On 05/04/17 18:07, Subodh Iyengar wrote: > > The threat model here is that since if a less-trusted host having a > key is compromised for a certain period of time without detection, and > an attacker can steal private keys during that period. In many > situations we are fine with giving the TLS terminator a certificate / > key, i.e. they actually have a trust relationship, however we want a > compromise to only give the attacker a limited power to use the > credential. Revocation is arguably effective, so we would not be okay > with giving a less trusted host a long term private key. However we'd > be okay with giving a less-trusted host a short term key. > Your argument hinges somewhat on the ineffectiveness of revocation but I'm not sure how true that it is. Also, if it is shouldn't the fix be applied there instead?
> > To me the increase in security weighted with the difficulty of > obtaining > such short-lived certificates from a CA probably does not justify the > extra > complexity of adding subcerts. > > > @Simon Friedberger Do you feel that short lived CA certificates are > actually deployable in large server deployments? I do not see that to > be the case. I see a security gain here but just being able to deploy > short lived credentials to not only less trusted locations, but also > to more trusted locations as well which is another use case that I > want to use this for. > You original mail seemed to imply that is doable but tedious and given that some CAs seem to offer interfaces that can be automated it should be possible for many servers but I am in no way an expert on the matter. Considering however the very specific case that is required for a security gain (undetected & temporary compromise & revocation ineffective) it might still not be worth the increased complexity. Also, take into account that a compromise that leaks certificates will potentially put an adversary in a position to carry out whatever attack he wants to perform directly without stealing the certificates. But I'm not saying there is no security gain, I just wanted to point out that it seems to me it's not worth any extra complexity. Best, Simon _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
