-
Notifications
You must be signed in to change notification settings - Fork 116
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make the CanSignHttpExchanges extension non-critical. #247
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A few nits, but overall looking good :)
{{!I-D.ietf-tls-tls13}}). This simplifies security analysis of this protocol | ||
and avoids encouraging server operators to put exchange-signing keys on servers | ||
Conforming CAs MUST NOT mark this extension as critical. This allows new clients | ||
with old operating systems to handle the extension. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think we'd want to include the second sentence in the spec. That is, it presumes that new clients use the OS verifier, or that they even have an OS verifier, which... isn't going to hold :)
(Section 4.4.2.2 of {{!I-D.ietf-tls-tls13}}). This discourages server operators | ||
from using the same certificate to sign both TLS connections and signed | ||
exchanges, which in turn simplifies security analysis of this protocol and | ||
avoids encouraging server operators to put exchange-signing keys on servers |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the motivation might be better detailed in security considerations.
The reason this is a bit tricky is that by virtue of non-critical, clients that don't recognize this extension WILL accept this extension in TLS connections. So we don't have a hard security boundary. Because of this motivation, it seems like it makes sense to be discussed in the security section, calling out that this is not a security boundary itself, but simply an ecosystem health thing.
But warn servers away from using it in TLS servers. Fixes WICG#238.
226f4ef
to
4e95bad
Compare
Ok, @sleevi, I've moved the whole rationale to the security considerations. That section is a bit awkward: I could try to move some bits into 6.2 or 6.4, or decide that we don't need the full explanation at all, or just keep what I have. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
But warn servers away from using it in TLS servers.
Fixes #238.
@sleevi and any CA folks who see this, do you think I'm right to say "Conforming CAs MUST NOT mark this extension as critical.", or should I leave them without a requirement here?
Spec: Preview, Diff
Impl draft: Preview, Diff