W3C home > Mailing lists > Public > public-identity@w3.org > June 2011

Re: [websec] re-call for IETF http-auth BoF

From: Nico Williams <nico@cryptonector.com>
Date: Wed, 15 Jun 2011 12:00:30 -0500
Message-ID: <BANLkTi=X1ETP+jdVwoYCJ_Vb+HWZO2ijZg@mail.gmail.com>
To: Anders Rundgren <anders.rundgren@telia.com>
Cc: Yutaka OIWA <y.oiwa@aist.go.jp>, "KIHARA, Boku" <bkihara.l@gmail.com>, public-identity@w3.org, pgut001@cs.auckland.ac.nz
On Wed, Jun 15, 2011 at 11:51 AM, Anders Rundgren
<anders.rundgren@telia.com> wrote:
>>> Regarding mutual authentication, it would be piece of cake adding an X.509
>>> extension containing sites/domains that the issuer grants usage with.
>>
>> AFAICT, adding extensions to PKIX is never a piece of cake.  And
>> anyways, there's already naming constraints for PKIX (if that's what
>> you meant).
>
> I meant something similar to what you outlined above but stuffed in
> the *client* certificate.

Ah, an extension for helping the client select credentials...  But
that seems like a local-only feature because you'd have to rely on RPs
looking for client misuse of certs, and it seems too late to do that
by the time the client has signed something with their key and sent
it.

I don't think it will help all that much unless you have a user cert
per-RP, and then you might as well just have RP-only certs all the way
(which requires a cert registration or else certification protocol).

Nico
--
Received on Wednesday, 15 June 2011 17:00:55 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 15 June 2011 17:00:55 GMT