[TLS] Exported Authenticators proposed change to incorporate authenticator request

Nick Sullivan <nicholas.sullivan@gmail.com> Thu, 23 November 2017 21:18 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/u9a2g7hQQny_ExqFCV6FxKpZKQo>

Martin Thomson raised an issue on GitHub (Issue #5
<https://github.com/tlswg/tls-exported-authenticator/issues/5>) suggesting
that we modify the exported authenticators draft to include the ability to
incorporate a CertificateRequest into an authenticator. I have put together
a set of changes to the draft to incorporate this suggestion:
https://github.com/tlswg/tls-exported-authenticator/pull/9

The advantage of this change is that it provides a more explicit binding
between a request for an authenticator (which includes TLS extensions) and
the authenticator itself. This change also significantly simplifies the HTTP/2
Additional Certificates draft
<https://tools.ietf.org/html/draft-bishop-httpbis-http2-additional-certs-04>
that depends on exported authenticators. I presented this change at IETF
100 and there were no objections.

Comments welcome,
Nick