Re: [TLS] Authenticating the client-facing server with an IP-based certificate

Martin Thomson <mt@lowentropy.net> Wed, 21 April 2021 02:10 UTC

Message-Id: <23392d3a-f34c-48f0-b9bf-0c0ca2539789@www.fastmail.com>
In-Reply-To: <53B5686F-0A64-426B-8EC4-6A996F169EAC@icloud.com>
References: <38f4c969-90d8-478e-9c3d-0bdf538dabed@www.fastmail.com> <37c84b96-324b-46a6-a3c0-57eb275f439b@www.fastmail.com> <674A5578-85C8-4134-B9AA-E9D287131701@icloud.com> <4837796a-4528-4df4-aa8b-383ff3229cb6@www.fastmail.com> <53B5686F-0A64-426B-8EC4-6A996F169EAC@icloud.com>
Date: Wed, 21 Apr 2021 12:10:10 +1000
From: Martin Thomson <mt@lowentropy.net>
To: Carrick Bartle <cbartle891@icloud.com>
Cc: tls@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/HB_qqVwUo48algV-IwK3_MUo_OA>
Subject: Re: [TLS] Authenticating the client-facing server with an IP-based certificate

On Wed, Apr 21, 2021, at 11:48, Carrick Bartle wrote:
> > I'm not sure what you are implying might be impossible.  Are you suggesting that it might be impossible to get a name for which you could get a certificate?
> 
> No. I'm implying that if we don't allow clients to authenticate 
> client-facing servers with an IP-based certificate, ECH won't be 
> possible in cases where the client-facing server doesn't have a name.

That in turn implies that getting an IP-based certificate might be easier than a DV certificate (and the associated name).  I'd need more supporting evidence to believe that.  Under what conditions could that be true?
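For readers following the thread, the check that decides whether a client can "authenticate the client-facing server with an IP-based certificate" is the reference-identity match on the certificate's subjectAltName. The example below is added here and is not code from the list, from any ECH implementation, or from Python's ssl module (whose matching is done by OpenSSL); it applies the RFC 6125 / RFC 9525 rule in plain stdlib Python: an IP literal matches only iPAddress entries, a hostname matches only dNSName entries, and the subject CN is ignored. The SAN tuples are constructed test data in the shape `ssl.SSLSocket.getpeercert()['subjectAltName']` returns.

```python
"""Reference-identity matching for a TLS server certificate, including the
IP-literal case.  Added example; the SAN lists are constructed test data in
the shape returned by ssl.SSLSocket.getpeercert()['subjectAltName']."""
import ipaddress


def _dns_match(pattern: str, hostname: str) -> bool:
    """dNSName match: case-insensitive, trailing dot ignored, at most one
    wildcard and only as the whole leftmost label, matching exactly one
    label, and never so broad that it covers a whole TLD ("*.com")."""
    pattern = pattern.lower().rstrip('.')
    hostname = hostname.lower().rstrip('.')
    if '*' not in pattern:
        return pattern == hostname
    p_labels = pattern.split('.')
    h_labels = hostname.split('.')
    if p_labels[0] != '*' or len(p_labels) < 3 or any('*' in l for l in p_labels[1:]):
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def _ip_match(san_ip: str, reference_ip: str) -> bool:
    """iPAddress match: compare the parsed addresses, not their strings, so
    '2001:DB8::1' equals '2001:db8:0:0:0:0:0:1'."""
    try:
        return ipaddress.ip_address(san_ip) == ipaddress.ip_address(reference_ip)
    except ValueError:
        return False


def reference_identity_matches(subject_alt_name, reference: str) -> bool:
    """Return True if `reference` (the hostname or IP literal the client
    intended to reach) is authenticated by the certificate's SAN entries.

    An IP literal is matched only against 'IP Address' (iPAddress) entries,
    never against a dNSName that happens to spell the same digits; a
    hostname is matched only against 'DNS' entries.  The subject CN is not
    consulted at all, per RFC 9525."""
    ref = reference.strip('[]')          # accept "[2001:db8::1]" URL form
    try:
        ipaddress.ip_address(ref)
        is_ip = True
    except ValueError:
        is_ip = False
    for kind, value in subject_alt_name:
        if is_ip and kind == 'IP Address' and _ip_match(value, ref):
            return True
        if not is_ip and kind == 'DNS' and _dns_match(value, ref):
            return True
    return False


# Constructed sample SAN lists (not real certificates).
IP_CERT_SAN = (('IP Address', '192.0.2.10'), ('IP Address', '2001:DB8::1'))
NAME_CERT_SAN = (('DNS', 'public.example'), ('DNS', '*.public.example'))
# A certificate that carries the IP as a dNSName string: must NOT authenticate
# a client that connected to the IP literal.
BOGUS_SAN = (('DNS', '192.0.2.10'),)


if __name__ == '__main__':
    for san, ref in [(IP_CERT_SAN, '192.0.2.10'),
                     (IP_CERT_SAN, '[2001:db8:0:0:0:0:0:1]'),
                     (IP_CERT_SAN, 'public.example'),
                     (NAME_CERT_SAN, 'www.public.example'),
                     (NAME_CERT_SAN, 'a.b.public.example'),
                     (NAME_CERT_SAN, '192.0.2.10'),
                     (BOGUS_SAN, '192.0.2.10')]:
        print(f'{ref!r:28} -> {reference_identity_matches(san, ref)}')
```

The practical consequence for the thread's question: a client that only has an IP literal for the client-facing server can authenticate it only if the certificate carries an iPAddress SAN for that exact address; a DV certificate for a name, however easily obtained, does nothing for that client unless it also has a name to check.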