Re: [rtcweb] DTLS version for RTCweb

["Olle E. Johansson" <oej@edvina.net>]

10 maj 2013 kl. 11:12 skrev "Olle E. Johansson" <oej@edvina.net>:

> 
> 10 maj 2013 kl. 11:08 skrev Tim Panton <tim@phonefromhere.com>:
> 
>> 
>> 
>> On 9 May 2013, at 22:46, Marc Petit-Huguenin wrote:
>> 
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA256
>>> 
>>> I read the various security drafts and it looks like they all reference DTLS
>>> 1.0 (RFC 4347), but RFC 4347 was obsoleted by RFC 6247.  So will the
>>> references being updated to use DTLS 1.2 as the base version, or will DTLS 1.0
>>> stay as the base version, with possibility of negotiation to 1.2 and higher?
>> I think we should move to 1.2 - There are specific cases where 1.0 doesn't exactly do what we
>> want. 
>> 
>> e.g. I think for a server to ask for a client cert, technically in 1.0 you are supposed to list the CA's
>> you are interested in and you'll only receive certs from those CAs. In 1.2 you can leave this
>> empty and get a list of all certs (effectively a CA wildcard). 
> 
> What? Will any server get a list of all my private certs? That sems to me like a big fat privacy issue.
From RFC 5246 (TLS 1.2) that DTLS 1.2 refers to:

"If
      the certificate_authorities list is empty, then the client MAY
      send any certificate of the appropriate ClientCertificateType,
      unless there is some external arrangement to the contrary."

This doesn't mean that you will get all, but that the client can select any certificate in the 
cert store to present to the server. Previously the server had to present a list of 
acceptable CAs. It does open for self-signed certs, really. If you by other means have
established trust for a self-signed cert, you can use it as a client cert in TLS 1.2. The
server doesn't have to trust a CA, but can trust a specific cert.

This goes hand in hand with DANE.

/O