Re: [TLS] TLS 1.3 certificate delegation?
Andy Lutomirski <luto@amacapital.net> Fri, 08 November 2013 06:04 UTC
Return-Path: <luto@amacapital.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8DCB321E816C for <tls@ietfa.amsl.com>; Thu, 7 Nov 2013 22:04:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.883
X-Spam-Level:
X-Spam-Status: No, score=-2.883 tagged_above=-999 required=5 tests=[AWL=0.094, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iS0G4wfZKnQ1 for <tls@ietfa.amsl.com>; Thu, 7 Nov 2013 22:04:50 -0800 (PST)
Received: from mail-vb0-f53.google.com (mail-vb0-f53.google.com [209.85.212.53]) by ietfa.amsl.com (Postfix) with ESMTP id 5567A21E8095 for <tls@ietf.org>; Thu, 7 Nov 2013 22:04:50 -0800 (PST)
Received: by mail-vb0-f53.google.com with SMTP id i11so1074392vbh.26 for <tls@ietf.org>; Thu, 07 Nov 2013 22:04:49 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=U6okDCmhvqdr+yZFXsu5fUiIo5lccIuJclp9drgoxys=; b=JhDAeeCLDBgHg+rJQ1u2aOzMJ2Szy+H0MJQQj263eca8BSpuDCmmpAu0P9IqOZVKHm CXTlEC9P0UIEqLiS3ov8BBhoZDl96H+OAZ8GGQCc+Ccg+A5EOZhLnySzuZryKVLV3HAP HfD2HZmUR7cs1SO2cxcEwLZ0ij1yRfQ76NkfAl0bJ8Q8w9MGnWlQRefEGlZWtYg7018C MQYaZAsOB3GeS4ikdusVv2gtpS0u1I3Ds8TO2nKcekvZakwGwIGCfaoGzx9LBdQAqt2x gz8oRmO4nAxYXaKJtckbPKWe3yC/Z0byitIO2P/fHNqSbeOEnIPaGyqZtFTAGEGlH9qk 9TLQ==
X-Gm-Message-State: ALoCoQk4UQmpNn3KmrL3Z28vJWYp2pCEWri4zG8FAzqtm36H98nBkwerhlm0mR9QwoYX696qPPcT
X-Received: by 10.52.28.243 with SMTP id e19mr202230vdh.36.1383890689612; Thu, 07 Nov 2013 22:04:49 -0800 (PST)
MIME-Version: 1.0
Received: by 10.58.8.18 with HTTP; Thu, 7 Nov 2013 22:04:29 -0800 (PST)
In-Reply-To: <20131108051733.D44D91AA6B@ld9781.wdf.sap.corp>
References: <CEA13683.807E%carl@redhoundsoftware.com> <20131108051733.D44D91AA6B@ld9781.wdf.sap.corp>
From: Andy Lutomirski <luto@amacapital.net>
Date: Thu, 07 Nov 2013 22:04:29 -0800
Message-ID: <CALCETrVff+YE8xhDF21LAMQ15xjEoFwnkkRh=DMGhPmQmYOs4g@mail.gmail.com>
To: mrex@sap.com
Content-Type: text/plain; charset="ISO-8859-1"
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS 1.3 certificate delegation?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Nov 2013 06:04:55 -0000
On Thu, Nov 7, 2013 at 9:17 PM, Martin Rex <mrex@sap.com> wrote: > Carl Wallace wrote: >> > >> >Interesting -- I'd never noticed that. >> > >> >That being said, proxy certificates are essentially useless unless all >> >clients support them. In the absence of mandatory support or a client >> >extension indicating acceptance of proxy certificates, they won't be >> >used. >> >> Of course, but the same goes for notional hybrid server/CA certificates >> too, no? There is apparently some support for proxy certificates in >> Apache. I've no idea what it's used for or how well it works though. > > The TLS implementations that have the least excuse for ignoring > what travels in the Server's Certificate TLS handshake > message are the TLS clients -- and TLS clients outnumber TLS servers > by maybe three orders of magnitudes. > > What Apache consciously/officially supports might be largely irrelevant > when OpenSSL is used -- because that seems to blissfully send arbitrary > data from two files (cert and chain) provided that the contents > can be ASN.1 decoded as X.509v3 containers. So whatever the admin > manages to put in these files, Apache will send obediently and with > eyes closed. This is, I think, mostly irrelevant -- if I know that my clients understand delegated certificates or proxy certificates or whatever, then I'll find a way to get my server to send them. ISTM that, as long as there's momentum behind a developing a better TLS, it would make sense to use the same version upgrade to improve the certificate situation. (Proxy certificates aren't the only big improvements possible -- a clean way to support DNSSEC-based certificates would be great, too.) FWIW, there's precedent for using new TLS versions to expand the set of allowable certificates. If I"m reading it correctly, TLS 1.2 allows ECDSA certificates that are signed with RSA; TLS 1.1 and below will reject those. --Andy
- Re: [TLS] TLS 1.3 certificate delegation? Martin Rex
- Re: [TLS] TLS 1.3 certificate delegation? Martin Rex
- Re: [TLS] TLS 1.3 certificate delegation? Andy Lutomirski
- Re: [TLS] TLS 1.3 certificate delegation? Carl Wallace
- [TLS] TLS 1.3 certificate delegation? Andy Lutomirski
- Re: [TLS] TLS 1.3 certificate delegation? Carl Wallace
- Re: [TLS] TLS 1.3 certificate delegation? Andy Lutomirski
- Re: [TLS] TLS 1.3 certificate delegation? Carl Wallace
- Re: [TLS] TLS 1.3 certificate delegation? Andy Lutomirski
- Re: [TLS] TLS 1.3 certificate delegation? Johannes Merkle
- Re: [TLS] TLS 1.3 certificate delegation? Johannes Merkle
- Re: [TLS] TLS 1.3 certificate delegation? Bill Frantz
- Re: [TLS] TLS 1.3 certificate delegation? Salz, Rich
- Re: [TLS] TLS 1.3 certificate delegation? Martin Rex
- Re: [TLS] TLS 1.3 certificate delegation? Andy Lutomirski
- Re: [TLS] TLS 1.3 certificate delegation? Salz, Rich
- Re: [TLS] TLS 1.3 certificate delegation? Martin Rex
- Re: [TLS] TLS 1.3 certificate delegation? Johannes Merkle
- Re: [TLS] TLS 1.3 certificate delegation? Johannes Merkle
- Re: [TLS] TLS 1.3 certificate delegation? Andy Lutomirski
- Re: [TLS] TLS 1.3 certificate delegation? Andy Lutomirski
- Re: [TLS] TLS 1.3 certificate delegation? Michael D'Errico
- Re: [TLS] TLS 1.3 certificate delegation? Rob Stradling
- Re: [TLS] TLS 1.3 certificate delegation? Andy Lutomirski
- Re: [TLS] TLS 1.3 certificate delegation? Peter Sylvester
- Re: [TLS] TLS 1.3 certificate delegation? Martin Rex
- Re: [TLS] TLS 1.3 certificate delegation? Peter Sylvester