Re: [Lurk] [TLS] WG Call for adoption of draft-rescorla-tls-subcerts

Peter Gutmann <> Fri, 14 April 2017 08:23 UTC

From: Peter Gutmann <>
To: Russ Housley <>, IETF TLS <>, IETF LURK <>
Date: Fri, 14 Apr 2017 08:23:28 +0000

Russ Housley <> writes:

>I want to see a solution to this problem, but I think we should look at RFC
>3820, X.509 Proxy Certificate Profile.  I know that this was implemented, but
>I do not know if it is still in use.

It's fairly heavily used in grid computing.  It would probably be used outside
that environment as well if people knew it existed, meaning that I have on a
number of occasions encountered people who needed something like proxy certs
but were kludging around it in various ugly ways because they didn't know they