An RFC7169 use case (!)
Thierry Moreau <thierry.moreau@connotech.com> Wed, 02 April 2014 17:15 UTC
Return-Path: <thierry.moreau@connotech.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C1661A02ED for <ietf@ietfa.amsl.com>; Wed, 2 Apr 2014 10:15:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.013
X-Spam-Level:
X-Spam-Status: No, score=-0.013 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RmLPndzu_4JE for <ietf@ietfa.amsl.com>; Wed, 2 Apr 2014 10:15:33 -0700 (PDT)
Received: from mail.connotech.com (connotech.com [76.10.176.241]) by ietfa.amsl.com (Postfix) with ESMTP id 3A1081A024D for <ietf@ietf.org>; Wed, 2 Apr 2014 10:15:33 -0700 (PDT)
Received: from [192.168.1.204] (DODECA1ER.CONNOTECH-INTERNAL.COM [192.168.1.204]) by mail.connotech.com (Postfix) with ESMTPA id D1A49318E5 for <ietf@ietf.org>; Wed, 2 Apr 2014 13:10:55 -0400 (EDT)
Message-ID: <533C4624.50408@connotech.com>
Date: Wed, 02 Apr 2014 17:17:24 +0000
From: Thierry Moreau <thierry.moreau@connotech.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: "ietf@ietf.org" <ietf@ietf.org>
Subject: An RFC7169 use case (!)
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/RjChg7nEgJJtxpe1V4T_eOeznW0
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Apr 2014 17:15:38 -0000
Dear IETF'ers: Notwithstanding the fact that the RFC7169 and the -02 revision to the Internet Draft draft-housley-pkix-oids are at face value April fool publications in the IETF tradition, the informational X.509 certificate extension does have a specific use case in the context of "first party certification" paradigm. My purpose is neither to document the underlying trust arrangements and security mechanisms (as I did in the ill-fated draft-moreau-pkix-aixcm-00 or http://www.connotech.com/public-domain-aixcm-00.txt), neither to argue about their value, nor to propose an RFC7169bis draft that would fix the semantic deficiencies in the RFC7169 as published. My only purpose is to give notice to IETF'ers that RFC7169 does have an unintended usefulness. Nonetheless, here is a high level description for the reader who would accept to offload the preconceived notions of PKI trust model. A TLS server in the "first party certification" paradigm accepts (or denies) a TLS client identity based on the sole client public key found in the TLS handshake (the server denies client access if an unknown public key is presented). Because bare client public keys are not well supported (if allowed at all) by the fielded TLS implementations, the TLS client has to package the public key in a so-called "client certificate." However, obtaining a proper PKI client certificate is an undertaking in the Internet era similar to the Peary and Scott treks to the North Pole in the nineteen century (neither of them were able to provide reliable evidence of their achievements). The first party certification paradigm relieves the client from the requirement for a proper client certificate. The remaining are implementation details. Self-signed client certificates has been proposed for this purpose (if I recall correctly some PKIX discussions a few years back). I proposed self-issued client certificates, which involves a "dummy certification authority," i.e. with a publicly breached signature key pair and for which the RFC7169 certificate extension applies. If the reader follows the reasoning, it becomes evident that anyone can act (sign security certificates) on behalf of the dummy CA, including the TLS client implementation (just like anyone can issue a self-signed certificate). Thus I am grateful to the RFC7169 author and to the IETF for an official certificate extension in support of the first party certification paradigm, offering an RFC-compliant alternative to the client self-signed certificates. It may me the first time that an April fool RFC is actually useful. Regards, -- Thierry Moreau
- An RFC7169 use case (!) Thierry Moreau
- Re: An RFC7169 use case (!) Sam Hartman
- Re: An RFC7169 use case (!) Ray Bellis