Re: [TLS] Proposed Change to Certificate message (#654)

Nick Sullivan <nicholas.sullivan@gmail.com> Fri, 07 October 2016 00:55 UTC

Return-Path: <nicholas.sullivan@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 394F41294E2 for <tls@ietfa.amsl.com>; Thu, 6 Oct 2016 17:55:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 37XwFlEW1unr for <tls@ietfa.amsl.com>; Thu, 6 Oct 2016 17:55:40 -0700 (PDT)
Received: from mail-it0-x22d.google.com (mail-it0-x22d.google.com [IPv6:2607:f8b0:4001:c0b::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5438212947F for <TLS@ietf.org>; Thu, 6 Oct 2016 17:55:39 -0700 (PDT)
Received: by mail-it0-x22d.google.com with SMTP id l13so2657852itl.1 for <TLS@ietf.org>; Thu, 06 Oct 2016 17:55:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=S6YLLjNv+aOLEboEEOXgKw+5jrVFRF13dNLfL6iPgZ0=; b=aEw9+Y/FCP5GuT/TjBfoRQHHq/WdiMMOQQcgeMAJvDDTQHVJxrlVMMBrOgxSEu9uFN p09pYAOFw3dcD7IvIWrE16GzNV8Kitfyzm37IuuAJ1HiSm8/j4tRY6aPajaHvCG3zH9S O8Vu1X7NfmAWTGcPhbESOfwS7AlK0If08hrAPj+f7zxjxU4kkY+aNoWGP+xiJ18jbtxu HikKnYkluCiUH/8PoSChbfNcEN03WKpTSjVFUMGflkiA+TNvMHksHIt4EmGPS6WwtVn2 h29OWjVacDhpW3B/Zi7o5YOcMHLTSYGPc8V8SksCJ3WteLQPRz+kNWMG3LzXGl1D3kMj /6Sg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=S6YLLjNv+aOLEboEEOXgKw+5jrVFRF13dNLfL6iPgZ0=; b=ABbXbhgdbQQ4NxwovlvW4xNmNRzFiqzjKWjtfpATAnksbWq5sBtaSxvJdUbDCSIyJA 9sNc2D0ea8Q4kBL8ozcywNHfRxjL4SMQIXEGubOnPjZOGA1DhB2+H+munssxmRAu2apP P7yPBiKfQfnhwuwhl0dOOMcavQMu8R1XmEV4FE+XmjAOD9WeCJHRybmhZOr/gQVAqmJE JEhBQR/KBl0RGc3odG35/zJLVus6CXVD3MOuY7wHNi0t6S57wti2q8qGdPBUkfrNudL5 wH6vZ8ZRR6RVHlGozai3MAfKF9m9FxcqZSEnvTZKqVjX77bfcBOORR2VbYy2xt3V/bU0 45vw==
X-Gm-Message-State: AA6/9RmhZL6rSsEsRdV4JtlPsskuQfWKACiTDmd6ZWGI9k8lUVmPJh8eG0ASqadLwuncTcqyiVrdhZdOYCdVBg==
X-Received: by 10.36.253.200 with SMTP id m191mr15489930ith.35.1475801739138; Thu, 06 Oct 2016 17:55:39 -0700 (PDT)
MIME-Version: 1.0
References: <CAOjisRyDx0Wa5tcFT3gN496jhf-AjLfDH4JNN+w70r8jBsxt5g@mail.gmail.com> <F157C00C-921E-48AB-BAB7-C8CA882D1A05@sn3rd.com> <20161005194028.GA26154@LK-Perkele-V2.elisa-laajakaista.fi> <CABkgnnXsytcfEatQVaz=Yi_E=HvTJT9b-aPafvD5BSUeboCp4g@mail.gmail.com> <20161006064220.GA30076@LK-Perkele-V2.elisa-laajakaista.fi> <CABkgnnVGLOJkSa49favLe7gAJTfYGWYF5_ZHVUpnpcFnsoxaow@mail.gmail.com>
In-Reply-To: <CABkgnnVGLOJkSa49favLe7gAJTfYGWYF5_ZHVUpnpcFnsoxaow@mail.gmail.com>
From: Nick Sullivan <nicholas.sullivan@gmail.com>
Date: Fri, 07 Oct 2016 00:55:28 +0000
Message-ID: <CAOjisRyPBfqhLPBK+qS2Os8DsHHqrqrpifuJxiEJBrq4FiK_bQ@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>, Ilari Liusvaara <ilariliusvaara@welho.com>
Content-Type: multipart/alternative; boundary=94eb2c0361e26c32ce053e3bde98
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/TQj73eIbJ6XVk1mi9DYJu3BF-vk>
Cc: "tls@ietf.org" <TLS@ietf.org>
Subject: Re: [TLS] Proposed Change to Certificate message (#654)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Oct 2016 00:55:42 -0000

This seems resolved.

I'll update the text to reflect that per-chain extensions should be
included as extensions of the end-entity certificate. For RFC 7250
client/server_certificate_type values (such as X.509) that apply to the
entire chain should be extensions of the EE cert.

The client_certificate_type extension sent from the server in RFC 7250 can
go in either the encrypted extensions or the proposed CertificateRequest
extension field, but that has no bearing on this proposal.



On Thu, Oct 6, 2016 at 2:26 AM Martin Thomson <martin.thomson@gmail.com>
wrote:

> On 6 October 2016 at 17:42, Ilari Liusvaara <ilariliusvaara@welho.com>
> wrote:
> > Perhaps also put server_certificate_type/client_certificate_type
> > there? That would eliminate the anomaly that one must know the
> > server certificate type before sending the certiifcate.
>
>
> Sounds like a perfect use for the CertificateRequest extension field,
> for the client certificate anyway.
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>