Re: [Spasm] [saag] Best practices for applications using X.509 client certificates
David Woodhouse <dwmw2@infradead.org> Mon, 26 September 2016 20:32 UTC
Return-Path: <BATV+421cd2077d379962b7d4+4782+infradead.org+dwmw2@bombadil.srs.infradead.org>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5540D12B23C; Mon, 26 Sep 2016 13:32:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.506
X-Spam-Level:
X-Spam-Status: No, score=-6.506 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-2.316, T_MIME_MALF=0.01] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UAyeZY4miY9H; Mon, 26 Sep 2016 13:32:53 -0700 (PDT)
Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2001:1868:205::9]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B8F7712B011; Mon, 26 Sep 2016 13:26:02 -0700 (PDT)
Received: from [2001:8b0:10b:1:841b:5eff:0:3b3] (helo=i7.infradead.org) by bombadil.infradead.org with esmtpsa (Exim 4.85_2 #1 (Red Hat Linux)) id 1bocTR-00085W-Qi; Mon, 26 Sep 2016 20:26:02 +0000
Message-ID: <1474921558.45169.314.camel@infradead.org>
From: David Woodhouse <dwmw2@infradead.org>
To: Sean Leonard <dev+ietf@seantek.com>, spasm@ietf.org, Security Area Advisory Group <saag@ietf.org>
Date: Mon, 26 Sep 2016 21:25:58 +0100
In-Reply-To: <c2144e2e-0fd1-2f48-326f-7d9ec47f2d5c@seantek.com>
References: <1474280601.144982.263.camel@infradead.org> <CAPt1N1n_ff_QMYiRoorwvVnnP-Q6oruUE9_pvVr+QabeYJ+WrQ@mail.gmail.com> <CACsn0cnsswBX_-P+=Nd42uXAjPPXedXCefQ+V7R+aZn3U9XNog@mail.gmail.com> <CACsn0c=xHisLqPQzMHKr-0c_MEwM9_Nzq3tKmih5uZTYBnibGg@mail.gmail.com> <CACsn0ckABVfiJ506-uYRG+FXpGQixrS_9nxq6tPXfRu1kG_3pw@mail.gmail.com> <1474314996.144982.391.camel@infradead.org> <22611.1474382971@obiwan.sandelman.ca> <D2D83C89-12A2-4562-970A-92FAD232DD3B@deployingradius.com> <1474387598.144982.452.camel@infradead.org> <6A89750D-EAF8-45A0-97AD-0137A2CB8352@seantek.com> <1474881447.45169.205.camel@infradead.org> <1eb84be4-1c5a-066e-f82d-1cd98c2dddd0@seantek.com> <1474919326.45169.305.camel@infradead.org> <c2144e2e-0fd1-2f48-326f-7d9ec47f2d5c@seantek.com>
Content-Type: multipart/signed; micalg="sha-256"; protocol="application/x-pkcs7-signature"; boundary="=-RDHdfDJX+ViU75AAMyGb"
X-Mailer: Evolution 3.20.5 (3.20.5-1.fc24)
Mime-Version: 1.0
X-SRS-Rewrite: SMTP reverse-path rewritten from <dwmw2@infradead.org> by bombadil.infradead.org. See http://www.infradead.org/rpr.html
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/mZ0pLVcrOYVeA51RotzybIz0wL8>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, Alan DeKok <aland@deployingradius.com>
Subject: Re: [Spasm] [saag] Best practices for applications using X.509 client certificates
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Sep 2016 20:32:54 -0000
On Mon, 2016-09-26 at 12:55 -0700, Sean Leonard wrote: > On 9/26/2016 12:48 PM, David Woodhouse wrote: > > > >> For interoperable private key formats, I favor PKCS #8 PrivateKeyInfo > >> (as .p8) and PKCS #8 EncryptedPrivateKeyInfo (as .p8e). They are > >> standardized, widely-supported, and algorithm-agile. > > They are also non-portable, because even when RFC5958 was published in > > 2010, FFS, it didn't mandate the conversion of the password to UTF-8 > > (let alone any mention of Unicode normalisation) for the purpose of the > > key derivation. > > > > PKCS#12 at least gets *part* of that right, by mandating UTF16BE (BMP). > > draft-seantek-pkcs8-encrypted-01 OK... so now we have can say Content-Type: application/pkcs8-encrypted; password-mapping=UTF-8 (Did you intend '*pkcs12' to mean UTF16-BE which is BMP, not UTF-16LE?) But I've *never* seen an application make use of certs/files from any container where that Content-Type: header might be present. It's not even permitted to put it in PEM files, is it? So does this really buy me anything in practice? And it still doesn't cover Unicode normalisation. :) > Glad to see someone else cares about password mapping. Mostly when it breaks :) -- dwmw2
- Re: [Spasm] [saag] Best practices for application… Nico Williams
- Re: [Spasm] [saag] Best practices for application… Nico Williams
- Re: [Spasm] [saag] Best practices for application… Nico Williams
- Re: [Spasm] [saag] Best practices for application… Nico Williams
- Re: [Spasm] [saag] Best practices for application… Nico Williams
- Re: [Spasm] [saag] Best practices for application… Nico Williams
- Re: [Spasm] [saag] Best practices for application… Nico Williams
- Re: [Spasm] [saag] Best practices for application… Peter Gutmann
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- [Spasm] Best practices for applications using X.5… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Ted Lemon
- Re: [Spasm] Best practices for applications using… Phillip Hallam-Baker
- Re: [Spasm] [saag] Best practices for application… Watson Ladd
- Re: [Spasm] Best practices for applications using… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Michael Richardson
- Re: [Spasm] [saag] Best practices for application… Alan DeKok
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Alan DeKok
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Michael Richardson
- Re: [Spasm] [saag] Best practices for application… Peter Gutmann
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Peter Gutmann
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Alan DeKok
- Re: [Spasm] [saag] Best practices for application… Ted Lemon
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Ted Lemon
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Ted Lemon
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Sean Leonard
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Sean Leonard
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Sean Leonard
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Sean Leonard
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Sean Leonard
- Re: [Spasm] [saag] Best practices for application… Watson Ladd
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Sean Leonard
- Re: [Spasm] [saag] Best practices for application… Sean Leonard
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Nikos Mavrogiannopoulos
- Re: [Spasm] [saag] Best practices for application… Olle E. Johansson