Re: [TLS] Why again can't we use TLS signing certs to create short-lived sub-certs?

2016-03-30 Thread Eric Rescorla
On Wed, Mar 30, 2016 at 2:47 PM, Ilari Liusvaara wrote: > On Wed, Mar 30, 2016 at 01:33:57PM -0700, Eric Rescorla wrote: > > On Wed, Mar 30, 2016 at 1:23 PM, Dave Garrett > > wrote: > > > > > On Wednesday, March 30, 2016 11:22:15 am Eric

Re: [TLS] Why again can't we use TLS signing certs to create short-lived sub-certs?

2016-03-30 Thread Ilari Liusvaara
On Wed, Mar 30, 2016 at 01:33:57PM -0700, Eric Rescorla wrote: > On Wed, Mar 30, 2016 at 1:23 PM, Dave Garrett > wrote: > > > On Wednesday, March 30, 2016 11:22:15 am Eric Rescorla wrote: > > > 1. Add a "this is only usable for TLS 1.3 [or for subcerts]" extension to > >

Re: [TLS] Why again can't we use TLS signing certs to create short-lived sub-certs?

2016-03-30 Thread Eric Rescorla
On Wed, Mar 30, 2016 at 1:23 PM, Dave Garrett wrote: > On Wednesday, March 30, 2016 11:22:15 am Eric Rescorla wrote: > > 1. Add a "this is only usable for TLS 1.3 [or for subcerts]" extension to > > PKIX. > > Adding a PKIX extension to mandate a minimum threshold of

Re: [TLS] Why again can't we use TLS signing certs to create short-lived sub-certs?

2016-03-30 Thread Watson Ladd
On Mar 30, 2016 9:03 AM, "Daniel Kahn Gillmor" wrote: > > On Wed 2016-03-30 11:22:15 -0400, Eric Rescorla wrote: > > This got a lot of discussion early in the design process and the consensus > > was that the risk of having the default mode (with existing certs) allow the

Re: [TLS] Why again can't we use TLS signing certs to create short-lived sub-certs?

2016-03-30 Thread Dave Garrett
On Wednesday, March 30, 2016 11:22:15 am Eric Rescorla wrote: > 1. Add a "this is only usable for TLS 1.3 [or for subcerts]" extension to > PKIX. Adding a PKIX extension to mandate a minimum threshold of security configuration (e.g. PFS+AEAD w/o resumption or SHA1 or any support for TLS <1.2)

Re: [TLS] Why again can't we use TLS signing certs to create short-lived sub-certs?

2016-03-30 Thread Bill Cox
On Wed, Mar 30, 2016 at 8:22 AM, Eric Rescorla wrote: > This got a lot of discussion early in the design process and the consensus > was that the risk of having the default mode (with existing certs) allow > the > creation of a long-term delegation was too high. See, for instance,

Re: [TLS] Why again can't we use TLS signing certs to create short-lived sub-certs?

2016-03-30 Thread Eric Rescorla
This got a lot of discussion early in the design process and the consensus was that the risk of having the default mode (with existing certs) allow the creation of a long-term delegation was too high. See, for instance, the relative impact of the recent paper by Jager at al. [0] on TLS 1.3 and