Re: [TLS] [EXTERNAL] Re: Servers sending CA names

Rushil Mehra <rmehra@cloudflare.com> Wed, 19 April 2023 01:05 UTC

Return-Path: <rmehra@cloudflare.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D7CAC151B29 for <tls@ietfa.amsl.com>; Tue, 18 Apr 2023 18:05:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yj0pA3jRQbhw for <tls@ietfa.amsl.com>; Tue, 18 Apr 2023 18:05:18 -0700 (PDT)
Received: from mail-lf1-x131.google.com (mail-lf1-x131.google.com [IPv6:2a00:1450:4864:20::131]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7BD23C151B23 for <tls@ietf.org>; Tue, 18 Apr 2023 18:05:18 -0700 (PDT)
Received: by mail-lf1-x131.google.com with SMTP id 2adb3069b0e04-4ec8eca56cfso2566863e87.0 for <tls@ietf.org>; Tue, 18 Apr 2023 18:05:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; t=1681866316; x=1684458316; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=KESJgUAIiTtkPqordf4aV4KXq44Kr+J5wGgPrg5MF44=; b=fP+QGRNfVOVg7wydBytzXTXo6AYLjAwDb06ArmV281WS9YlkffgjTv1te5Dg/JcL31 Q293645X6MzPUc/6yAFAhNEquv3xk2pSm4CAWJamlEQDPfgl6XfsJ+yZKEnJhnWJOXU8 ALthj3ZxcGrVvCVNPj09retXO0qaO0bBCQY+E=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1681866316; x=1684458316; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=KESJgUAIiTtkPqordf4aV4KXq44Kr+J5wGgPrg5MF44=; b=hoN7VK6qM44fbyTJ9WNYurB8axJgtg9AL9NpBDVAFpj7lJiTpxL23vBFM4IhmFSzrK vDff/ZSLL1tMDlDhSrXpTTohORSufEu75UM+Ghp+iIeQF6aZ/FrGDcLPn8t2VCJGpjG8 C1JQjScaji3HUIc4Yotz3l4tvgAyKLiKONxVDIWcoVNjkECAsH5fNjAkHf6q1CLOUkTV znx0skLWG4M8WZR6tNqgbxrg+v438opYy6mooF0dx64gtap055BEqUErrKDb7ZJKWuoR V0nKPLIr7Xwj1DEghXtqT1003hY6cDIx/I0PXCg13jktUQ7OnclN/FQ8cWS3qn9dvNWU ORVA==
X-Gm-Message-State: AAQBX9c1sOSwYlkjX/HAvy3dTKUhDdVOIZVlXNDoodjVHr16rKF0YH+l f6Rrc3qaPYREnjhuEk6qV6fOST5qIsU7l48CY3en6w==
X-Google-Smtp-Source: AKy350ZotqI6ZiD8IaAKNr1lWcWsGPslBzIZfJFaacUo8YrznwQ8gN92iH7ArGApFU/wFT6i0NwXt53H4ujPoVF9h+I=
X-Received: by 2002:a05:6512:3904:b0:4ec:a12a:4967 with SMTP id a4-20020a056512390400b004eca12a4967mr3749108lfu.54.1681866316013; Tue, 18 Apr 2023 18:05:16 -0700 (PDT)
MIME-Version: 1.0
References: <51B56747-0347-43AB-93A7-C3FDF49902D2@akamai.com> <ZDcbv4g5-tjN-Mu-@straasha.imrryr.org> <CAF8qwaBaOq1_Ow_vtB=DGjjDkAx+N+CPMpfn1huP=DRsCiFtaA@mail.gmail.com> <BY5PR00MB06757280F69B9C6D55AD2B048C9BA@BY5PR00MB0675.namprd00.prod.outlook.com> <accacacd-2bd6-4c89-8221-0c32b1a25ae3@betaapp.fastmail.com> <e5970ece-973b-e758-03b5-0e6ea2dc0b1b@redhat.com> <CAL02cgT0OyTP3F7qxTZvOXVv=X+=CywbYpYoE95MijPy5yshXQ@mail.gmail.com> <SY4PR01MB6251B265C49D63CC0EECBC22EE9D9@SY4PR01MB6251.ausprd01.prod.outlook.com> <91f409fb-79d9-ce73-9700-9d19b9ae0ab9@gmail.com>
In-Reply-To: <91f409fb-79d9-ce73-9700-9d19b9ae0ab9@gmail.com>
From: Rushil Mehra <rmehra@cloudflare.com>
Date: Tue, 18 Apr 2023 18:05:04 -0700
Message-ID: <CAFHNucvEQBQnFA+sYcuvqBWPOZqD-fr=Dv+WCtiMbG+wREXGDg@mail.gmail.com>
To: "Soni L." <fakedme+tls@gmail.com>
Cc: tls@ietf.org
Content-Type: multipart/alternative; boundary="000000000000541d2905f9a60460"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/RQTGUQ0xsCUZbdm6Jt-9AWoOfUg>
Subject: Re: [TLS] [EXTERNAL] Re: Servers sending CA names
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Apr 2023 01:06:36 -0000

Not necessarily. One could use client certificates to ensure that only
authorized clients (e.g. a laptop with the client certificate in its key
store) can access some resource.

On Tue, Apr 18, 2023 at 5:07 PM Soni L. <fakedme+tls@gmail.com> wrote:

> So like a "client" cert is just a way to say "yes I'm really
> example.org" yeah?
>
> That seems particularly useful for federated networks (XMPP, etc). Why
> not call these server-to-server certs?
>
> On 4/18/23 20:45, Peter Gutmann wrote:
> > Richard Barnes <rlb@ipv.sx> writes:
> >
> > >Let's Encrypt issues roughly 3 million publicly trusted certificates
> per day
> > >that contain the client authentication EKU
> >
> > But they just set that by default for every cert they issue so it's
> pretty
> > much meaningless.  There are public CAs that set keyAgreement for RSA
> certs,
> > and emailProtection for TLS server certs, doesn't mean any of them ever
> get
> > used for that.
> >
> > (My more snarky response would have been that I should have asked that
> the
> > IETF define a peaceOnEarth EKU so Let's Encrypt could set that as well
> :-).
> >
> > Peter.
> >
> > _______________________________________________
> > TLS mailing list
> > TLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/tls
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>