[TLS] certificate_request_context

Hannes Tschofenig <hannes.tschofenig@gmx.net> Fri, 07 October 2016 07:48 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1820B129520 for <tls@ietfa.amsl.com>; Fri, 7 Oct 2016 00:48:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.291
X-Spam-Level:
X-Spam-Status: No, score=-4.291 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-2.996, SPF_PASS=-0.001, TRACKER_ID=1.306] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zt1VgXaBXMgR for <tls@ietfa.amsl.com>; Fri, 7 Oct 2016 00:48:37 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.21]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E7F1129508 for <tls@ietf.org>; Fri, 7 Oct 2016 00:48:36 -0700 (PDT)
Received: from [192.168.91.133] ([80.92.121.244]) by mail.gmx.com (mrgmx102) with ESMTPSA (Nemesis) id 0M34eJ-1azlVV1WgZ-00szgQ for <tls@ietf.org>; Fri, 07 Oct 2016 09:48:34 +0200
To: "<tls@ietf.org>" <tls@ietf.org>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
Message-ID: <3a6ce7fb-143a-2d67-6682-f221048aed49@gmx.net>
Date: Fri, 7 Oct 2016 09:48:32 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="go1n95DXRtFOAjDB9ddS5P6n1PxoNtDLk"
X-Provags-ID: V03:K0:p6aY8Gw5aP+c97KQEXA7gyxi54uWDP0zWc9nVdlr4GsetSiepaa Ta5loyGD8AXY9JVsgZJJglS3vLOQ27x9WmmeIYeSar7onA480qVahTtKs3uQnM504zoLeAp j0EWuiiUW0DheA0U7xXwNQacbeQYygcSZ0cIvNXP39r7aczcGdY6Iz+BTQt4ew6PW+mZNeT QxT3yVpUuBEXOq+2BXwMw==
X-UI-Out-Filterresults: notjunk:1;V01:K0:iqK8S9endmE=:nNUZrX8gR75JaxDFbJbhKe 0jJXsSo/KpCsdL0sYyW15YDD5Ikq6qf4E1eNDls9bIqI1VF92N+qSn8l9YO7YNfThwtdRJUiP cpScpc2OiSlszC5bbDkTyWQ/a+VIx5jL5G6eQ7LcslG1fEDYHDBWkb/jEjLAzw76It2+PsLXZ VI5U2RwJpfgQUq6ROlccR33Be4rtrUXc4WMzNPMzEoPADBisBVeYtCGv9Jkr11lg1lmJL0AjG PPxs2tjygmbi+ZjkUEqSzkrVdWSXXzop8hS8gTJf29214IpqkQ/1LZfXJgiykgPD3rQMQABnL jIQK2tuBhoFXBRYo6XUMoAx0j2jpid7UAzlULYE8ukci+pyPJKMfqpaFG5JG0Cn+PZ2cpyGAe SbzsWX/XIe2OqzG2UduW9vTK3hiW6pQ1JCTLL+bOfuzhhrHjUVDKIgMS16w9XtCx7sMr0Naxl k0ft+bKXEOJEcSyl6HzgEVL0x7eCfwdfoSr0hvE91tXN2kAdwW/kvmpFchnBsJ8IUlm082oTx EbAYQWipJ5tfzRzVcSDpaQ1dDsGVy7UV5tiAua4pyY2e6r/QCxprdEIkjJsTjAfHNnTa85qUv PY/mWiUgoJtL7vV2QjmlK+BE1kus/CLwluSjjf7lC0iwCpYDpgUBfq9yooPxPXxd5Z0nhb7iv Vta77yw0qKtIjY34IZtjN0WY2eniwWHQJvLKFuCPqYhye2+kVPV6hBqNdaVLMjb+8aFvcGjr7 RGFKpqQKd8E7gM+Wt9WwBR+m7+hUFUpTOkFYigiuf/6schr3tv05z7QKMN0=
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/LOPjun-V_53oSZe-xphDQdy-ZmY>
Subject: [TLS] certificate_request_context
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Oct 2016 07:48:39 -0000

Hi all,

I am wondering why the certificate_request_context field found in the
CertificateRequest and in the Certificate message is so long. It is
supposed to be used to match a certificate request against incoming
certificate.

Does the field really need to be up to 256 bytes long? I think 8 bytes
should be more than enough.

I would also like to suggest to change the definition of
certificate_request_context:

Here is the current text since the last sentence feels misleading:

"
certificate_request_context

An opaque string which identifies the certificate request and which will
be echoed in the client’s Certificate message. The
certificate_request_context MUST be unique within the scope of this
connection (thus preventing replay of client CertificateVerify
messages). Within the handshake, this field MUST be empty.
"

"
certificate_request_context

An opaque string which identifies the certificate request and which will
be echoed in the client’s Certificate message. The
certificate_request_context MUST be unique within the scope of this
connection (thus preventing replay of client CertificateVerify
messages). This field SHALL be zero length unless used for
post-handshake authentication described in Section 4.5.2.
"


Ciao
Hannes