Re: [TLS] TLS 1.3 wishlist

On 18 Sep 2013, at 20:45, Michael D'Errico <mike-list@pobox.com> wrote:

> A "wish list" for an upcoming new version of TLS is available
> online (I found it via a message on Twitter):
> 
> https://www.ietf.org/proceedings/87/slides/slides-87-tls-5.pdf
> 
> Is it appropriate to discuss this now, prior to rechartering?

Hi,

  One thing that would be nice would be some way of having more flexibility
for the server to request a client certificate. In TLS 1.2 it seems
the only way to do this is to use the certificate_authorities
list. 

  With WebID over TLS [1] a server may in fact be satisfied if the
client certificate contains a WebID in the Subject Alternative Name.
But this then leaves the question open as to how the server can transmit
to the client its ability to accept such certificates.

The only solution currently available that I know of 
would be to create a CA with DN such as

   CN=WebID, O={}

that every WebID enabled certificate would claim it is signed by (somewhere
in the certificate chain).

Then this could be passed by the server in the certificate_authorities
list as specified in http://tools.ietf.org/html/rfc5246#section-7.4.6


Some people are worried that this would require CAs to resign their root
CAs with a WebID certificate in case they wanted to release WebID 
certificates.

Is there a better way to do this currently? Could there be a better 
way to do it?


Henry


[1] https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/index.html


Social Web Architect
http://bblfish.net/

Received on Saturday, 7 December 2013 10:16:29 UTC
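As an added illustration, not code from Henry's post or from the WebID spec: the marker DN proposed above encoded as DER and carried in the certificate_authorities vector of a TLS 1.2 CertificateRequest (RFC 5246 section 7.4.6), together with the byte-exact issuer match a client chain would have to pass. The DN values are constructed; O is left out because the post leaves it as a placeholder.

```python
import struct

UTF8STRING, OID, SEQUENCE, SET = 0x0C, 0x06, 0x30, 0x31   # ASN.1 DER tags
OID_CN, OID_O = "2.5.4.3", "2.5.4.10"                     # X.520 commonName, organizationName

def der_tlv(tag, body):
    """DER tag-length-value; definite lengths up to 65535 bytes."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + struct.pack(">H", n)
    return bytes([tag]) + length + body

def der_oid(dotted):
    """Dotted OID: first two arcs packed as 40*a+b, remaining arcs base-128 big-endian."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += chunk
    return der_tlv(OID, bytes(out))

def der_name(rdns):
    """X.501 Name: SEQUENCE OF (SET OF one AttributeTypeAndValue), in the order given."""
    atvs = [der_tlv(SET, der_tlv(SEQUENCE, der_oid(oid) + der_tlv(UTF8STRING, val.encode()))) for oid, val in rdns]
    return der_tlv(SEQUENCE, b"".join(atvs))

def encode_certificate_authorities(names):
    """RFC 5246 7.4.6: DistinguishedName certificate_authorities<0..2^16-1>, each name <1..2^16-1>."""
    body = b"".join(struct.pack(">H", len(n)) + n for n in names)
    return struct.pack(">H", len(body)) + body

def decode_certificate_authorities(blob):
    """Parse the vector back, rejecting truncation and the forbidden empty DistinguishedName."""
    if len(blob) < 2 or struct.unpack_from(">H", blob)[0] != len(blob) - 2:
        raise ValueError("certificate_authorities vector length mismatch")
    pos, names = 2, []
    while pos < len(blob):
        n = struct.unpack_from(">H", blob, pos)[0] if pos + 2 <= len(blob) else -1
        pos += 2
        if n <= 0 or pos + n > len(blob):
            raise ValueError("bad DistinguishedName length")
        names.append(blob[pos:pos + n])
        pos += n
    return names

def chain_satisfies_request(issuer_names, certificate_authorities):
    """Client side: does an issuer DN anywhere in our chain match a listed CA byte-for-byte?"""
    return any(issuer in certificate_authorities for issuer in issuer_names)

# Constructed sample: the WebID marker DN (O omitted, since the post leaves it as "{}")
# beside an ordinary root, as a server would list them in CertificateRequest.
WEBID_MARKER = der_name([(OID_CN, "WebID")])
EXAMPLE_ROOT = der_name([(OID_CN, "Example Root"), (OID_O, "Example Org")])
REQUEST_CAS = encode_certificate_authorities([EXAMPLE_ROOT, WEBID_MARKER])

if __name__ == "__main__":
    listed = decode_certificate_authorities(REQUEST_CAS)
    print(f"{len(listed)} CAs listed; WebID marker present: {WEBID_MARKER in listed}")
```

Because DER is canonical, the match is a plain byte comparison, which is exactly why a WebID certificate's chain would need the marker DN spelled identically everywhere it appears.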