WebID-ISSUE-19: x509v3 Independence and TLS Extensions [WebID Spec]

Raised by: Nathan Rixham
On product: WebID Spec

WebID Protocol is currently tightly bound to the use of X.509v3 certificates, re-purposing the subjectAltName extension in order to carry the Identification Agent's "WebID URI".

However, RFC 4366 "Transport Layer Security (TLS) Extensions" [1] (obsoleting RFC 3546) defines a general extension mechanism, including the "Extended Client Hello" [2].

By defining a well-specified extension, the TLS Client Hello can be extended to pass the Identification Agent's "WebID URI" independently of any certificate.

This approach is already used by specifications such as Secure Remote Password (SRP) [3,4,5], which defines the "SRP Extension" [6] in order to pass user names via the Client Hello.

Defining and using a TLS extension would remove the need for "custom" X.509v3 certificates that require a "WebID URI" in the subjectAltName certificate extension. It would allow any X.509v3 certificate to be used (should certificates be deemed necessary at all), or PGP certificates as defined by TLS-PGP [7], and would additionally resolve ISSUE-1, "Multiple URI entries in the SAN extension".
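As an added illustration (not part of this issue or of the WebID spec), the following Python encodes a hypothetical WebID extension in the RFC 4366 `Extension` wire format, with its data laid out like the SRP extension's length-prefixed opaque field, and parses it back out of a ClientHello extensions block with the length and duplicate checks a server would need. The extension type number 0xFFFE is a placeholder, since no IANA assignment exists for such an extension.

```python
import struct
from urllib.parse import urlsplit

# Placeholder: no IANA ExtensionType exists for a WebID extension (assumption).
WEBID_EXTENSION_TYPE = 0xFFFE

def encode_webid_extension(webid_uri: str) -> bytes:
    # Extension { type(2), data<0..2^16-1> }; data mirrors SRP's opaque <1..2^8-1>.
    data = webid_uri.encode("utf-8")
    if not 1 <= len(data) <= 255:
        raise ValueError("WebID URI must be 1..255 bytes in this encoding")
    ext_data = struct.pack("!B", len(data)) + data
    return struct.pack("!HH", WEBID_EXTENSION_TYPE, len(ext_data)) + ext_data

def encode_extensions_block(extensions: list) -> bytes:
    # ClientHello carries Extension extensions<0..2^16-1> behind a 2-byte length.
    body = b"".join(extensions)
    return struct.pack("!H", len(body)) + body

def parse_extensions_block(block: bytes) -> dict:
    # Walk the field into {type: data}; reject truncated, overlong or duplicate
    # extensions (RFC 4366 forbids more than one extension of a given type).
    if len(block) < 2 or struct.unpack("!H", block[:2])[0] != len(block) - 2:
        raise ValueError("extensions length does not match block")
    pos, found = 2, {}
    while pos < len(block):
        if pos + 4 > len(block):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", block[pos:pos + 4])
        pos += 4
        if pos + ext_len > len(block):
            raise ValueError("extension data runs past block")
        if ext_type in found:
            raise ValueError("duplicate extension type %#x" % ext_type)
        found[ext_type] = block[pos:pos + ext_len]
        pos += ext_len
    return found

def extract_webid(block: bytes) -> str:
    # The URI is only a claim until the WebID profile's key is matched.
    data = parse_extensions_block(block).get(WEBID_EXTENSION_TYPE)
    if data is None:
        raise ValueError("no WebID extension present")
    if len(data) < 2 or data[0] != len(data) - 1:
        raise ValueError("malformed opaque uri field")
    uri = data[1:].decode("utf-8")
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("WebID must be an absolute http(s) URI")
    return uri
```

Whether the WebID arrives in a subjectAltName or in an extension, the server still has to dereference the profile and match the key seen in the handshake before trusting it.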

[1] http://tools.ietf.org/html/rfc4366
[2] http://tools.ietf.org/html/rfc4366#section-2.1
[3] http://en.wikipedia.org/wiki/Secure_remote_password_protocol
[4] http://srp.stanford.edu/
[5] http://tools.ietf.org/html/rfc2945
[6] http://tools.ietf.org/html/rfc5054#section-2.8.1
[7] http://tools.ietf.org/html/rfc5081

Received on Tuesday, 1 February 2011 10:18:25 UTC