Re: [Spasm] [saag] Best practices for applications using X.509 client certificates
Alan DeKok <aland@deployingradius.com> Tue, 20 September 2016 16:36 UTC
Return-Path: <aland@deployingradius.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AB5512B3A2; Tue, 20 Sep 2016 09:36:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TUdPoaYH_Ope; Tue, 20 Sep 2016 09:36:01 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) by ietfa.amsl.com (Postfix) with ESMTP id 1D03012B0E9; Tue, 20 Sep 2016 09:36:01 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.networkradius.com (Postfix) with ESMTP id 70D341EF7; Tue, 20 Sep 2016 16:36:00 +0000 (UTC)
Received: from mail.networkradius.com ([127.0.0.1]) by localhost (mail-server.vmhost2.networkradius.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UOjVjW8pOs3z; Tue, 20 Sep 2016 16:36:00 +0000 (UTC)
Received: from [192.168.100.59] (69-196-165-104.dsl.teksavvy.com [69.196.165.104]) by mail.networkradius.com (Postfix) with ESMTPSA id BADC31704; Tue, 20 Sep 2016 16:35:59 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <1474387598.144982.452.camel@infradead.org>
Date: Tue, 20 Sep 2016 12:36:01 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <11F16CFE-3554-4F07-811A-8F5D4BE3A6AE@deployingradius.com>
References: <1474280601.144982.263.camel@infradead.org> <CAPt1N1n_ff_QMYiRoorwvVnnP-Q6oruUE9_pvVr+QabeYJ+WrQ@mail.gmail.com> <CACsn0cnsswBX_-P+=Nd42uXAjPPXedXCefQ+V7R+aZn3U9XNog@mail.gmail.com> <CACsn0c=xHisLqPQzMHKr-0c_MEwM9_Nzq3tKmih5uZTYBnibGg@mail.gmail.com> <CACsn0ckABVfiJ506-uYRG+FXpGQixrS_9nxq6tPXfRu1kG_3pw@mail.gmail.com> <1474314996.144982.391.camel@infradead.org> <22611.1474382971@obiwan.sandelman.ca> <D2D83C89-12A2-4562-970A-92FAD232DD3B@deployingradius.com> <1474387598.144982.452.camel@infradead.org>
To: David Woodhouse <dwmw2@infradead.org>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/hzixq8MzEHcuee6zZp5VV3WqfZo>
Cc: spasm@ietf.org, Michael Richardson <mcr+ietf@sandelman.ca>, Security Area Advisory Group <saag@ietf.org>, Winter Stefan <stefan.winter@restena.lu>
Subject: Re: [Spasm] [saag] Best practices for applications using X.509 client certificates
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Sep 2016 16:36:03 -0000
On Sep 20, 2016, at 12:06 PM, David Woodhouse <dwmw2@infradead.org> wrote: >> https://tools.ietf.org/html/draft-winter-opsec-netconfig-metadata-00 > > That looks like a layer above what I'm talking about. My goal is that > we should be able to refer to certificates in a simple consistent way. > > If the certificate is in a system store then applications should allow > it to be used by means of a consistent identifier string (which is > defined by RFC7512 for PKCS#11, and may be different for OSX/Windows > system certificate stores). I think that the two solutions complement each other. > Looking at the proposal above, I see there is some attempt to handle > certificate encodings — it the CertEncodingEnum has values of PEM, DER, > and P12. > > This looks a lot like the problematic applications we need to fix... > for PKCS#1 and PKCS#8 you have to manually specify whether it's PEM or > DER file even though the software could work that out for itself. And > for PKCS#12 you *don't* have to specify; it's going to assume DER. All > very suboptimal. I agree. > My assertion is that applications shouldn't *need* that nonsense, and > should just take the filename and deal with the contents. Please don't > entrench that horridness further. I understand, but... that's easier than scanning the file to see if it's one of N possible unknown formats. And likely more secure. > It also seems that the proposal you reference doesn't have any kind of > support for using keys from hardware. If the key I want to use is > identified by an RFC7512 PKCS#11 URI, how do I indicate *that* in this > format? The proposal would need updating to handle that. Alan DeKok.
- Re: [Spasm] [saag] Best practices for application… Nico Williams
- Re: [Spasm] [saag] Best practices for application… Nico Williams
- Re: [Spasm] [saag] Best practices for application… Nico Williams
- Re: [Spasm] [saag] Best practices for application… Nico Williams
- Re: [Spasm] [saag] Best practices for application… Nico Williams
- Re: [Spasm] [saag] Best practices for application… Nico Williams
- Re: [Spasm] [saag] Best practices for application… Nico Williams
- Re: [Spasm] [saag] Best practices for application… Peter Gutmann
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- [Spasm] Best practices for applications using X.5… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Ted Lemon
- Re: [Spasm] Best practices for applications using… Phillip Hallam-Baker
- Re: [Spasm] [saag] Best practices for application… Watson Ladd
- Re: [Spasm] Best practices for applications using… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Michael Richardson
- Re: [Spasm] [saag] Best practices for application… Alan DeKok
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Alan DeKok
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Michael Richardson
- Re: [Spasm] [saag] Best practices for application… Peter Gutmann
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Peter Gutmann
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Alan DeKok
- Re: [Spasm] [saag] Best practices for application… Ted Lemon
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Ted Lemon
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Ted Lemon
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Sean Leonard
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Sean Leonard
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Sean Leonard
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Sean Leonard
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Sean Leonard
- Re: [Spasm] [saag] Best practices for application… Watson Ladd
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Sean Leonard
- Re: [Spasm] [saag] Best practices for application… Sean Leonard
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Nikos Mavrogiannopoulos
- Re: [Spasm] [saag] Best practices for application… Olle E. Johansson