Re: [TLS] Implementation survey: Client Certificate URL extension




>>>> This vulnerability of Client Certificate URL is already described in
>>>> the Security Considerations text in RFC 4366, so it isn't anything
>>>> particularly new.
> 
> Security Considerations, section 6.3 of RFC 4366 already describes the
> problems and implications in quite some detail (I wasn't aware of that).
> But maybe that isn't scary enough?  Personally, I feel quite uncomfortable
> with such a dangerous extension in an IETF standard.  *I* can NOT think
> of a safe mode of operation for the client certificate URL extension.
> As soon as the admin enables it, his server is toast.  Do we really need
> to standardize something that is so extremely dangerous?

This could be made safe with some help from PKIX (if X.509 doesn't
already support it -- I haven't read RFC 3280 or -bis in a while).
If root certificates listed constraints on what constitutes a valid
URL for retrieving issued certificates, then a server could scan
the combined list from each trusted root to determine if it is safe
to fetch a client certificate.

Mike
_______________________________________________
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls
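
A sketch of the server-side check proposed in the message above, as an added example that is not part of the original post or of any TLS/PKIX specification. The per-root constraint format, a (scheme, host, path prefix) triple, and all names and hosts below are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample data. The page names no concrete constraint format, so
# each rule is an assumed (scheme, host, path_prefix) triple per trusted root.
ROOT_URL_CONSTRAINTS = {
    "Example Root CA 1": [("https", "certs.ca1.example", "/issued/")],
    "Example Root CA 2": [("https", "repo.ca2.example", "/clients/")],
    "Example Root CA 3": [],  # publishes no constraint, so it permits nothing
}
DEFAULT_PORTS = {"https": 443, "http": 80}


def combined_constraints(roots):
    """Merge the URL constraints of every trusted root into one list."""
    return [rule for rules in roots.values() for rule in rules]


def is_safe_to_fetch(url, constraints):
    """Return True only if url falls inside one constraint from the list."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    # Credentials, queries and fragments have no place in a certificate URL
    # and can make a URL appear to target a different host than it does.
    if parts.username is not None or parts.password is not None:
        return False
    if parts.query or parts.fragment:
        return False
    # Refuse anything that could alter the path after the prefix check.
    path = parts.path
    if "%" in path or "\\" in path or any(s in (".", "..") for s in path.split("/")):
        return False
    host = parts.hostname or ""
    for scheme, allowed_host, prefix in constraints:
        if (parts.scheme == scheme
                and host == allowed_host  # exact match, no suffix matching
                and port in (None, DEFAULT_PORTS.get(scheme))
                and path.startswith(prefix)
                and len(path) > len(prefix)):
            return True
    return False


ALLOWED = combined_constraints(ROOT_URL_CONSTRAINTS)
```

The check is purely syntactic, so the code that performs the fetch must also refuse HTTP redirects; otherwise an allowed URL can still lead the server to a location outside the list.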


