WebID-ISSUE-19: x509v3 Independence and TLS Extensions [WebID Spec] from WebID Incubator Group Issue Tracker on 2011-02-01 (public-xg-webid@w3.org from February 2011)

From: WebID Incubator Group Issue Tracker <sysbot+tracker@w3.org>
Date: Tue, 01 Feb 2011 10:18:23 +0000
To: public-xg-webid@w3.org
Message-Id: <E1PkDJX-00008I-TK@barney.w3.org>

WebID-ISSUE-19: x509v3 Independence and TLS Extensions [WebID Spec]

http://www.w3.org/2005/Incubator/webid/track/issues/19

Raised by: Nathan Rixham
On product: WebID Spec


WebID Protocol is currently tightly bound to the use of X.509v3 certificates, re-purposing the subjectAltName extension in order to carry an "Identification Agents" "WebID URI".

However, RFC 4346 "Transport Layer Security (TLS) Extensions" [1] (obsoleting RFC 3546) defines several general extension methods including "Extended Client Hello" [2].

The Client Hello of TLS can be extended in order to pass the identifying agents "WebID URI" in a certificate independent manner, by creating a well defined extension.

This approach is already used by such specifications as Secure Remote Password (SRP) [3,4,5] which defines the "SRP Extension" [6] in order to pass user names via Client Hello.

The definition and use of a TLS extension would remove the need for "custom" X.509v3 certificates which require the presence of a "WebID URI" in the subjectAlternativeName certificate extension, allowing any X.509v3 certificate (should the use of certificates be deemed as needed), or the use of PGP Certificates as defined by TLSPGP[7], and additionally resolve ISSUE-1 "Multiple URI entries in the SAN extension".

[1] http://tools.ietf.org/html/rfc4366
[2] http://tools.ietf.org/html/rfc4366#section-2.1
[3] http://en.wikipedia.org/wiki/Secure_remote_password_protocol
[4] http://srp.stanford.edu/
[5] http://tools.ietf.org/html/rfc2945
[6] http://tools.ietf.org/html/rfc5054#section-2.8.1
[7] http://tools.ietf.org/html/rfc5081

Received on Tuesday, 1 February 2011 10:18:25 UTC