[TLS] X509 extension to specify use for only one origin?

Henry Story <henry.story@bblfish.net> Wed, 09 March 2016 14:39 UTC

From: Henry Story <henry.story@bblfish.net>
Message-Id: <E52FE3EA-AC0A-4CEA-885F-E6558889170F@bblfish.net>
Date: Wed, 9 Mar 2016 14:36:20 +0000
To: "<tls@ietf.org>" <tls@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/DC4qGWp9GYjr785hAbXWi9r2mmU>
Subject: [TLS] X509 extension to specify use for only one origin?

Hi,

The W3C TAG is working on a finding for Client Certificates that
people here should find very interesting [1].

One issue that comes up a lot in discussions is the use of certificates
across origins [2], which some folks find problematic, even though it 
clearly has its uses [3].

It seems that this could be solved neatly with an X509 extension
limiting usage to a certain origin or set of origins. I would not
be surprised if this already exists. With browser chrome support this
would allow the full range of uses from FIDO to cross origin ones
whilst putting the user in control.

Henry


[1] https://github.com/w3ctag/client-certificates
[2] https://github.com/w3ctag/client-certificates/issues/1
[3] https://github.com/w3ctag/client-certificates/issues/1#issuecomment-194318303
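As an added illustration of the idea in the message above (example code, not part of the original post and not anything the W3C TAG or the IETF has defined): a minimal DER encoder/decoder for a hypothetical X.509 extension whose value is a SEQUENCE OF IA5String listing the web origins a client certificate may be presented to, together with the check a browser or relying party would run before using the certificate for a given origin. The OID is a placeholder under the private-enterprise arc and the extension name is an assumption; origins are normalized to `scheme://host[:port]` so the comparison is exact-match, and a malformed extension fails closed.

```python
# Added example, not code from the original mailing-list post.
# Hypothetical "origin limit" X.509 extension: encode/decode its extnValue
# and decide whether a certificate may be used for a particular origin.

from urllib.parse import urlsplit

# Placeholder OID; an assumption for illustration, not a registered value.
HYPOTHETICAL_ORIGIN_LIMIT_OID = "1.3.6.1.4.1.99999.1.1"

DEFAULT_PORTS = {"https": 443, "http": 80}


def _der_len(n: int) -> bytes:
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_len(buf: bytes, pos: int):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    count = first & 0x7F
    if count == 0 or count > 4 or pos + count > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos:pos + count], "big"), pos + count


def normalize_origin(origin: str) -> str:
    """Canonical scheme://host[:port] so that comparisons are exact-match."""
    parts = urlsplit(origin)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not a web origin: {origin!r}")
    host = parts.hostname.lower()          # urlsplit already lowercases, kept explicit
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    if port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def encode_origin_limit(origins) -> bytes:
    """extnValue = SEQUENCE OF IA5String, one normalized origin per element."""
    items = b""
    for o in origins:
        s = normalize_origin(o).encode("ascii")
        items += b"\x16" + _der_len(len(s)) + s      # 0x16 = IA5String
    return b"\x30" + _der_len(len(items)) + items    # 0x30 = SEQUENCE


def decode_origin_limit(der: bytes) -> list:
    """Parse the extnValue back into a list of normalized origins; strict."""
    if not der or der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    n, pos = _read_len(der, 1)
    end = pos + n
    if end != len(der):
        raise ValueError("trailing or truncated data")
    origins = []
    while pos < end:
        if der[pos] != 0x16:
            raise ValueError("expected IA5String")
        n, pos = _read_len(der, pos + 1)
        s = der[pos:pos + n]
        if len(s) != n or pos + n > end:
            raise ValueError("truncated IA5String")
        origins.append(normalize_origin(s.decode("ascii")))
        pos += n
    return origins


def certificate_allowed_for_origin(extensions: dict, origin: str,
                                   allow_unrestricted: bool = False) -> bool:
    """
    `extensions` maps OID string -> raw extnValue bytes, the shape a certificate
    parser would hand back. A certificate without the origin-limit extension is
    refused unless the relying party explicitly opts in to legacy, unrestricted
    certificates; a malformed extension is refused outright (fail closed).
    """
    raw = extensions.get(HYPOTHETICAL_ORIGIN_LIMIT_OID)
    if raw is None:
        return allow_unrestricted
    try:
        allowed = decode_origin_limit(raw)
    except ValueError:
        return False
    return normalize_origin(origin) in allowed


if __name__ == "__main__":
    # Constructed sample: a certificate scoped to two origins.
    ext = encode_origin_limit(["https://example.org:443", "https://app.example.org:8443"])
    exts = {HYPOTHETICAL_ORIGIN_LIMIT_OID: ext}
    print(decode_origin_limit(ext))
    print(certificate_allowed_for_origin(exts, "https://EXAMPLE.org"))      # True
    print(certificate_allowed_for_origin(exts, "https://evil.example.org")) # False
```

The policy knob `allow_unrestricted` is where the "user in control" part of the proposal would sit: a browser could let the user decide whether certificates that carry no origin limit may still be offered cross-origin, while certificates that do carry one are never offered outside the listed origins.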