Re: [lamps] [EXTERNAL] Distinguished names for self certified TLS client authj

Jeffrey Walton <noloader@gmail.com> Wed, 15 June 2022 03:35 UTC

References: <CAMm+Lwifpf1DCtFtc-sY_sK2tbW02rON9oyjPzwyoCQ6Hcgfvw@mail.gmail.com> <CH0PR11MB573913BCED51B151C31B1FA89FAA9@CH0PR11MB5739.namprd11.prod.outlook.com> <CAMm+LwghOrYJfKmmHDG_+t=ufXS+-bWPNHw852MZDbW5mA_Qsg@mail.gmail.com>
In-Reply-To: <CAMm+LwghOrYJfKmmHDG_+t=ufXS+-bWPNHw852MZDbW5mA_Qsg@mail.gmail.com>
Reply-To: noloader@gmail.com
From: Jeffrey Walton <noloader@gmail.com>
Date: Tue, 14 Jun 2022 23:34:27 -0400
Message-ID: <CAH8yC8=15VqQ=aWjZ-LoJGCdDpnRtpWbSq25mRjDL=SiQv2iuA@mail.gmail.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
Cc: SPASM <SPASM@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/jCOsHU5Py3pXiPkfpxM_2ZcSyY8>
Subject: Re: [lamps] [EXTERNAL] Distinguished names for self certified TLS client authj

On Tue, Jun 14, 2022 at 11:14 PM Phillip Hallam-Baker
<phill@hallambaker.com> wrote:
>
> Hmm... looks like this is a piece of brokenness in the browsers.

I don't think client certs are a priority for Browsers. That would
significantly hinder support of interception, which is a browser
design goal under Priority of Constituencies [1]. Browsers see
interception as a valid use case for DLP programs.

Instead of client certificates (and Origin Bound Certificates), the
browsers prefer transport schemes, like FIDO and token binding gear,
so traffic can be intercepted.

(The open question for me is, how does a browser tell "good"
interception from a "good" guy, as opposed to "bad" interception from
a bad guy?)

Jeff

[1] https://w3ctag.github.io/design-principles/#priority-of-constituencies