhJ+IE4VYsfE7mkpG5K9 ooA6uRAkTndP/91cPyUI9mQe92WxfI8b4orX79m5wnI=
Received: from mail-lf0-f49.google.com (mail-lf0-f49.google.com [209.85.215.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: ryan@sleevi.com) by homiemail-a88.g.dreamhost.com (Postfix) with ESMTPSA id 05579A00012B for <tls@ietf.org>; Thu, 9 Mar 2017 11:45:13 -0800 (PST)
Received: by mail-lf0-f49.google.com with SMTP id z15so10595364lfd.1 for <tls@ietf.org>; Thu, 09 Mar 2017 11:45:12 -0800 (PST)
X-Gm-Message-State: AMke39nxaBByi8JjjqmLmvGoJN5AYsZEp5SCcGX342B0x2dNhhRipZvgF6e1SCnq7qBDygwTexmwPOAKo6U4RQ==
X-Received: by 10.25.56.72 with SMTP id d8mr3719016lfj.2.1489088711070; Thu, 09 Mar 2017 11:45:11 -0800 (PST)
MIME-Version: 1.0
Received: by 10.25.193.197 with HTTP; Thu, 9 Mar 2017 11:45:10 -0800 (PST)
In-Reply-To: <20170309190828.GA31816@LK-Perkele-V2.elisa-laajakaista.fi>
References: <MWHPR15MB1455DAA6FD1AD0FE7D002F00B6210@MWHPR15MB1455.namprd15.prod.outlook.com> <20170309190828.GA31816@LK-Perkele-V2.elisa-laajakaista.fi>
From: Ryan Sleevi <ryan-ietftls@sleevi.com>
Date: Thu, 09 Mar 2017 14:45:10 -0500
X-Gmail-Original-Message-ID: <CAErg=HExRqW8Lc5hGiJs7k2FZM8BZDcY-z1bwn=3SVK_JCp2gw@mail.gmail.com>
Message-ID: <CAErg=HExRqW8Lc5hGiJs7k2FZM8BZDcY-z1bwn=3SVK_JCp2gw@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Content-Type: multipart/alternative; boundary="f403045ea32ea99c20054a517b8c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/jJo5hCqMfhprwdSQDFn79JCHV3o>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] New version of delegated credentials draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Mar 2017 19:45:14 -0000
On Thu, Mar 9, 2017 at 2:08 PM, Ilari Liusvaara <ilariliusvaara@welho.com> wrote: > On name constraints, name-constraining a wildcard certificate (e.g. > to "redact" data from CT) could be useful to avoid default-vhost > attacks against HTTP servers (there are lots of servers that > are misconfigured). Especially in HTTP/2. > Of course, no CT supporting clients support that method, and it's been migrated to a (currently non-WG adopted) document in 6962-bis while things are sorted. So if the argument is name-constraining is expected to prevalent for case X (where X == redaction), I don't think that's the case. > > * Required the presence of an extension in the EE certificate > > to allow the use of delegated credentials. > > I think this is going to be a major deployment problem. Basically, > CAs move pretty much glacially. > I'm going to push back on this assertion, because it came up during previous discussions. The CA/Browser Forum's Baseline Requirements already permit CAs to include additional X.509v3 extensions - specifically, Section 7.1.2.4 of the Baseline Requirements - provided that the semantics that, if included, will not mislead a relying party about the certificate information verified by the CA. As proposed, this (and the previous discussion) meet this definition, and so without any change to policies, CAs can adopt this. As a site operator with a business relationship with a given CA, you can use that business relationship to request these extensions. Plenty of CAs can and do respond to their customers' needs in a timely fashion, and/or actively work to standardize them prior to immediately implementing. I could name off examples for you, but I don't know if they need the free advertising. The point being is that this doesn't require _all_ CAs to change, it just requires "your" CA to change, and "your" CA is not going to be constrained by any policies that prevent them from doing this. If this were adopted, it might take time for the CA/Browser Forum to normalize the policies around saying "Yes, this is OK" - and on that, I agree, it's glacially slow (but about as quick as the full IETF process, from chartering to publication, all things considered) - but again, you don't need that. > It is going to be much easier getting ECDSA certs (which are infamous > for being difficult to get[1]). > It's not actually true anymore and hasn't been for some time, but I also appreciate this is a subjective statement, so I understand that in the absence of concrete data, your impressions may differ from my impressions.
- [TLS] New version of delegated credentials draft Subodh Iyengar
- Re: [TLS] New version of delegated credentials dr… Ilari Liusvaara
- Re: [TLS] New version of delegated credentials dr… Ryan Sleevi