[TLS] Proposals for draft-ietf-tls-subcerts-02
"Patton,Christopher J" <cjpatton@ufl.edu> Tue, 24 July 2018 19:24 UTC
Return-Path: <cjpatton@ufl.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79826131161 for <tls@ietfa.amsl.com>; Tue, 24 Jul 2018 12:24:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eYrbnTHqwWsT for <tls@ietfa.amsl.com>; Tue, 24 Jul 2018 12:24:13 -0700 (PDT)
Received: from smtp.ufl.edu (smtp-prod05.osg.ufl.edu [128.227.74.125]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE157130E0A for <tls@ietf.org>; Tue, 24 Jul 2018 12:24:13 -0700 (PDT)
X-UFL-GatorLink-Authenticated: authenticated as (<>) with from 10.36.133.41
Received: from exmbxprd15.ad.ufl.edu ([10.36.133.41]) by smtp.ufl.edu (8.14.4/8.14.4/3.0.0) with ESMTP id w6OJOCmj001540 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NOT) for <tls@ietf.org>; Tue, 24 Jul 2018 15:24:12 -0400
Received: from exmbxprd23.ad.ufl.edu (128.227.145.167) by exmbxprd15.ad.ufl.edu (10.36.133.41) with Microsoft SMTP Server (TLS) id 15.0.1365.1; Tue, 24 Jul 2018 15:24:12 -0400
Received: from exmbxprd23.ad.ufl.edu (2002:80e3:91a7::80e3:91a7) by exmbxprd23.ad.ufl.edu (2002:80e3:91a7::80e3:91a7) with Microsoft SMTP Server (TLS) id 15.0.1365.1; Tue, 24 Jul 2018 15:24:12 -0400
Received: from NAM02-CY1-obe.outbound.protection.outlook.com (207.46.163.47) by exmbxprd23.ad.ufl.edu (128.227.145.167) with Microsoft SMTP Server (TLS) id 15.0.1365.1 via Frontend Transport; Tue, 24 Jul 2018 15:24:12 -0400
Received: from MWHPR22MB0461.namprd22.prod.outlook.com (10.173.55.7) by MWHPR22MB0493.namprd22.prod.outlook.com (10.173.55.15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.973.21; Tue, 24 Jul 2018 19:24:09 +0000
Received: from MWHPR22MB0461.namprd22.prod.outlook.com ([fe80::d523:1716:f973:221f]) by MWHPR22MB0461.namprd22.prod.outlook.com ([fe80::d523:1716:f973:221f%2]) with mapi id 15.20.0973.022; Tue, 24 Jul 2018 19:24:09 +0000
From: "Patton,Christopher J" <cjpatton@ufl.edu>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: Proposals for draft-ietf-tls-subcerts-02
Thread-Index: AQHUI4J2izOpwygh4UiboxDIYgPCqQ==
Date: Tue, 24 Jul 2018 19:24:09 +0000
Message-ID: <MWHPR22MB046162AC2C43A3A56FB1A8C4C6550@MWHPR22MB0461.namprd22.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2606:4700:ff01:8210:e59c:725d:ec6e:3ce1]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; MWHPR22MB0493; 6:D9g2GrBWKsBhBPHjtUmxctZZAsIXUqwzDnQLSmRvG80nWaQc1URgb/o7qKy4wgjv22voDIABBbjNpIVza8lMOauqLN5Ap9goIVvhy04MkF3s33SyXLY029ZnjuqTQqXp8CGrgAe1zqtwnelhoXCNgl476fYw+Vaxzy90xggPseY9ohWsG0GlBjKM29Z7lODvVqNc3IAFybyV9bio+naK5deYipizAli6Sqs5AO68YrCw9yyIMbAoiVl0j99y6h+pH/ZFHZL3VJccfLlYBBK2sR1jOR8BGTp9Jy30XokUyDb7wugr7RRZ5g1sObYi7Dagn1clpH1gLP6MDIcYTV6m2BIxK6mWzZfIyUrjt5CQigIjejk3yhlupo7a0X0i1RMU+tJ0AO+fOMGDEj5CXp3pSEe0Pjy+qtUeKbogs3vGPjc9NZzEytm40ilc6+DUX/+7QmYVX4b1ZnACU7B8mqugZg==; 5:BpQntUJ+05CimS7GHlS/m0y6wvScF6h01hrYvDcloPh1hFsNg5iv6R1yrtST+FJrc0DC94OFi/CMzZCXwZ+pNnBhZCtDFYE7IhcIc4oSX82ttm4mf8k8FfXyah83Zm5Cg0L7+VQrHAvY1sDh1pR62Jl90psYmXtJSmSgckmsvao=; 7:6p3CprBfnbXEdn5b1zfe8mYhXpvfMxMWEKonj1NYDfNZsqX1gwJDuH7ZvwDVcU/lxzcyDuaaiBTMgwddZsAfgjY3v250hMCP88khD3HbPCXwWITfRTtFmH4z97RbZQHZC7cPvfAkchWMAFjPpL3Cy7YF5JxvDo6/ElYL2HPa7CCZTsnfNi0Qt9m3TxAA9UxgDZQEbTQ2GF1/siGzGay2/tkYiyYeznHTDbyPzdJSko2F0Zq3A5wflqNkpJswLK9G
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 7f261bea-7dfc-4d45-65d5-08d5f19b07a3
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989117)(5600073)(711020)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(2017052603328)(7153060)(7193020); SRVR:MWHPR22MB0493;
x-ms-traffictypediagnostic: MWHPR22MB0493:
x-microsoft-antispam-prvs: <MWHPR22MB04931A50B53D845F10928DBCC6550@MWHPR22MB0493.namprd22.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(166708455590820);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040522)(2401047)(8121501046)(5005006)(3231311)(944501410)(52105095)(93006095)(93001095)(3002001)(10201501046)(149027)(150027)(6041310)(201703131423095)(201702281529075)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(20161123564045)(20161123558120)(20161123562045)(6072148)(201708071742011)(7699016); SRVR:MWHPR22MB0493; BCL:0; PCL:0; RULEID:; SRVR:MWHPR22MB0493;
x-forefront-prvs: 0743E8D0A6
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(376002)(346002)(136003)(39860400002)(396003)(366004)(199004)(189003)(53754006)(6606003)(256004)(88552002)(2900100001)(5660300001)(105586002)(6116002)(2351001)(606006)(106356001)(5640700003)(6306002)(53936002)(55016002)(74316002)(9686003)(54896002)(25786009)(6916009)(97736004)(6436002)(75432002)(53336002)(236005)(68736007)(46003)(478600001)(19627405001)(8936002)(33656002)(6506007)(81166006)(81156014)(14454004)(1730700003)(7736002)(2906002)(7696005)(8676002)(186003)(966005)(86362001)(102836004)(99286004)(5250100002)(316002)(476003)(2501003)(486006)(786003); DIR:OUT; SFP:1101; SCL:1; SRVR:MWHPR22MB0493; H:MWHPR22MB0461.namprd22.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: ufl.edu does not designate permitted sender hosts)
x-microsoft-antispam-message-info: JHIQjMdPucKpImw+kNbW3ah4iFVNyI72AROco6BpPl7K7aUd3r5rkCEOt8p26e+XR3xSZYEu1rw/pY8QSS4yvTXM+iNylZeX0R6tKzyRojHRX1E7LEDvXv8GvlS9fVEHOFviFS43o+8jnF1wMfu44DXNU+2FdqfPh3toDoY5QYAv+My409Mr8OTv4wWvvB6OVswe3yjNMoq55SfCqFfOUMNkWFIuxZ4Fus31rw9QfsOWM1fh4WW7lh5kELO1wZwgto96OFGSeVQAObW3951KuJNpgS5mprvsejcTGzX5QURXF2Y5koBB9rhEubS7iqYAS5+fUeI4N4wPvtCD5w88FWC61zokGLLHR/k48lb3J6Q=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_MWHPR22MB046162AC2C43A3A56FB1A8C4C6550MWHPR22MB0461namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 7f261bea-7dfc-4d45-65d5-08d5f19b07a3
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Jul 2018 19:24:09.0454 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 0d4da0f8-4a31-4d76-ace6-0a62331e1b84
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR22MB0493
X-OriginatorOrg: ufl.edu
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-07-24_06:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=508 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1806210000 definitions=main-1807240204
X-UFL-Spam-Level: *
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/xCOhgooUEtaRfQ7wbtLQ8nMUpYs>
Subject: [TLS] Proposals for draft-ietf-tls-subcerts-02
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Jul 2018 19:24:17 -0000
Hi all, I've taken the liberty of addressing the changes to the delegated credentials extension that were requested at IETF: https://github.com/tlswg/tls-subcerts/pull/13 The changes that would be adopted in draft-02 are as follows: * Drop support for TLS 1.2. * Allow the critical bit of the X.509 extension to be set. * Add the protocol version and credential signature algorithm to the Credential structure. * Make the KeyUsage of the delegation certificate stricter. * Specify undefined behavior in a few cases. It was suggested that we add optional "must-use-DC" semantics to the certificate. The solution we came up with was to add a "strict" flag to the extension that is set if (and only if) the extension is marked critical. The idea is that if the "strict" flag is set and the server doesn't offer a DC, then client must abort the handshake, In my opinion, the complexity this adds to the protocol outweighs the potential benefits. Comments on the PR are welcome. Thanks, Chris Patton
- [TLS] Proposals for draft-ietf-tls-subcerts-02 Patton,Christopher J
- Re: [TLS] Proposals for draft-ietf-tls-subcerts-02 Ilari Liusvaara
- Re: [TLS] Proposals for draft-ietf-tls-subcerts-02 Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Proposals for draft-ietf-tls-subcerts-02 Patton,Christopher J
- Re: [TLS] Proposals for draft-ietf-tls-subcerts-02 Nick Sullivan