Re: [TLS] [Fwd: {Virus?} I-D Action:draft-latze-tls-tpm-extns-00.txt]

"Blumenthal, Uri" <uri@ll.mit.edu> Thu, 08 October 2009 16:22 UTC

Return-Path: <uri@ll.mit.edu>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EA42228C188 for <tls@core3.amsl.com>; Thu, 8 Oct 2009 09:22:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.523
X-Spam-Level:
X-Spam-Status: No, score=-6.523 tagged_above=-999 required=5 tests=[AWL=0.075, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xpQsOmRVu6IK for <tls@core3.amsl.com>; Thu, 8 Oct 2009 09:22:17 -0700 (PDT)
Received: from ll.mit.edu (LLMAIL1.LL.MIT.EDU [129.55.12.41]) by core3.amsl.com (Postfix) with ESMTP id A62B13A6860 for <tls@ietf.org>; Thu, 8 Oct 2009 09:22:17 -0700 (PDT)
Received: (from smtp@localhost) by ll.mit.edu (8.12.10/8.8.8) id n98GNscN012634; Thu, 8 Oct 2009 12:23:54 -0400 (EDT)
Received: from lle2k7-hub02.llan.ll.mit.edu( ), claiming to be "LLE2K7-HUB02.mitll.ad.local" via SMTP by llpost, id smtpdAAAyvaOMQ; Thu Oct 8 12:04:47 2009
Received: from LLE2K7-BE01.mitll.ad.local ([ ]) by LLE2K7-HUB02.mitll.ad.local ([ ]) with mapi; Thu, 8 Oct 2009 12:04:47 -0400
From: "Blumenthal, Uri" <uri@ll.mit.edu>
To: "'carolin.latze@unifr.ch'" <carolin.latze@unifr.ch>, "'tls@ietf.org'" <tls@ietf.org>
Date: Thu, 8 Oct 2009 12:04:11 -0400
Thread-Topic: [TLS] [Fwd: {Virus?} I-D Action:draft-latze-tls-tpm-extns-00.txt]
Thread-Index: AcpH7biOACVip5dLSNu7jpA2KFr1LQAQ1WYT
Message-ID: <90E934FC4BBC1946B3C27E673B4DB0E4A7E75F6BC8@LLE2K7-BE01.mitll.ad.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Subject: Re: [TLS] [Fwd: {Virus?} I-D Action:draft-latze-tls-tpm-extns-00.txt]
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Oct 2009 16:22:19 -0000

I don't think I understand you.

Are you implying that CA-certified certs are less secure than self-signed ones?! Or that getting your TPM-provided Public Key signed by a CA lessens its security?

And how can self-signed certs be possibly bound to "identity certs signed by a CA"?

I still don't understand your justification (or reasons) for mucking with a perfectly usable TLS model.

Perhaps you'd want to describe in a few sentences what it is that you're trying to accomplish with TPM-generated public keys, and how TLS as-is does not allow that? And why what you're trying to do would of interest to anybody else on the planet who uses TPM and/or TLS?


----- Original Message -----
From: Carolin Latze <carolin.latze@unifr.ch>
To: Blumenthal, Uri
Sent: Thu Oct 08 04:02:09 2009
Subject: Re: [TLS] [Fwd: {Virus?} I-D Action:draft-latze-tls-tpm-extns-00.txt]

They are still valid X.509... the only difference is that they are
self-signed and not CA-signed. And the reason to use self-signed
certificates is that you don't need to send another certificate request
without loosing security since the self-signed certificates are bound to
identity certificates that are signed by a CA.

Blumenthal, Uri wrote:
> And the reason you want to do this instead of using valid X.509 certs is...?
>
>
> ----- Original Message -----
> From: tls-bounces@ietf.org <tls-bounces@ietf.org>
> To: tls@ietf.org <tls@ietf.org>
> Sent: Wed Oct 07 11:16:52 2009
> Subject: [TLS] [Fwd: {Virus?} I-D Action:draft-latze-tls-tpm-extns-00.txt]
>
> Hi all,
>
> after several experiments with TPMs as authentication devices in
> EAP-TLS, we figured out, that the specific modifications in order to use
> TPMs might be rather an extension to TLS than an EAP extension.
> Therefore, we gave it a try and defined a new TLS extension in order to
> use TPM certified keys directly with TLS. We are aware of the fact, that
> there is a possibility to request new valid X.509 certificates for those
> keys which allows to use them with standard TLS (and do not require a
> new extension), but since we want to avoid that request (and we think
> that this does not introduce any security issues), we propose this
> extension.
>
> We are always open for discussions, (critical) feedback, suggestions, ...
>
> Regards
> Carolin Latze
>
>
> -------- Original Message --------
> Subject: 	{Virus?} I-D Action:draft-latze-tls-tpm-extns-00.txt
> Date: 	Wed, 7 Oct 2009 16:45:01 +0200
> From: 	Internet-Drafts@ietf.org <Internet-Drafts@ietf.org>
> Reply-To: 	internet-drafts@ietf.org <internet-drafts@ietf.org>
> To: 	i-d-announce@ietf.org <i-d-announce@ietf.org>
>
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>
> 	Title           : Transport Layer Security (TLS) Extensions for the Trusted Platform Module (TPM)
> 	Author(s)       : C. Latze, et al.
> 	Filename        : draft-latze-tls-tpm-extns-00.txt
> 	Pages           : 10
> 	Date            : 2009-10-07
>
> Trusted Platform Modules (TPMs) become more and more widespread in
> modern desktop and laptop computers and provide secure storage and
> cryptographic functions.  As one nice feature of TPMs is that they
> can be identified uniquely, they provide a good base for device
> authentication in protocols like TLS.This document specifies a TLS
> extension that allows to use TPM certified keys with TLS in order to
> allow for a secure and comfortable device authentication in TLS.
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-latze-tls-tpm-extns-00.txt
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> Below is the data which will enable a MIME compliant mail reader
> implementation to automatically retrieve the ASCII version of the
> Internet-Draft.
>
>
>
>   

-- 
Carolin Latze
PhD Student				ICT Engineer

Department of Computer Science		Swisscom Strategy and Innovation
Boulevard de Pérolles 90		Ostermundigenstrasse 93
CH-1700 Fribourg      			CH-3006 Bern
	
phone: +41 26 300 83 30			+41 79 72 965 27
homepage: http://diuf.unifr.ch/people/latzec