
Re: [TLS] TLS1.2: focus on non X.509 certs, cert URLs,



home_pw@xxxxxxx wrote:
> 
> Concerning 7.4.5. Certificate request
> 
>            "A list of the distinguished names of acceptable certificate
>            authorities. These distinguished names may specify a desired
>            distinguished name for a root CA or for a subordinate CA;
>            thus, this message can be used both to describe known roots
>            and a desired authorization space. If the
>            certificate_authorities list is empty then the client MAY
>            send any certificate of the appropriate
>            ClientCertificateType, unless there is some external
>            arrangement to the contrary."
> 
> 
> So, what does this all really mean,
> just staying within the traditional PKI world?

This is *NOT* about PKI.
It is about X.509 certificates and certificate chains.

It means that the client should search his credentials and see
whether there is a match between one of the CAs from that list
of the Server and the issuer field of the certificate of
the client's credentials (itself, or of (one) of its chain(s)).

If there's at least one match, the client can use those credentials
for client authentication, including the certification path up
to at least the matching CA from the server's list.


X.509 certs must be DER-encoded, and there MUST be a binary/opaque
match of the CA name sent by the server with the issuer name in
the client's (end-entity or path) certificate, therefore all
the DNames in that list must be DER-encoded (or will likely not
match issuer names - except for broken CAs issuing defective certs
with non-DER encoded issuer names).

-Martin
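The selection rule described in the reply above, as an added example that is not part of the thread and not any TLS implementation's own code: it encodes and parses the TLS 1.2 certificate_authorities vector, builds a few DER Names with a minimal hand-written encoder (the names, chains and helper functions are all constructed for this illustration), and picks the client credential whose issuer bytes equal one of the server's names. The last part shows the caveat about non-DER issuer names: the same Name re-encoded with a BER long-form length fails the byte-exact comparison.

```python
import struct

# ---- minimal DER helpers (constructed for this example; not a general ASN.1 library) ----

def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one TLV with the definite, minimal-length form DER requires."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

OID_O = bytes.fromhex("55040a")   # id-at-organizationName (2.5.4.10)
OID_CN = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3)

def der_name(*rdns) -> bytes:
    """Build an X.501 Name: SEQUENCE OF SET OF (OID, PrintableString)."""
    sets = []
    for oid, value in rdns:
        atv = der_tlv(0x30, der_tlv(0x06, oid) + der_tlv(0x13, value.encode("ascii")))
        sets.append(der_tlv(0x31, atv))
    return der_tlv(0x30, b"".join(sets))

def ber_long_form_copy(der: bytes) -> bytes:
    """Re-emit a short DER TLV with a one-byte long-form length (0x81 nn).
    Same ASN.1 value, legal BER, but not DER, so the bytes no longer compare equal."""
    tag, n = der[0], der[1]
    if n >= 0x80:
        raise ValueError("expects a short-form length")
    return bytes([tag, 0x81, n]) + der[2:]

# ---- TLS 1.2 CertificateRequest.certificate_authorities wire encoding ----

def encode_certificate_authorities(names) -> bytes:
    """DistinguishedName certificate_authorities<0..2^16-1>, each DistinguishedName<1..2^16-1>."""
    body = b"".join(struct.pack("!H", len(n)) + n for n in names)
    return struct.pack("!H", len(body)) + body

def parse_certificate_authorities(data: bytes):
    """Parse the vector back into a list of opaque DER Name byte strings."""
    if len(data) < 2:
        raise ValueError("truncated vector")
    (total,) = struct.unpack("!H", data[:2])
    if total != len(data) - 2:
        raise ValueError("vector length does not match payload")
    names, pos, end = [], 2, 2 + total
    while pos < end:
        if end - pos < 2:
            raise ValueError("truncated element length")
        (n,) = struct.unpack("!H", data[pos:pos + 2])
        pos += 2
        if n == 0 or pos + n > end:
            raise ValueError("bad DistinguishedName length")
        names.append(data[pos:pos + n])
        pos += n
    return names

# ---- client-side credential selection ----

def select_credential(credentials, ca_names):
    """credentials: list of chains, each a list of {"subject": der, "issuer": der}, leaf first.
    Returns (chain_index, certs_to_send) or None.  The match is a byte-exact comparison
    of the issuer field against the DER names the server sent, nothing more."""
    if not ca_names:
        # Empty list: the client MAY send any certificate of the right type.
        return (0, credentials[0]) if credentials else None
    wanted = set(ca_names)
    for idx, chain in enumerate(credentials):
        for depth, cert in enumerate(chain):
            if cert["issuer"] in wanted:
                # Send the path from the end-entity up to the cert issued by the matching CA.
                return idx, chain[:depth + 1]
    return None

# ---- constructed sample data (hypothetical names, not real CAs) ----
ROOT_CA = der_name((OID_O, "Example"), (OID_CN, "Example Root CA"))
ISSUING_CA = der_name((OID_O, "Example"), (OID_CN, "Example Issuing CA"))
OTHER_ROOT = der_name((OID_O, "Other Corp"), (OID_CN, "Other Root"))
ALICE = der_name((OID_CN, "alice"))
BOB = der_name((OID_CN, "bob"))
CAROL = der_name((OID_CN, "carol"))

CREDENTIALS = [
    [{"subject": ALICE, "issuer": ISSUING_CA},
     {"subject": ISSUING_CA, "issuer": ROOT_CA},
     {"subject": ROOT_CA, "issuer": ROOT_CA}],
    [{"subject": BOB, "issuer": OTHER_ROOT},
     {"subject": OTHER_ROOT, "issuer": OTHER_ROOT}],
]

# A cert from a defective CA: issuer is the same Name, but BER-encoded rather than DER.
ROOT_CA_BER = ber_long_form_copy(ROOT_CA)
BROKEN_CHAIN = [{"subject": CAROL, "issuer": ROOT_CA_BER}]

if __name__ == "__main__":
    wire = encode_certificate_authorities([ROOT_CA])
    print(select_credential(CREDENTIALS, parse_certificate_authorities(wire)))
    print(select_credential([BROKEN_CHAIN], [ROOT_CA]))  # None: issuer bytes differ from the DER name
```

The parser rejects a zero-length DistinguishedName and any element that overruns the vector, since a client that trusts the server's length fields blindly reads past the buffer; the selection function deliberately does no decoding of the names, which is exactly why a BER-encoded issuer never matches a DER-encoded CA name.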

_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls