Re: [TLS] Draft minutes for Tuesday

2019-07-24 Thread Patton,Christopher J
Hey Martin,
> Firefox nightly now has the preference "security.tls.enable_delegated_credentials" in about:config. I wouldn't recommend turning that on on a permanent basis, but you can now use a browser to drive this.
Is there any indication in the UI that a DC was negotiated? Thanks,

Re: [TLS] Comment/question on draft-ietf-tls-subcerts-02 (Ilari Liusvaara)

2018-10-30 Thread Patton,Christopher J
Hi Watson, you're right! Thanks for noticing this. And thank you to Ilari for confirming. See PR#20 for the appropriate change: https://github.com/tlswg/tls-subcerts/pull/20 Chris Patton

Re: [TLS] Proposals for draft-ietf-tls-subcerts-02

2018-07-26 Thread Patton,Christopher J
ntity certificate. Any additional feedback is welcome. Thanks, Christopher Patton From: Blumenthal, Uri - 0553 - MITLL Sent: Tuesday, July 24, 2018 4:40 PM To: Ilari Liusvaara; Patton,Christopher J Cc: tls@ietf.org Subject: Re: [TLS] Proposals for draft-ietf-tls-subcer

[TLS] Proposals for draft-ietf-tls-subcerts-02

2018-07-24 Thread Patton,Christopher J
Hi all, I've taken the liberty of addressing the changes to the delegated credentials extension that were requested at IETF: https://github.com/tlswg/tls-subcerts/pull/13 The changes that would be adopted in draft-02 are as follows:
* Drop support for TLS 1.2.
* Allow the critical bi

Re: [TLS] Proposed changes to draft-ietf-tls-subcerts

2018-07-24 Thread Patton,Christopher J
Aww, I see your point. You're right, it should be that crit=true if and only if crit=true.
> Actually, what usecase do strict certificates serve anyway? I can not figure out any usecase that would make much sense to me. Dealing with server endpoints that are capable of LURK but not proof-of

Re: [TLS] Proposed changes to draft-ietf-tls-subcerts

2018-07-20 Thread Patton,Christopher J
> Because it means that if the client does not understand DC, then it must reject the certificate, ...
This is the desired behavior, as far as I understand.
> ... but if client understands DC, it can accept it even in non-DC contexts.
I don't see why this is nonsensical. One way to understand

Re: [TLS] Proposed changes to draft-ietf-tls-subcerts

2018-07-19 Thread Patton,Christopher J
on behalf of Ilari Liusvaara Sent: Thursday, July 19, 2018 4:18 PM To: Patton,Christopher J Cc: Santosh Chokhani; tls@ietf.org Subject: Re: [TLS] Proposed changes to draft-ietf-tls-subcerts On Thu, Jul 19, 2018 at 07:56:05PM +, Patton,Christopher J wrote: > So you think we need that the exten

Re: [TLS] Proposed changes to draft-ietf-tls-subcerts

2018-07-19 Thread Patton,Christopher J
rsday, July 19, 2018 3:39 PM To: Patton,Christopher J Cc: Santosh Chokhani; tls@ietf.org Subject: Re: [TLS] Proposed changes to draft-ietf-tls-subcerts On Thu, Jul 19, 2018 at 07:04:31PM +0000, Patton,Christopher J wrote: > Thanks both of you for the feedback. > > > I've rev

Re: [TLS] Proposed changes to draft-ietf-tls-subcerts

2018-07-19 Thread Patton,Christopher J
hink! Best, Chris From: Santosh Chokhani Sent: Wednesday, July 18, 2018 6:00 PM To: Patton,Christopher J; 'Ilari Liusvaara' Cc: tls@ietf.org Subject: RE: [TLS] Proposed changes to draft-ietf-tls-subcerts I do not think you can change an extension syntax or seman

Re: [TLS] Proposed changes to draft-ietf-tls-subcerts

2018-07-18 Thread Patton,Christopher J
extension body? The condition would be: "If the flag of the extension is set, then the server MUST NOT offer the certificate unless ..." From: ilariliusva...@welho.com on behalf of Ilari Liusvaara Sent: Wednesday, July 18, 2018 2:56 AM To: Patton,

[TLS] Proposed changes to draft-ietf-tls-subcerts

2018-07-17 Thread Patton,Christopher J
Hi all, I've added a few pull requests to the draft "Delegated credentials for TLS" that address the proposals discussed at IETF. Specifically:
* https://github.com/tlswg/tls-subcerts/pull/8 -- Creates a tighter binding of the DC to the handshake parameters;
* https://github.com/tlswg

[TLS] Key agility issue in draft-ietf-tls-subcerts?

2018-07-05 Thread Patton,Christopher J
The string over which the delegation signature is computed contains the `SubjectPublicKeyInfo` of the DC public key. This in turn contains an `AlgorithmIdentifier`. Does an X.509 `AlgorithmIdentifier` determine a unique TLS `SignatureScheme`? If not, this might lead to key agility issues, since

[TLS] Editorial comments for draft-ietf-tls-subcerts

2018-06-07 Thread Patton,Christopher J
Hi all, Another PR with editorial changes: https://github.com/tlswg/tls-subcerts/pull/3 The most significant change is renaming of "DelegatedCredentialParams" to simply "Credential". Thanks Christopher Patton

[TLS] Editorial comments on draft-ietf-tls-subcerts

2018-05-19 Thread Patton,Christopher J
Hi all, I just opened a PR for the delegated credentials extension draft: https://github.com/tlswg/tls-subcerts/pull/2 Most of these changes are minor; the most significant change is the presentation of the client verification procedure. Forgive me if this question seems nit-picky: I noticed th