Re: [TLS] FYI, RFC7250 (raw public keys) to be supported in OpenSSL ~3.2

John Mattsson <john.mattsson@ericsson.com> Mon, 23 January 2023 07:01 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Viktor Dukhovni <ietf-dane@dukhovni.org>, Achim Kraus <achimkraus@gmx.net>, "tls@ietf.org" <tls@ietf.org>
Date: Mon, 23 Jan 2023 07:01:38 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/z9cyuh5ZqTM_8pu-klem8XQIjb8>

Hi Viktor,

Are point compressed secp256r1 RPKs supported?

- Uncompressed secp256r1 RPKs are 91 bytes.
- Point compressed secp256r1 RPKs are 59 bytes.
- Ed25519 RPKs are 58 bytes

Cheers,
John

From: TLS <tls-bounces@ietf.org> on behalf of Achim Kraus <achimkraus@gmx.net>
Date: Sunday, 22 January 2023 at 22:02
To: tls@ietf.org <tls@ietf.org>, Viktor Dukhovni <ietf-dane@dukhovni.org>
Subject: Re: [TLS] FYI, RFC7250 (raw public keys) to be supported in OpenSSL ~3.2

Hello Viktor,

 > Thanks to Todd Short, RFC7250 raw public keys should be available in
 > OpenSSL ~3.2.  Applications that use unauthenticated opportunistic TLS,

Sounds great. Especially for IoT/constrained use-cases, that's a real
benefit.

Just in case someone is interested: I asked a couple of months ago
whether https://datatracker.ietf.org/doc/html/draft-ietf-tls-subcerts-10 has
some considerations about certificate types without a validation date.
See https://github.com/tlswg/tls-subcerts/issues/107

 > The pull request <https://github.com/openssl/openssl/pull/18185> is
 > still a work in progress, but complete enough for application
 > integration testing.

I will try to test next week the DTLS interoperability with

Eclipse/tinydtls
Eclipse/Californium

best regards
Achim


Am 22.01.23 um 21:41 schrieb Viktor Dukhovni:
> Thanks to Todd Short, RFC7250 raw public keys should be available in
> OpenSSL ~3.2.  Applications that use unauthenticated opportunistic TLS,
> employ DANE or have other ways to avoid X.509 certificates and make do
> with raw peer public keys can avoid the overhead of receiving and
> processing certificate chains.
>
> The pull request <https://github.com/openssl/openssl/pull/18185> is
> still a work in progress, but complete enough for application
> integration testing.  Likely too late for OpenSSL 3.1 (in beta now), but
> seems likely to land by 3.2.  The TODO items on the OpenSSL side are
> at this point IMHO minor.  Review eyeballs of course always appreciated.
>
> I have a Postfix branch with a reasonably complete implementation:
>
>      # posttls-finger -c <domain>
>      posttls-finger: <mxhost>[192.0.2.1]:25: raw public key fingerprint=<...>
>      posttls-finger: <mxhost>[192.0.2.1]:25: Matched DANE raw public key: 3 1 1 <...>
>      posttls-finger: Verified TLS connection established to <mxhost>[192.0.2.1]:25:
>          TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
>          key-exchange X25519
>          server-signature RSA-PSS (2048 bits)
>          server-digest SHA256
>
> based on the current state of the pull request.
>

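The two secp256r1 sizes quoted in the thread can be reproduced by building the RFC 7250 payload (a DER SubjectPublicKeyInfo) by hand. This is an added example, not code from the thread participants, OpenSSL or Postfix; the function names are hypothetical and the sample key is constructed (the curve's base point). It also computes the DANE `3 1 1` association data for both encodings of the same key.

```python
import hashlib

# secp256r1 (P-256): y^2 = x^3 - 3x + B (mod P)
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
# Constructed sample key: the curve's base point G (private key 1), not a real key.
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
# DER AlgorithmIdentifier { id-ecPublicKey, prime256v1 }
ALG_ID = bytes.fromhex("301306072a8648ce3d020106082a8648ce3d030107")

def sec1_point(x, y, compressed):
    """SEC1 encoding: 04||X||Y, or 02/03||X where the prefix carries Y's parity."""
    xb = x.to_bytes(32, "big")
    if compressed:
        return bytes([2 + (y & 1)]) + xb
    return b"\x04" + xb + y.to_bytes(32, "big")

def decompress(point):
    """Recover 04||X||Y from 02/03||X; rejects an X that is not on the curve."""
    x = int.from_bytes(point[1:], "big")
    if len(point) != 33 or point[0] not in (2, 3) or x >= P:
        raise ValueError("not a compressed P-256 point")
    rhs = (pow(x, 3, P) - 3 * x + B) % P
    y = pow(rhs, (P + 1) // 4, P)  # modular square root, valid because P % 4 == 3
    if y * y % P != rhs:
        raise ValueError("X is not on the curve")
    return sec1_point(x, y if (y & 1) == (point[0] & 1) else P - y, False)

def spki(point):
    """Wrap a SEC1 point in a DER SubjectPublicKeyInfo (the RFC 7250 payload)."""
    if len(point) not in (33, 65):
        raise ValueError("unexpected P-256 point length")
    # BIT STRING with zero unused bits; every length here fits DER short form (< 128)
    body = ALG_ID + b"\x03" + bytes([len(point) + 1]) + b"\x00" + point
    return b"\x30" + bytes([len(body)]) + body

def tlsa_3_1_1(spki_der):
    """DANE-EE(3) SPKI(1) SHA2-256(1) association data for this exact DER encoding."""
    return hashlib.sha256(spki_der).hexdigest()

def compare_encodings():
    """Return {encoding: (SPKI length in bytes, TLSA 3 1 1 digest)} for the sample key."""
    result = {}
    for name, compressed in (("uncompressed", False), ("compressed", True)):
        der = spki(sec1_point(GX, GY, compressed))
        result[name] = (len(der), tlsa_3_1_1(der))
    return result

if __name__ == "__main__":
    print(compare_encodings())
```

Because the `3 1 1` digest is taken over the SPKI bytes as sent, the two encodings of one key produce different association data; a TLSA record has to be generated from the encoding the server actually presents.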