Re: [TLS] TLS 1.3 certificate delegation?
Johannes Merkle <johannes.merkle@secunet.com> Fri, 08 November 2013 17:21 UTC
Return-Path: <Johannes.Merkle@secunet.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E70BB21E812C for <tls@ietfa.amsl.com>; Fri, 8 Nov 2013 09:21:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.54
X-Spam-Level:
X-Spam-Status: No, score=-3.54 tagged_above=-999 required=5 tests=[AWL=0.059, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id afWKuuQIXDjD for <tls@ietfa.amsl.com>; Fri, 8 Nov 2013 09:21:28 -0800 (PST)
Received: from a.mx.secunet.com (a.mx.secunet.com [195.81.216.161]) by ietfa.amsl.com (Postfix) with ESMTP id 7FCA911E81E4 for <tls@ietf.org>; Fri, 8 Nov 2013 09:21:28 -0800 (PST)
Received: from localhost (alg1 [127.0.0.1]) by a.mx.secunet.com (Postfix) with ESMTP id 7CA331A006F; Fri, 8 Nov 2013 18:21:27 +0100 (CET)
X-Virus-Scanned: by secunet
Received: from a.mx.secunet.com ([127.0.0.1]) by localhost (a.mx.secunet.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id veKMQLTFcQFu; Fri, 8 Nov 2013 18:21:25 +0100 (CET)
Received: from mail-srv1.secumail.de (unknown [10.53.40.200]) by a.mx.secunet.com (Postfix) with ESMTP id A57F71A0071; Fri, 8 Nov 2013 18:21:17 +0100 (CET)
Received: from [10.208.1.57] ([10.208.1.57]) by mail-srv1.secumail.de with Microsoft SMTPSVC(6.0.3790.4675); Fri, 8 Nov 2013 18:21:17 +0100
Message-ID: <527D1D8D.6090904@secunet.com>
Date: Fri, 08 Nov 2013 18:21:17 +0100
From: Johannes Merkle <johannes.merkle@secunet.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.1.0
MIME-Version: 1.0
To: mrex@sap.com
References: <20131108165218.1EEB01AA71@ld9781.wdf.sap.corp>
In-Reply-To: <20131108165218.1EEB01AA71@ld9781.wdf.sap.corp>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 08 Nov 2013 17:21:17.0837 (UTC) FILETIME=[EF559BD0:01CEDCA6]
Cc: "tls@ietf.org" <tls@ietf.org>, Andy Lutomirski <luto@amacapital.net>
Subject: Re: [TLS] TLS 1.3 certificate delegation?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Nov 2013 17:21:45 -0000
> It is actually not a violation of PKIX. However, behaviour is undefined. > > PKIX (rfc5280) inherited this from X.509, and it has been spelled out > in rfc5280-clarifications: > > http://tools.ietf.org/html/rfc6818#section-2 > > 2. Update to RFC 5280, Section 3.2: "Certification Paths and Trust" > > > Add the following paragraph to the end of RFC 5280, Section 3.2: > > | Consistent with Section 3.4.61 of X.509 (11/2008) [X.509], we note > | that use of self-issued certificates and self-signed certificates > | issued by entities other than CAs are outside the scope of this > | specification. Thus, for example, a web server or client might > | generate a self-signed certificate to identify itself. These > | certificates and how a relying party uses them to authenticate > | asserted identities are both outside the scope of RFC 5280. > Interesting, this clarification in RFC 5280bis escaped my attention. However, self-issued implies that both certificates share the same Common Name. So this paragraph only applies to the scenario sketched by Andy when the server identity (sub domain) is encoded _only_ in SubjectAltName (dNSName). This is recommended by RFC 2818 anyway. -- Johannes
- Re: [TLS] TLS 1.3 certificate delegation? Martin Rex
- Re: [TLS] TLS 1.3 certificate delegation? Martin Rex
- Re: [TLS] TLS 1.3 certificate delegation? Andy Lutomirski
- Re: [TLS] TLS 1.3 certificate delegation? Carl Wallace
- [TLS] TLS 1.3 certificate delegation? Andy Lutomirski
- Re: [TLS] TLS 1.3 certificate delegation? Carl Wallace
- Re: [TLS] TLS 1.3 certificate delegation? Andy Lutomirski
- Re: [TLS] TLS 1.3 certificate delegation? Carl Wallace
- Re: [TLS] TLS 1.3 certificate delegation? Andy Lutomirski
- Re: [TLS] TLS 1.3 certificate delegation? Johannes Merkle
- Re: [TLS] TLS 1.3 certificate delegation? Johannes Merkle
- Re: [TLS] TLS 1.3 certificate delegation? Bill Frantz
- Re: [TLS] TLS 1.3 certificate delegation? Salz, Rich
- Re: [TLS] TLS 1.3 certificate delegation? Martin Rex
- Re: [TLS] TLS 1.3 certificate delegation? Andy Lutomirski
- Re: [TLS] TLS 1.3 certificate delegation? Salz, Rich
- Re: [TLS] TLS 1.3 certificate delegation? Martin Rex
- Re: [TLS] TLS 1.3 certificate delegation? Johannes Merkle
- Re: [TLS] TLS 1.3 certificate delegation? Johannes Merkle
- Re: [TLS] TLS 1.3 certificate delegation? Andy Lutomirski
- Re: [TLS] TLS 1.3 certificate delegation? Andy Lutomirski
- Re: [TLS] TLS 1.3 certificate delegation? Michael D'Errico
- Re: [TLS] TLS 1.3 certificate delegation? Rob Stradling
- Re: [TLS] TLS 1.3 certificate delegation? Andy Lutomirski
- Re: [TLS] TLS 1.3 certificate delegation? Peter Sylvester
- Re: [TLS] TLS 1.3 certificate delegation? Martin Rex
- Re: [TLS] TLS 1.3 certificate delegation? Peter Sylvester