I see no reason to preclude DTLS. DTLS-OK should be Y.
Some quick comments on the document:

- "certificate key" seems undefined.

- "Delegated credentials do not provide any additional form of early revocation." I think this definitely requires more security considerations. For systems doing frequent revocation checking this is a significant downgrade. Is it correct that an expiry of an RFC 5280 cert is "revocation"?

- "Since it is short lived, the expiry of the delegated credential revokes the credential." This would be true also for long lived. Is it correct that an expired RFC 5280 cert is "revoked"?

- "Revocation of the long term private key that signs the delegated credential (from the end-entity certificate) also implicitly revokes the delegated credential." I think you revoke a certificate, not a private key. Nothing says that the certificate is long lived. They could both be valid for 7 days. Revocation of the certificate is problematic as it revokes the certificate and all the delegated credentials (there might be many). Should be given more consideration.

- Extended key usage is not discussed at all. That a cert with id-kp-serverAuth but not id-kp-clientAuth can be used to sign a delegated client cert seems strange.

- How do delegated credentials work in systems that use fingerprints like RFC 4975 and RFC 5763? I think that needs to be discussed/specified.

Cheers,
John

From: TLS <tls-boun...@ietf.org> on behalf of Salz, Rich <rsalz=40akamai....@dmarc.ietf.org>
Date: Wednesday, 16 February 2022 at 21:31
To: Sean Turner <s...@sn3rd.com>, TLS List <tls@ietf.org>
Subject: Re: [TLS] DTLS for Delegated Credentials (draft-ietf-tls-subcerts)?

> Right now the I-D exclusively mentions TLS. The fix might be as easy as a
> global replace of TLS with (D)TLS. Can anybody think of a reason to preclude
> DTLS?

I can't think of one. I wonder if this also extends to QUIC and NTP security, but that's up to those WGs or UTA I guess.
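As an added example (not code from the draft or from anyone in this thread), a client-side acceptance check that models the points raised above: revocation of the delegating certificate invalidating every credential signed under it, expiry as the only per-credential revocation, and an EKU check tying the delegated credential's role to the certificate's id-kp-serverAuth / id-kp-clientAuth. It assumes the credential expresses its expiry as seconds after the certificate's notBefore and a 7-day cap on remaining validity; the certificate and credential values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
MAX_DC_VALIDITY = timedelta(days=7)          # assumed cap on remaining DC lifetime
ROLE_EKU = {"server": ID_KP_SERVER_AUTH, "client": ID_KP_CLIENT_AUTH}

@dataclass(frozen=True)
class DelegatingCert:
    fingerprint: str                         # hex digest used as the revocation key
    not_before: datetime
    not_after: datetime
    ekus: "frozenset | None"                 # None = no EKU extension (any purpose)

@dataclass(frozen=True)
class DelegatedCredential:
    valid_time: int                          # seconds after not_before at which the DC expires

def check_dc(cert, dc, role, now, revoked=frozenset()):
    """Return the reasons to reject this DC for `role`; an empty list means accept."""
    problems = []
    expiry = cert.not_before + timedelta(seconds=dc.valid_time)
    # Revoking the delegating certificate takes every DC signed under it with it.
    if cert.fingerprint in revoked:
        problems.append("delegating certificate is revoked")
    # Expiry is the only per-DC revocation, so the window must be short and
    # must lie inside the certificate's own validity period.
    if expiry > cert.not_after:
        problems.append("DC outlives the delegating certificate")
    if expiry - now > MAX_DC_VALIDITY:
        problems.append("DC remaining validity exceeds 7 days")
    if now >= expiry:
        problems.append("DC has expired")
    # The certificate's EKU must permit the role the DC is presented for.
    if cert.ekus is not None and ROLE_EKU[role] not in cert.ekus:
        problems.append(f"certificate EKU does not permit {role} authentication")
    return problems

# Constructed sample: a 28-day serverAuth-only certificate delegating a 5-day DC.
CERT = DelegatingCert("deadbeef" * 8,                       # placeholder fingerprint
                      datetime(2022, 2, 1, tzinfo=timezone.utc),
                      datetime(2022, 3, 1, tzinfo=timezone.utc),
                      frozenset({ID_KP_SERVER_AUTH}))
DC = DelegatedCredential(valid_time=5 * 86400)
NOW = datetime(2022, 2, 3, tzinfo=timezone.utc)
```

Calling `check_dc(CERT, DC, "client", NOW)` reports the EKU mismatch from the fourth comment above, while the same credential is accepted for the server role.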
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls