W3C home > Mailing lists > Public > public-webid@w3.org > December 2013

Re: [TLS] TLS 1.3 wishlist

From: Henry Story <henry.story@bblfish.net>
Date: Sat, 7 Dec 2013 11:15:56 +0100
Cc: TLS Mailing List <tls@ietf.org>, public-webid WebID Group <public-webid@w3.org>
Message-Id: <01CA3CC6-C3C4-4412-80F8-E7101BA5C209@bblfish.net>
To: Michael D'Errico <mike-list@pobox.com>

On 18 Sep 2013, at 20:45, Michael D'Errico <mike-list@pobox.com> wrote:

> A "wish list" for an upcoming new version of TLS is available
> online (I found it via a message on Twitter):
> 
> https://www.ietf.org/proceedings/87/slides/slides-87-tls-5.pdf
> 
> Is it appropriate to discuss this now, prior to rechartering?

Hi,

  One thing that would be nice would be some way of having more flexibility
for the server to request a client certificate. In TLS 1.2 it seems
the only way to do this is to use the certificate_authorities
list. 

  With WebID over TLS [1] a server may in fact be satisfied if the 
Client certificate contains a WebID in the Subject Alternative Name.
But this then leaves the question open as to how the server can transmit
to the client it's ability to accept such certificates.

The only solution currently available that I know of 
would be to create a CA with DN such as

   CN=WebID, O={}

that every WebID enabled certificate would claim it is signed by (somewhere
in the certificte chain)

Then this could be passed by the server in the certificate_authorities
list as specified in http://tools.ietf.org/html/rfc5246#section-7.4.6


Some people are worried that this would require CAs to resign their root
CAs with a WebID certificate in case they wanted to release WebID 
certificates.

Is there a better way to do this currently? Could there be a better 
way to do it?


Henry


[1] https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/index.html


Social Web Architect
http://bblfish.net/
Received on Saturday, 7 December 2013 10:16:29 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:05:52 UTC