Re: [TLS] AD review of draft-ietf-tls-oob-pubkey
Sean Turner <turners@ieca.com> Fri, 24 May 2013 17:14 UTC
Return-Path: <turners@ieca.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 099EA21F967F for <tls@ietfa.amsl.com>; Fri, 24 May 2013 10:14:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.264
X-Spam-Level:
X-Spam-Status: No, score=-102.264 tagged_above=-999 required=5 tests=[AWL=0.001, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d9IrzVFJ2Z5u for <tls@ietfa.amsl.com>; Fri, 24 May 2013 10:14:07 -0700 (PDT)
Received: from gateway16.websitewelcome.com (gateway16.websitewelcome.com [69.56.207.4]) by ietfa.amsl.com (Postfix) with ESMTP id 6BE6F21F9682 for <tls@ietf.org>; Fri, 24 May 2013 10:14:05 -0700 (PDT)
Received: by gateway16.websitewelcome.com (Postfix, from userid 5007) id 5BBE925B152C8; Fri, 24 May 2013 12:13:41 -0500 (CDT)
Received: from gator1743.hostgator.com (gator1743.hostgator.com [184.173.253.227]) by gateway16.websitewelcome.com (Postfix) with ESMTP id 4B99A25B15296 for <tls@ietf.org>; Fri, 24 May 2013 12:13:41 -0500 (CDT)
Received: from [173.73.135.101] (port=62923 helo=thunderfish.local) by gator1743.hostgator.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.80) (envelope-from <turners@ieca.com>) id 1UfvZ5-0006nB-MB; Fri, 24 May 2013 12:14:03 -0500
Message-ID: <519F9FDA.7080103@ieca.com>
Date: Fri, 24 May 2013 13:14:02 -0400
From: Sean Turner <turners@ieca.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:17.0) Gecko/20130509 Thunderbird/17.0.6
MIME-Version: 1.0
To: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
References: <516D5ADE.3050506@ieca.com> <A95B4818FD85874D8F16607F1AC7C628BCDCF4@xmb-rcd-x09.cisco.com>
In-Reply-To: <A95B4818FD85874D8F16607F1AC7C628BCDCF4@xmb-rcd-x09.cisco.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator1743.hostgator.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ieca.com
X-BWhitelist: no
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: (thunderfish.local) [173.73.135.101]:62923
X-Source-Auth: sean.turner@ieca.com
X-Email-Count: 3
X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IxNzQzLmhvc3RnYXRvci5jb20=
Cc: "<tls@ietf.org>" <tls@ietf.org>, "<draft-ietf-tls-oob-pubkey@tools.ietf.org>" <draft-ietf-tls-oob-pubkey@tools.ietf.org>
Subject: Re: [TLS] AD review of draft-ietf-tls-oob-pubkey
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 May 2013 17:14:14 -0000
I think I didn't yet respond to some of these. On 5/7/13 11:11 PM, Joseph Salowey (jsalowey) wrote: > Most of these look reasonable to me, a few comments inline at the end. > > Thanks, > > Joe > On Apr 16, 2013, at 7:06 AM, Sean Turner <turners@ieca.com> wrote: >> 10) s4.2: Maybe reword this slightly: >> >> OLD: >> >> If the client indicated the support of raw public keys in the >> 'client_certificate_type' extension in the client hello and the >> server is able to provide such raw public key then the TLS server >> MUST place the SubjectPublicKeyInfo structure into the Certificate >> payload. >> >> NEW: >> >> If the client hello indicates support of raw public keys in the >> 'client_certificate_type' extension and the >> server also supports raw public keys then the TLS server >> MUST place the SubjectPublicKeyInfo structure into the Certificate >> payload. >> >> But, a more important question is the meaning of that paragraph above. Doesn't that override the "sorted by client preference" from s3? >> > > [Joe] I think this should probably say something like: > > "If the client hello indicates support of raw public keys in the > 'client_certificate_type' extension and the > server chooses to use raw public keys then the TLS server > MUST place the SubjectPublicKeyInfo structure into the Certificate > payload. Yep that's what I was thinking. >> 11) s6: Got some questions about the following: >> >> This information will be needed to make >> authorization decisions. Without a secure binding, >> man-in-the-middle attacks may be the consequence. >> >> 1st isn't that authentication. 2nd isn't it masquerade attacks? 3rd it's not really a may it's more an is likely to be? >> > > [Joe] I'm not sure binding a key to a name is exactly authentication. I'd probably reword it something like: > > "Without a secure binding between identity and key the protocol will be vulnerable to masquerade and man-in-the-middle attacks." I could live with that. >> 13) How are we supposed to check whether key is still considered "good"? If you can't that might be okay, but you need to mention that there's no mechanism to support this yet or that that also needs to be done out-of-band. >> > > [Joe] I think we need to state this is done out of band as well. Yeah all I'm looking for here is a warning that there's currently no mechanism to support this. I was going to go and say that the application needs to define who this might be done, but after talking it over with a couple of folks what it's going to come down to is asking those applications when we see them calling out use of this document if they really want status checking. spt
- [TLS] AD review of draft-ietf-tls-oob-pubkey Sean Turner
- Re: [TLS] AD review of draft-ietf-tls-oob-pubkey Bert Greevenbosch
- Re: [TLS] AD review of draft-ietf-tls-oob-pubkey Salz, Rich
- [TLS] Revocation and authentication of raw public… Bert Greevenbosch
- Re: [TLS] Revocation and authentication of raw pu… Paul Wouters
- Re: [TLS] Revocation and authentication of raw pu… Salz, Rich
- Re: [TLS] Revocation and authentication of raw pu… Bert Greevenbosch
- Re: [TLS] Revocation and authentication of raw pu… Trevor Perrin
- Re: [TLS] AD review of draft-ietf-tls-oob-pubkey Joseph Salowey (jsalowey)
- Re: [TLS] AD review of draft-ietf-tls-oob-pubkey Daniel Kahn Gillmor
- Re: [TLS] AD review of draft-ietf-tls-oob-pubkey Joseph Salowey (jsalowey)
- Re: [TLS] AD review of draft-ietf-tls-oob-pubkey Bert Greevenbosch
- Re: [TLS] AD review of draft-ietf-tls-oob-pubkey Sean Turner
- Re: [TLS] AD review of draft-ietf-tls-oob-pubkey Sean Turner
- Re: [TLS] AD review of draft-ietf-tls-oob-pubkey Sean Turner