[pkix] Support for delegate certificates
Phil Lello <phil@dunlop-lello.uk> Thu, 14 April 2016 19:16 UTC
Return-Path: <phil@dunlop-lello.uk>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BDFB612DB2C for <pkix@ietfa.amsl.com>; Thu, 14 Apr 2016 12:16:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=dunlop-lello-uk.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ocx1rmvoLi_a for <pkix@ietfa.amsl.com>; Thu, 14 Apr 2016 12:16:53 -0700 (PDT)
Received: from mail-lf0-x230.google.com (mail-lf0-x230.google.com [IPv6:2a00:1450:4010:c07::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ACE5F12DABF for <pkix@ietf.org>; Thu, 14 Apr 2016 12:16:52 -0700 (PDT)
Received: by mail-lf0-x230.google.com with SMTP id e190so120804506lfe.0 for <pkix@ietf.org>; Thu, 14 Apr 2016 12:16:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dunlop-lello-uk.20150623.gappssmtp.com; s=20150623; h=mime-version:date:message-id:subject:from:to; bh=PfAWtCH7c8KfKKHQ9Cc9TRC6WtsIjpMa1sEZM4kWP78=; b=0IkJ7Kt5Sz8hz67QjaSItZ2YUp0jAHzUimTC/GtqnMcUyLN8qR+x3LyK3kKqN7pP2g 4hmAW+7B+HCCWEZocIWKkOSC2Ewcadym6c1H1xgfm9Uu5npuTdESj1DtecXiYUmSzR34 UsQwztxvDwyfhOhCnanD5tC0V4EYzUFfQsvkSxp5MMy5Tb/Vcz2Llx+7lgFmGEbjROzw dUH4tETYu9rz7hhlKCdKo+gk4n8UHAtr0YmHC+i2c/PEdgRQnUTWtpfkWt2Xut9j2X8h ManXEqD28wHdWL21DIUGkJNqx/o+ivNCfbkvElHhRPxf6aOweGdwqIxmdbpi44mNk9j+ q8BQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:date:message-id:subject:from:to; bh=PfAWtCH7c8KfKKHQ9Cc9TRC6WtsIjpMa1sEZM4kWP78=; b=QI9msyl5HojRaomLd6rIcbCifYNLGzkK2kTzEhbdhtE++j6yiRLymIvH42OhtBjEFr O5kc6X2FBHKh1cFqdrZ+NSa5pLhZgKgCV3TPxAR2GdFNFD414ua8LyGX30Y2BxKU0XId 1CZlTpXaO6nctWm9aQIUbxrYpe1K7vrqip3ppyrQIDJueMVqFp2/p9UDtJTl04ob71dO ElHrnNVVi9KivccxbACb2M1E76SDx12uD7uwpxHkobRd0z0ZoawBDB/NCfb0j8JDOb+X Tgl2Po7hRWRVMjWqBrAUR7gn1RqdWfgbqAsc8qcK1baim/WR3m14xVrx+wsOVPNKLekg GWHA==
X-Gm-Message-State: AOPr4FWAOGn4+REYxLxx//aa1lqkVd7bEObn75Wii3pI1tpNS6dFvQsPbzp4L95K8uUqdLIH88OJabY06rQHBpWw
MIME-Version: 1.0
X-Received: by 10.25.165.140 with SMTP id o134mr7517538lfe.35.1460661410809; Thu, 14 Apr 2016 12:16:50 -0700 (PDT)
Received: by 10.25.27.16 with HTTP; Thu, 14 Apr 2016 12:16:50 -0700 (PDT)
Date: Thu, 14 Apr 2016 20:16:50 +0100
Message-ID: <CAPofZaE52_FJpfYOu_VcpDAyvNWdeymTE+fYZB0G3mYrbvikdA@mail.gmail.com>
From: Phil Lello <phil@dunlop-lello.uk>
To: pkix@ietf.org
Content-Type: multipart/alternative; boundary="001a11410a0e877012053076bc42"
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/w66BLnD0JGAZ23HPrZSQmMFx6d0>
Subject: [pkix] Support for delegate certificates
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Apr 2016 19:16:56 -0000
Hi all, Not sure if this has already been discussed (I couldn't find it), or indeed if this is the most appropriate list, but I have a variation on certificate chains I'd like considered. I have a couple of scenarios in mind where it could be useful for the holder of a certificate, say for *.example.com to act as a CA for issuing certificate to delegates. Examples include: - *.example.com issues a certificate to project1.example.com (to reduce number of admins trusted with wildcard cert) - *.example.com issues a certificate to server.altsvc.com (to support HTTP's Alt-Svc) - *.example.com issues a certificate to J.Smith@example.com, who issues a certificate to www.randompublisher.net The basic principle is that the certificate (as vetted by a public CA) identifies the party responsible for the signed content, but allows generation of certificates for alternate distribution points (or individuals who can do so). This would require explicit changes for libraries supporting protocols such as TLS (assuming the chain verification isn't hopelessly broken) to provide a notification to the client to identify who's behalf the certificate was issued on. I'd like to avoid adding any extra metadata to the delegating certificate, as that would seem to serve no techincal purpose, and simply be an excuse for a public CA to charge more. Does this sound feasible/desirable? The TLS use-case should probably define extra handshake options to guide the server on selecting an appropriate cert/logging a useful error. Best wishes, Phil Lello
- [pkix] Support for delegate certificates Phil Lello
- Re: [pkix] Support for delegate certificates Dr. Pala
- Re: [pkix] Support for delegate certificates Peter Bowen
- Re: [pkix] Support for delegate certificates Phil Lello