Re: [pkix] Support for delegate certificates

Phil Lello <> Fri, 15 April 2016 06:11 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0A97E12D885 for <>; Thu, 14 Apr 2016 23:11:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.589
X-Spam-Status: No, score=-2.589 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, T_FILL_THIS_FORM_SHORT=0.01] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id dAaBZPP2a1WO for <>; Thu, 14 Apr 2016 23:11:41 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4010:c07::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E7B1D12D65A for <>; Thu, 14 Apr 2016 23:11:40 -0700 (PDT)
Received: by with SMTP id c126so133870878lfb.2 for <>; Thu, 14 Apr 2016 23:11:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to; bh=qBBxYBFZ3wLnKy4Lwe7iv7FDHG4Zgu50bqpBc4sUKas=; b=TDy/GBp1mDq0YeQR4oF1CGnrqFoUtYaUjFx3IFaapFQ2b/0a9boc44M7KLA3NF885N JgXxTVWwAGOIpruwTQ2W9h867SSkyzDNfqlJi4vC+e6e/HDH2p6T7EiShM/t3GYvt5/l kQtBv+mF2hjFUwN/ON5+N6GDUruHWCa7ytxlT5INdHTdjDk0sWH+ijihgD8+tl4iAbbE lpyu73envbK0VsgBKQoijM3fUmejBspjW0/BOAPskYPSwW0HMdk42daBWlqkCxJYtzXq mH3Nf4nwPzBoMWsOgjKAhq8xO8SU01wEDXprvPwxs9EEiGkukoTQ2cLBPK7QWHK1UxbW vIow==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to; bh=qBBxYBFZ3wLnKy4Lwe7iv7FDHG4Zgu50bqpBc4sUKas=; b=BEjy25GLloeQeepuDFJikCsHDEW2hJwVxUox55cRx7yKF7j9PbnQVbbOqN+GJd2co3 MjJeV/x8tW0mARYIpNe1r9HzZVtfH77KcdR+BlltGMeyb8J239r4WCeA3yDWK0Mnpa6O /OX1XcwR6phz58lyfKVV8XJp7XwVoNYsc9y9yQtU6V9snlgrlyhmLoCc8nQQACPd4EXm O6DcjMCWxFjt8WLzmbUwgo8zDP/OYMxS2LeTqUgHYjR6yMTFJBOn19UJHx9npDaE9vLR poNFstCpwsC9DEay8s22IOt7v/cfwepCMRfp+p/90jQlLKSGHBFv3t2wR1MdGACCHt06 hkJQ==
X-Gm-Message-State: AOPr4FVdmKjiC9nhoIGksOVNJcmPhrISl2zJxQ5bHeHZU4r5fqZ+5bSxGCIQMUAEx1ZI3ajjOXty+hLvNuTyElbJ
MIME-Version: 1.0
X-Received: by with SMTP id d140mr8716813lfg.109.1460700698966; Thu, 14 Apr 2016 23:11:38 -0700 (PDT)
Received: by with HTTP; Thu, 14 Apr 2016 23:11:38 -0700 (PDT)
In-Reply-To: <>
References: <> <>
Date: Fri, 15 Apr 2016 07:11:38 +0100
Message-ID: <>
From: Phil Lello <>
To: "<>" <>
Content-Type: multipart/alternative; boundary=001a114128ca491c9305307fe2d0
Archived-At: <>
Subject: Re: [pkix] Support for delegate certificates
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: PKIX Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 15 Apr 2016 06:11:44 -0000

On Fri, Apr 15, 2016 at 4:04 AM, Peter Bowen <> wrote:

> On Thu, Apr 14, 2016 at 12:16 PM, Phil Lello <> wrote:
> > Not sure if this has already been discussed (I couldn't find it), or
> indeed
> > if this is the most appropriate list, but I have a variation on
> certificate
> > chains I'd like considered.
> >
> > I have a couple of scenarios in mind where it could be useful for the
> holder
> > of a certificate, say for * to act as a CA for issuing
> > certificate to delegates. Examples include:
> >
> >   - * issues a certificate to (to
> reduce
> > number of admins trusted with wildcard cert)
> >   - * issues a certificate to (to support
> > HTTP's Alt-Svc)
> >   - * issues a certificate to, who
> issues a
> > certificate to
> >
> > The basic principle is that the certificate (as vetted by a public CA)
> > identifies the party responsible for the signed content, but allows
> > generation of certificates for alternate distribution points (or
> individuals
> > who can do so).
> >
> > This would require explicit changes for libraries supporting protocols
> such
> > as TLS (assuming the chain verification isn't hopelessly broken) to
> provide
> > a notification to the client to identify who's behalf the certificate was
> > issued on.
> This concept already exists today in the form of name constraints
> (  Name
> constraints provide namespace (e.g. and only allow
> issuance to subtrees of that name.  They are defined to work with DNS
> names, email addresses, IP addresses, SRV names, and other name forms,
> so almost everything you propose could work.
> Have you looked at name constraints?

I don't think name constraints are suitable for the sub-domain use-case,
since I want to support generation of sub-domain certs from a CA-issued
certificate with "Certificate Basic Constraints" of "Is not a Certificate
Authority", which should reliably be checked and enforced in current
use-cases - as far as I'm aware, Name Constraints aren't correctly/widely
enforced (although I may be referring to old information), so there's a
significant risk of a name-constrained CA certificate from a public CA
chain being treated as a general-purpose CA certificate by older libraries.

Further, I explicity need cross-domain functionality for a protocol I'm
designing - I'm envisaging a cache for signed content that generates signed
content in some scenarios (for example, an optimised image,
upstream-unavailable message, or adding headers for virus-scan results on a
download). In this case, the client should want to know:

  - Where the original content came from (certificate signature)
  - Where the cache-generated content came from (delegated certificate
  - That the cache had permission to generate content (delegated
certificate issuer)

The cross-domain functionality may also be an appropriate mechanism for
HTTP's Alt-Svc (RFC7838), where Host and Alt-Used are on different domains.
RFC7838 gives an example of

     GET /thing HTTP/1.1

RFC7838 s2.1 specifies

   For example, if the origin's host is "" and an
   alternative is offered on "" with the "h2" protocol,
   and the certificate offered is valid for "", the
   client can use the alternative.