Document: draft-davey-tls-braid-00.txt George,
I've given this a quick look. The TL;DR is that I do not think that this is a viable proposal, for several reasons. The most important reason is that I don't think it really addresses the operational issues that people have with short-lived certificates, which mostly have to do with the need to automate renewal. In this design, you still need to automate renewal, not of the certificate itself, but of the rest of the evidence (the DC, witnesses, etc.). It's not clear to me why this is any better. Moreover, as long as this is not universal (which strikes me as very unlikely), peeople will still have to use short-lived certificates for clients which don't support BRAID, at which point they have both operational burdens. Second, this seems to me to have a number of technical drawbacks that have appeared with other related mechanisms. Specifically: - Like TLSA, it depends on DNSSEC, and as a practical matter requires client-side validation. This is already something we know that end-user clients have no appetite for, and what measurements we have indicate that failure rates will be unacceptably high. I know you mention an HSTS-like mechanism, but this only provides reasonable security on second impression, which isn't very good for something this heavyweight. - Because you have to deploy supplemental (non-certificate) data, you have the problem of either updating the server to serve it (roughly isomorphic to OCSP stapling and must-staple) or serving it from some other public endpoint (roughly isomorphic to OCSP). This seems likely to have the same problems we have seen with those mechanisms. Finally, I would note that you could achieve at least some of the properties you are proposing here with existing mechanisms. Specifically, if DNSSEC *is* viable as a means of serving this kind of information, then you can simply use TLSA directly with the EE certificate with certificate usage 1, and then just stop serving the TLSA record directly. This is much simpler than what you are proposing and is at least conceptually available now, so the fact that it is not widely deployed suggests that BRAID will also not be widely deployed. -Ekr
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
