Re: [Spasm] [saag] Best practices for applications using X.509 client certificates
Sean Leonard <dev+ietf@seantek.com> Mon, 26 September 2016 19:54 UTC
Return-Path: <dev+ietf@seantek.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E74F312B249; Mon, 26 Sep 2016 12:54:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RiZE5hz6zCz1; Mon, 26 Sep 2016 12:54:04 -0700 (PDT)
Received: from mxout-08.mxes.net (mxout-08.mxes.net [216.86.168.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 88961127076; Mon, 26 Sep 2016 12:54:04 -0700 (PDT)
Received: from [192.168.123.7] (unknown [75.83.2.34]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id 2EBDF50A84; Mon, 26 Sep 2016 15:54:03 -0400 (EDT)
To: David Woodhouse <dwmw2@infradead.org>, spasm@ietf.org, Security Area Advisory Group <saag@ietf.org>
References: <1474280601.144982.263.camel@infradead.org> <CAPt1N1n_ff_QMYiRoorwvVnnP-Q6oruUE9_pvVr+QabeYJ+WrQ@mail.gmail.com> <CACsn0cnsswBX_-P+=Nd42uXAjPPXedXCefQ+V7R+aZn3U9XNog@mail.gmail.com> <CACsn0c=xHisLqPQzMHKr-0c_MEwM9_Nzq3tKmih5uZTYBnibGg@mail.gmail.com> <CACsn0ckABVfiJ506-uYRG+FXpGQixrS_9nxq6tPXfRu1kG_3pw@mail.gmail.com> <1474314996.144982.391.camel@infradead.org> <22611.1474382971@obiwan.sandelman.ca> <D2D83C89-12A2-4562-970A-92FAD232DD3B@deployingradius.com> <1474387598.144982.452.camel@infradead.org> <6A89750D-EAF8-45A0-97AD-0137A2CB8352@seantek.com> <1474881447.45169.205.camel@infradead.org> <1eb84be4-1c5a-066e-f82d-1cd98c2dddd0@seantek.com> <1474919326.45169.305.camel@infradead.org>
From: Sean Leonard <dev+ietf@seantek.com>
Message-ID: <c2144e2e-0fd1-2f48-326f-7d9ec47f2d5c@seantek.com>
Date: Mon, 26 Sep 2016 12:55:45 -0700
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <1474919326.45169.305.camel@infradead.org>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/BVWYZNbpIvqT8F2FUrvNPn-d3-0>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, Alan DeKok <aland@deployingradius.com>
Subject: Re: [Spasm] [saag] Best practices for applications using X.509 client certificates
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Sep 2016 19:54:06 -0000
On 9/26/2016 12:48 PM, David Woodhouse wrote: > >> For interoperable private key formats, I favor PKCS #8 PrivateKeyInfo >> (as .p8) and PKCS #8 EncryptedPrivateKeyInfo (as .p8e). They are >> standardized, widely-supported, and algorithm-agile. > They are also non-portable, because even when RFC5958 was published in > 2010, FFS, it didn't mandate the conversion of the password to UTF-8 > (let alone any mention of Unicode normalisation) for the purpose of the > key derivation. > > PKCS#12 at least gets *part* of that right, by mandating UTF16BE (BMP). draft-seantek-pkcs8-encrypted-01 Glad to see someone else cares about password mapping. :) Sean
- Re: [Spasm] [saag] Best practices for application… Nico Williams
- Re: [Spasm] [saag] Best practices for application… Nico Williams
- Re: [Spasm] [saag] Best practices for application… Nico Williams
- Re: [Spasm] [saag] Best practices for application… Nico Williams
- Re: [Spasm] [saag] Best practices for application… Nico Williams
- Re: [Spasm] [saag] Best practices for application… Nico Williams
- Re: [Spasm] [saag] Best practices for application… Nico Williams
- Re: [Spasm] [saag] Best practices for application… Peter Gutmann
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- [Spasm] Best practices for applications using X.5… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Ted Lemon
- Re: [Spasm] Best practices for applications using… Phillip Hallam-Baker
- Re: [Spasm] [saag] Best practices for application… Watson Ladd
- Re: [Spasm] Best practices for applications using… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Michael Richardson
- Re: [Spasm] [saag] Best practices for application… Alan DeKok
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Alan DeKok
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Michael Richardson
- Re: [Spasm] [saag] Best practices for application… Peter Gutmann
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Peter Gutmann
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Alan DeKok
- Re: [Spasm] [saag] Best practices for application… Ted Lemon
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Ted Lemon
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Ted Lemon
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Sean Leonard
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Sean Leonard
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Sean Leonard
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Sean Leonard
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Sean Leonard
- Re: [Spasm] [saag] Best practices for application… Watson Ladd
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Sean Leonard
- Re: [Spasm] [saag] Best practices for application… Sean Leonard
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Nikos Mavrogiannopoulos
- Re: [Spasm] [saag] Best practices for application… Olle E. Johansson