Re: [TLS] TLS 1.3 wishlist - better certificate selection

Henry Story <henry.story@bblfish.net> Sat, 07 December 2013 12:11 UTC

Return-Path: <henry.story@bblfish.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1B561AE2FD for <tls@ietfa.amsl.com>; Sat, 7 Dec 2013 04:11:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_25=0.6, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id slYzsXCJijCK for <tls@ietfa.amsl.com>; Sat, 7 Dec 2013 04:11:20 -0800 (PST)
Received: from mail-we0-f177.google.com (mail-we0-f177.google.com [74.125.82.177]) by ietfa.amsl.com (Postfix) with ESMTP id 9E9851ADBD3 for <tls@ietf.org>; Sat, 7 Dec 2013 04:11:20 -0800 (PST)
Received: by mail-we0-f177.google.com with SMTP id u56so1732216wes.36 for <tls@ietf.org>; Sat, 07 Dec 2013 04:11:16 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=lOdyar9m5BuNuid1fY63WpuHk4MZifGncwbzAtwV2xA=; b=VxEcVpcBrJQISjT4j2yDOopPq+3lWdHbPCyW9HRasOTF5pvq2SnQpPBMz0Ht2Ul2C4 K9rVoFAXiROCLljLhvY0R6aKAgZk59ET3epHn76jcScdQP68u2H1d19NjMg4vmB3bL+e C61vGtWvxFcwY3Za6n/t2xj59k9Rt6yO5Qk+5k26cCFbjvjj6zB8FjE0/b9AooUEPogx Df2AFdCYhy1Ad0/hYvubyP3WFe/hl9z7dACmT9fXBmd+eREHK0EkG6JopNn3Oj6aKald 3+Hpe2lAAUlkdPAwOnDPLxUVNPyOnUoXd6+la2IxWdyIU7de68XrtJANQqpXAiGdScAb aJqg==
X-Gm-Message-State: ALoCoQn9FyvLsSCwand7X1Si/7qd101uWJhUMNycPOPrT2iFpNKrecIMxUzVExRjqN7KkiE8xDZB
X-Received: by 10.194.60.103 with SMTP id g7mr60317658wjr.37.1386418275694; Sat, 07 Dec 2013 04:11:15 -0800 (PST)
Received: from bblfish.home (AAubervilliers-652-1-119-108.w83-200.abo.wanadoo.fr. [83.200.86.108]) by mx.google.com with ESMTPSA id hv5sm4983964wib.2.2013.12.07.04.11.12 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sat, 07 Dec 2013 04:11:13 -0800 (PST)
Content-Type: text/plain; charset=iso-8859-1
Mime-Version: 1.0 (Mac OS X Mail 7.0 \(1822\))
From: Henry Story <henry.story@bblfish.net>
In-Reply-To: <52A301C5.50608@gmail.com>
Date: Sat, 7 Dec 2013 13:11:09 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <C5C630A5-4E23-4E50-BA93-1326C1E8993E@bblfish.net>
References: <5239F4C9.5090805@pobox.com> <01CA3CC6-C3C4-4412-80F8-E7101BA5C209@bblfish.net> <52A301C5.50608@gmail.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
X-Mailer: Apple Mail (2.1822)
Cc: TLS Mailing List <tls@ietf.org>
Subject: Re: [TLS] TLS 1.3 wishlist - better certificate selection
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Dec 2013 12:11:31 -0000

On 7 Dec 2013, at 12:08, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:

> On 2013-12-07 11:15, Henry Story wrote:
>> 
>> On 18 Sep 2013, at 20:45, Michael D'Errico <mike-list@pobox.com> wrote:
>> 
>>> A "wish list" for an upcoming new version of TLS is available
>>> online (I found it via a message on Twitter):
>>> 
>>> https://www.ietf.org/proceedings/87/slides/slides-87-tls-5.pdf
>>> 
>>> Is it appropriate to discuss this now, prior to rechartering?
>> 
>> Hi,
>> 
>>  One thing that would be nice would be some way of having more flexibility
>> for the server to request a client certificate. In TLS 1.2 it seems
>> the only way to do this is to use the certificate_authorities
>> list. 
>> 
>>  With WebID over TLS [1] a server may in fact be satisfied if the 
>> Client certificate contains a WebID in the Subject Alternative Name.
>> But this then leaves the question open as to how the server can transmit
>> to the client it's ability to accept such certificates.
>> 
>> The only solution currently available that I know of 
>> would be to create a CA with DN such as
>> 
>>   CN=WebID, O={}
>> 
>> that every WebID enabled certificate would claim it is signed by (somewhere
>> in the certificte chain)
>> 
>> Then this could be passed by the server in the certificate_authorities
>> list as specified in http://tools.ietf.org/html/rfc5246#section-7.4.6
>> 
>> 
>> Some people are worried that this would require CAs to resign their root
>> CAs with a WebID certificate in case they wanted to release WebID 
>> certificates.
>> 
>> Is there a better way to do this currently? Could there be a better 
>> way to do it?
> 
> I believe we had this discussion before, so here we go again :-)
> Making TLS CCA (Client Certificate Authentication) useful for consumer authentication (be it to an enterprise, bank or social network), is IMO unrealistic, no matter how desirable it may be.
> 
> Technical reasons:
> http://webpki.org/papers/PKI/webauth.pdf#page=1

This thread is not about your ideas of what is wrong with TLS and
why you think it can never be solved, but what can be done to improve
one particular aspect that concerns me.  

Btw. your article mixes up User Interface issues which can be sorted by 
browser vendors UI team with protocol issues which I want to discuss here.
( Eg: logging out would be easy if the browser showed the client certificate
used when logged in ).  


> 
> TLS CCA is also at odds with the market:
> http://www.forbes.com/sites/amadoudiallo/2013/11/30/google-wants-to-make-your-passwords-obsolete
> 
> As an authentication solution for VPNs (and even more "secure box-2-box" communication), TLS CCA is great but that's not "le web".

WebID allows you to use X509 Certs for global authentication without needing to 
pass through CAs. We are using this every day and building some very cool apps on it. 

> 
> Regarding the specific WebID issue, I would be cautious about assigning additional semantics to existing constructs.
> X.509 offers many other ways of signalling a unique/non-standard use.

Thanks for this one paragraph that is somewhat closer to being relevant to this thread.

So clearly if one could have a better way for the server to notify the client which
certificates it accepts, this would allow selection on other fields of the certificates.
Perhaps something like a regexpression in the certificate_authorities list, or a
way to express capabilities of certificates.


> 
> Cheers,
> Anders
> 
>> 
>> 
>> Henry
>> 
>> 
>> [1] https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/index.html
>> 
>> 
>> Social Web Architect
>> http://bblfish.net/
>> 
>> 
> 

Social Web Architect
http://bblfish.net/