> With that goal in mind, wouldn't it help mitigate the threat if the holder of the longer term credential (the cert subject) were to include within the signature e.g. an IP address range within which the delegated credential is allowed to be used?
We thought about this originally, but we discounted this because it breaks when http and socks proxies are used. Looking at some data I had a non trivial number of requests access our site using proxies. I'm not sure whether there's a good method for a client to enforce ip address ranges when a proxy does the dns resolution. Subodh ________________________________ From: Stephen Farrell <stephen.farr...@cs.tcd.ie> Sent: Wednesday, April 5, 2017 12:30:31 PM To: Subodh Iyengar; Simon Friedberger; tls@ietf.org; Richard Salz; Kaduk, Ben Subject: Re: [TLS] security considerations for draft-rescorla-tls-subcerts I've no strong opinion for or against this. One question below though. On 05/04/17 17:07, Subodh Iyengar wrote: > The threat model here is that since if a less-trusted host having a > key is compromised for a certain period of time without detection, > and an attacker can steal private keys during that period. In many > situations we are fine with giving the TLS terminator a certificate / > key, i.e. they actually have a trust relationship, however we want a > compromise to only give the attacker a limited power to use the > credential. Revocation is arguably effective, so we would not be okay > with giving a less trusted host a long term private key. However we'd > be okay with giving a less-trusted host a short term key. With that goal in mind, wouldn't it help mitigate the threat if the holder of the longer term credential (the cert subject) were to include within the signature e.g. an IP address range within which the delegated credential is allowed to be used? Cheers, S.
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls