Re: WebID-ISSUE-19: x509v3 Independence and TLS Extensions [WebID Spec]

On 1 Feb 2011, at 10:18, WebID Incubator Group Issue Tracker wrote:
> However, RFC 4346 "Transport Layer Security (TLS) Extensions" [1] (obsoleting RFC 3546) defines several general extension methods including "Extended Client Hello" [2].

In addition there seems to be another mechanism, which might be appropriate for indicating that a certain certificate should only be used for WebIDs: 

"Extended Key Usage" in RFC 5280 [1]:

"This extension indicates one or more purposes for which the certified
   public key may be used, in addition to or in place of the basic
   purposes indicated in the key usage extension.  In general, this
   extension will appear only in end entity certificates."

and very importantly: 

"Key purposes may be defined by any organization with a need."

As an example: 

"id-kp-OCSPSigning            OBJECT IDENTIFIER ::= { id-kp 9 }
   -- Signing OCSP responses
   -- Key usage bits that may be consistent: digitalSignature
   -- and/or nonRepudiation"

So we could have ext-webid-1 or something like that, and define as part of WebID what that means. 

However, I am not an expert on the details of SSL, so I am not sure if I read that text correctly. 


Received on Tuesday, 1 February 2011 16:44:06 UTC