Re: [TLS] draft-ietf-tls-oob-pubkey-09: client auth, but no client key
Hannes Tschofenig <hannes.tschofenig@gmx.net> Fri, 18 October 2013 09:05 UTC
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6478B21F9D7C for <tls@ietfa.amsl.com>; Fri, 18 Oct 2013 02:05:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Aonxa-zdBp20 for <tls@ietfa.amsl.com>; Fri, 18 Oct 2013 02:05:53 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.18]) by ietfa.amsl.com (Postfix) with ESMTP id 7BA3221F995A for <tls@ietf.org>; Fri, 18 Oct 2013 02:05:48 -0700 (PDT)
Received: from [172.16.254.200] ([80.92.116.76]) by mail.gmx.com (mrgmx102) with ESMTPSA (Nemesis) id 0MATlG-1VR0Nt08CY-00Bfz9 for <tls@ietf.org>; Fri, 18 Oct 2013 11:05:47 +0200
Message-ID: <5260FA09.6040205@gmx.net>
Date: Fri, 18 Oct 2013 11:06:17 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.0
MIME-Version: 1.0
To: Hauke Mehrtens <hauke@hauke-m.de>, tls@ietf.org
References: <52498FF1.1090701@hauke-m.de>
In-Reply-To: <52498FF1.1090701@hauke-m.de>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Provags-ID: V03:K0:HRSREQMpvMmRF4V398Hs/ZotjKgZ3GI+sHSFjpTRAxQyIihJ5Oz uAl6ZLu3cbDM+rWQYvTyUfwMxcZWKvSgKJnJDeZL4tZ6KbO2fgXtIOhy52GlNH5lA4tNN5x xKNbHK+NM995+bHl2QPMPjeCOsSwSlHC8e2UplAassBaK9rA58vcpe9waISTkS28Vss+XkC o1BBOAn0dpkP2NBCgHEYg==
Subject: Re: [TLS] draft-ietf-tls-oob-pubkey-09: client auth, but no client key
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Oct 2013 09:05:58 -0000
Hi Hauke, with the draft-ietf-tls-oob-pubkey specification the TLS client has a way to indicate what certificate types it supports. As such, the TLS server knows what certificates it can ask for before sending the certificate request message. Hence, the situation that the client receives a certificate request but doesn't actually have a certificate cannot really happen (unless in a failure situation). In that case I believe the suitable error response by the TLS client would be the one you described from RFC 5246. Maybe it is worthwhile to point this out in the document to have this error case clearly described? On 09/30/2013 04:51 PM, Hauke Mehrtens wrote: > RFC 5246 7.4.6 "Client Certificate" says: > > If no suitable certificate is available, > the client MUST send a certificate message containing no > certificates. That is, the certificate_list structure has a > length of zero. > > How should a client act when raw public keys are used and the server > requests client authentication, but there is no public key or no > suitable public key? > > Not adding client_certificate_type to the ClientHello is not enough, > because this could also indicate that the client supports client > authentication with X.509 certificates. > > I would send an empty client certificate handshake message and no > certificate verify message and the server should decide, like it is > specified for X.509 certificates in RFC 5246 7.4.6. By 'empty' you mean that the certificate_list structure has a length of zero (similarly as it is defined in RFC 5246)? Ciao Hannes > > Hauke > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] draft-ietf-tls-oob-pubkey-09: client auth, … Hauke Mehrtens
- Re: [TLS] draft-ietf-tls-oob-pubkey-09: client au… Hannes Tschofenig