Re: Signalling WebID Certificates - the CN=WebID, O={} CA

On 2013-12-07 16:56, Henry Story wrote:

>    certificate_authorities
>       A list of the distinguished names [X501] of acceptable
>       certificate_authorities, represented in DER-encoded format.  These
>       distinguished names may specify a desired distinguished name for a
>       root CA or for a subordinate CA; thus, this message can be used to
>       describe known roots as well as a desired authorization space.  If
>       the certificate_authorities list is empty, then the client MAY
>       send any certificate of the appropriate ClientCertificateType,
>       unless there is some external arrangement to the contrary.
> 
> Now there may be other ways to solve the problem. That is why I sent a mail 
> to the current IETF TLS mailing list, to check if there were
> other possibilities current or ones that were being prepared for
> future specs.

The TLS WG has expressed no interest in such issues.

Not even implementations care about the spec extract you refer to:
https://code.google.com/p/android/issues/detail?id=38393

The TLS credential filtering is clearly inferior, but the TLS WG seems to take pride in ignoring consumers, similarly to many other IETF groups.
PKIX's latest certificate enrollment protocol (EST) addresses neither the web nor mobile banking using "Apps".
It remains a mystery (to me at least) what EST is actually targeting.

Possibly the whole consumer-PKI space is outside the range of current SDOs.
W3C's WebCrypto failed on this one as well so it seems that this is close to a "Universal Truth".

Cheers
Anders

Received on Saturday, 7 December 2013 16:46:35 UTC
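To make the quoted RFC 5246 text concrete, the following is an added example written for this page (not code from the thread, the RFC, or any of the implementations mentioned): it builds and parses the TLS 1.2 CertificateRequest body and applies the certificate_authorities rule to a client's certificate store, including the "empty list means any certificate MAY be sent" case. The issuer name CN=WebID comes from the thread subject; the corporate issuer name, the certificate labels and the byte-for-byte DER comparison of names are assumptions of this example.

```python
"""Added example: parse a TLS 1.2 CertificateRequest (RFC 5246 section 7.4.4)
and filter client certificates by the certificate_authorities list.
Standard library only; X.501 Names are compared as raw DER bytes, which is a
simplification of the RFC 5280 name-comparison rules."""
import struct


# --- minimal DER builder, used only to construct sample Names -----------------
def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


OID_CN = b"\x55\x04\x03"  # id-at-commonName (2.5.4.3), OID content bytes
OID_O = b"\x55\x04\x0a"   # id-at-organizationName (2.5.4.10)


def der_name(rdns: list[tuple[bytes, str]]) -> bytes:
    """Build an X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, UTF8String }."""
    rdn_seq = b""
    for oid, value in rdns:
        atv = _der(0x30, _der(0x06, oid) + _der(0x0C, value.encode("utf-8")))
        rdn_seq += _der(0x31, atv)  # one single-valued RDN per SET
    return _der(0x30, rdn_seq)


# --- CertificateRequest wire format -------------------------------------------
def build_certificate_request(cert_types, sig_algs, certificate_authorities) -> bytes:
    """Serialise the handshake body (without the 4-byte handshake header)."""
    types = bytes(cert_types)
    algs = b"".join(bytes([h, s]) for h, s in sig_algs)
    cas = b"".join(struct.pack("!H", len(dn)) + dn for dn in certificate_authorities)
    return (bytes([len(types)]) + types
            + struct.pack("!H", len(algs)) + algs
            + struct.pack("!H", len(cas)) + cas)


def _u8(buf: bytes, pos: int) -> tuple[int, int]:
    if pos + 1 > len(buf):
        raise ValueError("truncated CertificateRequest")
    return buf[pos], pos + 1


def _u16(buf: bytes, pos: int) -> tuple[int, int]:
    if pos + 2 > len(buf):
        raise ValueError("truncated CertificateRequest")
    return struct.unpack("!H", buf[pos:pos + 2])[0], pos + 2


def parse_certificate_request(body: bytes) -> dict:
    """Parse the body with bounds checks on every length field."""
    n, pos = _u8(body, 0)                      # certificate_types<1..2^8-1>
    if n == 0 or pos + n > len(body):
        raise ValueError("bad certificate_types length")
    cert_types = list(body[pos:pos + n])
    pos += n
    n, pos = _u16(body, pos)                   # supported_signature_algorithms
    if n % 2 or pos + n > len(body):
        raise ValueError("bad supported_signature_algorithms length")
    sig_algs = [(body[i], body[i + 1]) for i in range(pos, pos + n, 2)]
    pos += n
    n, pos = _u16(body, pos)                   # certificate_authorities<0..2^16-1>
    end = pos + n
    if end != len(body):
        raise ValueError("certificate_authorities length does not match body")
    cas = []
    while pos < end:
        m, pos = _u16(body, pos)               # each DistinguishedName<1..2^16-1>
        if m == 0 or pos + m > end:
            raise ValueError("bad DistinguishedName length")
        cas.append(body[pos:pos + m])
        pos += m
    return {"certificate_types": cert_types,
            "signature_algorithms": sig_algs,
            "certificate_authorities": cas}


# Constructed sample client store: certificate label -> DER issuer Name.
WEBID_ISSUER = der_name([(OID_CN, "WebID")])  # DN from the thread subject
CORP_ISSUER = der_name([(OID_CN, "Example Corp Root CA"), (OID_O, "Example Corp")])  # constructed
CLIENT_CERTS = {"webid-self-signed": WEBID_ISSUER, "corp-employee": CORP_ISSUER}


def acceptable_client_certs(request: dict, certs: dict[str, bytes]) -> list[str]:
    """Apply the quoted rule: an empty list lets the client send any certificate,
    otherwise only certificates whose issuer matches a listed name qualify."""
    cas = request["certificate_authorities"]
    if not cas:
        return sorted(certs)
    return sorted(label for label, issuer in certs.items() if issuer in cas)


if __name__ == "__main__":
    # rsa_sign(1), ecdsa_sign(64); sha256 with rsa (4,1) and ecdsa (4,3)
    req = build_certificate_request([1, 64], [(4, 1), (4, 3)], [WEBID_ISSUER])
    print(acceptable_client_certs(parse_certificate_request(req), CLIENT_CERTS))
```

Run as a script, the request naming only CN=WebID selects the "webid-self-signed" entry, while a request with an empty list returns the whole store; a client that ignores the list behaves as if every request were of the second kind, which is the gap the Android issue linked above is about.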