[stir] x5u
Russ Housley <housley@vigilsec.com> Mon, 18 March 2024 08:10 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67536C151098 for <stir@ietfa.amsl.com>; Mon, 18 Mar 2024 01:10:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=vigilsec.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KSuHCg0ZtJfn for <stir@ietfa.amsl.com>; Mon, 18 Mar 2024 01:10:07 -0700 (PDT)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 71934C151535 for <stir@ietf.org>; Mon, 18 Mar 2024 01:09:34 -0700 (PDT)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id C47DE11EC79 for <stir@ietf.org>; Mon, 18 Mar 2024 04:09:33 -0400 (EDT)
Received: from smtpclient.apple (pfs.iad.rg.net [198.180.150.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id 3BFC111F5BE for <stir@ietf.org>; Mon, 18 Mar 2024 04:09:33 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6\))
Message-Id: <68E625F9-F114-4B40-AC5B-9F636C32D2AE@vigilsec.com>
Date: Mon, 18 Mar 2024 04:09:20 -0400
To: IETF STIR Mail List <stir@ietf.org>
X-Mailer: Apple Mail (2.3731.700.6)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=vigilsec.com; h=from:content-type:content-transfer-encoding:mime-version:subject:message-id:date:to; s=pair-202402141609; bh=nIv0RcXR1z53QpUQXHltE2BL2bF8cZmhkBUZv4SjAKw=; b=NoL9O4oP2669GZwJ/fj69AkQR0wfEwwNJTAtGUbI3U8Dm7cXNq/WL2B3+zVJbcr6LOPT+HRHI/uSDl4S7inYasCCeWa0csSqugJKxGWeNy3QtaN7w4IrZ9CFsIcSoLw5Q4VIxrLymuYIB10Dd8Dd+bl502+WFfia59W4Q+yLXZ7jqWjo1YupSz2JIDfyxU8xo6BftNOm24iJayXthg68M+6uqd1F9EEaf5AU079lY8gTGPXjN/xY4X/VAU3bLcN+3HEusqmVGQEGjDyYvBI6g3Fx8jIdplE8YW6HwCZa1PhATD6BVHg6myCSuxsHQboHyOup8Vk/yqRrHMDfTNMaFg==
X-Scanned-By: mailmunge 3.11 on 66.39.134.11
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/Y7m1v9mwX17cpaC8J5Z88PdKZdU>
Subject: [stir] x5u
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2024 08:10:11 -0000
RFC 5715 says: 4.1.5. "x5u" (X.509 URL) Header Parameter The "x5u" (X.509 URL) Header Parameter is a URI [RFC3986] that refers to a resource for the X.509 public key certificate or certificate chain [RFC5280] corresponding to the key used to digitally sign the JWS. The identified resource MUST provide a representation of the certificate or certificate chain that conforms to RFC 5280 [RFC5280] in PEM-encoded form, with each certificate delimited as specified in Section 6.1 of RFC 4945 [RFC4945]. The certificate containing the public key corresponding to the key used to digitally sign the JWS MUST be the first certificate. This MAY be followed by additional certificates, with each subsequent certificate being the one used to certify the previous one. The protocol used to acquire the resource MUST provide integrity protection; an HTTP GET request to retrieve the certificate MUST use TLS [RFC2818] [RFC5246]; and the identity of the server MUST be validated, as per Section 6 of RFC 6125 [RFC6125]. Also, see Section 8 on TLS requirements. Use of this Header Parameter is OPTIONAL. And, RFC 4945 says: 6.1. Certificates Certificates MUST be Base64 [19] encoded and appear between the following delimiters: -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- An example of a file that uses this encoding is here: https://www.ietf.org/enc/verifybundle.pem Russ
- [stir] x5u Russ Housley
- Re: [stir] x5u Alec Fenichel
- Re: [stir] x5u Russ Housley