Re: [TLS] [EXTERNAL] Re: Servers sending CA names

Peter Gutmann <pgut001@cs.auckland.ac.nz> Tue, 18 April 2023 23:46 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Richard Barnes <rlb@ipv.sx>, Robert Relyea <rrelyea@redhat.com>
CC: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] [EXTERNAL] Re: Servers sending CA names
Date: Tue, 18 Apr 2023 23:45:59 +0000
Message-ID: <SY4PR01MB6251B265C49D63CC0EECBC22EE9D9@SY4PR01MB6251.ausprd01.prod.outlook.com>
References: <51B56747-0347-43AB-93A7-C3FDF49902D2@akamai.com> <ZDcbv4g5-tjN-Mu-@straasha.imrryr.org> <CAF8qwaBaOq1_Ow_vtB=DGjjDkAx+N+CPMpfn1huP=DRsCiFtaA@mail.gmail.com> <BY5PR00MB06757280F69B9C6D55AD2B048C9BA@BY5PR00MB0675.namprd00.prod.outlook.com> <accacacd-2bd6-4c89-8221-0c32b1a25ae3@betaapp.fastmail.com> <e5970ece-973b-e758-03b5-0e6ea2dc0b1b@redhat.com> <CAL02cgT0OyTP3F7qxTZvOXVv=X+=CywbYpYoE95MijPy5yshXQ@mail.gmail.com>
In-Reply-To: <CAL02cgT0OyTP3F7qxTZvOXVv=X+=CywbYpYoE95MijPy5yshXQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/2hCu8VE49wpK5i84RvWodCRiLVo>
Subject: Re: [TLS] [EXTERNAL] Re: Servers sending CA names

Richard Barnes <rlb@ipv.sx> writes:

>Let's Encrypt issues roughly 3 million publicly trusted certificates per day
>that contain the client authentication EKU

But they just set that by default for every cert they issue so it's pretty
much meaningless.  There are public CAs that set keyAgreement for RSA certs,
and emailProtection for TLS server certs, doesn't mean any of them ever get
used for that.

(My more snarky response would have been that I should have asked that the
IETF define a peaceOnEarth EKU so Let's Encrypt could set that as well :-).

Peter.
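An added example, not part of this thread or of any CA's tooling, that checks the point made above: it builds a constructed self-signed RSA certificate (the name `example.test` is a placeholder) and reports KU/EKU bits that carry no signal about real use, such as clientAuth set beside serverAuth or keyAgreement asserted on an RSA key. It assumes the `cryptography` package is installed.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa

def audit_usage(cert: x509.Certificate) -> list[str]:
    """Flag KU/EKU bits that say nothing about how the cert is actually used."""
    findings = []
    try:
        eku = set(cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value)
    except x509.ExtensionNotFound:
        eku = set()
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    except x509.ExtensionNotFound:
        ku = None
    if {ExtendedKeyUsageOID.SERVER_AUTH, ExtendedKeyUsageOID.CLIENT_AUTH} <= eku:
        findings.append("clientAuth next to serverAuth: a CA default, not evidence of client use")
    if {ExtendedKeyUsageOID.SERVER_AUTH, ExtendedKeyUsageOID.EMAIL_PROTECTION} <= eku:
        findings.append("emailProtection on a TLS server certificate")
    if ku is not None and ku.key_agreement and isinstance(cert.public_key(), rsa.RSAPublicKey):
        findings.append("keyAgreement asserted on an RSA key, which cannot do key agreement")
    return findings

def make_cert(ekus, key_agreement: bool) -> x509.Certificate:
    """Constructed self-signed RSA cert (name is a placeholder) with the given EKU/KU bits."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.test")])
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name).public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + timedelta(days=1))
        .add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
        .add_extension(x509.KeyUsage(
            digital_signature=True, content_commitment=False, key_encipherment=True,
            data_encipherment=False, key_agreement=key_agreement, key_cert_sign=False,
            crl_sign=False, encipher_only=False, decipher_only=False), critical=True)
    )
    return builder.sign(key, hashes.SHA256())

def demo() -> tuple[list[str], list[str]]:
    """Findings for a serverAuth+clientAuth cert with keyAgreement set, and for a plain serverAuth cert."""
    noisy = make_cert([ExtendedKeyUsageOID.SERVER_AUTH, ExtendedKeyUsageOID.CLIENT_AUTH], True)
    clean = make_cert([ExtendedKeyUsageOID.SERVER_AUTH], False)
    return audit_usage(noisy), audit_usage(clean)
```

A server deciding which CA names to advertise gets nothing from these bits; the audit only tells you which ones to ignore.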