Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-root-key-cert-extn-02.txt> (Hash Of Root Key Certificate Extension) to Informational RFC

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: Paul Hoffman <paul.hoffman@xxxxxxxx>, Russ Housley <housley@xxxxxxxxxxxx>
Subject: Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-root-key-cert-extn-02.txt> (Hash Of Root Key Certificate Extension) to Informational RFC
From: "Salz, Rich" <rsalz@xxxxxxxxxx>
Date: Wed, 2 Jan 2019 20:32:22 +0000
Cc: "spasm@xxxxxxxx" <spasm@xxxxxxxx>, "draft-ietf-lamps-hash-of-root-key-cert-extn@xxxxxxxx" <draft-ietf-lamps-hash-of-root-key-cert-extn@xxxxxxxx>, IETF <ietf@xxxxxxxx>
In-reply-to: <869BCE27-2AB5-4550-AC89-335BFE749123@vpnc.org>
References: <154594881588.11855.12133790922363153381.idtracker@ietfa.amsl.com> <1AB99D11-5B25-4A97-9FFD-17E318ADD739@vpnc.org> <3D85A45C-FE94-45A7-BF37-C3F8C1B3F5AA@vigilsec.com> <869BCE27-2AB5-4550-AC89-335BFE749123@vpnc.org>
User-agent: Microsoft-MacOutlook/10.14.0.181208

I don't understand what the risk is.
 
If a client sees and understands the extension, it can update its trust store to have the new key.  If a client does not see, or does not understand, the extension, then the trust store will have to be updated out of band, just like it is now.

CA's that use this extension must take proper care to ensure that the private key is not exposed.

Follow-Ups:
- RE: [lamps] Last Call: <draft-ietf-lamps-hash-of-root-key-cert-extn-02.txt> (Hash Of Root Key Certificate Extension) to Informational RFC
  - From: Tim Hollebeek

References:
- Re: Last Call: <draft-ietf-lamps-hash-of-root-key-cert-extn-02.txt> (Hash Of Root Key Certificate Extension) to Informational RFC
  - From: Paul Hoffman
- Re: Last Call: <draft-ietf-lamps-hash-of-root-key-cert-extn-02.txt> (Hash Of Root Key Certificate Extension) to Informational RFC
  - From: Russ Housley
- Re: Last Call: <draft-ietf-lamps-hash-of-root-key-cert-extn-02.txt> (Hash Of Root Key Certificate Extension) to Informational RFC
  - From: Paul Hoffman

Prev by Date: Re: Last Call: <draft-ietf-lamps-hash-of-root-key-cert-extn-02.txt> (Hash Of Root Key Certificate Extension) to Informational RFC
Next by Date: RE: [lamps] Last Call: <draft-ietf-lamps-hash-of-root-key-cert-extn-02.txt> (Hash Of Root Key Certificate Extension) to Informational RFC
Previous by thread: Re: Last Call: <draft-ietf-lamps-hash-of-root-key-cert-extn-02.txt> (Hash Of Root Key Certificate Extension) to Informational RFC
Next by thread: RE: [lamps] Last Call: <draft-ietf-lamps-hash-of-root-key-cert-extn-02.txt> (Hash Of Root Key Certificate Extension) to Informational RFC
Index(es):
- Date
- Thread

[Index of Archives] [IETF Annoucements] [IETF] [IP Storage] [Yosemite News] [Linux SCTP] [Linux Newbies] [Mhonarc] [Fedora Users]