[TLS] PR #290: Removing certificate_types and adding certificate_extensions

Andrei Popov <Andrei.Popov@microsoft.com> Wed, 14 October 2015 20:36 UTC

From: Andrei Popov <Andrei.Popov@microsoft.com>
To: "'tls@ietf.org'" <tls@ietf.org>
Date: Wed, 14 Oct 2015 20:36:31 +0000
Message-ID: <BLUPR03MB1396EB7C5BD75D98D4EE68A88C3F0@BLUPR03MB1396.namprd03.prod.outlook.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/oU_q-j0IzicHsszdXu6820ZWYtQ>
Subject: [TLS] PR #290: Removing certificate_types and adding certificate_extensions

As discussed at the Interim, I've submitted a separate PR for TLS 1.3 CertificateRequest changes: https://github.com/tlswg/tls13-spec/pull/290

PR #290 includes the following changes:
1. Removes certificate_types, which are no longer needed.
2. Adds client cert selection by certificate extension values. This helps make CertificateRequest more specific and reduce the need for the confusing "choose a certificate" UI.

Suggested text includes specific matching rules for KU and EKU extensions (these are most commonly asked for by the customers).

Please review,

Cheers,

Andrei
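Added example (not code from the PR or the draft): a client-side filter that applies a CertificateRequest's requested certificate extension values to the local certificate store, so only matching certificates reach the "choose a certificate" step. The KU/EKU matching rule used here (every requested KeyUsage bit or EKU OID must be present in the certificate, extra ones allowed) and the tuple model for parsed certificates are assumptions of this example, not text quoted from PR #290.

```python
# Added example, not the PR's or the draft's code. Assumed matching rule: a
# certificate matches when it carries every requested KeyUsage bit / EKU OID;
# extra bits or OIDs are allowed. KeyUsage values travel as DER BIT STRINGs;
# EKU values are kept as decoded OID strings to keep the example short.
OID_KEY_USAGE, OID_EXT_KEY_USAGE = "2.5.29.15", "2.5.29.37"
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
KU_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
           "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
           "encipherOnly", "decipherOnly"]  # RFC 5280 bit positions 0..8

def encode_key_usage(names):
    """DER BIT STRING for a KeyUsage value (trailing zero bits trimmed)."""
    idx = sorted(KU_BITS.index(n) for n in names)
    if not idx:
        return b"\x03\x01\x00"
    nbytes = idx[-1] // 8 + 1
    body = bytearray(nbytes)
    for i in idx:
        body[i // 8] |= 0x80 >> (i % 8)  # bit 0 is the MSB of the first octet
    return bytes([0x03, nbytes + 1, 8 * nbytes - idx[-1] - 1]) + bytes(body)

def decode_key_usage(der):
    """Inverse of encode_key_usage; rejects anything but a short BIT STRING."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2 or der[2] > 7:
        raise ValueError("malformed KeyUsage BIT STRING")
    unused, body = der[2], der[3:]
    return {KU_BITS[i] for i in range(min(8 * len(body) - unused, len(KU_BITS)))
            if body[i // 8] & (0x80 >> (i % 8))}

def extension_matches(cert, oid, value):
    """cert = (name, key_usage_set, eku_set); value = DER for KU, OID set for EKU."""
    _, ku, eku = cert
    if oid == OID_KEY_USAGE:
        return decode_key_usage(value) <= ku
    if oid == OID_EXT_KEY_USAGE:
        return set(value) <= eku
    return False  # unrecognised extension OID: cannot claim a match

def select_certificates(certs, certificate_extensions):
    """Return the names of certificates satisfying every requested extension."""
    return [c[0] for c in certs
            if all(extension_matches(c, oid, v) for oid, v in certificate_extensions)]

# Constructed sample data: a request for digitalSignature + id-kp-clientAuth,
# and three certificates in the client's store (only the first should match).
REQUEST = [(OID_KEY_USAGE, encode_key_usage({"digitalSignature"})),
           (OID_EXT_KEY_USAGE, {EKU_CLIENT_AUTH})]
STORE = [("smartcard-auth", {"digitalSignature", "keyEncipherment"}, {EKU_CLIENT_AUTH}),
         ("email-only", {"digitalSignature"}, {"1.3.6.1.5.5.7.3.4"}),
         ("server-leaf", {"digitalSignature", "keyEncipherment"}, {"1.3.6.1.5.5.7.3.1"})]

if __name__ == "__main__":
    print(select_certificates(STORE, REQUEST))  # only smartcard-auth is offered
```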