IETF Logo Mail Archive

Re: [TLS] Client certificate authentication and draft-ietf-tls-oob-pubkey

Paul Wouters <paul@nohats.ca> Wed, 11 April 2012 18:10 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B467911E80BA for <tls@ietfa.amsl.com>; Wed, 11 Apr 2012 11:10:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.535
X-Spam-Level:
X-Spam-Status: No, score=-0.535 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HOST_MISMATCH_COM=0.311, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hihUih3kYLl2 for <tls@ietfa.amsl.com>; Wed, 11 Apr 2012 11:10:17 -0700 (PDT)
Received: from letoams.cypherpunks.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) by ietfa.amsl.com (Postfix) with ESMTP id 44AE211E808D for <tls@ietf.org>; Wed, 11 Apr 2012 11:10:17 -0700 (PDT)
Received: by letoams.cypherpunks.ca (Postfix, from userid 500) id B101180335; Wed, 11 Apr 2012 14:10:16 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by letoams.cypherpunks.ca (Postfix) with ESMTP id A3DF880331; Wed, 11 Apr 2012 14:10:16 -0400 (EDT)
Date: Wed, 11 Apr 2012 14:10:16 -0400
From: Paul Wouters <paul@nohats.ca>
To: Jim Schaad <ietf@augustcellars.com>
In-Reply-To: <01c901cd1801$9cff3fa0$d6fdbee0$@augustcellars.com>
Message-ID: <alpine.LFD.2.02.1204111401400.24167@bofh.nohats.ca>
References: <173124B6-9480-443E-9FA6-98BBB1A01F5F@vpnc.org> <alpine.LFD.2.02.1204051126330.4059@bofh.nohats.ca> <F53123FA-2A9C-434D-92CF-0B938B072984@vpnc.org> <alpine.LFD.2.02.1204100955050.5054@bofh.nohats.ca> <BB11250E-D827-490A-9C9D-C83028844EF6@vpnc.org> <alpine.LFD.2.02.1204101202270.11272@bofh.nohats.ca> <01c901cd1801$9cff3fa0$d6fdbee0$@augustcellars.com>
User-Agent: Alpine 2.02 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Cc: tls@ietf.org
Subject: Re: [TLS] Client certificate authentication and draft-ietf-tls-oob-pubkey
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Apr 2012 18:10:17 -0000

On Wed, 11 Apr 2012, Jim Schaad wrote:

>> Oops. I checked draft-wouters-tls-oob-pubkey-00 and it was already
>> removed there after discussion with EKR in Quebec City.
>
> If this is really what you want to do, then I would suggest that the
> document be expanded so that there exists the possibility to include an
> identifier and/or a public key in the certificate form defined by the oob
> document.

Personall, I strongly prefer not adding more fields to the bare key certificate
type, as those people who want to cover client authentication can use
full PKIX certs already, and TLS client authentication in the wild seems
to be extremely rare. The only two cases I knew are CAcert and Fedora
(and for the latter it does not even add security, as I need to identify
with another factor anyway (yubikey))

Is there an actual use case where bare keys would be preferable over
full PKIX, that also include client auth not based on burned in keys
covered by server side SPKI lookups?

Paul

v2.23.0 | Report a Bug | By Email