Re: [TLS] Client certificate authentication and draft-ietf-tls-oob-pubkey

Paul Wouters <paul@nohats.ca> Tue, 10 April 2012 16:09 UTC

Date: Tue, 10 Apr 2012 12:09:29 -0400
From: Paul Wouters <paul@nohats.ca>
To: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <BB11250E-D827-490A-9C9D-C83028844EF6@vpnc.org>
Message-ID: <alpine.LFD.2.02.1204101202270.11272@bofh.nohats.ca>
References: <173124B6-9480-443E-9FA6-98BBB1A01F5F@vpnc.org> <alpine.LFD.2.02.1204051126330.4059@bofh.nohats.ca> <F53123FA-2A9C-434D-92CF-0B938B072984@vpnc.org> <alpine.LFD.2.02.1204100955050.5054@bofh.nohats.ca> <BB11250E-D827-490A-9C9D-C83028844EF6@vpnc.org>
User-Agent: Alpine 2.02 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Cc: tls@ietf.org
Subject: Re: [TLS] Client certificate authentication and draft-ietf-tls-oob-pubkey
Precedence: list

On Tue, 10 Apr 2012, Paul Hoffman wrote:

>> When the TLS client contacts the server, it has some idea of who it is
>> contacting for the out of band authentication of the received raw public
>> key. The server has no such idea when it is contact out of the wild, and
>> if it just receives a SPKI without any identifier, then it cannot really
>> know what to do.
>
> Sure it can. The same way that the client would have an internal list of DNS-to-SPKI associations, the server could have an internal list of ID-to-SPKI associations.

True. It wouldn't be the best system, but you are right.

>> This is why I suggested the TLS extension equivalent for SNI for the
>> client.
>
> Where is this suggested?

Oops. I checked draft-wouters-tls-oob-pubkey-00 and it was already
removed there after discussion with EKR in Quebec City.


> True, but the current draft needs to say how it implements the RFC 6091 semantics. Leaving it silent will lead to misunderstanding.
>
>> But as there is no way currently for the TLS client to convey its own
>> cert_type is different than then cert_type it requested of the server, I
>> guess we should stick with using the same cert_type symantics as in 6091.
>
> Why, yes, you should. :-)
>
>> That would mean that without a new TLS extension, that TLS servers sending
>> a certificate_request in response to receiveing a cert_type="RawPublicKey"
>> is likely to end in a failed TLS connection, because the server cannot
>> authenticate the client based on the received certificate of type RawPublicKey.
>
> As above, I don't see why that is the case. A server can get client names and SPKIs out of band just as a client can.

Yes, it can, but not "as a client can", because the client knows which
identity it is going to contact, while the server does not know which
identity it is contacted by.

> Please add clarifying text regardless, and then we can discuss if we agree with it.

Will do.

Paul

[TLS] Client certificate authentication and draft… Paul Hoffman
Re: [TLS] Client certificate authentication and d… Paul Wouters
Re: [TLS] Client certificate authentication and d… Paul Hoffman
Re: [TLS] Client certificate authentication and d… Paul Wouters
Re: [TLS] Client certificate authentication and d… Paul Hoffman
Re: [TLS] Client certificate authentication and d… Paul Wouters
Re: [TLS] Client certificate authentication and d… Paul Hoffman
Re: [TLS] Client certificate authentication and d… Daniel Kahn Gillmor
Re: [TLS] Client certificate authentication and d… Paul Wouters
Re: [TLS] Client certificate authentication and d… Paul Wouters
Re: [TLS] Client certificate authentication and d… Daniel Kahn Gillmor
Re: [TLS] Client certificate authentication and d… Bill Frantz
Re: [TLS] Client certificate authentication and d… Eric Rescorla
Re: [TLS] Client certificate authentication and Martin Rex
Re: [TLS] Client certificate authentication and d… Jim Schaad
Re: [TLS] Client certificate authentication and d… Paul Wouters
Re: [TLS] Client certificate authentication and d… Jim Schaad
Re: [TLS] Client certificate authentication and Martin Rex
Re: [TLS] Client certificate authentication and d… Joe Salowey