Re: [TLS] [Fwd: {Virus?} I-D Action:draft-latze-tls-tpm-extns-00.txt]
"Blumenthal, Uri" <uri@ll.mit.edu> Thu, 08 October 2009 16:22 UTC
From: "Blumenthal, Uri" <uri@ll.mit.edu>
To: "'carolin.latze@unifr.ch'" <carolin.latze@unifr.ch>, "'tls@ietf.org'" <tls@ietf.org>
Date: Thu, 08 Oct 2009 12:04:11 -0400
I don't think I understand you. Are you implying that CA-certified certs are less secure than self-signed ones?! Or that getting your TPM-provided Public Key signed by a CA lessens its security? And how can self-signed certs possibly be bound to "identity certs signed by a CA"?

I still don't understand your justification (or reasons) for mucking with a perfectly usable TLS model. Perhaps you'd want to describe in a few sentences what it is that you're trying to accomplish with TPM-generated public keys, and how TLS as-is does not allow that? And why what you're trying to do would be of interest to anybody else on the planet who uses TPM and/or TLS?

----- Original Message -----
From: Carolin Latze <carolin.latze@unifr.ch>
To: Blumenthal, Uri
Sent: Thu Oct 08 04:02:09 2009
Subject: Re: [TLS] [Fwd: {Virus?} I-D Action:draft-latze-tls-tpm-extns-00.txt]

They are still valid X.509... the only difference is that they are self-signed and not CA-signed. And the reason to use self-signed certificates is that you don't need to send another certificate request without losing security, since the self-signed certificates are bound to identity certificates that are signed by a CA.

Blumenthal, Uri wrote:
> And the reason you want to do this instead of using valid X.509 certs is...?
>
>
> ----- Original Message -----
> From: tls-bounces@ietf.org <tls-bounces@ietf.org>
> To: tls@ietf.org <tls@ietf.org>
> Sent: Wed Oct 07 11:16:52 2009
> Subject: [TLS] [Fwd: {Virus?} I-D Action:draft-latze-tls-tpm-extns-00.txt]
>
> Hi all,
>
> after several experiments with TPMs as authentication devices in EAP-TLS, we figured out that the specific modifications in order to use TPMs might rather be an extension to TLS than an EAP extension. Therefore, we gave it a try and defined a new TLS extension in order to use TPM certified keys directly with TLS. We are aware of the fact that there is a possibility to request new valid X.509 certificates for those keys, which allows them to be used with standard TLS (and does not require a new extension), but since we want to avoid that request (and we think that this does not introduce any security issues), we propose this extension.
>
> We are always open for discussions, (critical) feedback, suggestions, ...
>
> Regards
> Carolin Latze
>
>
> -------- Original Message --------
> Subject: {Virus?} I-D Action:draft-latze-tls-tpm-extns-00.txt
> Date: Wed, 7 Oct 2009 16:45:01 +0200
> From: Internet-Drafts@ietf.org <Internet-Drafts@ietf.org>
> Reply-To: internet-drafts@ietf.org <internet-drafts@ietf.org>
> To: i-d-announce@ietf.org <i-d-announce@ietf.org>
>
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>
> Title : Transport Layer Security (TLS) Extensions for the Trusted Platform Module (TPM)
> Author(s) : C. Latze, et al.
> Filename : draft-latze-tls-tpm-extns-00.txt
> Pages : 10
> Date : 2009-10-07
>
> Trusted Platform Modules (TPMs) become more and more widespread in modern desktop and laptop computers and provide secure storage and cryptographic functions. As one nice feature of TPMs is that they can be identified uniquely, they provide a good base for device authentication in protocols like TLS. This document specifies a TLS extension that allows TPM certified keys to be used with TLS in order to allow for a secure and comfortable device authentication in TLS.
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-latze-tls-tpm-extns-00.txt
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft.
>
> --
> Carolin Latze
> PhD Student                         ICT Engineer
> Department of Computer Science      Swisscom Strategy and Innovation
> Boulevard de Pérolles 90            Ostermundigenstrasse 93
> CH-1700 Fribourg                    CH-3006 Bern
> phone: +41 26 300 83 30             +41 79 72 965 27
> homepage: http://diuf.unifr.ch/people/latzec
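The binding Carolin describes (a self-signed TLS certificate whose key has been certified by a CA-signed identity key, so that no second certificate request is needed) is only as good as the check the peer performs on it. The Go program below is an added example, not code from the draft or from either correspondent: with only the standard library it builds a CA-issued identity certificate, a self-signed certificate for the TLS key, and an attestation signed by the identity key over the TLS key's public key, then shows the verification a peer has to run before treating the self-signed certificate as trustworthy. Everything in it is constructed for illustration: the names (Example TPM Identity CA, tpm-identity-0001, device-0001), ECDSA P-256 keys in place of the TPM's RSA keys, and the attestation format (SHA-256 over the DER SubjectPublicKeyInfo, ECDSA-signed), which is an assumption and not the structure or wire encoding the draft carries.

```go
// Added example, not code from the draft; the attestation format below is an assumption.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Attestation is the identity key's statement "I certify this public key".
type Attestation struct {
	KeyHash [32]byte // SHA-256 of the certified key's DER SubjectPublicKeyInfo (assumed format)
	Sig     []byte   // ASN.1 ECDSA signature by the identity key over KeyHash
}

// template builds a 24-hour certificate; CertSign in ku marks it as a CA.
func template(cn string, serial int64, ku x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0,
	}
}

// issue generates a fresh P-256 key for tmpl and signs the certificate with signer.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil { // no issuer: self-signed
		signer, parent = k, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &k.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	c, err := x509.ParseCertificate(der)
	return c, k, err
}

// SelfSignedLeaf models the TPM-held TLS key: a fresh key with a self-signed cert and no CA.
func SelfSignedLeaf(cn string) (*x509.Certificate, error) {
	c, _, err := issue(template(cn, 3, x509.KeyUsageDigitalSignature), nil, nil)
	return c, err
}

// Certify is the CA-certified identity key signing over the TLS key's public key.
func Certify(aik *ecdsa.PrivateKey, leaf *x509.Certificate) (Attestation, error) {
	h := sha256.Sum256(leaf.RawSubjectPublicKeyInfo)
	sig, err := ecdsa.SignASN1(rand.Reader, aik, h[:])
	return Attestation{KeyHash: h, Sig: sig}, err
}

// BuildFixture constructs CA -> identity cert, plus a self-signed leaf bound to it (all names constructed).
func BuildFixture() (roots *x509.CertPool, aikCert, leaf *x509.Certificate, att Attestation, err error) {
	caCert, caKey, err := issue(template("Example TPM Identity CA", 1, x509.KeyUsageCertSign|x509.KeyUsageDigitalSignature), nil, nil)
	if err != nil {
		return
	}
	aikCert, aik, err := issue(template("tpm-identity-0001", 2, x509.KeyUsageDigitalSignature), caCert, caKey)
	if err != nil {
		return
	}
	if leaf, err = SelfSignedLeaf("device-0001"); err != nil {
		return
	}
	if att, err = Certify(aik, leaf); err != nil {
		return
	}
	roots = x509.NewCertPool()
	roots.AddCert(caCert)
	return
}

// VerifyBoundCert is the peer's check: all trust comes from steps 1-3, none from the self-signature.
func VerifyBoundCert(leaf *x509.Certificate, att Attestation, aikCert *x509.Certificate, roots *x509.CertPool) error {
	// 1. the identity cert chains to a trusted CA
	if _, err := aikCert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err
	}
	// 2. the attestation covers exactly the key in the presented self-signed cert
	if sha256.Sum256(leaf.RawSubjectPublicKeyInfo) != att.KeyHash {
		return errors.New("attestation is for a different public key")
	}
	// 3. the attestation is signed by the identity key
	aikPub, ok := aikCert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(aikPub, att.KeyHash[:], att.Sig) {
		return errors.New("attestation signature invalid")
	}
	// 4. the cert is signed by the key it carries (possession of that key is proven by the TLS handshake)
	return leaf.CheckSignature(leaf.SignatureAlgorithm, leaf.RawTBSCertificate, leaf.Signature)
}

func main() {
	roots, aikCert, leaf, att, err := BuildFixture()
	if err != nil {
		panic(err)
	}
	rogue, _ := SelfSignedLeaf("device-0001") // same name, but a key nobody certified
	fmt.Println("bound cert:", VerifyBoundCert(leaf, att, aikCert, roots))
	fmt.Println("rogue cert:", VerifyBoundCert(rogue, att, aikCert, roots))
}
```

Steps 1 to 3 of VerifyBoundCert carry the whole argument of the thread: the self-signed certificate is accepted because a CA-issued identity certificate vouches for its key, and a self-signed certificate with the same name but an uncertified key, a tampered attestation, or an identity certificate that does not chain to the trusted CA is rejected. Step 4 only confirms the certificate is internally consistent; proof that the peer holds the private key still comes from the TLS handshake, exactly as it does with a CA-issued certificate.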