IETF Logo Mail Archive

Re: [TLS] AD review of draft-ietf-tls-oob-pubkey

Sean Turner <turners@ieca.com> Tue, 14 May 2013 18:48 UTC

Return-Path: <turners@ieca.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 31FE421F901B for <tls@ietfa.amsl.com>; Tue, 14 May 2013 11:48:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.965
X-Spam-Level:
X-Spam-Status: No, score=-100.965 tagged_above=-999 required=5 tests=[AWL=1.300, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 50EtAulC00bJ for <tls@ietfa.amsl.com>; Tue, 14 May 2013 11:48:16 -0700 (PDT)
Received: from gateway06.websitewelcome.com (gateway06.websitewelcome.com [69.93.164.14]) by ietfa.amsl.com (Postfix) with ESMTP id 41ABC21F9007 for <tls@ietf.org>; Tue, 14 May 2013 11:48:16 -0700 (PDT)
Received: by gateway06.websitewelcome.com (Postfix, from userid 5007) id CA0F93C99EDE2; Tue, 14 May 2013 13:48:15 -0500 (CDT)
Received: from gator1743.hostgator.com (gator1743.hostgator.com [184.173.253.227]) by gateway06.websitewelcome.com (Postfix) with ESMTP id BCB293C99EDBE for <tls@ietf.org>; Tue, 14 May 2013 13:48:15 -0500 (CDT)
Received: from [198.180.150.142] (port=51147 helo=thunderfish.local) by gator1743.hostgator.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.80) (envelope-from <turners@ieca.com>) id 1UcKGl-0000xp-Cx; Tue, 14 May 2013 13:48:15 -0500
Message-ID: <519286ED.4050304@ieca.com>
Date: Tue, 14 May 2013 19:48:13 +0100
From: Sean Turner <turners@ieca.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:17.0) Gecko/20130328 Thunderbird/17.0.5
MIME-Version: 1.0
To: Bert Greevenbosch <Bert.Greevenbosch@huawei.com>
References: <516D5ADE.3050506@ieca.com> <A95B4818FD85874D8F16607F1AC7C628BCDCF4@xmb-rcd-x09.cisco.com> <518BFECB.8050501@fifthhorseman.net> <A95B4818FD85874D8F16607F1AC7C628BE391F@xmb-rcd-x09.cisco.com> <46A1DF3F04371240B504290A071B4DB63D7272A9@szxeml558-mbx.china.huawei.com>
In-Reply-To: <46A1DF3F04371240B504290A071B4DB63D7272A9@szxeml558-mbx.china.huawei.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator1743.hostgator.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ieca.com
X-BWhitelist: no
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: (thunderfish.local) [198.180.150.142]:51147
X-Source-Auth: sean.turner@ieca.com
X-Email-Count: 8
X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IxNzQzLmhvc3RnYXRvci5jb20=
Cc: "<tls@ietf.org>" <tls@ietf.org>, "<draft-ietf-tls-oob-pubkey@tools.ietf.org>" <draft-ietf-tls-oob-pubkey@tools.ietf.org>
Subject: Re: [TLS] AD review of draft-ietf-tls-oob-pubkey
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 May 2013 18:48:24 -0000

On 5/14/13 4:30 AM, Bert Greevenbosch wrote:
> [Joe]  I agree, but to your point above would you want to restrict the use of an extension that could easily be extended to use a different mechanism in the future?   I think here we would probably want to add text to the document to say that this document does not cover how revocation either.
>
> "Revocation of keys is not covered by this document.  Specifications that make use of this extension need to describe if and how revocation of keys is performed.  At the time of this document's publication, OCSP does not support the revocation of raw public keys so [TLS-OCSP] and [TLS-MULTI_OCSP]  do not apply. "
>
> [Bert] I wonder if it would make sense to add some kind of a meta field as follows:
>
>        SubjectPublicKeyInfo  ::=  SEQUENCE  {
>             algorithm            AlgorithmIdentifier,
>             subjectPublicKey     BIT STRING
>             meta                 OCTET STRING
>        }
>
> This could then be used to provide meta information about the public key, e.g. information that may be needed by an out of band authentication method. The field could be ignored by default, unless the particular trust model requires differently.
>
> I guess DER encoding also allows addition of unspecified fields, but I am not sure if they will be ignored or lead to exceptions.

Please don't add the meta field there.  The idea was that the 
SubjectPublciKey might just be grabbed from a certificate and that 
field's not there in a certificate.  Further, I think the DANE 
structures require that SubjectPublicKeyInfo be as specified in RFC 5280 
(i.e., sans meta).

spt

v2.23.0 | Report a Bug | By Email