- From: Ilari Liusvaara <ilariliusvaara@welho.com>
- Date: Thu, 12 Apr 2018 20:51:13 +0300
- To: Ryan Sleevi <ryan-ietf@sleevi.com>
- Cc: Jeffrey Yasskin <jyasskin@chromium.org>, Yoav Weiss <yoav@yoav.ws>, HTTP Working Group <ietf-http-wg@w3.org>
On Thu, Apr 12, 2018 at 09:36:30AM -0400, Ryan Sleevi wrote: > I commented on the PR, but in the spirit of bringing things to the list, I > think allowing reuse with TLS is a net-negative for security, and we should > not do this. > > The same conversation being had around Secondary Certificates and Delegated > Credentials is applicable here. In this case, we have an online signing > entity that fundamentally must be near the edge (to terminate TLS), while > also granting it the ability to create long-lived signatures (the web > package). From an operational standpoint, this incentivizes weak key > protection, when the threat model of Web Packaging arguably requires > stronger key protection, due to the greater risk being introduced to > clients - namely, the ability to deploy misused signatures more widely > (from oracles or key compromise). Web packaging is not similar to Secondary Certificates. It is however similar to Delegated Credentials. Both Web Packaging and and Delegated Credentials: - Are insecure against weak compromise. So ROBOT/DROWN type attacks would be devastating. - Can have the key (semi-)offline. However, Secondary Certificates: - Are secure against weak compromise (but not full compromise). - Must have the key online. - More vulernable to ROBOT/DROWN type attacks than TLS handshakes due to longer time windows. Also, saying that keys for for WP/DC SHALL be protected in some specified way would have really nasty interactions with current CABForum BRs, making it effectively impossible to get such certificates. So any enhanced protection is at most RECOMMENDED. -Ilari
Received on Thursday, 12 April 2018 17:51:51 UTC