Re: [TLS] Client certificate authentication and draft-ietf-tls-oob-pubkey
Paul Wouters <paul@nohats.ca> Wed, 11 April 2012 18:10 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B467911E80BA for <tls@ietfa.amsl.com>; Wed, 11 Apr 2012 11:10:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.535
X-Spam-Level:
X-Spam-Status: No, score=-0.535 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HOST_MISMATCH_COM=0.311, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hihUih3kYLl2 for <tls@ietfa.amsl.com>; Wed, 11 Apr 2012 11:10:17 -0700 (PDT)
Received: from letoams.cypherpunks.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) by ietfa.amsl.com (Postfix) with ESMTP id 44AE211E808D for <tls@ietf.org>; Wed, 11 Apr 2012 11:10:17 -0700 (PDT)
Received: by letoams.cypherpunks.ca (Postfix, from userid 500) id B101180335; Wed, 11 Apr 2012 14:10:16 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by letoams.cypherpunks.ca (Postfix) with ESMTP id A3DF880331; Wed, 11 Apr 2012 14:10:16 -0400 (EDT)
Date: Wed, 11 Apr 2012 14:10:16 -0400
From: Paul Wouters <paul@nohats.ca>
To: Jim Schaad <ietf@augustcellars.com>
In-Reply-To: <01c901cd1801$9cff3fa0$d6fdbee0$@augustcellars.com>
Message-ID: <alpine.LFD.2.02.1204111401400.24167@bofh.nohats.ca>
References: <173124B6-9480-443E-9FA6-98BBB1A01F5F@vpnc.org> <alpine.LFD.2.02.1204051126330.4059@bofh.nohats.ca> <F53123FA-2A9C-434D-92CF-0B938B072984@vpnc.org> <alpine.LFD.2.02.1204100955050.5054@bofh.nohats.ca> <BB11250E-D827-490A-9C9D-C83028844EF6@vpnc.org> <alpine.LFD.2.02.1204101202270.11272@bofh.nohats.ca> <01c901cd1801$9cff3fa0$d6fdbee0$@augustcellars.com>
User-Agent: Alpine 2.02 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Cc: tls@ietf.org
Subject: Re: [TLS] Client certificate authentication and draft-ietf-tls-oob-pubkey
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Apr 2012 18:10:17 -0000
On Wed, 11 Apr 2012, Jim Schaad wrote: >> Oops. I checked draft-wouters-tls-oob-pubkey-00 and it was already >> removed there after discussion with EKR in Quebec City. > > If this is really what you want to do, then I would suggest that the > document be expanded so that there exists the possibility to include an > identifier and/or a public key in the certificate form defined by the oob > document. Personall, I strongly prefer not adding more fields to the bare key certificate type, as those people who want to cover client authentication can use full PKIX certs already, and TLS client authentication in the wild seems to be extremely rare. The only two cases I knew are CAcert and Fedora (and for the latter it does not even add security, as I need to identify with another factor anyway (yubikey)) Is there an actual use case where bare keys would be preferable over full PKIX, that also include client auth not based on burned in keys covered by server side SPKI lookups? Paul
- [TLS] Client certificate authentication and draft… Paul Hoffman
- Re: [TLS] Client certificate authentication and d… Paul Wouters
- Re: [TLS] Client certificate authentication and d… Paul Hoffman
- Re: [TLS] Client certificate authentication and d… Paul Wouters
- Re: [TLS] Client certificate authentication and d… Paul Hoffman
- Re: [TLS] Client certificate authentication and d… Paul Wouters
- Re: [TLS] Client certificate authentication and d… Paul Hoffman
- Re: [TLS] Client certificate authentication and d… Daniel Kahn Gillmor
- Re: [TLS] Client certificate authentication and d… Paul Wouters
- Re: [TLS] Client certificate authentication and d… Paul Wouters
- Re: [TLS] Client certificate authentication and d… Daniel Kahn Gillmor
- Re: [TLS] Client certificate authentication and d… Bill Frantz
- Re: [TLS] Client certificate authentication and d… Eric Rescorla
- Re: [TLS] Client certificate authentication and Martin Rex
- Re: [TLS] Client certificate authentication and d… Jim Schaad
- Re: [TLS] Client certificate authentication and d… Paul Wouters
- Re: [TLS] Client certificate authentication and d… Jim Schaad
- Re: [TLS] Client certificate authentication and Martin Rex
- Re: [TLS] Client certificate authentication and d… Joe Salowey