Re: [TLS] HTTPS client-certificate-authentication in browsers
Wan-Teh Chang <wtc@google.com> Fri, 29 July 2011 21:17 UTC
In-Reply-To: <4E2D71DB.6020604@telia.com>
References: <4E2D5C63.3000408@telia.com> <FCFA8791-E16A-45F4-B23D-B6A4A4F88AF9@bblfish.net> <4E2D688E.5030509@telia.com> <E2962F5B-AD7C-4AF7-9548-9686CE14FF38@bblfish.net> <4E2D71DB.6020604@telia.com>
Date: Fri, 29 Jul 2011 14:17:37 -0700
Message-ID: <CALTJjxERk5=9G3=8DvKWeobTu+0aoaqnkwTQPuAa77JVubaO_g@mail.gmail.com>
From: Wan-Teh Chang <wtc@google.com>
To: Anders Rundgren <anders.rundgren@telia.com>
Cc: tls@ietf.org
On Mon, Jul 25, 2011 at 6:38 AM, Anders Rundgren <anders.rundgren@telia.com> wrote:
>
> On my wife's firefox the bank have deployed two certs and
> both of them show up when she is going to login. If she
> takes the one marked "non-repudiation" you get a security
> error that only experts understand.

Anders,

Could you email me those two certs, or tell me their key types (RSA, DSA, or elliptic curve) and the "key usage" and "extended key usage" extensions? I will take a look at the Firefox code that filters client certificates for SSL client authentication.

I think the filtering algorithm should be:

1. If the key usage extension exists, it must contain the digitalSignature bit (for the TLS rsa_sign, dsa_sign, and ecdsa_sign client certificate types).

2. If the extended key usage extension exists, it must contain the id-kp-clientAuth (TLS WWW client authentication) purpose.

Note: this implies if neither the key usage nor the extended key usage extension exists, the certificate may be used for SSL client authentication.

Do you agree?

Thanks,
Wan-Teh Chang
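The two-rule filter proposed in the message above, written out as an added Python example (not Firefox/NSS code and not part of the original thread). It decodes the DER value of the KeyUsage BIT STRING and the ExtendedKeyUsage SEQUENCE OF OID by hand so it runs with no third-party library, then applies the rules exactly as stated: an absent extension imposes no restriction, a present KeyUsage must carry digitalSignature, a present ExtendedKeyUsage must carry id-kp-clientAuth. The sample certificates, their labels, and the `ClientCert` holder type are constructed for the example; the bit positions and OIDs are the RFC 5280 values.

```python
"""Filter candidate client certificates for TLS client authentication.

Rule (from Wan-Teh Chang's proposal on the TLS list):
  1. If KeyUsage is present, it must include digitalSignature.
  2. If ExtendedKeyUsage is present, it must include id-kp-clientAuth.
  Absence of an extension does not disqualify the certificate.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# KeyUsage bit positions, RFC 5280 section 4.2.1.3 (bit 0 is the MSB of the BIT STRING).
KU_DIGITAL_SIGNATURE = 0
KU_NON_REPUDIATION = 1      # renamed contentCommitment in RFC 5280
KU_KEY_ENCIPHERMENT = 2

# ExtendedKeyUsage purposes, RFC 5280 section 4.2.1.12.
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"


def _read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_key_usage(der: bytes) -> Set[int]:
    """Decode a KeyUsage extnValue (DER BIT STRING) into the set of asserted bit indices."""
    tag, body, _ = _read_tlv(der)
    if tag != 0x03:
        raise ValueError("KeyUsage must be a BIT STRING")
    unused = body[0]                        # first octet: number of unused trailing bits
    nbits = (len(body) - 1) * 8 - unused
    return {i for i in range(nbits) if body[1 + i // 8] & (0x80 >> (i % 8))}


def _decode_oid(body: bytes) -> str:
    """Decode DER OBJECT IDENTIFIER contents into dotted form."""
    arcs = [body[0] // 40, body[0] % 40]    # first octet packs the first two arcs
    value = 0
    for b in body[1:]:                      # remaining arcs are base-128, high bit = continue
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_extended_key_usage(der: bytes) -> List[str]:
    """Decode an ExtendedKeyUsage extnValue (DER SEQUENCE OF OID) into dotted OIDs."""
    tag, body, _ = _read_tlv(der)
    if tag != 0x30:
        raise ValueError("ExtendedKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        if t != 0x06:
            raise ValueError("ExtendedKeyUsage members must be OBJECT IDENTIFIERs")
        oids.append(_decode_oid(v))
    return oids


@dataclass
class ClientCert:
    """Hypothetical holder for the two extension values of one candidate certificate."""
    label: str
    key_usage_der: Optional[bytes]          # None when the extension is absent
    eku_der: Optional[bytes]                # None when the extension is absent


def usable_for_tls_client_auth(cert: ClientCert) -> bool:
    """Apply the two rules; an absent extension is not a disqualifier."""
    if cert.key_usage_der is not None:
        if KU_DIGITAL_SIGNATURE not in parse_key_usage(cert.key_usage_der):
            return False
    if cert.eku_der is not None:
        if ID_KP_CLIENT_AUTH not in parse_extended_key_usage(cert.eku_der):
            return False
    return True


def select_candidates(certs: List[ClientCert]) -> List[str]:
    """Labels of the certificates the browser should offer in its chooser."""
    return [c.label for c in certs if usable_for_tls_client_auth(c)]


# Constructed DER extension values (not taken from any real certificate).
KU_LOGIN = bytes.fromhex("030205a0")       # digitalSignature + keyEncipherment
KU_NONREP = bytes.fromhex("03020640")      # nonRepudiation only
EKU_CLIENT = bytes.fromhex("300a06082b06010505070302")
EKU_SERVER_ONLY = bytes.fromhex("300a06082b06010505070301")
EKU_BOTH = bytes.fromhex("301406082b0601050507030106082b06010505070302")

SAMPLE_CERTS = [
    ClientCert("login cert: KU digitalSignature, EKU clientAuth", KU_LOGIN, EKU_CLIENT),
    ClientCert("signing cert: KU nonRepudiation only, EKU clientAuth", KU_NONREP, EKU_CLIENT),
    ClientCert("legacy cert: no KU, no EKU", None, None),
    ClientCert("server cert: KU digitalSignature, EKU serverAuth only", KU_LOGIN, EKU_SERVER_ONLY),
]

if __name__ == "__main__":
    for c in SAMPLE_CERTS:
        print(f"{'offer' if usable_for_tls_client_auth(c) else 'hide '}  {c.label}")
```

With the sample set, the "non-repudiation" certificate from the quoted report is hidden by rule 1 (no digitalSignature bit), the server-only certificate by rule 2, and the extension-less legacy certificate is still offered, which is the consequence the note in the message calls out.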