Re: [TLS] I-D Action: draft-ietf-tls-subcerts-10.txt

2021-03-27 Thread Joseph Birr-Pixton
On Sun, 24 Jan 2021 at 23:03,  wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts 
> directories.
> This draft is a work item of the Transport Layer Security WG of the IETF.
>
> Title   : Delegated Credentials for TLS

I'm a little confused too by the meaning of 4.1.3:

#   1.  Validate that DelegatedCredential.cred.valid_time is no more than
#   7 days.

I read this as saying that a certificate can only be usable for
delegation in the first 7 days after its notBefore. That follows from
valid_time being an offset in seconds from notBefore, and validation
step 3 covers the "maximum validity period" mentioned elsewhere in the
draft. This sounds a bit odd.

Honestly, I find the name and definition of valid_time a little
unclear. It's neither a "validity time" instant nor a period. Perhaps
"validity_offset"? But it may be simpler to just make it 64 bits and
_make_ it a UTC instant -- with the added benefit that this may result
in fewer implementations doing unsigned 32-bit arithmetic on times in
seconds and breaking ~15 years hence.

I think this draft would also benefit from explicitly drawing out (d)
in this thought process:

a) for performance reasons[1], it seems unlikely that RSA keys are
workable as delegated credentials.
b) a huge amount of the webpki is still built on RSA.
c) given (a) and (b), a common deployment strategy will mean mixed
authentication cryptography in handshake authentication: RSA for the
webpki portion, ECDSA/EdDSA perhaps for delegation.
d) and this is OK (as it is in webpki), and totally allowed, and expected.

Thanks,
Joe

[1] expensive, non-deterministic key generation; large key sizes

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
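The valid_time arithmetic discussed in the message above, as an added example that is not part of the original thread and not code from the draft or any implementation. It decodes the DelegatedCredential wire structure from section 3 of the draft, applies step 1 of section 4.1.3 both as literally written (the valid_time offset itself at most 7 days) and as a bound on the validity remaining from the current time, and repeats the notBefore + valid_time addition in a simulated signed 32-bit time_t to show the wrap-around concern. The sample credential, its placeholder SPKI and signature bytes, the dates, and all function names are constructed for the example; the signature is not verified here, since that needs the delegation certificate. The sample also pairs an RSA-PSS signing algorithm with an ECDSA delegated key, the mixed deployment from point (c).

```python
import struct
from datetime import datetime, timedelta, timezone

MAX_VALIDITY = timedelta(days=7)  # default maximum validity period, draft section 2

# SignatureScheme code points from the TLS 1.3 registry (RFC 8446).
SIGNATURE_SCHEMES = {0x0403: "ecdsa_secp256r1_sha256",
                     0x0804: "rsa_pss_rsae_sha256",
                     0x0807: "ed25519"}


def build_delegated_credential(valid_time, expected_alg, spki, algorithm, signature):
    """Encode the draft's wire structure; used here only to construct sample input."""
    return (struct.pack("!IH", valid_time, expected_alg)
            + len(spki).to_bytes(3, "big") + spki
            + struct.pack("!HH", algorithm, len(signature)) + signature)


def parse_delegated_credential(data: bytes) -> dict:
    """Decode, checking every length against the buffer before trusting it:
         Credential { uint32 valid_time; SignatureScheme expected_cert_verify_algorithm;
                      opaque ASN1_subjectPublicKeyInfo<1..2^24-1>; }
         DelegatedCredential { Credential cred; SignatureScheme algorithm;
                               opaque signature<0..2^16-1>; }"""
    if len(data) < 9:
        raise ValueError("truncated Credential header")
    valid_time, expected_alg = struct.unpack_from("!IH", data, 0)
    spki_len = int.from_bytes(data[6:9], "big")
    if spki_len == 0:
        raise ValueError("ASN1_subjectPublicKeyInfo must be at least 1 byte")
    pos = 9
    spki = data[pos:pos + spki_len]
    if len(spki) != spki_len:
        raise ValueError("truncated subjectPublicKeyInfo")
    pos += spki_len
    cred_end = pos  # Credential ends here; the signature covers data[:cred_end]
    if len(data) < pos + 4:
        raise ValueError("truncated DelegatedCredential trailer")
    algorithm, sig_len = struct.unpack_from("!HH", data, pos)
    pos += 4
    signature = data[pos:pos + sig_len]
    if len(signature) != sig_len or pos + sig_len != len(data):
        raise ValueError("signature length mismatch or trailing bytes")
    return {"valid_time": valid_time,
            "expected_cert_verify_algorithm": SIGNATURE_SCHEMES.get(expected_alg, hex(expected_alg)),
            "algorithm": SIGNATURE_SCHEMES.get(algorithm, hex(algorithm)),
            "spki": spki, "signature": signature, "credential_bytes": data[:cred_end]}


def credential_expiry(not_before: datetime, valid_time: int) -> datetime:
    """valid_time is an offset in seconds from the delegation certificate's notBefore."""
    return not_before + timedelta(seconds=valid_time)


def step1_literal(valid_time: int) -> bool:
    """Section 4.1.3 step 1 taken literally: the offset itself is at most 7 days."""
    return valid_time <= MAX_VALIDITY.total_seconds()


def remaining_validity_ok(not_before: datetime, valid_time: int, now: datetime) -> bool:
    """The other reading: unexpired, and no more than 7 days of validity left,
       i.e. now <= notBefore + valid_time <= now + 7 days."""
    expiry = credential_expiry(not_before, valid_time)
    return now <= expiry <= now + MAX_VALIDITY


def expiry_epoch_int32(not_before_epoch: int, valid_time: int) -> int:
    """The same addition done in a signed 32-bit time_t (assumed, the common C case)."""
    total = (not_before_epoch + valid_time) & 0xFFFFFFFF
    return total - (1 << 32) if total >= (1 << 31) else total


# Constructed sample: certificate notBefore 2021-01-01, credential minted 30 days
# later for 3 days (valid_time = 33 days), checked one day after minting.
NOT_BEFORE = datetime(2021, 1, 1, tzinfo=timezone.utc)
NOW = NOT_BEFORE + timedelta(days=31)
SAMPLE_DC = build_delegated_credential(
    valid_time=33 * 86400,
    expected_alg=0x0403,            # delegated key is ECDSA P-256
    spki=b"\x30\x59" + bytes(89),   # placeholder bytes, not a real DER SPKI
    algorithm=0x0804,               # RSA certificate key signs the credential
    signature=bytes(256))           # placeholder; not verified in this example


def evaluate_sample() -> dict:
    dc = parse_delegated_credential(SAMPLE_DC)
    return {"mixed_algorithms": dc["expected_cert_verify_algorithm"] != dc["algorithm"],
            "step1_literal": step1_literal(dc["valid_time"]),
            "remaining_validity_ok": remaining_validity_ok(NOT_BEFORE, dc["valid_time"], NOW),
            "expiry": credential_expiry(NOT_BEFORE, dc["valid_time"])}


if __name__ == "__main__":
    for key, value in evaluate_sample().items():
        print(f"{key}: {value}")
    # notBefore 2038-01-19T00:00:00Z plus a 7-day valid_time wraps negative in 32 bits
    print(expiry_epoch_int32(2147472000, 7 * 86400))
```

Run as a script it prints the two readings side by side for the sample: the literal step 1 rejects a credential minted a month into the certificate's life, while the remaining-validity reading accepts it with two days left. The last line shows why the 64-bit suggestion matters: the same addition in a 32-bit signed time_t yields a negative expiry, which a naive "now <= expiry" check would treat as already expired.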


Re: [TLS] I-D Action: draft-ietf-tls-subcerts-10.txt

2021-03-23 Thread Sean Turner



> On Mar 22, 2021, at 17:17, Michael Richardson  wrote:
> 
> On 2021-01-24 6:03 p.m., internet-dra...@ietf.org wrote:
>>  Filename: draft-ietf-tls-subcerts-10.txt
> 
> I was looking at the DT, wondering what's up, wondering if there was any 
> implementation report in the document.  (When can I use this?... )
> I see in the DT that it is waiting for WG chair go-ahead.  I see -10 posted 
> in January, and a few comments on it, so I'm guessing that we are
> waiting for the authors to put out a -11, and then it can go on the IESG?

It is stuck on me. We are resolving some Directorate review comments.

spt


Re: [TLS] I-D Action: draft-ietf-tls-subcerts-10.txt

2021-03-22 Thread Michael Richardson

On 2021-01-24 6:03 p.m., internet-dra...@ietf.org wrote:

Filename: draft-ietf-tls-subcerts-10.txt


I was looking at the DT, wondering what's up, wondering if there was any 
implementation report in the document.  (When can I use this?... )
I see in the DT that it is waiting for WG chair go-ahead.  I see -10 
posted in January, and a few comments on it, so I'm guessing that we are

waiting for the authors to put out a -11, and then it can go on the IESG?




Re: [TLS] I-D Action: draft-ietf-tls-subcerts-10.txt

2021-02-01 Thread Russ Housley
Works for me.

> On Jan 31, 2021, at 11:58 PM, Sean Turner  wrote:
> 
> Do you think this would be clearer:
> 
>  The maximum validity period is set to 7 days unless
>  an application profile standard specifies a shorter
>  period.
> 
> spt
> 
>> On Jan 25, 2021, at 11:14, Russ Housley  wrote:
>> 
>> I have reviewed the recent update, and I notice one inconsistency.
>> 
>> Section 2 says:
>> 
>>  In the absence of an application profile standard
>>  specifying otherwise, the maximum validity period is set to 7 days.
>> 
>> Section 4.1.3 says:
>> 
>>  1.  Validate that DelegatedCredential.cred.valid_time is no more than
>>  7 days.
>> 
>> I think that Section 2 is trying to say that an application profile can make 
>> it even shorter than 7 days, but on my first reading I got the opposite.
>> 
>> Russ


Re: [TLS] I-D Action: draft-ietf-tls-subcerts-10.txt

2021-02-01 Thread Daniel Migault
Hi,

It is unclear to me if the current version is expected to address the
comments received during the WGLCs or if further versions are expected.
Just to clarify the current version does not address my comments concerning
the related work section [1].

Yours,
Daniel

[1] https://mailarchive.ietf.org/arch/msg/tls/B7qc2sPH_d9Tfr-W7vnf24jiGds/

On Sun, Jan 31, 2021 at 11:59 PM Sean Turner  wrote:

> Do you think this would be clearer:
>
>   The maximum validity period is set to 7 days unless
>   an application profile standard specifies a shorter
>   period.
>
> spt
>
> > On Jan 25, 2021, at 11:14, Russ Housley  wrote:
> >
> > I have reviewed the recent update, and I notice one inconsistency.
> >
> > Section 2 says:
> >
> >   In the absence of an application profile standard
> >   specifying otherwise, the maximum validity period is set to 7 days.
> >
> > Section 4.1.3 says:
> >
> >   1.  Validate that DelegatedCredential.cred.valid_time is no more than
> >   7 days.
> >
> > I think that Section 2 is trying to say that an application profile can
> make it even shorter than 7 days, but on my first reading I got the
> opposite.
> >
> > Russ
> >
> >


-- 
Daniel Migault
Ericsson


Re: [TLS] I-D Action: draft-ietf-tls-subcerts-10.txt

2021-01-31 Thread Sean Turner
Do you think this would be clearer:

  The maximum validity period is set to 7 days unless
  an application profile standard specifies a shorter
  period.

spt

> On Jan 25, 2021, at 11:14, Russ Housley  wrote:
> 
> I have reviewed the recent update, and I notice one inconsistency.
> 
> Section 2 says:
> 
>   In the absence of an application profile standard
>   specifying otherwise, the maximum validity period is set to 7 days.
> 
> Section 4.1.3 says:
> 
>   1.  Validate that DelegatedCredential.cred.valid_time is no more than
>   7 days.
> 
> I think that Section 2 is trying to say that an application profile can make 
> it even shorter than 7 days, but on my first reading I got the opposite.
> 
> Russ


Re: [TLS] I-D Action: draft-ietf-tls-subcerts-10.txt

2021-01-25 Thread Russ Housley
I have reviewed the recent update, and I notice one inconsistency.

Section 2 says:

   In the absence of an application profile standard
   specifying otherwise, the maximum validity period is set to 7 days.

Section 4.1.3 says:

   1.  Validate that DelegatedCredential.cred.valid_time is no more than
   7 days.

I think that Section 2 is trying to say that an application profile can make it 
even shorter than 7 days, but on my first reading I got the opposite.

Russ




[TLS] I-D Action: draft-ietf-tls-subcerts-10.txt

2021-01-24 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Transport Layer Security WG of the IETF.

Title   : Delegated Credentials for TLS
Authors : Richard Barnes
  Subodh Iyengar
  Nick Sullivan
  Eric Rescorla
Filename: draft-ietf-tls-subcerts-10.txt
Pages   : 19
Date: 2021-01-24

Abstract:
   The organizational separation between the operator of a TLS endpoint
   and the certification authority can create limitations.  For example,
   the lifetime of certificates, how they may be used, and the
   algorithms they support are ultimately determined by the
   certification authority.  This document describes a mechanism by
   which operators may delegate their own credentials for use in TLS,
   without breaking compatibility with peers that do not support this
   specification.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-tls-subcerts/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-tls-subcerts-10
https://datatracker.ietf.org/doc/html/draft-ietf-tls-subcerts-10

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-tls-subcerts-10


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

