ISSUE-19: x509v3 Independence and TLS Extensions
- State: POSTPONED
- Product: WebID-authn-TLS-spec
- Raised by: Nathan Rixham
- Opened on: 2011-02-01
- Description:
- WebID Protocol is currently tightly bound to the use of X.509v3 certificates, re-purposing the subjectAltName extension in order to carry an Identification Agent's "WebID URI".
However, RFC 4366 "Transport Layer Security (TLS) Extensions" [1] (obsoleting RFC 3546) defines several general extension methods including "Extended Client Hello" [2].
The Client Hello of TLS can be extended in order to pass the identifying agent's "WebID URI" in a certificate-independent manner, by creating a well-defined extension.
This approach is already used by such specifications as Secure Remote Password (SRP) [3,4,5], which defines the "SRP Extension" [6] in order to pass user names via Client Hello.
The definition and use of a TLS extension would remove the need for "custom" X.509v3 certificates which require the presence of a "WebID URI" in the subjectAlternativeName certificate extension, allowing any X.509v3 certificate (should the use of certificates be deemed necessary), or the use of PGP Certificates as defined by TLSPGP [7], and additionally resolve ISSUE-1 "Multiple URI entries in the SAN extension".
[1] http://tools.ietf.org/html/rfc4366
[2] http://tools.ietf.org/html/rfc4366#section-2.1
[3] http://en.wikipedia.org/wiki/Secure_remote_password_protocol
[4] http://srp.stanford.edu/
[5] http://tools.ietf.org/html/rfc2945
[6] http://tools.ietf.org/html/rfc5054#section-2.8.1
[7] http://tools.ietf.org/html/rfc5081
- Related Actions Items:
- No related actions
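The issue above proposes carrying the WebID URI in an extended Client Hello the way RFC 5054 carries the SRP user name. The following is an added example, not code from the issue, the WebID spec or any WebID implementation, showing what that wire format looks like: the Extension type/length/data layout of RFC 4366 section 2.3, the real SRP extension (ExtensionType 12, `opaque srp_I<1..2^8-1>`, RFC 5054 section 2.8.1) and a hypothetical WebID extension modelled on it. The WebID ExtensionType value, its `opaque webid_uri<1..2^16-1>` layout and all function names are assumptions made for this example; the issue defines no extension and none has been registered. The parser enforces the RFC 4366 rule that a type may appear at most once and rejects length fields that disagree with the buffer, which is the part a server implementer has to get right before acting on anything in the Client Hello.

```python
import struct

# ExtensionType values. SRP = 12 is assigned by RFC 5054. The WebID value is a
# placeholder chosen for this example only: the issue defines no extension and
# IANA has registered none.
EXT_SRP = 12
EXT_WEBID_HYPOTHETICAL = 0xFFFE


def encode_srp_extension(username: bytes) -> bytes:
    """RFC 5054 section 2.8.1: extension_data is opaque srp_I<1..2^8-1>."""
    if not 1 <= len(username) <= 0xFF:
        raise ValueError("srp_I must be 1..255 bytes")
    return struct.pack("!B", len(username)) + username


def encode_webid_extension(uri: str) -> bytes:
    """Hypothetical layout modelled on srp_I: opaque webid_uri<1..2^16-1>."""
    data = uri.encode("utf-8")
    if not 1 <= len(data) <= 0xFFFF:
        raise ValueError("webid_uri must be 1..65535 bytes")
    return struct.pack("!H", len(data)) + data


def encode_extensions(exts) -> bytes:
    """RFC 4366 section 2.3: each Extension is a 2-byte type, a 2-byte length
    and the extension_data; the extended ClientHello carries them as one
    length-prefixed vector Extension extensions<0..2^16-1>."""
    body = b"".join(struct.pack("!HH", ext_type, len(data)) + data
                    for ext_type, data in exts)
    if len(body) > 0xFFFF:
        raise ValueError("extensions vector too long")
    return struct.pack("!H", len(body)) + body


def decode_extensions(buf: bytes) -> dict:
    """Parse the extensions vector. Rejects truncation and, per RFC 4366
    section 2.3, more than one extension of the same type."""
    if len(buf) < 2:
        raise ValueError("missing extensions length")
    (total,) = struct.unpack_from("!H", buf, 0)
    if total != len(buf) - 2:
        raise ValueError("extensions length does not match buffer")
    off, out = 2, {}
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated extension header")
        ext_type, n = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + n > len(buf):
            raise ValueError("extension_data overruns buffer")
        if ext_type in out:
            raise ValueError("duplicate extension type %d" % ext_type)
        out[ext_type] = buf[off:off + n]
        off += n
    return out


def decode_webid_extension(data: bytes) -> str:
    if len(data) < 2:
        raise ValueError("missing webid_uri length")
    (n,) = struct.unpack_from("!H", data, 0)
    if n == 0 or 2 + n != len(data):
        raise ValueError("bad webid_uri length")
    return data[2:].decode("utf-8")


def webid_from_extensions(buf: bytes):
    """Server side: pull the claimed WebID URI out of the ClientHello extensions.
    The value is an unauthenticated claim sent in the clear; the server still has
    to verify the client's key against the profile at that URI before trusting it."""
    exts = decode_extensions(buf)
    if EXT_WEBID_HYPOTHETICAL not in exts:
        return None
    return decode_webid_extension(exts[EXT_WEBID_HYPOTHETICAL])


def is_well_formed(buf: bytes) -> bool:
    try:
        decode_extensions(buf)
        return True
    except ValueError:
        return False


def sample_client_hello_extensions() -> bytes:
    # Constructed sample: an SRP user name alongside the hypothetical WebID URI.
    return encode_extensions([
        (EXT_SRP, encode_srp_extension(b"alice")),
        (EXT_WEBID_HYPOTHETICAL, encode_webid_extension("https://example.org/alice#me")),
    ])


if __name__ == "__main__":
    hello_exts = sample_client_hello_extensions()
    print(hello_exts.hex())
    print(webid_from_extensions(hello_exts))
```

Whatever the extension carries, it only tells the server which URI the client claims; the WebID check itself (fetching the profile and matching the client's public key against it) is unchanged, and in TLS 1.2 and earlier the Client Hello is plaintext, so the URI is visible to anyone on the path, as a subjectAltName in a certificate would be under those versions.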
- Related emails:
- Re: Formal WebID Teleconf Friday February 1 2013 15:00UTC (from henry.story@bblfish.net on 2013-02-01)
- RE: issue of initiating client auth for parallel SSL sessionids (from home_pw@msn.com on 2011-02-28)
- RE: issue of initiating client auth for parallel SSL sessionids (from ryan-webid@sleevi.com on 2011-02-27)
- RE: WebID-ISSUE-19: x509v3 Independence and TLS Extensions [WebID Spec] (from home_pw@msn.com on 2011-02-04)
- Re: WebID-ISSUE-19: x509v3 Independence and TLS Extensions [WebID Spec] (from nathan@webr3.org on 2011-02-04)
- RE: WebID-ISSUE-19: x509v3 Independence and TLS Extensions [WebID Spec] (from home_pw@msn.com on 2011-02-04)
- Re: WebID-ISSUE-19: x509v3 Independence and TLS Extensions [WebID Spec] (from nathan@webr3.org on 2011-02-04)
- RE: WebID-ISSUE-19: x509v3 Independence and TLS Extensions [WebID Spec] (from home_pw@msn.com on 2011-02-03)
- RE: WebID-ISSUE-19: x509v3 Independence and TLS Extensions [WebID Spec] (from home_pw@msn.com on 2011-02-03)
- RE: WebID-ISSUE-26: [WebID Spec] (from home_pw@msn.com on 2011-02-02)
- WebID-ISSUE-26: [WebID Spec] (from sysbot+tracker@w3.org on 2011-02-02)
- Re: WebID-ISSUE-19: x509v3 Independence and TLS Extensions [WebID Spec] (from henry.story@bblfish.net on 2011-02-02)
- RE: WebID-ISSUE-19: x509v3 Independence and TLS Extensions [WebID Spec] (from home_pw@msn.com on 2011-02-02)
- Re: WebID-ISSUE-19: x509v3 Independence and TLS Extensions [WebID Spec] (from henry.story@bblfish.net on 2011-02-01)
- RE: WebID-ISSUE-19: x509v3 Independence and TLS Extensions [WebID Spec] (from home_pw@msn.com on 2011-02-01)
- RE: WebID-ISSUE-19: x509v3 Independence and TLS Extensions [WebID Spec] (from home_pw@msn.com on 2011-02-01)
- Re: WebID-ISSUE-19: x509v3 Independence and TLS Extensions [WebID Spec] (from henry.story@bblfish.net on 2011-02-01)
- Re: WebID-ISSUE-19: x509v3 Independence and TLS Extensions [WebID Spec] (from benjamin.heitmann@deri.org on 2011-02-01)
- Re: Documenting implicit assumptions? (from nathan@webr3.org on 2011-02-01)
- WebID-ISSUE-19: x509v3 Independence and TLS Extensions [WebID Spec] (from sysbot+tracker@w3.org on 2011-02-01)
Related notes:
too complicated to do within current group
Ted Thibodeau, 1 Feb 2013, 15:46:48