IETF Logo Mail Archive

Re: [Secdispatch] draft-leggett-spkac: Signed Public Key and Challenge

Graham Leggett <minfrin@sharp.fm> Wed, 09 November 2022 22:56 UTC

Return-Path: <minfrin@sharp.fm>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 191CDC1522A2 for <secdispatch@ietfa.amsl.com>; Wed, 9 Nov 2022 14:56:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sharp.fm
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z0daHdXnfsVH for <secdispatch@ietfa.amsl.com>; Wed, 9 Nov 2022 14:56:17 -0800 (PST)
Received: from chandler.sharp.fm (chandler.sharp.fm [78.33.206.219]) by ietfa.amsl.com (Postfix) with ESMTP id 8FB12C14CE24 for <secdispatch@ietf.org>; Wed, 9 Nov 2022 14:56:16 -0800 (PST)
Received: from smtpclient.apple (unknown [IPv6:2001:4d48:ad5d:6301:48bf:2da8:f39f:43de]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) (Authenticated sender: minfrin@sharp.fm) by chandler.sharp.fm (Postfix) with ESMTPSA id 63252191DF2; Wed, 9 Nov 2022 22:56:12 +0000 (GMT)
Authentication-Results: chandler.sharp.fm; arc=none smtp.client-ip=2001:4d48:ad5d:6301:48bf:2da8:f39f:43de
ARC-Seal: i=1; a=rsa-sha256; d=sharp.fm; s=default; t=1668034572; cv=none; b=K56UhV9dVVcg4oTZG0a/IoiOtdXKmK7vHnXBwxtQDLa8+B4l0BhiRTrNblu1A8SgjnVRM0kdbnjYyDywiB6J7tj5zN5O6VKZE36TwzSa85ESa4FpmEaMJX/ehGXB99c4ZhNfSQTiHVDMFSKITDxhfOzLCUbhAHA6EOz1M0N8xfU=
ARC-Message-Signature: i=1; a=rsa-sha256; d=sharp.fm; s=default; t=1668034572; c=relaxed/simple; bh=WY5OkjayHQX2K3LIq86JZpMws5Wa4AgzQAeLI/Xdws4=; h=DKIM-Filter:DKIM-Signature:Content-Type:Mime-Version:Subject:From: In-Reply-To:Date:Cc:Content-Transfer-Encoding:Message-Id: References:To:X-Mailer; b=Y9hcyOS72ZX7aSoIddDBmT2xAEfr3fGsaimPQjo/jGrFfGr0xtj2E3TOUjZmRsk8tDpHilNvGX4hJE1LAn1YcbIisLw6mLkNBP8Y8VpxgoW0zdY/YuS+4u9a4V8KOFhR7G2l4M54pnHwW8g9amKvT2GlUOIR+0CufUQNVoYsORA=
ARC-Authentication-Results: i=1; chandler.sharp.fm; arc=none smtp.client-ip=2001:4d48:ad5d:6301:48bf:2da8:f39f:43de
DKIM-Filter: OpenDKIM Filter v2.11.0 chandler.sharp.fm 63252191DF2
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sharp.fm; s=default; t=1668034572; bh=rHpU9eV83uD+T+HEYKWBV3xiN76GdoJRkqON+9+60m8=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=kVfk2HF3not8FpIgy6ax+bsYVpb1t56nustSMu0m3wwoen9osvf9bUsirZLqtRJHv rvBPsXLkQ+rDdSIGEyD0L5e2GbGSzWDF8QSGPGO0KE/3D4Ta2LGoa73gWFiMSgGRmx ceO8DvxbxX73V5k5u3VtfhSPbMeQs4fFq5/uLOdQ=
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Graham Leggett <minfrin@sharp.fm>
In-Reply-To: <417704.1668014608@dyas>
Date: Thu, 10 Nov 2022 00:56:11 +0200
Cc: secdispatch@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <A19ED83C-529F-4EE0-90D7-A35AF983F5EC@sharp.fm>
References: <77101A6A-7D9C-4817-B16D-70505FA10C6D@sharp.fm> <CADNypP8VhSkWX-gjLAs5mTV2YzUc0LRHsNNPdeqE7DiTHjR=3g@mail.gmail.com> <171941.1667844726@dyas> <FC5C3A5D-27A2-4E87-9148-282A7CB8E192@sharp.fm> <417704.1668014608@dyas>
To: Michael Richardson <mcr+ietf@sandelman.ca>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/c7tQvn4AqdqbkYJrCWrPxnbM0oQ>
Subject: Re: [Secdispatch] draft-leggett-spkac: Signed Public Key and Challenge
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Nov 2022 22:56:23 -0000

On 09 Nov 2022, at 19:23, Michael Richardson <mcr+ietf@sandelman.ca> wrote:

> I also care, because I'm involved in cacert.org, and there is an uptick in
> client-side certificate use, but... now impossible to generate new keys in
> the browser :-)

Almost impossible… :)  you can still do it in Microsoft Edge using Internet Explorer compatibility mode as described here: https://interop.redwax.eu/rs/csr/

Safari can trigger a SCEP conversation, but it’s done using Mac/IOS specific mobileconfig files, as described here: https://interop.redwax.eu/rs/csr/

It would be great if the generic SPKAC mechanism could be properly finalised.

>> these days is done by “here is your cert, also here is your key that we
>> generated for you and is therefore by definition not private, and
>> therefore we can’t trust anything you signed with this”.
> 
> I also hate that :-)

There is so much dangerous code out there. I found a keygen tag replacement that did none of the proof-of-possession, and quietly delivered a PKCS12 file. End user would be none the wiser.

Regards,
Graham
—

v2.23.0 | Report a Bug | By Email