On Mon, Oct 17, 2011 at 3:09 PM, =JeffH <[email protected]> wrote:
> Tho, getting TLS extensions actually implemented and deployed seems to take
> a few forevers.

Quite so.

> I wonder about hacking it (conveyance of pinning/unpinning info), for the
> nearer-term, into a cert extension. Then just modifying client apps (e.g.
> browsers) is what's necessary.

Your average sys admin is more comfortable telling Apache to send a particular header with particular text than wrangling openssl(1) to add various extensions to a certificate.

I don't see a security problem with using the application layer (e.g. HTTP) to inform the transport layer (TLS), as long as the transport layer correctly uses the information to exercise policy on subsequent connections. That's easier said than done in UA implementation code, of course, but I'm willing to (try to) write that code. I'm not willing to make sys admins wrangle with X.509 and the openssl command line. (For example, can anyone here tell me the command line to add a custom certificate extension to an existing certificate?)

It would be cleaner to have it all in the TLS layer, but ease-of-deployment concerns dominate. People have a hard enough time with X.509 as it is.

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
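The mechanism argued for in the message above (an HTTP header carries pin information, and the TLS layer applies it as policy on later connections), modelled as an added example that is not part of the thread or of any browser's code. The header syntax (`pin-sha256="..."; max-age=N`) is assumed from the websec key-pinning draft style, and the SPKI byte strings are constructed sample values rather than real certificates.

```python
import base64
import hashlib
import re
import time

# Header syntax assumed here (pin-sha256="..."; max-age=N), modelled on the
# websec key-pinning draft; sample SPKI values below are constructed, not real.
PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')
AGE_RE = re.compile(r'max-age=(\d+)')

def spki_pin(spki_der: bytes) -> str:
    """A pin is base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_pin_header(value: str):
    """Return (pins, max_age) or None when the header is unusable."""
    pins = set(PIN_RE.findall(value))
    age = AGE_RE.search(value)
    return (pins, int(age.group(1))) if pins and age else None

class PinStore:
    """Client-side store, host -> (pins, expiry). Filled by the HTTP layer,
    consulted by the TLS layer before trusting a later connection."""
    def __init__(self, now=time.time):
        self._now = now
        self._pins = {}

    def note_header(self, host, header_value, current_chain_spki) -> bool:
        """Accept a header only if the chain it arrived over matches one of
        its pins; otherwise a bad or hostile header could lock users out."""
        parsed = parse_pin_header(header_value)
        if parsed is None:
            return False
        pins, max_age = parsed
        if max_age == 0:                      # max-age=0 removes the pin
            self._pins.pop(host, None)
            return True
        if not any(spki_pin(s) in pins for s in current_chain_spki):
            return False
        self._pins[host] = (pins, self._now() + max_age)
        return True

    def chain_allowed(self, host, chain_spki) -> bool:
        """Policy on a subsequent connection: no active pin, or a match."""
        entry = self._pins.get(host)
        if entry is None or entry[1] <= self._now():
            self._pins.pop(host, None)         # expired or absent: no policy
            return True
        return any(spki_pin(s) in entry[0] for s in chain_spki)
```

The `note_header` check that the delivering chain itself matches a pin is the part that keeps the application layer from handing the transport layer a policy it never validated.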
