Re: [TLS] WGLC for draft-ietf-tls-oob-pubkey-03.txt
Paul Hoffman <paul.hoffman@vpnc.org> Fri, 04 May 2012 17:58 UTC
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E712521F859A for <tls@ietfa.amsl.com>; Fri, 4 May 2012 10:58:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.548
X-Spam-Level:
X-Spam-Status: No, score=-102.548 tagged_above=-999 required=5 tests=[AWL=0.051, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m8MM+Ng6no8G for <tls@ietfa.amsl.com>; Fri, 4 May 2012 10:58:27 -0700 (PDT)
Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id CCD9821F8596 for <tls@ietf.org>; Fri, 4 May 2012 10:58:26 -0700 (PDT)
Received: from [10.20.30.102] (50-0-66-4.dsl.dynamic.fusionbroadband.com [50.0.66.4]) (authenticated bits=0) by hoffman.proper.com (8.14.5/8.14.3) with ESMTP id q44HwPY7037803 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO) for <tls@ietf.org>; Fri, 4 May 2012 10:58:26 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Apple Message framework v1257)
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <A11FC42E-1708-4D82-8163-B14013E4B4BA@cisco.com>
Date: Fri, 04 May 2012 10:58:25 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <1947EFE2-8850-43C3-9590-1D3D44B4B4AA@vpnc.org>
References: <A11FC42E-1708-4D82-8163-B14013E4B4BA@cisco.com>
To: tls@ietf.org
X-Mailer: Apple Mail (2.1257)
Subject: Re: [TLS] WGLC for draft-ietf-tls-oob-pubkey-03.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 May 2012 17:58:28 -0000
On Apr 25, 2012, at 5:35 PM, Joe Salowey wrote: > This is an announcement of working group last call for draft-ietf-tls-oob-pubkey-03.txt. Please complete reviews and send comments to the TLS list by Friday May 18, 2012. I support this document moving forwards, but it requires some significant changes first. First, the document needs to say "Updates: 6091" because it very much updates 6091. More importantly, the client auth text added in the last round was: 3.5. Client authentication Client authentication by the TLS server is supported only through authentication of the received client SubjectPublicKeyInfo via an out-of-band method This is both wrong and insufficient. It is wrong in that the server might also authenticate the client through a future TLSA-type protocol that handles user certificates, and might also authenticate the client through LDAP. The entire sentence can be removed. It is insufficient because it does not say how the client should respond if RawPublicKey certificates have been selected but the client does not have a raw client certificate. I believe that an equivalent of the "empty_cert" used in RFC 6091 is needed to be defined here and then used in wording such as: Therefore, this section should probably instead say: 3.5. Client Certificate This message is only sent in response to the certificate request message. The client certificate message is sent using the same formatting as the server certificate message, and it is also required to present a certificate that matches the negotiated certificate type. If RawPublicKey certificates have been selected and no certificate is available from the client, then a certificate structure of type "empty_cert" that contains an RawPublicKey value MUST be sent. The server SHOULD respond with a "handshake_failure" fatal alert if client authentication is required. I hope this helps. --Paul Hoffman
- [TLS] WGLC for draft-ietf-tls-oob-pubkey-03.txt Joe Salowey
- Re: [TLS] WGLC for draft-ietf-tls-oob-pubkey-03.t… Simon Josefsson
- Re: [TLS] WGLC for draft-ietf-tls-oob-pubkey-03.t… Paul Wouters
- Re: [TLS] WGLC for draft-ietf-tls-oob-pubkey-03.t… Paul Hoffman
- Re: [TLS] WGLC for draft-ietf-tls-oob-pubkey-03.t… Paul Hoffman
- Re: [TLS] WGLC for draft-ietf-tls-oob-pubkey-03.t… Martin Rex
- Re: [TLS] WGLC for draft-ietf-tls-oob-pubkey-03.t… Paul Hoffman
- Re: [TLS] WGLC for draft-ietf-tls-oob-pubkey-03.t… Martin Rex
- Re: [TLS] WGLC for draft-ietf-tls-oob-pubkey-03.t… Martin Rex
- Re: [TLS] WGLC for draft-ietf-tls-oob-pubkey-03.t… =JeffH