Re: [TLS] [EXTERNAL] Re: Servers sending CA names

"Soni L." <fakedme+tls@gmail.com> Wed, 19 April 2023 00:06 UTC

From: "Soni L." <fakedme+tls@gmail.com>
To: tls@ietf.org
Date: Tue, 18 Apr 2023 21:06:40 -0300
Message-ID: <91f409fb-79d9-ce73-9700-9d19b9ae0ab9@gmail.com>
In-Reply-To: <SY4PR01MB6251B265C49D63CC0EECBC22EE9D9@SY4PR01MB6251.ausprd01.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/gyf7CZIBOo2ajx2MOdBP9PMGPnk>

So like a "client" cert is just a way to say "yes I'm really 
example.org" yeah?

That seems particularly useful for federated networks (XMPP, etc). Why 
not call these server-to-server certs?

On 4/18/23 20:45, Peter Gutmann wrote:
> Richard Barnes <rlb@ipv.sx> writes:
>
> >Let's Encrypt issues roughly 3 million publicly trusted certificates per day
> >that contain the client authentication EKU
>
> But they just set that by default for every cert they issue so it's pretty
> much meaningless.  There are public CAs that set keyAgreement for RSA certs,
> and emailProtection for TLS server certs, doesn't mean any of them ever get
> used for that.
>
> (My more snarky response would have been that I should have asked that the
> IETF define a peaceOnEarth EKU so Let's Encrypt could set that as well :-).
>
> Peter.
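The point of disagreement in this exchange (whether a certificate that merely carries the clientAuth EKU is in any real sense a client certificate) comes down to what a relying party does with the extension at validation time, and that is easy to show mechanically. The Go program below is an added example, not code from the thread, from Let's Encrypt, or from any IETF document. It builds a constructed in-memory root CA and two leaf certificates for the hypothetical name example.org, one with serverAuth only and one with serverAuth plus the clientAuth EKU the thread discusses, then asks Go's crypto/x509 path validator which purposes each chain is accepted for. All keys, names and serial numbers are generated locally for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// testPKI is a constructed in-memory PKI: one throwaway root plus two leaves
// for the hypothetical name example.org that differ only in their EKU extension.
type testPKI struct {
	roots      *x509.CertPool
	serverOnly *x509.Certificate // EKU: serverAuth
	dualUse    *x509.Certificate // EKU: serverAuth + clientAuth
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// buildPKI generates fresh keys and issues the certificates in memory;
// nothing here is a real CA or a real publicly trusted certificate.
func buildPKI() *testPKI {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test Root"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	check(err)
	caCert, err := x509.ParseCertificate(caDER)
	check(err)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)

	// issue signs a leaf for example.org carrying exactly the given EKU set.
	issue := func(serial int64, ekus []x509.ExtKeyUsage) *x509.Certificate {
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		check(err)
		der, err := x509.CreateCertificate(rand.Reader, &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: "example.org"},
			DNSNames:     []string{"example.org"},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(24 * time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature,
			ExtKeyUsage:  ekus,
		}, caCert, &key.PublicKey, caKey)
		check(err)
		leaf, err := x509.ParseCertificate(der)
		check(err)
		return leaf
	}
	return &testPKI{
		roots:      roots,
		serverOnly: issue(2, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}),
		dualUse:    issue(3, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}),
	}
}

// ekuPermits reads only the leaf's own EKU extension. Under RFC 5280 4.2.1.12 an
// absent extension means unrestricted, and anyExtendedKeyUsage matches every purpose.
func ekuPermits(cert *x509.Certificate, want x509.ExtKeyUsage) bool {
	if len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0 {
		return true
	}
	for _, u := range cert.ExtKeyUsage {
		if u == want || u == x509.ExtKeyUsageAny {
			return true
		}
	}
	return false
}

// chainPermits asks Go's path validator the same question for the whole chain,
// which is what a TLS peer actually does when it authenticates the other side.
func chainPermits(pki *testPKI, leaf *x509.Certificate, want x509.ExtKeyUsage) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pki.roots, KeyUsages: []x509.ExtKeyUsage{want}})
	return err == nil
}

func main() {
	pki := buildPKI()
	for name, c := range map[string]*x509.Certificate{"serverAuth only": pki.serverOnly, "serverAuth+clientAuth": pki.dualUse} {
		fmt.Printf("%-22s usable as TLS server: %v  usable as TLS client: %v\n", name,
			chainPermits(pki, c, x509.ExtKeyUsageServerAuth), chainPermits(pki, c, x509.ExtKeyUsageClientAuth))
	}
}
```

Running it shows the serverAuth-only leaf rejected when validated for client authentication and the dual-EKU leaf accepted for both roles. That is all the extension does: it records which purposes the issuing CA was willing to permit, not whether the key is ever presented as a client certificate, which is the point made in the quoted reply. Note also that the validator checks EKU on every certificate in the chain, so an intermediate issued without clientAuth would block client use even when the leaf carries it.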