On 04/05/2017 11:07 AM, Subodh Iyengar wrote: > > > There is also an alternate world in which the TLS terminators should > not have certificates/keys on them but it is okay to give them > delegated credentials. Here, one benefit is clear: performance. But > the attacker capabilities against which this is supposed to be > useful/acceptable remain unclear. > > @Kaduk, Ben <mailto:[email protected]> I thought I expressed this in > the use cases, but I might not have been concise enough, so I'll try > again. > > In our original use case when I say less-trusted I mean a CDN running > in a different country or a ISPs data center which has a different > physical security constraints. The less-trusted and trusted hosts do > trust each other, i.e. they could trust each other with the keys > however physical security constraints would prevent this. > > The threat model here is that since if a less-trusted host having a > key is compromised for a certain period of time without detection, and > an attacker can steal private keys during that period. In many > situations we are fine with giving the TLS terminator a certificate / > key, i.e. they actually have a trust relationship, however we want a > compromise to only give the attacker a limited power to use the > credential. Revocation is arguably effective, so we would not be okay > with giving a less trusted host a long term private key. However we'd > be okay with giving a less-trusted host a short term key. > > > My apologies for being blunt, but that text reads like a solution in > search of a problem. That is, what is expected to be achieved by > having shorter-lived credentials? Is there a threat model for which > having them brings security advantages, or are there operational > concerns, or ... ? > > Hopefully the threat model above should answer this question. I > thought I was clear about the use cases. I think just being able to > deploy shorter lived credentials to even higher trust areas has an > advantage beyond the use cases of less trusted locations in case they > are compromised. >
It does, thanks for the clarification -- recovering from undetected compromise is a worthy goal! -Ben
_______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
