IETF Logo Mail Archive

Re: [saag] [Spasm] Best practices for applications using X.509 client certificates

Alan DeKok <aland@deployingradius.com> Tue, 20 September 2016 16:36 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AB5512B3A2; Tue, 20 Sep 2016 09:36:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TUdPoaYH_Ope; Tue, 20 Sep 2016 09:36:01 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) by ietfa.amsl.com (Postfix) with ESMTP id 1D03012B0E9; Tue, 20 Sep 2016 09:36:01 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.networkradius.com (Postfix) with ESMTP id 70D341EF7; Tue, 20 Sep 2016 16:36:00 +0000 (UTC)
Received: from mail.networkradius.com ([127.0.0.1]) by localhost (mail-server.vmhost2.networkradius.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UOjVjW8pOs3z; Tue, 20 Sep 2016 16:36:00 +0000 (UTC)
Received: from [192.168.100.59] (69-196-165-104.dsl.teksavvy.com [69.196.165.104]) by mail.networkradius.com (Postfix) with ESMTPSA id BADC31704; Tue, 20 Sep 2016 16:35:59 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <1474387598.144982.452.camel@infradead.org>
Date: Tue, 20 Sep 2016 12:36:01 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <11F16CFE-3554-4F07-811A-8F5D4BE3A6AE@deployingradius.com>
References: <1474280601.144982.263.camel@infradead.org> <CAPt1N1n_ff_QMYiRoorwvVnnP-Q6oruUE9_pvVr+QabeYJ+WrQ@mail.gmail.com> <CACsn0cnsswBX_-P+=Nd42uXAjPPXedXCefQ+V7R+aZn3U9XNog@mail.gmail.com> <CACsn0c=xHisLqPQzMHKr-0c_MEwM9_Nzq3tKmih5uZTYBnibGg@mail.gmail.com> <CACsn0ckABVfiJ506-uYRG+FXpGQixrS_9nxq6tPXfRu1kG_3pw@mail.gmail.com> <1474314996.144982.391.camel@infradead.org> <22611.1474382971@obiwan.sandelman.ca> <D2D83C89-12A2-4562-970A-92FAD232DD3B@deployingradius.com> <1474387598.144982.452.camel@infradead.org>
To: David Woodhouse <dwmw2@infradead.org>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/kPhHhmxWODK-8roGXWSyU6ZGGKA>
Cc: spasm@ietf.org, Michael Richardson <mcr+ietf@sandelman.ca>, Security Area Advisory Group <saag@ietf.org>, Winter Stefan <stefan.winter@restena.lu>
Subject: Re: [saag] [Spasm] Best practices for applications using X.509 client certificates
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Sep 2016 16:36:03 -0000

On Sep 20, 2016, at 12:06 PM, David Woodhouse <dwmw2@infradead.org> wrote:
>> https://tools.ietf.org/html/draft-winter-opsec-netconfig-metadata-00
> 
> That looks like a layer above what I'm talking about. My goal is that
> we should be able to refer to certificates in a simple consistent way.
> 
> If the certificate is in a system store then applications should allow
> it to be used by means of a consistent identifier string (which is
> defined by RFC7512 for PKCS#11, and may be different for OSX/Windows
> system certificate stores).

  I think that the two solutions complement each other.

> Looking at the proposal above, I see there is some attempt to handle
> certificate encodings — it the CertEncodingEnum has values of PEM, DER,
> and P12.
> 
> This looks a lot like the problematic applications we need to fix...
> for PKCS#1 and PKCS#8 you have to manually specify whether it's PEM or
> DER file even though the software could work that out for itself. And
> for PKCS#12 you *don't* have to specify; it's going to assume DER. All
> very suboptimal.

  I agree.

> My assertion is that applications shouldn't *need* that nonsense, and
> should just take the filename and deal with the contents. Please don't
> entrench that horridness further.

  I understand, but... that's easier than scanning the file to see if it's one of N possible unknown formats.  And likely more secure.

> It also seems that the proposal you reference doesn't have any kind of
> support for using keys from hardware. If the key I want to use is
> identified by an RFC7512 PKCS#11 URI, how do I indicate *that* in this
> format?

  The proposal would need updating to handle that.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email