Re: [TLS] TLS 1.3 certificate delegation?

mrex@sap.com (Martin Rex) Fri, 08 November 2013 05:17 UTC

In-Reply-To: <CEA13683.807E%carl@redhoundsoftware.com>
To: Carl Wallace <carl@redhoundsoftware.com>
Date: Fri, 08 Nov 2013 06:17:33 +0100
Message-Id: <20131108051733.D44D91AA6B@ld9781.wdf.sap.corp>
From: mrex@sap.com
Cc: "tls@ietf.org" <tls@ietf.org>, Andy Lutomirski <luto@amacapital.net>
Subject: Re: [TLS] TLS 1.3 certificate delegation?

Carl Wallace wrote:
> >
> >Interesting -- I'd never noticed that.
> >
> >That being said, proxy certificates are essentially useless unless all
> >clients support them.  In the absence of mandatory support or a client
> >extension indicating acceptance of proxy certificates, they won't be
> >used.
> 
> Of course, but the same goes for notional hybrid server/CA certificates
> too, no?  There is apparently some support for proxy certificates in
> Apache.  I've no idea what it's used for or how well it works though.  

The TLS implementations that have the least excuse for ignoring
what travels in the Server's Certificate TLS handshake
message are the TLS clients -- and TLS clients outnumber TLS servers
by maybe three orders of magnitude.

What Apache consciously/officially supports might be largely irrelevant
when OpenSSL is used -- because that seems to blissfully send arbitrary
data from two files (cert and chain) provided that the contents
can be ASN.1 decoded as X.509v3 containers.  So whatever the admin
manages to put in these files, Apache will send obediently and with
eyes closed. 

-Martin
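Martin's point is that an OpenSSL-backed server sends whatever parses as an X.509 container, in file order, so a mis-assembled chain file is only ever caught (or not) by the client. The script below is an added example, not Martin's code and not Apache's or OpenSSL's: a pre-deployment lint of the "cert" and "chain" files that does the structural checks the server itself skips, namely that every certificate is v3, that each certificate's issuer is the subject of the next one, and that anything sent as an intermediate actually carries basicConstraints cA=TRUE. It uses a small hand-rolled DER walker and hand-built sample certificates with dummy keys and signatures (all constructed for this example; the names are not real). It deliberately does not verify signatures; in a real deployment the same ordering and cA checks, plus signature verification, come from a proper library or `openssl verify`.

```python
import base64
import re

def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b
def tlv(tag, content):
    return bytes([tag]) + _len(len(content)) + content
def seq(*parts):
    return tlv(0x30, b"".join(parts))

def der_read(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def der_children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = der_read(content, pos)
        out.append((tag, val))
    return out

OID_CN = bytes.fromhex("550403")                   # 2.5.4.3 commonName
OID_BC = bytes.fromhex("551d13")                   # 2.5.29.19 basicConstraints
OID_SHA256RSA = bytes.fromhex("2a864886f70d01010b")

# Constructed sample certificates: structurally valid X.509 shells with a dummy key and signature.
def name(cn):
    return seq(tlv(0x31, seq(tlv(0x06, OID_CN), tlv(0x13, cn.encode()))))

def toy_cert(subject_cn, issuer_cn, ca=None, version=3):
    alg = seq(tlv(0x06, OID_SHA256RSA))
    validity = seq(tlv(0x17, b"130101000000Z"), tlv(0x17, b"140101000000Z"))
    dummy_bits = tlv(0x03, b"\x00" * 9)            # placeholder BIT STRING, not a real key or signature
    fields = [tlv(0x02, b"\x01"), alg, name(issuer_cn), validity, name(subject_cn), seq(alg, dummy_bits)]
    if version == 3:
        fields.insert(0, tlv(0xA0, tlv(0x02, b"\x02")))   # [0] EXPLICIT Version v3(2)
        if ca is not None:
            bc = seq(tlv(0x01, b"\xff")) if ca else seq()  # BasicConstraints { cA }
            ext = seq(tlv(0x06, OID_BC), tlv(0x01, b"\xff"), tlv(0x04, bc))
            fields.append(tlv(0xA3, seq(ext)))             # [3] EXPLICIT Extensions
    return seq(seq(*fields), alg, dummy_bits)

def to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"
def pem_blobs(text):
    # Every CERTIFICATE block in file order, as DER bytes: exactly what the server loads and sends.
    return [base64.b64decode(m) for m in re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)]

def parse_cert(der):
    # Pull version, issuer, subject and the basicConstraints cA flag out of one certificate.
    _, cert, _ = der_read(der)
    _, tbs, _ = der_read(cert)                     # tbsCertificate
    fields = der_children(tbs)
    version = 1
    if fields[0][0] == 0xA0:                       # [0] EXPLICIT Version present
        version = int.from_bytes(der_children(fields[0][1])[0][1], "big") + 1
        fields = fields[1:]
    issuer, subject = fields[2][1], fields[4][1]   # serial, sigAlg, issuer, validity, subject, spki, ...
    ca = None                                      # None: no basicConstraints extension at all
    for tag, val in fields[6:]:
        if tag == 0xA3:
            for _, ext in der_children(der_children(val)[0][1]):
                parts = der_children(ext)          # extnID, [critical], extnValue
                if parts[0][1] == OID_BC:
                    inner = der_children(der_children(parts[-1][1])[0][1])
                    ca = any(t == 0x01 and v == b"\xff" for t, v in inner)
    return {"version": version, "issuer": issuer, "subject": subject, "ca": ca}

def cn_of(name_content):
    for _, rdn in der_children(name_content):
        for _, atv in der_children(rdn):
            oid, val = der_children(atv)
            if oid[1] == OID_CN:
                return val[1].decode()
    return "?"

def check_files(cert_pem, chain_pem):
    # Structural lint of cert + chain files: returns problems, empty when order and flags look right.
    certs = [parse_cert(d) for d in pem_blobs(cert_pem) + pem_blobs(chain_pem)]
    problems = []
    for i, c in enumerate(certs):
        who = cn_of(c["subject"])
        if c["version"] != 3:
            problems.append(f"{who}: not an X.509v3 certificate")
        if i > 0 and c["ca"] is not True:
            problems.append(f"{who}: sent as an intermediate but basicConstraints cA is not TRUE")
        if i + 1 < len(certs) and c["issuer"] != certs[i + 1]["subject"]:
            problems.append(f"{who}: issuer does not match the subject of the next certificate")
    return problems

# Constructed inputs: a correct deployment, and one where the wrong things were pasted into the chain file.
GOOD_FILES = (to_pem(toy_cert("www.example.test", "Example Intermediate", ca=False)),
              to_pem(toy_cert("Example Intermediate", "Example Root", ca=True)))
BAD_FILES = (to_pem(toy_cert("www.example.test", "Example Intermediate", ca=False)),
             to_pem(toy_cert("mail.example.test", "Example Intermediate", ca=False))
             + to_pem(toy_cert("Example Root", "Example Root", version=1)))
```

`check_files(*GOOD_FILES)` returns an empty list; `check_files(*BAD_FILES)` reports the leaf's issuer not matching the stray server certificate that follows it, that certificate being sent as an intermediate without cA=TRUE and not chaining to the root, and the root being a v1 certificate with no basicConstraints at all. Every one of those files would still be accepted and sent verbatim by a server that only checks ASN.1 decodability, which is why the lint belongs in the deployment pipeline rather than being left to the client.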