Re: [Spasm] [saag] Best practices for applications using X.509 client certificates

Alan DeKok <aland@deployingradius.com> Tue, 20 September 2016 15:43 UTC

From: Alan DeKok <aland@deployingradius.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: spasm@ietf.org, David Woodhouse <dwmw2@infradead.org>, Security Area Advisory Group <saag@ietf.org>
Date: Tue, 20 Sep 2016 11:43:03 -0400
Message-Id: <D2D83C89-12A2-4562-970A-92FAD232DD3B@deployingradius.com>
In-Reply-To: <22611.1474382971@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/85Jxwq8Ze2Mnc5MDi4Uo0qzCdz4>

On Sep 20, 2016, at 10:49 AM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
> I think that the major problem with X.509 client certificates is that many
> applications and protocols don't know if 509 is being used as a container for
> a self-signed certificate, for a poorly (privately) signed certificate, a
> corporate CA, or a webCA.
> 
> That's where PHB's suggestion of a new meta-format would win.
> (It means that we could eventually not have the keys in X.509 format.)

  This proposal may be applicable:

https://tools.ietf.org/html/draft-winter-opsec-netconfig-metadata-00

  Alan DeKok.
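Added example, not part of either message in this thread and not code from any IETF draft: a small Go program that makes the distinction in the quoted message explicit on the verifier's side. It classifies a client certificate as self-signed, chained to a corporate CA, chained to a web CA, or untrusted, by keeping the corporate and web trust anchors in two separate pools rather than one. The CA names, subject names, class labels and the certificates themselves are constructed for the example; a real deployment would load its corporate anchors from its own store and the web anchors from the system pool (x509.SystemCertPool()).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type CertClass string // what a verifier can actually conclude about the client cert it was handed
const ClassSelfSigned, ClassCorporate, ClassWebCA, ClassUntrusted CertClass = "self-signed", "corporate-ca", "web-ca", "untrusted-or-unknown-issuer"

// Classify places cert into exactly one class. Corporate and web anchors are kept in
// separate pools on purpose: "the chain verifies" alone does not say who vouched for the key.
func Classify(cert *x509.Certificate, corporate, web *x509.CertPool) CertClass {
	// Signature verifies under the cert's own key: self-signed, whatever the Issuer field says.
	if cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
		return ClassSelfSigned
	}
	// Client cert, so require clientAuth: Verify defaults to serverAuth and would reject it.
	for i, pool := range []*x509.CertPool{corporate, web} {
		if _, err := cert.Verify(x509.VerifyOptions{Roots: pool,
			KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err == nil {
			return []CertClass{ClassCorporate, ClassWebCA}[i]
		}
	}
	return ClassUntrusted
}

// BuildFixture constructs this example's certificates (not real ones): a corporate CA and a
// stand-in "web" CA with one client cert each, a self-signed client cert, and a stray one.
func BuildFixture() (corporate, web *x509.CertPool, clients map[string]*x509.Certificate) {
	corpCA, corpKey := selfSigned("Example Corp Internal CA", true)
	webCA, webKey := selfSigned("Stand-in Public Web CA", true) // real code: x509.SystemCertPool()
	strayCA, strayKey := selfSigned("Some CA the app never saw", true)
	selfCert, _ := selfSigned("alice-self", false)
	corporate, web = x509.NewCertPool(), x509.NewCertPool()
	corporate.AddCert(corpCA)
	web.AddCert(webCA)
	clients = map[string]*x509.Certificate{
		"corp-issued":    mustCert(template("alice", false), corpCA, newKey(), corpKey),
		"web-issued":     mustCert(template("bob", false), webCA, newKey(), webKey),
		"unknown-issuer": mustCert(template("mallory", false), strayCA, newKey(), strayKey),
		"self-signed":    selfCert,
	}
	return corporate, web, clients
}

// template returns a clientAuth leaf template, or a CA template when ca is set.
func template(cn string, ca bool) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // toy serial; real CAs use random ones
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if ca {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
	}
	return tmpl
}

// selfSigned issues a template to a fresh key and signs it with that same key.
func selfSigned(cn string, ca bool) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl, key := template(cn, ca), newKey()
	return mustCert(tmpl, tmpl, key, key), key
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return k
}

// mustCert signs tmpl for subject's public key with signer's key and parses the result.
func mustCert(tmpl, parent *x509.Certificate, subject, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &subject.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	corporate, web, clients := BuildFixture()
	for name, c := range clients {
		fmt.Printf("%-15s %s\n", name, Classify(c, corporate, web))
	}
}
```

Running the file with `go run` prints one line per constructed certificate. Note the ordering: the self-signed check runs first, so a corporate CA certificate presented as a client certificate would be reported as self-signed, not corporate; which answer the application wants there is exactly the policy question the quoted message says applications leave implicit.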