[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [TLS] Next steps for Client Certificate URL

To: <Pasi.Eronen@xxxxxxxxx>, <tls@xxxxxxxx>
Subject: Re: [TLS] Next steps for Client Certificate URL
From: Russ Housley <housley@xxxxxxxxxxxx>
Date: Fri, 28 Mar 2008 15:22:26 -0400
Delivered-to: tls@xxxxxxxxxxxxxx
In-reply-to: <1696498986EFEC4D9153717DA325CB7238EA05@xxxxxxxxxxxxxxxxxxx com>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <1696498986EFEC4D9153717DA325CB7238EA05@xxxxxxxxxxxxxxxxxxxxxx>
Sender: tls-bounces@xxxxxxxx

This integrity protection is important.  I support the suggestion.

Russ

At 10:13 AM 3/28/2008, Pasi.Eronen@xxxxxxxxx wrote:
>Hi,
>
>We've seen two replies from people who have implemented the Client
>Certificate URL extension (Certicom SSL-C toolkit and IAIK iSaSiLk).
>
>Given that using this feature -- at least on client side -- probably
>requires that the application specifically asks for it (and supplies
>the URL in some API call), I would also guess that most applications
>that use those two libraries don't actually use this particular
>feature.
>
>Given this, would everyone be OK with updating the existing
>client_certificate_url extension so that including the hash is
>mandatory (client MUST send, server MUST NOT accept without hash)?
>This behavior would be independent of the negotiated TLS version.
>
>(One obvious alternative would be to deprecate current
>client_certificate_url, and allocate a new extension number.)
>
>Best regards,
>Pasi
>_______________________________________________
>TLS mailing list
>TLS@xxxxxxxx
>https://www.ietf.org/mailman/listinfo/tls

_______________________________________________
TLS mailing list
TLS@xxxxxxxx
https://www.ietf.org/mailman/listinfo/tls

References:
- [TLS] Next steps for Client Certificate URL
  - From: Pasi.Eronen

Prev by Date: Re: [TLS] Security today
Previous by thread: [TLS] Next steps for Client Certificate URL
Index(es):
- Date
- Thread