Re: [keyassure] Interpreting certificates (and summary)
Martin Rex <mrex@sap.com> Wed, 23 February 2011 20:38 UTC
Return-Path: <mrex@sap.com>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BD79B3A6A5E for <keyassure@core3.amsl.com>; Wed, 23 Feb 2011 12:38:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.232
X-Spam-Level:
X-Spam-Status: No, score=-10.232 tagged_above=-999 required=5 tests=[AWL=0.017, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jdewbWTg9yCI for <keyassure@core3.amsl.com>; Wed, 23 Feb 2011 12:38:49 -0800 (PST)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 79F113A6A5F for <keyassure@ietf.org>; Wed, 23 Feb 2011 12:38:49 -0800 (PST)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id p1NKdXCT007210 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 23 Feb 2011 21:39:34 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <201102232039.p1NKdXR2008868@fs4113.wdf.sap.corp>
To: hallam@gmail.com
Date: Wed, 23 Feb 2011 21:39:32 +0100
In-Reply-To: <AANLkTi=-bGc1ws0VvrsudV55GRk6KasSsydtiWMTNyua@mail.gmail.com> from "Phillip Hallam-Baker" at Feb 23, 11 02:45:31 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
Cc: keyassure@ietf.org, i.grok@comcast.net
Subject: Re: [keyassure] Interpreting certificates (and summary)
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Feb 2011 20:38:50 -0000
It seems were quoting / replying to the wrong mail. Phillip Hallam-Baker wrote: > > BER encoding is supported by practically every ASN.1 library. It is > identical semantically to DER which is a pain in the patootie. > > From a drafting perspective, I would first state that the identifier > corresponds to an X.509v3 cert without mentioning encoding at all. I don't think that mentioning the encoding creates a problem. My main concern at this point was about "DER" alone rather than "ASN.1 DER". > > Then I would follow that with a statement that the TLS protocol requires > certificates to conform to the X.509v3 requirement for DER encoding and the > requirements of the PKIX certificate profile. Which is pretty much plain wrong. ;-) Nothing in TLS precludes the use of X.509v1 certs, The last sentence of Section 1 of all TLS documents (2246,4346,5246) reads: The TLS standard, however, does not specify how protocols add security with TLS; the decisions on how to initiate TLS handshaking and how to interpret the authentication certificates exchanged are left to the judgment of the designers and implementors of protocols that run on top of TLS. Which clearly explains that PKIX is just one possible approach to interpreting the certificates exchange -- and definitely not the only one. Similarily, RFC-2818, the informational RFC which describes how "HTTP Over TLS" is commonly performed says this: If the client has external information as to the expected identity of the server, the hostname check MAY be omitted. (For instance, a client may be connecting to a machine whose address and hostname are dynamic but the client knows the certificate that the server will present.) Which describes a case where the TLS server certificate matching is a PKIX-free memcmp() on X.509 certificates. > > Specifying X.509v3 If you keep sticking the v3 onto X.509, then you're creating a necessity for a bare public key format. While I'm pretty sure that self-signed end-entity X.509v1 certs interoperate with all TLS implementations I've tested, I'm not aware of a definition of a self-signed EndEntity X.509v3 cert (that isn't in conflict with some version of X.509v3). > in DER encoding may appear to be more precise and less > ambiguous, but might well actually introduces ambiguity since another > interpretation of the statement is that there should be an additional ASN.1 > structure wrapping the cert. If there was a wrapping ASN.1 structure, it would be named and its ASN.1 definition appear in an Appendix of the document. I don't think that the document will grow the necessary level of ambiguity for this to happen. -Martin
- Re: [keyassure] Interpreting certificates (and su… Stephen Kent
- Re: [keyassure] Interpreting certificates (and su… Martin Rex
- [keyassure] Interpreting certificates (and summar… Scott Schmit
- Re: [keyassure] Interpreting certificates (and su… Phillip Hallam-Baker
- Re: [keyassure] Interpreting certificates (and su… Paul Wouters
- Re: [keyassure] Interpreting certificates (and su… Phillip Hallam-Baker
- Re: [keyassure] Interpreting certificates (and su… Paul Wouters
- Re: [keyassure] Interpreting certificates (and su… Paul Wouters
- Re: [keyassure] Interpreting certificates (and su… Phillip Hallam-Baker
- Re: [keyassure] Interpreting certificates (and su… Paul Wouters
- Re: [keyassure] Interpreting certificates (and su… Phillip Hallam-Baker
- Re: [keyassure] Interpreting certificates (and su… Scott Schmit
- Re: [keyassure] Interpreting certificates (and su… Paul Wouters
- Re: [keyassure] Interpreting certificates (and su… Phillip Hallam-Baker
- Re: [keyassure] Interpreting certificates (and su… Paul Wouters
- Re: [keyassure] Interpreting certificates (and su… Phillip Hallam-Baker
- Re: [keyassure] Interpreting certificates (and su… Martin Rex
- Re: [keyassure] Interpreting certificates (and su… Phillip Hallam-Baker
- Re: [keyassure] Interpreting certificates (and su… Phillip Hallam-Baker
- Re: [keyassure] Interpreting certificates (and su… Peter Gutmann
- Re: [keyassure] Interpreting certificates (and su… Phillip Hallam-Baker
- Re: [keyassure] Interpreting certificates (and su… Martin Rex
- Re: [keyassure] Interpreting certificates (and su… Zack Weinberg
- Re: [keyassure] Interpreting certificates (and su… Paul Hoffman
- Re: [keyassure] Interpreting certificates (and su… Zack Weinberg
- Re: [keyassure] Interpreting certificates (and su… Phillip Hallam-Baker
- Re: [keyassure] Interpreting certificates (and su… Stephen Kent