Follow-up on my own post below ...
Thierry Moreau wrote:
A question for those who follow PKI usage trends.
Is there a list of CAs that issue X.509 end-user certificates?
Here is the rationale for the question:
If an end-user has a certificate, he (more or less consciously) controls
a private key. Suppose one deploys a web server that cares *only* about
end-user public keys, e.g. it keeps track of end-user reputation and
that's it for trust management. Then any type of certificate is good
enough (self-signed, auto-issued, issued by a regular
"client-cert-issuing CA").
This web server can have an immediate potential user base if it
negotiates the TLS session with a long list of CA distinguished names
(in the CertificateRequest message).
The management tools for the contemplated web server scheme would
include an issuer DN extraction utility from end-user or CA certificates
so that the list may be augmented based on casual observations. Also,
the SSL debugging tools will report the contents of CertificateRequest
messages from public servers supporting client certs.
Has anyone gone through such data collection before?
Thanks in advance.
I got a few off-list messages.
One pointed towards the TLS 1.1 provision for an empty list of
client-certs-issuing CA in the CertificateRequest message (in which case
the client may use any certificate, which is the intended purpose). This
is a protocol relaxation from TLS 1.0.
Another observation is that a major TLS *server* implementation
truncates this list (from the operator-supplied configuration) to a much
smaller size than the protocol limit. I don't know if this reflects some
browser-client limitations as a TLS client entity.
So, if I had a long list of distinguished names for
client-certs-issuing CAs, I am not sure I could recommend using it as a
default configuration item.
I guess it's preferable to focus on configuration management tools that
ease the job of supporting a more specific server user base.
Regards,
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1
Tel. +1-514-385-5691
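The machinery the thread talks about, as an added example that is not part of the original message or of any server product it mentions: a small Python encoder/decoder for the TLS 1.0/1.1 CertificateRequest body (including the empty certificate_authorities case), the issuer-DN extraction utility the post contemplates for CA or end-user certificates, and an arithmetic check of how many names fit under the 2^16-1 byte vector limit that the truncation remark is measured against. The DER helpers, the CN-only names and the certificate skeleton built in the test are constructed here for illustration; they are not real certificates and the parser is deliberately minimal (short and two-octet DER lengths only).

```python
import struct

# TLS 1.0 / 1.1 CertificateRequest body (RFC 2246 and RFC 4346, section 7.4.4):
#   ClientCertificateType certificate_types<1..2^8-1>;
#   DistinguishedName     certificate_authorities<0..2^16-1>;   (empty allowed in TLS 1.1)
# Each DistinguishedName is opaque<1..2^16-1> holding a DER-encoded X.501 Name.

RSA_SIGN = 1                       # ClientCertificateType.rsa_sign
DSS_SIGN = 2                       # ClientCertificateType.dss_sign
MAX_CA_LIST_BYTES = 2 ** 16 - 1    # protocol limit on the whole DN vector
OID_COMMON_NAME = b"\x55\x04\x03"  # contents octets of OID 2.5.4.3 (id-at-commonName)

def der_tlv(tag, body):
    """Encode one DER TLV; lengths up to 65535 are all this example needs."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + struct.pack("!H", n)
    return bytes([tag]) + length + body

def der_read(data, pos=0):
    """Decode the DER TLV at `pos`; returns (tag, contents, position after the TLV)."""
    tag, first, pos = data[pos], data[pos + 1], pos + 2
    if first < 0x80:
        n = first
    else:
        n_octets = first & 0x7F
        if n_octets == 0 or n_octets > 2:
            raise ValueError("unsupported DER length encoding")
        n = int.from_bytes(data[pos:pos + n_octets], "big")
        pos += n_octets
    if pos + n > len(data):
        raise ValueError("DER element overruns its buffer")
    return tag, data[pos:pos + n], pos + n

def der_cn_name(common_name):
    """Constructed CN-only Name: SEQUENCE { SET { SEQUENCE { OID 2.5.4.3, UTF8String } } }."""
    atv = der_tlv(0x30, der_tlv(0x06, OID_COMMON_NAME) + der_tlv(0x0C, common_name.encode("utf-8")))
    return der_tlv(0x30, der_tlv(0x31, atv))

def common_name_of(dn):
    """Return the first CN attribute found in a DER Name, or None."""
    _, name, _ = der_read(dn)
    pos = 0
    while pos < len(name):
        _, rdn, pos = der_read(name, pos)
        _, atv, _ = der_read(rdn)          # first AttributeTypeAndValue of this RDN
        tag, oid, after_oid = der_read(atv)
        if tag == 0x06 and oid == OID_COMMON_NAME:
            return der_read(atv, after_oid)[1].decode("utf-8")
    return None

def issuer_name_of_certificate(cert_der):
    """Issuer-DN extraction. Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig } and
    TBSCertificate opens with [0] version OPTIONAL, serialNumber, signature, issuer."""
    _, cert, _ = der_read(cert_der)
    _, tbs, _ = der_read(cert)
    tag, _, pos = der_read(tbs)
    pos = pos if tag == 0xA0 else 0        # skip the explicit version tag when present
    _, _, pos = der_read(tbs, pos)         # serialNumber
    _, _, pos = der_read(tbs, pos)         # signature AlgorithmIdentifier
    tag, _, end = der_read(tbs, pos)
    if tag != 0x30:
        raise ValueError("issuer is not a SEQUENCE")
    return tbs[pos:end]

def encode_certificate_request(cert_types, ca_names):
    """Serialize a CertificateRequest body; ca_names is a list of DER Names, possibly empty."""
    if not 1 <= len(cert_types) <= 255:
        raise ValueError("certificate_types must hold 1..255 entries")
    ca_blob = b"".join(struct.pack("!H", len(dn)) + dn for dn in ca_names)
    if len(ca_blob) > MAX_CA_LIST_BYTES:
        raise ValueError("certificate_authorities exceeds the 2^16-1 byte limit")
    return bytes([len(cert_types)]) + bytes(cert_types) + struct.pack("!H", len(ca_blob)) + ca_blob

def decode_certificate_request(data):
    """Parse a CertificateRequest body into (cert_types, [DER Name, ...]); strict on lengths."""
    n_types = data[0]
    cert_types, pos = list(data[1:1 + n_types]), 1 + n_types
    (ca_len,) = struct.unpack("!H", data[pos:pos + 2])
    pos, end = pos + 2, pos + 2 + ca_len
    if end != len(data):
        raise ValueError("certificate_authorities length does not match message size")
    names = []
    while pos < end:
        if pos + 2 > end:
            raise ValueError("truncated DistinguishedName length")
        (dn_len,) = struct.unpack("!H", data[pos:pos + 2])
        pos += 2
        if dn_len == 0 or pos + dn_len > end:
            raise ValueError("malformed DistinguishedName entry")
        names.append(data[pos:pos + dn_len])
        pos += dn_len
    return cert_types, names

def max_names_in_list(dn):
    """How many copies of `dn` fit under the protocol limit (2 length bytes + DER each)."""
    return MAX_CA_LIST_BYTES // (2 + len(dn))
```

Feeding `decode_certificate_request` the body captured by an SSL debugging tool gives the list of issuer names a public server asks for; running `issuer_name_of_certificate` over a pile of collected certificates is the "issuer DN extraction utility" from the original question. With CN-only names of about 30 bytes the 2^16-1 limit holds roughly two thousand entries, so a server that cuts the operator's list to a much smaller count is applying its own cap, not the protocol's.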
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography