IETF Logo Mail Archive

Re: [TLS] draft-rescorla-tls-subcerts

"Salz, Rich" <rsalz@akamai.com> Fri, 15 July 2016 02:53 UTC

Return-Path: <rsalz@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD11512B02A for <tls@ietfa.amsl.com>; Thu, 14 Jul 2016 19:53:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.988
X-Spam-Level:
X-Spam-Status: No, score=-3.988 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MCQupKzop-7o for <tls@ietfa.amsl.com>; Thu, 14 Jul 2016 19:53:07 -0700 (PDT)
Received: from prod-mail-xrelay05.akamai.com (prod-mail-xrelay05.akamai.com [23.79.238.179]) by ietfa.amsl.com (Postfix) with ESMTP id E352512B011 for <tls@ietf.org>; Thu, 14 Jul 2016 19:53:06 -0700 (PDT)
Received: from prod-mail-xrelay05.akamai.com (localhost.localdomain [127.0.0.1]) by postfix.imss70 (Postfix) with ESMTP id ECB4242374D; Fri, 15 Jul 2016 02:53:05 +0000 (GMT)
Received: from prod-mail-relay10.akamai.com (prod-mail-relay10.akamai.com [172.27.118.251]) by prod-mail-xrelay05.akamai.com (Postfix) with ESMTP id B25E942372F; Fri, 15 Jul 2016 02:53:05 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; s=a1; t=1468551185; bh=KvnhI2WphfG833QIZgr6OZas5+Hbul6qwwd2HUIxZw0=; l=670; h=From:To:Date:References:In-Reply-To:From; b=tFxcLPPWax6w3oSJVJ2y1wdnejTFkt1yLofWsfsOY6KtrGPSOcqXhngZg+S1cP5qv C+lkgr1n+cMKvRURMGsFqDEX6AVh6rISxEGcb07ytogI1ftW5Dgsx8hYtIi0Ye77yD /j6eAkAoJhOViZtRetrXCoOoDBWMvu8WZJ1MlDHc=
Received: from email.msg.corp.akamai.com (usma1ex-cas1.msg.corp.akamai.com [172.27.123.30]) by prod-mail-relay10.akamai.com (Postfix) with ESMTP id A9C021FC98; Fri, 15 Jul 2016 02:53:05 +0000 (GMT)
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by usma1ex-dag1mb4.msg.corp.akamai.com (172.27.123.104) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Thu, 14 Jul 2016 22:53:05 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1178.000; Thu, 14 Jul 2016 22:53:05 -0400
From: "Salz, Rich" <rsalz@akamai.com>
To: Andrei Popov <Andrei.Popov@microsoft.com>, Eric Rescorla <ekr@rtfm.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] draft-rescorla-tls-subcerts
Thread-Index: AQHR2IXcVquhYzeOPUa1QtaSPyWJv6AY8ZMA///k6OA=
Date: Fri, 15 Jul 2016 02:53:04 +0000
Message-ID: <77982989336748a5847ef4cb9999cdc8@usma1ex-dag1mb1.msg.corp.akamai.com>
References: <CABcZeBP+6AP50L06knsnOmyMqbv3fFw6TrcSrqs0x9FgoxyKcw@mail.gmail.com> <CY1PR03MB21551F88A99C2CEF07548A2D8C330@CY1PR03MB2155.namprd03.prod.outlook.com>
In-Reply-To: <CY1PR03MB21551F88A99C2CEF07548A2D8C330@CY1PR03MB2155.namprd03.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.40.226]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/jdfo7z_u4uZzPc-bHP1RpYb6g8g>
Subject: Re: [TLS] draft-rescorla-tls-subcerts
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jul 2016 02:53:09 -0000

> Naïve question: why not simply get a constrained CA certificate and issue short-validity end entity certs?

Wouldn't you need one for every potential user? And the nameConstraints then becomes a union of all SAN fields?

> Short-lived credential approach seems more viable than draft-mglt-lurk-tls-requirements-00 (which requires an additional round-trip between the Edge Server and Content Provider).

Except that the RSALG and/or "keyless SSL" approach are already deployed.

v2.23.0 | Report a Bug | By Email