Re: WebID-ISSUE-19: x509v3 Independence and TLS Extensions [WebID Spec]

On 1 Feb 2011, at 10:18, WebID Incubator Group Issue Tracker wrote:
> 
> However, RFC 4346 "Transport Layer Security (TLS) Extensions" [1] (obsoleting RFC 3546) defines several general extension methods including "Extended Client Hello" [2].


In addition there seems to be another mechanism, which might be appropriate for indicating that a certain certificate should only be used for WebIDs: 

"Extended Key Usage" in RFC 5280 [1]:

"This extension indicates one or more purposes for which the certified
   public key may be used, in addition to or in place of the basic
   purposes indicated in the key usage extension.  In general, this
   extension will appear only in end entity certificates."

and very importantly: 

"Key purposes may be defined by any organization with a need."

As an example: 

"id-kp-OCSPSigning            OBJECT IDENTIFIER ::= { id-kp 9 }
   -- Signing OCSP responses
   -- Key usage bits that may be consistent: digitalSignature
   -- and/or nonRepudiation"


So we could have ext-webid-1 or something like that, and define as part of WebID what that means. 

However, I am not an expert on the details of SSL, so I am not sure if I read that text correctly. 



[1] http://tools.ietf.org/html/rfc5280#section-4.2.1.12

Received on Tuesday, 1 February 2011 16:44:06 UTC
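The Extended Key Usage idea sketched in the message above, as an added example that is not part of the original post or of the WebID spec: a minimal DER encoder and decoder for the extension value `ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId`, plus the check a WebID relying party would make for a WebID-specific key purpose. The OID `1.3.6.1.4.1.99999.1` is a hypothetical placeholder for such a purpose, not a registered value; `id-kp-OCSPSigning` is the `{ id-kp 9 }` example quoted in the message.

```python
# Added example, not from the original message or the WebID spec: DER encode and
# decode ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId (each an OBJECT IDENTIFIER).
ID_KP = "1.3.6.1.5.5.7.3"                 # id-kp arc (RFC 5280)
ID_KP_SERVER_AUTH = ID_KP + ".1"          # id-kp-serverAuth
ID_KP_OCSP_SIGNING = ID_KP + ".9"         # id-kp-OCSPSigning, quoted above
ID_KP_WEBID_PLACEHOLDER = "1.3.6.1.4.1.99999.1"  # hypothetical, NOT a registered OID
def _der_len(n):
    if n >= 0x80:                         # short-form DER length only (< 128 bytes)
        raise ValueError("value too long for this example")
    return bytes([n])
def _base128(v):                          # OID arc as base-128, high bit = "more"
    out = bytearray([v & 0x7F])
    while v := v >> 7:
        out.insert(0, 0x80 | (v & 0x7F))
    return bytes(out)
def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(map(_base128, arcs[2:]))
    return b"\x06" + _der_len(len(body)) + body
def encode_eku(oids):
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _der_len(len(body)) + body
def _read_tlv(buf, pos):                  # returns (tag, value, next position)
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form DER length not handled here")
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def decode_oid(body):
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val); val = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def decode_eku(der):
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU value must be a single DER SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        if t != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(v))
    return oids

def usable_for_webid(der):                # what a WebID relying party would check
    return ID_KP_WEBID_PLACEHOLDER in decode_eku(der)
```

A real deployment would also need the EKU extension to be marked critical or not as the spec decides, since RFC 5280 says a certificate used for a purpose not listed in a present EKU must be rejected by applications that honour the extension.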