On Tue, Nov 24, 2015 at 2:31 PM, Bill Cox <waywardg...@google.com> wrote:
>
> From the paper, it sounds like using delegated keys currently has some
> unanticipated security problems, at least in the near term while we
> continue to accept incorrectly padded RSA based certs. Would Hugo's
> suggestions for extending certificates address weaknesses due to delegated
> keys, and allow DH keyshares to be used for proof-of-possession, and
> possibly MQV? If so, it sounds like a valuable upgrade.
>
The underlying concern is misuse of *existing* servers' signing keys to produce essentially permanent delegations. So, as Hugo observed, requiring a certificate extension (or DH certificates) removes this case.

As I mentioned in my earlier message, we discussed this extensively at a number of meetings and came to the WG consensus that it would be good if someone wrote a separate draft documenting one or both of these mechanisms, but that it shouldn't be on the critical path for TLS 1.3. Volunteers wanted!

-Ekr

> Thanks,
> Bill
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>
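The gate Ekr describes (a server certificate must explicitly opt in before any delegated key derived from it is honoured), as an added example that is not from this thread or from any TLS implementation: a relying-party check in Go that assumes a placeholder extension OID and a constructed self-signed test certificate, and also bounds the delegation's lifetime so a misused signing key cannot produce an effectively permanent delegation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

// Placeholder OID for a "delegation permitted" extension: an assumption for this example, not an assigned value.
var oidDelegationPermitted = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// delegationAllowed reports whether the end-entity cert explicitly opted in to delegation via the extension.
func delegationAllowed(cert *x509.Certificate) bool {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidDelegationPermitted) {
			return true
		}
	}
	return false
}

// checkDelegation is the relying-party gate: the cert must opt in, and the delegation must end before
// the cert does and within maxLifetime, so a misused signing key cannot mint a permanent delegation.
func checkDelegation(cert *x509.Certificate, expiry time.Time, maxLifetime time.Duration) error {
	if !delegationAllowed(cert) {
		return errors.New("certificate does not permit delegated keys")
	}
	if expiry.After(cert.NotAfter) || time.Until(expiry) > maxLifetime {
		return errors.New("delegation would outlive the certificate or exceed the policy maximum")
	}
	return nil
}

// makeCert builds a constructed self-signed test certificate (fixture only, so errors are ignored).
func makeCert(withExt bool) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if withExt {
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidDelegationPermitted, Value: []byte{0x05, 0x00}}}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```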