IETF Logo Mail Archive

Re: [TLS] TLS 1.3 certificate delegation?

Bill Frantz <frantz@pwpconsult.com> Fri, 08 November 2013 15:56 UTC

Return-Path: <frantz@pwpconsult.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C97E311E8240 for <tls@ietfa.amsl.com>; Fri, 8 Nov 2013 07:56:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XZmuvKMvA73v for <tls@ietfa.amsl.com>; Fri, 8 Nov 2013 07:56:31 -0800 (PST)
Received: from elasmtp-mealy.atl.sa.earthlink.net (elasmtp-mealy.atl.sa.earthlink.net [209.86.89.69]) by ietfa.amsl.com (Postfix) with ESMTP id D198B11E81AB for <tls@ietf.org>; Fri, 8 Nov 2013 07:56:31 -0800 (PST)
Received: from [173.185.171.74] (helo=Williams-MacBook-Pro.local) by elasmtp-mealy.atl.sa.earthlink.net with esmtpa (Exim 4.67) (envelope-from <frantz@pwpconsult.com>) id 1VeoQ9-0005Km-0x; Fri, 08 Nov 2013 10:56:30 -0500
Date: Fri, 08 Nov 2013 07:56:26 -0800
From: Bill Frantz <frantz@pwpconsult.com>
To: Johannes Merkle <johannes.merkle@secunet.com>
X-Priority: 3
In-Reply-To: <527CF707.2070000@secunet.com>
Message-ID: <r422Ps-1075i-7D1B8241D4174A8BAEFBF63DCD3FADA9@Williams-MacBook-Pro.local>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Mailsmith 2.3.1 (422)
X-ELNK-Trace: 3a5e54fa03f1b3e21aa676d7e74259b7b3291a7d08dfec796dfbec18f035d936775da4b21fb8c64b350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c
X-Originating-IP: 173.185.171.74
Cc: tls@ietf.org, Andy Lutomirski <luto@amacapital.net>
Subject: Re: [TLS] TLS 1.3 certificate delegation?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Nov 2013 15:56:36 -0000

On 11/8/13 at 6:36 AM, johannes.merkle@secunet.com (Johannes Merkle) wrote:

> > It would be a departure from established practice, but, if certificate
> > #3 permits signing, then there's nothing insecure about this certificate
> > chain.  Whoever has the private key associated with certificate #3 is
> > permitted to host the domains described by the common name and
> > subjectAltNames of #3 (and subdomains if it's a wildcard), so, if
> > they're willing to delegate authority to certificate #4, they should be
> > able to.
> 
> It is a bad idea to introduce violations of PKIX standards (RFC 5280) in TLS  1.3.

Please explain why.

Cheers - Bill

-----------------------------------------------------------------------
Bill Frantz        | Concurrency is hard. 12 out  | Periwinkle
(408)356-8506      | 10 programmers get it wrong. | 16345 Englewood Ave
www.pwpconsult.com |                - Jeff Frantz | Los Gatos, CA 95032

v2.23.0 | Report a Bug | By Email