The PKC-only application security model ...

Thierry Moreau thierry.moreau at connotech.com
Thu Jul 24 07:42:57 EDT 2008



Eric Rescorla wrote:

> At Wed, 23 Jul 2008 17:32:02 -0500,
> Thierry Moreau wrote:
> 
>>
>>
>>Anne & Lynn Wheeler wrote about various flavors of certificateless 
>>public key operation in various standards, notably in the financial 
>>industry.
>>
>>Thanks for reporting those.
>>
>>No doubt that certificateless public key operation is neither new nor 
>>absent from today's scene.
>>
>>The document I published on my web site today is focused on fielding 
>>certificateless public operations with the TLS protocol which does not 
>>support client public keys without certificates - hence the meaningless 
>>security certificate. Nothing fancy in this technique, just a small 
>>contribution with the hope to facilitate the use of client-side PKC.
> 
> 
> DTLS-SRTP 
> (http://tools.ietf.org/html/draft-ietf-sip-dtls-srtp-framework-02,
> http://tools.ietf.org/html/draft-ietf-avt-dtls-srtp)
> uses a similar technique: certificates solely as a key 
> carrier authenticated by an out-of-band exchange.
> 

In draft-ietf-sip-dtls-srtp-framework, the detailed scheme uses 
self-signed certificates created by client end-entities themselves. The 
basic idea is identical. At the detailed level in my document, the 
client end-entity "auto-issues" a security certificate with a "breached" 
CA private key.

In the TLS Certificate request message, a list of CA distinguished names 
is provided to the end entity. Referring to a "breached" CA public key 
is an invitation to submit a meaningless end-entity certificate, making 
the detailed scheme "more plain" with respect to TLS options (i.e. an 
empty list in a certificate request message could be a not so well 
supported mode in TLS software implementations).

So, maybe the reference to the notion of self-signed EE certificates in 
draft-ietf-sip-dtls-srtp-framework could be replaced by "meaningless EE 
certificates" (or something else), which would include both self-signed 
or auto-issued. In such a case, the RFC publication for my document 
would become more pressing.

A related discussion occurred on the IETF PKIX mailing list in June 2008 
under the subject "RFC 5280 Question".

Regards,


-- 

- Thierry Moreau

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
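
Added example, not part of the original message or of either draft: a sketch of the receiving side's check when a certificate is only a key carrier, so trust comes from a fingerprint delivered out of band and no chain or issuer validation is done. It assumes the out-of-band channel is an SDP `a=fingerprint` attribute as used with DTLS-SRTP; the function names and the placeholder certificate bytes are constructed for illustration.

```python
import hashlib
import hmac

# Hash names accepted from the signalling channel, mapped to hashlib names.
# Weak hashes (md5, sha-1) are deliberately not accepted.
ALLOWED = {"sha-256": "sha256", "sha-384": "sha384", "sha-512": "sha512"}

def parse_sdp_fingerprints(sdp):
    """Return [(hash_name, digest_bytes)] for every a=fingerprint line."""
    found = []
    for line in sdp.splitlines():
        line = line.strip()
        if not line.startswith("a=fingerprint:"):
            continue
        parts = line[len("a=fingerprint:"):].split()
        if len(parts) != 2:
            raise ValueError("malformed fingerprint attribute: %r" % line)
        name, hexval = parts
        found.append((name.lower(), bytes.fromhex(hexval.replace(":", ""))))
    return found

def peer_cert_matches(cert_der, sdp):
    """True only if the DER bytes hash to a fingerprint signalled out of band."""
    matched = False
    for name, expected in parse_sdp_fingerprints(sdp):
        algo = ALLOWED.get(name)
        if algo is None:
            continue  # unknown or weak hash: never counts as a match
        actual = hashlib.new(algo, cert_der).digest()
        if hmac.compare_digest(actual, expected):
            matched = True
    return matched

def format_fingerprint(cert_der, name="sha-256"):
    """Sender side: render the attribute value for a certificate."""
    digest = hashlib.new(ALLOWED[name], cert_der).hexdigest().upper()
    return name + " " + ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

# Constructed stand-ins for DER-encoded certificates (not real certificates).
CERT_A = b"constructed-placeholder-der-bytes-A"
CERT_B = b"constructed-placeholder-der-bytes-B"
SDP_OFFER = "v=0\r\na=setup:actpass\r\na=fingerprint:" + format_fingerprint(CERT_A) + "\r\n"

if __name__ == "__main__":
    print("signalled certificate accepted:", peer_cert_matches(CERT_A, SDP_OFFER))
    print("substituted certificate accepted:", peer_cert_matches(CERT_B, SDP_OFFER))
```

Because the issuer signature carries no weight in this model, the fingerprint comparison is the whole authentication decision: a session description with no acceptable fingerprint must fail closed, which is why the function returns False rather than falling back to chain validation.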


