- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Sun, 24 Jul 2016 12:56:31 +0200
- To: Ilari Liusvaara <ilariliusvaara@welho.com>
- Cc: Eric Rescorla <ekr@rtfm.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>

On 24 July 2016 at 12:34, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
> I think one needs to also sign and MAC over any implicit parameters
> that are shared over multiple authentications. E.g. Supported
> end-certificate signature algorithms.

My understanding of SIGMA is that the MAC needs to cover the identity and other properties, but the signature only has to cover the key shares (or shared key). Thankfully we don't need to worry about that distinction because of the way that TLS 1.3 and EMS cause everything to depend on everything else: keys depend on identity and negotiation parameters as much as the MAC does.

Either way, I am increasingly of the opinion that we should ask for this facility from the TLS working group. There are subtleties to this that are easy to get wrong and good analysis is crucial.

Received on Sunday, 24 July 2016 10:57:00 UTC