IETF Logo Mail Archive

Re: [TLS] [EXTERNAL] [lamps] Distinguished names for self certified TLS client authj

Mike Ounsworth <Mike.Ounsworth@entrust.com> Tue, 14 June 2022 20:44 UTC

Return-Path: <Mike.Ounsworth@entrust.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C538FC14CF06; Tue, 14 Jun 2022 13:44:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=entrust.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w_qrskeGlb3H; Tue, 14 Jun 2022 13:44:53 -0700 (PDT)
Received: from mx08-0015a003.pphosted.com (mx08-0015a003.pphosted.com [185.183.30.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 72B4DC14F749; Tue, 14 Jun 2022 13:44:53 -0700 (PDT)
Received: from pps.filterd (m0242863.ppops.net [127.0.0.1]) by mx08-0015a003.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 25EJ7HPc016582; Tue, 14 Jun 2022 15:44:49 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=entrust.com; h=from : to : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=mail1; bh=Wq/3I68wny4VjA+yLy2E/oH/F08uA+Mm5tr7UqKc6hg=; b=MpB6LVyR3kdIXWxSBqgQvthUpp5K4mBia0UzcP0njIGYBqA3nFUJifG9BgmkZO9v9Ox6 Jr0i8MQocyke/FVoZPcW0GgWGdHCvWSS1Vw46kfly5/r5FREmeQpBZ8R8Q4U53ZmXMcj YpSdP5eu2Q1AVbmZlw+fqKfbpOr70jIYnRbiMx9eybjbL03Afp56jzNG7unC8+hw/R7I nk4PUgiFxdWS4bUIUAiqqJYtbSvR9PXlUyMbbI5ALvc+qV8febA6I5NfL9FAPdMGgGX6 sy7RTLKMuqMWdRVBGTKJMsGd0py3BoEgxCbHickO8A2D4anpmP+ut3Pn7G7Pz8MRcSqY Iw==
Received: from nam12-dm6-obe.outbound.protection.outlook.com (mail-dm6nam12lp2174.outbound.protection.outlook.com [104.47.59.174]) by mx08-0015a003.pphosted.com (PPS) with ESMTPS id 3gmp1r3ar1-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 14 Jun 2022 15:44:49 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=OsGoeoXWJcUn0GNJgG0h+9pSNNfMUE1DEhsby8wZn21GLSb4QleJYtwRCTrFvnLH2Py5kfydMi/Bd4CnEJ3qweUo2/DKxUfUVz0Ay7+hR7BDJBoo2Z9tcQKi6qWnh46AypN7M9/oviY0q3R27NZIyVBzsBOyrC/V2D+2vU1My7gDjr0QrrFkiTlg/1nAHI57KPdeT4MQpOwKuIzdLjwC+9BvWdsejFPD1KV7jpVmJLrM69sFmUBTx9DRryShENedapHuo+GCo3QSBkisHvDKZg9jcRT6/f4h87Q8OOrska/0UjA9Wy2tp7N1styDFwS8vMIVbjfqr9WEuUew9xV1sw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=Wq/3I68wny4VjA+yLy2E/oH/F08uA+Mm5tr7UqKc6hg=; b=cgaL8mHz2dpKLoy3ZqoHtpbOClaF615CYNfh71GnwYDMhmOrSxo6iu2PZxpxbiB1xxvOs6r/9HvNEFVybqedW2qATMuPFxmDo8sNXTJPNxixDD4gro2z6ih/JEo1s1ogSWdo8vGiBVuJobIgYSiJzNmhwfooCxBH2YAMN6JbWjAj3hHxs6lkzwwIBJ2y+hBuT0B02dVvMiz33G8jActeQoNts907ZD4w7qiOXjrxSWMlk4bBAhssTEy7Mb++hKh2OmzqRpsAHb4eBdtznvu0CWKOjxAT7SSKtToeosQ/tEK7ciiTWTFp2uwJQmEnKkTQNxO3pSGmEv4/cKGtX441jQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=entrust.com; dmarc=pass action=none header.from=entrust.com; dkim=pass header.d=entrust.com; arc=none
Received: from CH0PR11MB5739.namprd11.prod.outlook.com (2603:10b6:610:100::20) by BN9PR11MB5417.namprd11.prod.outlook.com (2603:10b6:408:11e::7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5332.15; Tue, 14 Jun 2022 20:44:46 +0000
Received: from CH0PR11MB5739.namprd11.prod.outlook.com ([fe80::610d:1832:5a42:40ad]) by CH0PR11MB5739.namprd11.prod.outlook.com ([fe80::610d:1832:5a42:40ad%5]) with mapi id 15.20.5332.023; Tue, 14 Jun 2022 20:44:46 +0000
From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>, SPASM <SPASM@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [EXTERNAL] [lamps] Distinguished names for self certified TLS client authj
Thread-Index: AQHYgCki5OlR2V+B10ufVfdwjZA2Ka1PXGwg
Date: Tue, 14 Jun 2022 20:44:46 +0000
Message-ID: <CH0PR11MB573913BCED51B151C31B1FA89FAA9@CH0PR11MB5739.namprd11.prod.outlook.com>
References: <CAMm+Lwifpf1DCtFtc-sY_sK2tbW02rON9oyjPzwyoCQ6Hcgfvw@mail.gmail.com>
In-Reply-To: <CAMm+Lwifpf1DCtFtc-sY_sK2tbW02rON9oyjPzwyoCQ6Hcgfvw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 004127ce-d816-4218-875c-08da4e46b7e5
x-ms-traffictypediagnostic: BN9PR11MB5417:EE_
x-microsoft-antispam-prvs: <BN9PR11MB54174AD672BE0315A0D2632D9FAA9@BN9PR11MB5417.namprd11.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: /CViSu0U+aDnLUAYE4D2VEYK9F+u0ITSV2WluOXtJ0+Rz8G7AhDcXtVzL7J85NVGgWSQ+xbo6BtcQEJIXFdXLpT8tEvUAdigL7jy2HTOYzVE/hC1W+fSdH+1LBrQv/mHVPBDxO3S0VJyrPjEbIGvmVQiwZDTtjdPO4nGg4QO0PbPzlRWx+oo0jca/l8LZO0ysqvU3+fmiBx7l0Af1rsz61K8qBOEs73QPozrGzCi7JN2ebaLQUh4H/tTgDuFOPMl0Xznpf2j4ev71IjxSy3QrwTECWxmAlVnmcVxO2rtxhrrV1zwZIZGoVdTir86o8QQ1r+ysbaVi2A+3bPSpHKyEJxjg475Db/qh7krXkyStk8vpgw2kpeXKxpUgcHpgmUThRIS8DauF22+SKr9Gz/CabyhS7SJWreP6j8mD/U2781uuKQfDcbcely2hjFritLWepkX7UplgNlBBS4z9GWbJ7ePR0bIYBTHwJhFq6uQ7VRR6FxqEJgQ40saN1H6Jz+UP2ywuDJ9b00R8Uasb2O6wgSB5GrvJi3T3OeKMdqiitr+RHPjK5OKOKFrhb1Or8nM2070f0q73MM8e5jNHJNrKyqb1X+0DvjT440+Wdma4yTHE3wwHdXImU+fx4876s6XA58EfzvO6pJJQoLTbGmFLfEqeT1isHW6RrX2dtax/78xvrA03G2J1HKJb7ktLw0isiFS97M7b7QXXmCrRzrtjK7SCzc4p9gJCvIMF/xLxmuIgIWT8GtrOO6KS1vFK7M+7fGcL81N9xs6Vc9uznprit0cVicEAsbiZpSLN+0i2lE=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH0PR11MB5739.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230016)(366004)(71200400001)(86362001)(966005)(52536014)(8676002)(83380400001)(38100700002)(66556008)(8936002)(55016003)(122000001)(66476007)(186003)(33656002)(508600001)(5660300002)(2906002)(64756008)(7696005)(66946007)(66446008)(26005)(76116006)(6506007)(53546011)(9686003)(38070700005)(316002)(110136005); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: JSnKjFnJXS5ID/n5exvRrpRNm+KYpcwFF3w9coIMIKjAAh+2DQnL1kVqm2lgKjMWhkl1d0EUljtnTy/XGjJ1ux80M802p7hbXy3BP0ssoCcfOXyHvYyeBd/islt8chbMeP+HV4CB4rt+9D8MNOwuUDimaM69saWHAfauNUu0r9bubPl57o638saHMk1Jzfa9uRNjSGY6okpvIuEY5BJExOW+nVWgkUrjr/jPud0FnkQSQIhW1cshhpk0asy5iIdZCuZkXBoIKzgz8A+Ip+MVpGUtSiS8M4CagIg2IrtBCtc3kcGYVH2cLSJJM/ergoGU5Md+Bq8H1GkRHZp7SbHgt+LwmY0KAX3HwdQnPTDEeYPrxnEoBqPee65qv38qCNB8LpI9GCeetTxS2bbBwBNg6gc8z1osLYRlItzSb2RlB4j0M7vPRj8XBuQo/VjFZXwcviJa1y7BiewZIrp+UgDjpyPt/xtjKH699MBHuzBkW7ts2/c8UfqKUBCbH+Ca4JiLDg79OfCcC1heS5b9h/M5HdI1jyCV0SxhJx6mWFsbEBy5sOFxPSbEZ5MMmWRKBMEHz6LeQDdtCot/ypYDWVtE++8CQV0PkPL/tn85VlNSJDGlbj3sCSphAHP0OzzmBpnCSFt5ycgYoye2KE0ZPUAbiMh2PNXsJToANLUCftJSuP9x5aeQxZu6Xy+BnpieBoBYgTI1twrJaQ9ePgxlM604OP3fUBEompaIuvf7+O0rc9OoeRogslz2qU646rGZKj4rBFRjAse3WbKE8v5O1o+YGxCveeRVOmm+NkWJUehhHqskoJwBUGanZOFIlvbQnJWxpsS25xVR3JVY0o/D58zZrf6QTknQFIQ3Ovbh0cOBXo6/46LQE2n45hs5cIGLNJPXAfsdzNgcQkjOHHZ8WiKQuzTsIV8E9ftZyJuASOep1KCYpW7NZRZeQgRMTk5aUaWnyLi0kQf9I9ci/KVvSV7iMQ5oYbqX3gJWo3XPANxfh2piK0fjsd0ovrhty09vNxBFifGxApsjJHzI7THPm8Hv0mWm5z4mQwRAYKG2HHnZ0FePxHbuMd/DS48p5B5mzsDzf5SiD3Teijeqztohdvqpz31lDLyrSJCJmBpUY6DrX0089y6L7M6ZeyWuiUpLTrg3RUn2/2/TQEH6FXNqwJFHfEo3517JSngD60+TBAGNGOrffuE4bD3X6nbnNlCcf0vpN/AIBnWilf60b4XVVcClENcJBsASXfuCUkI+tmR7T01NDQFCUI8jOrTSOfShRl5tCOJoam1bC1W1BOU1UtZXmrVg4y1i+QS+cidpJ3UGjuIXnNW+d3Kgm270vMsBcs/QdvHHej6N4MhXiRc8B37qeY9HHghShjheqLOTyMVaf+pA7jh8yAIZorL8NRl+ADdsBlagsDmKj0KDaMPHJ+3Ad+RX2sQKU1oe5KQblpvfK/lwy9BaTd+GDVJM5GTi9OkpJD6Zpt25mtF/hzKkOD9ZuY1UZADAiyYuPZIRlyjHrrPS0n4Hup7sXz1OxelQFe5lsgdEMaZvQzs8qQYXoKVBK3Qy0/jqX7Z3C+ye6Wt/ydkjmEPr8hjx9g9dG20a3qyqsXoXuM+a/bjUBUrp2EgCe+bPGw0nEMZ1lDfDRXdyNkE5Jt/ZhVtMy2VrvzyAXZe4uaj8MNRrkDw/hc8naSCCJ10EPr0i5JNsz2hheisUDOyPSjopEYXjyxxTPN4DH0CQyMUNM+w4a3UCoE4L+6oa7g==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: entrust.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CH0PR11MB5739.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 004127ce-d816-4218-875c-08da4e46b7e5
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Jun 2022 20:44:46.6140 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f46cf439-27ef-4acf-a800-15072bb7ddc1
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: edwoRNiROWoTlr0fuqjqs1pKVJ5Z6/NsWzM+lfinDh37jY1AbDSzb60C3Dk2KmZsaE/KUGxCuXqAgrxQ1jMkMuZW3Yz3vhkzkLFkpfrUpY4=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN9PR11MB5417
X-Proofpoint-GUID: XnYF8HJZjXFFeYC5EAcesN3UAOKJE_kw
X-Proofpoint-ORIG-GUID: XnYF8HJZjXFFeYC5EAcesN3UAOKJE_kw
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.874,Hydra:6.0.517,FMLib:17.11.64.514 definitions=2022-06-14_09,2022-06-13_01,2022-02-23_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 lowpriorityscore=0 malwarescore=0 mlxlogscore=911 impostorscore=0 suspectscore=0 spamscore=0 priorityscore=1501 mlxscore=0 bulkscore=0 clxscore=1011 adultscore=0 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2204290000 definitions=main-2206140074
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/az8KjQZ8E9nbvLmS2z31-sDji4M>
Subject: Re: [TLS] [EXTERNAL] [lamps] Distinguished names for self certified TLS client authj
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jun 2022 20:44:57 -0000

Hi Phillip,

What clients are you trying to use this with? Browsers? This almost feels like a user-agent question: "What CA DN do you want the server to prompt for so that you put up the right certs in the popup?". Is there a CA DN that you can specify that will cause FF / Chrome to show the user all their loaded certs?

Note: back in 2018 I was fiddling around with this for a stackexchange question and found that (by default) Firefox politely waits for you to select a client cert from the popup, whereas Chrome just starts spamming client certs at the server until it accepts one. I feel like user-agent behaviour is going to affect the viability of your idea here.

https://security.stackexchange.com/a/199518/61443

---
Mike Ounsworth
Software Security Architect, Entrust

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Phillip Hallam-Baker
Sent: June 14, 2022 2:58 PM
To: SPASM <SPASM@ietf.org>; tls@ietf.org
Subject: [EXTERNAL] [lamps] Distinguished names for self certified TLS client authj

WARNING: This email originated outside of Entrust.
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.
________________________________________
[Yes, I am aware of the FIDO work and it is a completely different use case, does not apply to non web applications. TLS Client Auth is an IETF spec and thus within IETF scope.]

I have an infrastructure that makes private key management really simple for end users. They can manage private keys across devices without being aware they are doing it. This technology has obvious applications for existing public key authentication schemes including EAP, FIDO and TLS Client Auth.

When looking at TLS client auth it seems to me that it is much closer to being a viable replacement for some uses of passwords than experience leads us to believe. In particular, I have maybe 5 accounts I might use a hardware token to secure but I have several hundred Web accounts that all use the same password because when it's not my asset and I am not being paid, I don't use my brain power to remember the password.

So my basic idea here is that Alice connects all her devices to her personal Mesh and they are automatically provisioned with a device specific cert that is chained up to one of Alice's personal PKIX CAs. The CA in turn being (optionally) credentialed under Alice's personal Mesh via an extension if the goal is to establish that the 'Alice' visiting site A is the same as the Alice visiting site B. For cases where we want to prevent linkage, we develop a separate CA per site.

This is not how PKIX is intended to work of course. But the deployed infrastructure supports PKIX and so that is the framework we have to work within.


Looking at how TLS Client Auth works as deployed, a server sends a message back to a client saying 'client certificate required' and a list of distinguished names of CAs it will accept.

So what I want to know is not 'should I do this', but 'what is the string I should send when I do'. That is, this is something I am planning to do and so I am asking what approach is least likely to have unintended effects.

I see a need for two distinguished names:

A) 'Self signed CA speaking to any relying party'
B) 'Self signed CA speaking to a specific relying party'

The server is going to check the certificate chain itself on the other end of course.


And again, yes, I do fully understand the limitations of transport layer client auth. That is why I make use of my own authentication layer for Web Service transactions.

Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.

v2.23.0 | Report a Bug | By Email