Re: [Spasm] [saag] Best practices for applications using X.509 client certificates
David Woodhouse <dwmw2@infradead.org> Tue, 20 September 2016 16:06 UTC
Return-Path: <BATV+228e0feef8add010b485+4776+infradead.org+dwmw2@bombadil.srs.infradead.org>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E485D12B3BC; Tue, 20 Sep 2016 09:06:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.516
X-Spam-Level:
X-Spam-Status: No, score=-6.516 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-2.316] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j8x09RWKB-1E; Tue, 20 Sep 2016 09:06:44 -0700 (PDT)
Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2001:1868:205::9]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74E4C12B377; Tue, 20 Sep 2016 09:06:44 -0700 (PDT)
Received: from [2001:8b0:10b:1:841b:5eff:0:3b3] (helo=i7.infradead.org) by bombadil.infradead.org with esmtpsa (Exim 4.85_2 #1 (Red Hat Linux)) id 1bmNZA-00043E-RF; Tue, 20 Sep 2016 16:06:41 +0000
Message-ID: <1474387598.144982.452.camel@infradead.org>
From: David Woodhouse <dwmw2@infradead.org>
To: Alan DeKok <aland@deployingradius.com>, Michael Richardson <mcr+ietf@sandelman.ca>
Date: Tue, 20 Sep 2016 17:06:38 +0100
In-Reply-To: <D2D83C89-12A2-4562-970A-92FAD232DD3B@deployingradius.com>
References: <1474280601.144982.263.camel@infradead.org> <CAPt1N1n_ff_QMYiRoorwvVnnP-Q6oruUE9_pvVr+QabeYJ+WrQ@mail.gmail.com> <CACsn0cnsswBX_-P+=Nd42uXAjPPXedXCefQ+V7R+aZn3U9XNog@mail.gmail.com> <CACsn0c=xHisLqPQzMHKr-0c_MEwM9_Nzq3tKmih5uZTYBnibGg@mail.gmail.com> <CACsn0ckABVfiJ506-uYRG+FXpGQixrS_9nxq6tPXfRu1kG_3pw@mail.gmail.com> <1474314996.144982.391.camel@infradead.org> <22611.1474382971@obiwan.sandelman.ca> <D2D83C89-12A2-4562-970A-92FAD232DD3B@deployingradius.com>
Content-Type: multipart/signed; micalg="sha-256"; protocol="application/x-pkcs7-signature"; boundary="=-YwJ/lnlnSFahAHrz2F0m"
X-Mailer: Evolution 3.20.5 (3.20.5-1.fc24)
Mime-Version: 1.0
X-SRS-Rewrite: SMTP reverse-path rewritten from <dwmw2@infradead.org> by bombadil.infradead.org. See http://www.infradead.org/rpr.html
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/rk94reZVx-t_7oSgax6R8QR4kAY>
Cc: spasm@ietf.org, Security Area Advisory Group <saag@ietf.org>
Subject: Re: [Spasm] [saag] Best practices for applications using X.509 client certificates
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Sep 2016 16:08:08 -0000
On Tue, 2016-09-20 at 11:43 -0400, Alan DeKok wrote: > On Sep 20, 2016, at 10:49 AM, Michael Richardson <mcr+ietf@sandelman.ca> wrote: > > > > I think that the major problem with X.509 client certificates is that many > > applications and protocols don't know if 509 is being used as a container for > > a self-signed certificate, for poorly(privately) signed certificate, a > > corporate CA, or a webCA. > > > > That's where PHB's suggestion of a new meta-format would win. > > (It means that we could eventually not have the keys in X.509 format.) > > This proposal may be applicable: > > https://tools.ietf.org/html/draft-winter-opsec-netconfig-metadata-00 That looks like a layer above what I'm talking about. My goal is that we should be able to refer to certificates in a simple consistent way. If the certificate is in a system store then applications should allow it to be used by means of a consistent identifier string (which is defined by RFC7512 for PKCS#11, and may be different for OSX/Windows system certificate stores). If the certificate is in a file, obviously the identifier is the filename... but we need to fix applications so that they actually *accept* all types of files. Which as I said, none of them do at the moment. Looking at the proposal above, I see there is some attempt to handle certificate encodings — it the CertEncodingEnum has values of PEM, DER, and P12. This looks a lot like the problematic applications we need to fix... for PKCS#1 and PKCS#8 you have to manually specify whether it's PEM or DER file even though the software could work that out for itself. And for PKCS#12 you *don't* have to specify; it's going to assume DER. All very suboptimal. My assertion is that applications shouldn't *need* that nonsense, and should just take the filename and deal with the contents. Please don't entrench that horridness further. It also seems that the proposal you reference doesn't have any kind of support for using keys from hardware. If the key I want to use is identified by an RFC7512 PKCS#11 URI, how do I indicate *that* in this format? -- dwmw2
- Re: [Spasm] [saag] Best practices for application… Nico Williams
- Re: [Spasm] [saag] Best practices for application… Nico Williams
- Re: [Spasm] [saag] Best practices for application… Nico Williams
- Re: [Spasm] [saag] Best practices for application… Nico Williams
- Re: [Spasm] [saag] Best practices for application… Nico Williams
- Re: [Spasm] [saag] Best practices for application… Nico Williams
- Re: [Spasm] [saag] Best practices for application… Nico Williams
- Re: [Spasm] [saag] Best practices for application… Peter Gutmann
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- [Spasm] Best practices for applications using X.5… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Ted Lemon
- Re: [Spasm] Best practices for applications using… Phillip Hallam-Baker
- Re: [Spasm] [saag] Best practices for application… Watson Ladd
- Re: [Spasm] Best practices for applications using… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Michael Richardson
- Re: [Spasm] [saag] Best practices for application… Alan DeKok
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Alan DeKok
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Michael Richardson
- Re: [Spasm] [saag] Best practices for application… Peter Gutmann
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Peter Gutmann
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Alan DeKok
- Re: [Spasm] [saag] Best practices for application… Ted Lemon
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Ted Lemon
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Ted Lemon
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Sean Leonard
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Sean Leonard
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Sean Leonard
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Sean Leonard
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Sean Leonard
- Re: [Spasm] [saag] Best practices for application… Watson Ladd
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Sean Leonard
- Re: [Spasm] [saag] Best practices for application… Sean Leonard
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… David Woodhouse
- Re: [Spasm] [saag] Best practices for application… Nikos Mavrogiannopoulos
- Re: [Spasm] [saag] Best practices for application… Olle E. Johansson