Re: [TLS] CertficateRequest extension encoding

Andrei Popov <Andrei.Popov@microsoft.com> Mon, 05 September 2016 21:46 UTC

From: Andrei Popov <Andrei.Popov@microsoft.com>
To: David Benjamin <davidben@chromium.org>, Ilari Liusvaara <ilariliusvaara@welho.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] CertficateRequest extension encoding
Thread-Index: AQHSBpsXZcombga0NEGFs2xYmfILPaBpmgGAgAAAfICAAc2xcA==
Date: Mon, 05 Sep 2016 21:46:51 +0000
Message-ID: <CY1PR0301MB08421CDD92828E5809E40E8C8CE60@CY1PR0301MB0842.namprd03.prod.outlook.com>
References: <20160904105637.sjl4wmr2hc2mito6@LK-Perkele-V2.elisa-laajakaista.fi> <CAF8qwaApcZBC0K8m27CtYbUd3zb5HvVQbDxpN0kkY0c=Pj4Rcw@mail.gmail.com> <CAF8qwaDVGrnzeLQD1ika0=VZbD8gJpigcRv_qgiAYdHV_iS2jA@mail.gmail.com>
In-Reply-To: <CAF8qwaDVGrnzeLQD1ika0=VZbD8gJpigcRv_qgiAYdHV_iS2jA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/vIwK32WhYAbY0IUv_SbqUIznLeA>
Subject: Re: [TLS] CertficateRequest extension encoding
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>

> And how is the value encoded? Using the same encoding as
> extnValue payload of respective extension in X.509 certificates?

The same encoding as the respective extension in X.509 certificates (please feel free to suggest the language to make this clearer).


> A CertificateExtension is a hint to the client about what kind of certificates are acceptable. We have a registry of u16s for them. Clients ignore extensions they don't understand, so it is ultimately on the server to check the certificate is acceptable (as it always is). If we wish to filter on OIDs, we define, e.g., a key_usage value whose contents have some KeyUsage-specific meaning.

Do we need to make it this flexible? The idea was to avoid adding complexity to the certificate filtering code in the TLS stack, and instead filter by OIDs in the PKI library. PKI libraries already inspect and match OID values, so this should be a relatively small change for them.

Cheers,

Andrei
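An added example, not part of the thread and not any TLS stack's code, of what the two points above come to in bytes: it encodes a certificate_extensions list whose values are the DER extnValue of the corresponding X.509 extension, then checks a client certificate's extensions against that list the way a PKI library that already matches OIDs would. The CertificateExtension layout (a one-byte-length DER OID followed by a two-byte-length value) is taken from the TLS 1.3 draft under discussion, which is an assumption about which draft revision applies. The matching rule (the certificate must carry every KeyUsage bit and every extKeyUsage OID the filter names; anything else must match byte for byte) is this example's own choice, not something the message specifies. The sample certificate extension sets are constructed.

```python
"""certificate_extensions filter: encode, decode, and match against a certificate.

Assumed wire layout (from the TLS 1.3 draft under discussion, not from this mail):
    struct {
        opaque certificate_extension_oid<1..2^8-1>;     # DER-encoded OID
        opaque certificate_extension_values<0..2^16-1>; # DER extnValue, as in X.509
    } CertificateExtension;
    CertificateExtension certificate_extensions<0..2^16-1>;
"""

KEY_USAGE_OID = "2.5.29.15"
EXT_KEY_USAGE_OID = "2.5.29.37"
EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
KU_DIGITAL_SIGNATURE = 0   # KeyUsage bit numbers from RFC 5280 4.2.1.3
KU_KEY_ENCIPHERMENT = 2


# --- minimal DER helpers, written for this example -------------------------

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def der_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER (base-128 arcs, first two packed)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def der_key_usage(bits):
    """KeyUsage ::= BIT STRING; bit 0 is the MSB of the first content octet."""
    nbits = max(bits) + 1
    nbytes = (nbits + 7) // 8
    value = 0
    for b in bits:
        value |= 1 << (nbytes * 8 - 1 - b)
    unused = nbytes * 8 - nbits
    return der(0x03, bytes([unused]) + value.to_bytes(nbytes, "big"))


def der_ext_key_usage(oids):
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId."""
    return der(0x30, b"".join(der_oid(o) for o in oids))


def der_read(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def parse_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def key_usage_bits(extn_value):
    tag, body, _ = der_read(extn_value)
    assert tag == 0x03, "KeyUsage must be a BIT STRING"
    total = (len(body) - 1) * 8 - body[0]
    return {i for i in range(total) if body[1 + i // 8] >> (7 - i % 8) & 1}


def ext_key_usage_oids(extn_value):
    tag, body, _ = der_read(extn_value)
    assert tag == 0x30, "ExtKeyUsage must be a SEQUENCE"
    oids, pos = set(), 0
    while pos < len(body):
        _, oid_body, pos = der_read(body, pos)
        oids.add(parse_oid(oid_body))
    return oids


# --- TLS side: the certificate_extensions vector ---------------------------

def _vec(data, len_bytes):
    return len(data).to_bytes(len_bytes, "big") + data


def encode_certificate_extensions(filters):
    """filters: [(dotted_oid, der_extn_value)] -> certificate_extensions<0..2^16-1>."""
    body = b"".join(_vec(der_oid(oid), 1) + _vec(val, 2) for oid, val in filters)
    return _vec(body, 2)


def decode_certificate_extensions(buf):
    total = int.from_bytes(buf[:2], "big")
    body, pos, out = buf[2:2 + total], 0, []
    while pos < len(body):
        n = body[pos]
        oid_der, pos = body[pos + 1:pos + 1 + n], pos + 1 + n
        n = int.from_bytes(body[pos:pos + 2], "big")
        val, pos = body[pos + 2:pos + 2 + n], pos + 2 + n
        out.append((parse_oid(der_read(oid_der)[1]), val))
    return out


# --- PKI side: match by OID, with per-extension semantics (assumed rule) ----

def extension_matches(oid, want, have):
    if oid == KEY_USAGE_OID:
        return key_usage_bits(want) <= key_usage_bits(have)
    if oid == EXT_KEY_USAGE_OID:
        return ext_key_usage_oids(want) <= ext_key_usage_oids(have)
    return want == have  # unknown extension: require identical DER


def certificate_acceptable(cert_extensions, certificate_extensions_wire):
    """cert_extensions: {dotted_oid: DER extnValue} as a PKI library exposes them."""
    for oid, want in decode_certificate_extensions(certificate_extensions_wire):
        have = cert_extensions.get(oid)
        if have is None or not extension_matches(oid, want, have):
            return False
    return True


# Constructed sample: the server asks for digitalSignature + id-kp-clientAuth.
FILTERS = encode_certificate_extensions([
    (KEY_USAGE_OID, der_key_usage([KU_DIGITAL_SIGNATURE])),
    (EXT_KEY_USAGE_OID, der_ext_key_usage([EKU_CLIENT_AUTH])),
])
CLIENT_AUTH_CERT = {  # constructed extension set of a client-auth certificate
    KEY_USAGE_OID: der_key_usage([KU_DIGITAL_SIGNATURE, KU_KEY_ENCIPHERMENT]),
    EXT_KEY_USAGE_OID: der_ext_key_usage([EKU_CLIENT_AUTH, EKU_SERVER_AUTH]),
}
SERVER_ONLY_CERT = {  # constructed extension set lacking clientAuth
    KEY_USAGE_OID: der_key_usage([KU_DIGITAL_SIGNATURE]),
    EXT_KEY_USAGE_OID: der_ext_key_usage([EKU_SERVER_AUTH]),
}

if __name__ == "__main__":
    print(FILTERS.hex())
    print(certificate_acceptable(CLIENT_AUTH_CERT, FILTERS))   # True
    print(certificate_acceptable(SERVER_ONLY_CERT, FILTERS))   # False
```

The TLS stack only splits the vector and hands (OID, extnValue) pairs to the PKI layer; everything that needs extension-specific knowledge (that KeyUsage is a BIT STRING, that extKeyUsage is a SEQUENCE OF OID) stays in code that already parses those structures for path validation.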