Re: [TLS] Consensus call for certificate URL extension

To: tls at ietf.org
Subject: Re: [TLS] Consensus call for certificate URL extension
From: Magnus Nyström <magnus at rsa.com>
Date: Thu, 25 Sep 2008 15:10:03 +0200 (W. Europe Daylight Time)
Delivered-to: ietfarch-tls-web-archive at core3.amsl.com
Delivered-to: tls at core3.amsl.com
In-reply-to: <2E7FFF9A-0517-4B25-98C6-37745CC099F4 at checkpoint.com>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <AC1CFD94F59A264488DC2BEC3E890DE5069401B0 at xmb-sjc-225.amer.cisco.com> <87ej38y9g6.fsf at mocca.josefsson.org> <2E7FFF9A-0517-4B25-98C6-37745CC099F4 at checkpoint.com>
Sender: tls-bounces at ietf.org

I do not know if this extension still has value or not, but as one of theauthors of the original RFC 3546, I just wanted to provide some background...

This extension came about a long time ago when the WAP Forum (today: OpenMobile Alliance) was looking at introducing support for TLS in theirarchitecture. Given bandwidth-constraints in the mobile networks at thetime, it made sense to devise a way for clients to not having to sendtheir certificates (or chains) but rather have the servers pick them upsomewhere. Clearly, today's networks are more capable.


-- Magnus

On Thu, 25 Sep 2008, Yoav Nir wrote:

On Sep 25, 2008, at 10:24 AM, Simon Josefsson wrote:

If the assumption in (B), that there are no known deployments of this
extension, is correct, my preference is to deprecate the extension,
without creating a new extension with different properties.

The way I am reading the replies so far imply that few if anyone really
needs this extension.  If that is the case, I don't see why we need to
spend time on it.

/Simon


Well, somebody went to the trouble of writing it...

I can see the value of this for a protocol such as IKE, because there youneed to send the whole cert (sometimes a chain, sometimes also a CRL) withinone UDP packet. With TLS, I guess there is much less value there.



_______________________________________________
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls

_______________________________________________
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls

Follow-Ups:
- Re: [TLS] Consensus call for certificate URL extension
  - From: Martin Rex

References:
- [TLS] Consensus call for certificate URL extension
  - From: Joseph Salowey (jsalowey)
- Re: [TLS] Consensus call for certificate URL extension
  - From: Simon Josefsson
- Re: [TLS] Consensus call for certificate URL extension
  - From: Yoav Nir

Prev by Date: [TLS] Tr: Behaviour when TLS fails
Next by Date: Re: [TLS] Consensus call for certificate URL extension
Previous by thread: Re: [TLS] Consensus call for certificate URL extension
Next by thread: Re: [TLS] Consensus call for certificate URL extension
Index(es):
- Date
- Thread

Re: [TLS] Consensus call for certificate URL extension

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.