Re: [TLS] Proposed changes to draft-ietf-tls-subcerts

"Patton,Christopher J" <cjpatton@ufl.edu> Tue, 24 July 2018 18:04 UTC

From: "Patton,Christopher J" <cjpatton@ufl.edu>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
CC: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Proposed changes to draft-ietf-tls-subcerts
Date: Tue, 24 Jul 2018 18:04:27 +0000
Message-ID: <MWHPR22MB0461C41A5D7D67FDBE2427BAC6550@MWHPR22MB0461.namprd22.prod.outlook.com>
References: <20180718065616.GA18428@LK-Perkele-VII> <MWHPR22MB0461118EB7800D5163537091C6530@MWHPR22MB0461.namprd22.prod.outlook.com> <18b301d41ee2$bff8e8f0$3feabad0$@gmail.com> <MWHPR22MB0461AF67BCD113C16385021AC6520@MWHPR22MB0461.namprd22.prod.outlook.com> <20180719193938.GA24141@LK-Perkele-VII> <MWHPR22MB046123EF1C0E7B7F9B1C6CB0C6520@MWHPR22MB0461.namprd22.prod.outlook.com> <20180719201846.GA24678@LK-Perkele-VII> <MWHPR22MB046158E91E8C329DD62C9A43C6520@MWHPR22MB0461.namprd22.prod.outlook.com> <20180720155127.GA28236@LK-Perkele-VII> <MWHPR22MB046126F4302517E7A8871E2DC6510@MWHPR22MB0461.namprd22.prod.outlook.com>, <20180724171629.GA27830@LK-Perkele-VII>
In-Reply-To: <20180724171629.GA27830@LK-Perkele-VII>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/lWKp-bjVTpCKJelIjI4WW6Oy4OY>

Aww, I see your point. You're right, it should be that crit=true if and only if crit=true.


> Actually, what use case do strict certificates serve anyway? I can not
> figure out any use case that would make much sense to me. Dealing with
> server endpoints that are capable of LURK but not proof-of-possession
> nor is the keyserver capable of format-checking?

The point was to enforce that, if a delegation certificate is offered in a handshake, then a DC must be negotiated in that handshake. I wasn't actually there, but I'm told that this feature was brought up at IETF. It doesn't seem like there's a clean way to do this, and I'm not sure this feature is worth the added complexity.

I'm going to propose we drop the strict flag and let the critical bit be optional for the extension. What do you think?

-Chris