Hi everyone,

The draft below details an extension for Exported Authenticators (EAs) that allows multiple EAs sent in the same TLS session to be linked into an authentication chain using backward references. This gives a form of joint authentication between EAs.

This means that not only does an EA provide authentication of the certificate it contains, an EA using this extension also authenticates all previous EAs in its chain. In short, if the last EA in the chain is authentic then all the EAs in that chain are authentic. (Or alternatively, if any EA in a chain is authentic, then all prior EAs are authentic.)

This could be used for things like securely updating pinned keys. If this mechanism were in use it would require an attacker who was trying to maliciously update the pinned key to compromise both the pinned certificate's LTK and acquire an improperly issued certificate from the PKI. This would require compromising two separate administrative domains.

Other use cases and a description of the mechanism appear in the draft.

I'd really appreciate any feedback on the design, use cases, and the draft in general.

Thanks,

Jonathan Hoyland

---------- Forwarded message ---------
From: <internet-dra...@ietf.org>
Date: Mon, 25 Jun 2018 at 15:18
Subject: New Version Notification for draft-hoyland-tls-layered-exported-authenticator-00.txt
To: Jonathan Hoyland <jonathan.hoyl...@gmail.com>

A new version of I-D, draft-hoyland-tls-layered-exported-authenticator-00.txt has been successfully submitted by Jonathan Hoyland and posted to the IETF repository.

Name: draft-hoyland-tls-layered-exported-authenticator
Revision: 00
Title: Layered Exported Authenticators in TLS
Document date: 2018-06-25
Group: Individual Submission
Pages: 5
URL: https://www.ietf.org/internet-drafts/draft-hoyland-tls-layered-exported-authenticator-00.txt
Status: https://datatracker.ietf.org/doc/draft-hoyland-tls-layered-exported-authenticator/
Htmlized: https://tools.ietf.org/html/draft-hoyland-tls-layered-exported-authenticator-00
Htmlized: https://datatracker.ietf.org/doc/html/draft-hoyland-tls-layered-exported-authenticator

Abstract:
This document describes an extension that allows for Exported Authenticators (EAs) to authenticate each other.
The extension includes a reference to a previous EA. An EA containing this extension constitutes an attestation of the authenticity of the referenced EA.

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
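The chaining property described in the message above (a later EA carries a backward reference to the previous EA, so one authentic EA vouches for everything before it), shown as an added example that is not from the draft or the poster. It assumes the reference is a SHA-256 digest of the whole previous EA carried in a field named `ext_prev_ea`, and uses HMAC under a per-certificate key as an offline stand-in for the certificate's signature; both are assumptions, not the draft's wire format.

```python
import hashlib
import hmac
import json
from typing import List, Optional

def canon(obj) -> bytes:
    """Canonical encoding so digests and MACs are reproducible (constructed format)."""
    return json.dumps(obj, sort_keys=True).encode()

def ea_digest(ea: dict) -> str:
    """Backward reference: SHA-256 over the entire previous EA (assumption)."""
    return hashlib.sha256(canon(ea)).hexdigest()

def make_ea(cert_id: str, key: bytes, prev: Optional[dict] = None) -> dict:
    """Build an EA for cert_id; if prev is given, embed a reference to it
    inside the signed body so the signature commits to the earlier EA."""
    body = {"certificate": cert_id}
    if prev is not None:
        body["ext_prev_ea"] = ea_digest(prev)
    # HMAC stands in for the certificate's signature (assumption for offline use).
    return {"body": body, "sig": hmac.new(key, canon(body), "sha256").hexdigest()}

def sig_ok(ea: dict, key: bytes) -> bool:
    expected = hmac.new(key, canon(ea["body"]), "sha256").hexdigest()
    return hmac.compare_digest(expected, ea["sig"])

def authenticated_by_last(chain: List[dict], last_key: bytes) -> Optional[List[str]]:
    """Trust only the signature on the last EA. Every EA it transitively
    references is authenticated by that single signature. Returns the
    certificate ids in chain order, or None if any link is broken."""
    if not chain or not sig_ok(chain[-1], last_key):
        return None
    for i in range(len(chain) - 1, 0, -1):
        if chain[i]["body"].get("ext_prev_ea") != ea_digest(chain[i - 1]):
            return None
    if "ext_prev_ea" in chain[0]["body"]:
        return None  # the first EA must not carry a dangling reference
    return [ea["body"]["certificate"] for ea in chain]

# Constructed keys standing in for each certificate's private key.
PINNED_KEY = b"pinned-cert-long-term-key"
NEW_KEY = b"newly-issued-cert-key"

def demo():
    ea_pinned = make_ea("pinned-cert", PINNED_KEY)
    ea_new = make_ea("new-cert", NEW_KEY, prev=ea_pinned)
    good = authenticated_by_last([ea_pinned, ea_new], NEW_KEY)
    # A substituted first EA (signed under some other key) no longer matches
    # the reference committed to by the last EA, so the chain is rejected.
    substituted = make_ea("pinned-cert", b"some-other-key")
    bad = authenticated_by_last([substituted, ea_new], NEW_KEY)
    return good, bad

if __name__ == "__main__":
    print(demo())
```

In a real deployment the verifier would also validate each EA's certificate and signature as usual; the chain adds the binding between them, it does not replace those checks.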