Re: [TLS] Updating for non-X.509 certificate types

Martin Thomson <martin.thomson@gmail.com> Fri, 10 March 2017 03:06 UTC

From: Martin Thomson <martin.thomson@gmail.com>
Date: Fri, 10 Mar 2017 14:06:19 +1100
Message-ID: <CABkgnnWYVx=hzBtDcb3Y0xaWBgx6DtPXFLEXoV0gtiOSDJhGOQ@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/q4Z3dMSwDuh42Oc51wig5P_pnuY>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Updating for non-X.509 certificate types

It seems like the minimum thing TLS 1.3 can do is observe that these
extensions exist and that they can't be used with TLS 1.3 (yet).

On 10 March 2017 at 11:43, Eric Rescorla <ekr@rtfm.com> wrote:
> As noted in https://github.com/tlswg/tls13-spec/issues/722, the new fancy
> TLS 1.3 Certificate structure doesn't map well to the various non-X.509
> cert structures we have defined, specifically:
>
> - Raw Public Keys
> - Cached Info
> - OpenPGP
>
> Probably mapping each of these to 1.3 is relatively straightforward
> (Raw public keys == a list with one key, Cached info == the hash of
> each cert + its extensions, and so on), but I tend to think that given the
> modest/specialized deployment of these extensions, it's better to do a
> set of small bis RFCs to define each of these, rather than add a bunch
> of clutter to TLS 1.3 proper.
>
> Does anyone object to this? Volunteers.
>
> -Ekr
>
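Ekr's sketch of the mapping, as an added example that is not part of this thread: a small Python encoder/decoder for the TLS 1.3 Certificate message as the draft laid it out (certificate_request_context, then a list of cert_data + extensions entries), treating Raw Public Keys as a one-entry list and deriving a cached-info style hash of each cert plus its extensions. The SubjectPublicKeyInfo bytes are a constructed placeholder, not a real key, and the per-entry hash is an illustration of the mapping, not a standardised format.

```python
import hashlib
from typing import List, Tuple

# Draft TLS 1.3 Certificate layout (what the 1.3 draft used at the time):
#   opaque certificate_request_context<0..2^8-1>;
#   CertificateEntry certificate_list<0..2^24-1>;
#   CertificateEntry = opaque cert_data<1..2^24-1> + Extension extensions<0..2^16-1>
# For an X.509 entry cert_data is the DER certificate; for a Raw Public Key
# entry it is the DER SubjectPublicKeyInfo, and the list holds a single entry.

SPKI_PLACEHOLDER = b"\x30\x59" + b"\x00" * 89  # constructed stand-in for a DER SubjectPublicKeyInfo

def _vec(data: bytes, len_bytes: int) -> bytes:
    """Encode a TLS vector: big-endian length of len_bytes octets followed by data."""
    return len(data).to_bytes(len_bytes, "big") + data

def _read_vec(buf: bytes, pos: int, len_bytes: int) -> Tuple[bytes, int]:
    """Read a TLS vector at pos; reject truncated length fields and truncated bodies."""
    if pos + len_bytes > len(buf):
        raise ValueError("truncated length field")
    n = int.from_bytes(buf[pos:pos + len_bytes], "big")
    pos += len_bytes
    if pos + n > len(buf):
        raise ValueError("truncated vector")
    return buf[pos:pos + n], pos + n

def encode_certificate(context: bytes, entries: List[Tuple[bytes, bytes]]) -> bytes:
    """entries is a list of (cert_data, already-encoded extensions) pairs."""
    body = b"".join(_vec(cd, 3) + _vec(ext, 2) for cd, ext in entries)
    return _vec(context, 1) + _vec(body, 3)

def decode_certificate(msg: bytes, raw_public_key: bool = False):
    """Parse a Certificate message; with raw_public_key=True enforce the one-entry mapping."""
    context, pos = _read_vec(msg, 0, 1)
    body, pos = _read_vec(msg, pos, 3)
    if pos != len(msg):
        raise ValueError("trailing bytes after certificate_list")
    entries, p = [], 0
    while p < len(body):
        cert_data, p = _read_vec(body, p, 3)
        if not cert_data:
            raise ValueError("cert_data must be non-empty")
        ext, p = _read_vec(body, p, 2)
        entries.append((cert_data, ext))
    if raw_public_key and len(entries) > 1:
        raise ValueError("Raw Public Key mapping allows at most one certificate_list entry")
    return context, entries

def cached_info_hashes(entries: List[Tuple[bytes, bytes]]) -> List[str]:
    """Cached-info style mapping from the thread: a hash over each cert_data plus its extensions."""
    return [hashlib.sha256(_vec(cd, 3) + _vec(ext, 2)).hexdigest() for cd, ext in entries]
```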