Re: [TLS] TLS 1.3 certificate delegation?

[Andy Lutomirski <luto@amacapital.net>]

On Thu, Nov 7, 2013 at 9:17 PM, Martin Rex <mrex@sap.com> wrote:
> Carl Wallace wrote:
>> >
>> >Interesting -- I'd never noticed that.
>> >
>> >That being said, proxy certificates are essentially useless unless all
>> >clients support them.  In the absence of mandatory support or a client
>> >extension indicating acceptance of proxy certificates, they won't be
>> >used.
>>
>> Of course, but the same goes for notional hybrid server/CA certificates
>> too, no?  There is apparently some support for proxy certificates in
>> Apache.  I've no idea what it's used for or how well it works though.
>
> The TLS implementations that have the least excuse for ignoring
> what travels in the Server's Certificate TLS handshake
> message are the TLS clients -- and TLS clients outnumber TLS servers
> by maybe three orders of magnitudes.
>
> What Apache consciously/officially supports might be largely irrelevant
> when OpenSSL is used -- because that seems to blissfully send arbitrary
> data from two files (cert and chain) provided that the contents
> can be ASN.1 decoded as X.509v3 containers.  So whatever the admin
> manages to put in these files, Apache will send obediently and with
> eyes closed.

This is, I think, mostly irrelevant -- if I know that my clients
understand delegated certificates or proxy certificates or whatever,
then I'll find a way to get my server to send them.

ISTM that, as long as there's momentum behind a developing a better
TLS, it would make sense to use the same version upgrade to improve
the certificate situation.  (Proxy certificates aren't the only big
improvements possible -- a clean way to support DNSSEC-based
certificates would be great, too.)

FWIW, there's precedent for using new TLS versions to expand the set
of allowable certificates.  If I"m reading it correctly, TLS 1.2
allows ECDSA certificates that are signed with RSA; TLS 1.1 and below
will reject those.

--Andy