IETF Logo Mail Archive

Re: [TLS] the use cases for GSS-based TLS and the plea for

Leif Johansson <leifj@it.su.se> Sat, 21 July 2007 12:22 UTC

Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1ICDz9-0003xX-GW; Sat, 21 Jul 2007 08:22:59 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1ICDz8-0003xP-Ad for tls@ietf.org; Sat, 21 Jul 2007 08:22:58 -0400
Received: from smtp3.su.se ([130.237.93.228]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1ICDz6-0007Gd-O9 for tls@ietf.org; Sat, 21 Jul 2007 08:22:58 -0400
Received: from localhost (localhost [127.0.0.1]) by smtp3.su.se (Postfix) with ESMTP id 8C3773BEB8; Sat, 21 Jul 2007 14:22:55 +0200 (CEST)
Received: from smtp3.su.se ([127.0.0.1]) by localhost (smtp3.su.se [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 30624-02-14; Sat, 21 Jul 2007 14:22:55 +0200 (CEST)
Received: from [83.178.5.157] (m83-178-5-157.cust.tele2.se [83.178.5.157]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp3.su.se (Postfix) with ESMTP id 34B0B3BEF2; Sat, 21 Jul 2007 14:22:46 +0200 (CEST)
Message-ID: <46A1FA92.4040200@it.su.se>
Date: Sat, 21 Jul 2007 14:22:42 +0200
From: Leif Johansson <leifj@it.su.se>
User-Agent: Thunderbird 1.5.0.12 (X11/20070604)
MIME-Version: 1.0
To: martin.rex@sap.com
Subject: Re: [TLS] the use cases for GSS-based TLS and the plea for
References: <200707202225.l6KMP1ow027548@fs4113.wdf.sap.corp>
In-Reply-To: <200707202225.l6KMP1ow027548@fs4113.wdf.sap.corp>
X-Enigmail-Version: 0.94.2.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: by amavisd-new at smtp.su.se
X-Spam-Status: No, hits=-2.06 tagged_above=-99 required=7 tests=[AWL=0.252, BAYES_00=-2.312]
X-Spam-Level:
X-Spam-Score: -4.0 (----)
X-Scan-Signature: fb6060cb60c0cea16e3f7219e40a0a81
Cc: tls@ietf.org, Nicolas.Williams@sun.com
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

<snip>
>
> I beg to differ.  Several PKI toothing problem can be
> entirely avoided by applications when the ACLs account
> for both, subject AND issuer of a certificate in order
> to support authentication from different independent PKIs.
>
>   
Then you can just aswell avoid the use of issuers at
all and keep track of (say) certificate fingerprints
for self-signed certs.
> SSL/TLS Client certificates from seperate independet PKIs
> is fairly commen, the Web Browsers implement it and
> client components in distributed application backends
> normally also support it today. 
>   
Which was precisely my argument. A set of roots in
a common trust-store effectively makes them all
equivalent in terms of trust and if you think this
doesn't matter I invite you to investigate the pretty
large differences that exist between the CAs that
are all part of (say) the IE default trust-store.
>
>   
<snip>
>
> I belief that a common trust-root is a stupid and flawed approach.
> Of course, the PKI guys desperately need it, because without it
> all their policy and name constraints stuff remains the
> useless bloat that it is.
>   
Good, then we agree on this.
> The Kerberos cross-organization problem exists because
> of the security problems and administrative problems
> of a cross-realm trust.
>
>   
Which are more or less exactly the same problems that
exist whenever you try to setup any kind of federation. In
fact most cross-realm kerberos trusts are much easier to
setup and maintain than your (not so common) bridge CA.

You are comparing apples and pears in this email by holding
up browser-based PKI as an example of how easy cross-
domain trust is compared to kerberos. In fact there are
extremely few examples of cross-domain trusts (brigde-CAs)
in the PKI world compared to the relatively large number
of cross-realm trusts operational today.
> A common trust-root and relying on policy&name constraints
> to work puts PKI technology into a similarily miserable position
> as Kerberos so it is really stupid to go down this road.
>
> Why do I need a dozen different plastic cards in my wallet?
> Can't those issuer not simply agree on a single one?
>   
In fact I sure hope not but that is definitely off topic.
>
>   
<snip>
>
> *I* strongly prefer an initial negotation that provides a high
> probabilty that a particular method will succeed, and then
> exactly one attempt, an error message when it fails and
> NO (automatic) fallback.
>
>
> -Martin
>   

Good - this seems like the core of the disagreement.
   
    Cheers Leif

_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

v2.29.0 | Report a Bug | By Email | System Status