
List:       ietf-tls
Subject:    Re: [TLS] TLS CCA certificate filtering according to Google
From:       Anders Rundgren <anders.rundgren () telia ! com>
Date:       2012-10-12 8:35:50
Message-ID: 5077D666.8090706 () telia ! com

On 2012-10-12 10:21, Henry Story wrote:
> Btw, in the WebID protocol we do have a case for certificate filtering,
> which I explain in more detail here:
> 
> http://lists.w3.org/Archives/Public/public-webid/2012Oct/0117.html
> 
> Perhaps this can be used as a guide for this group to think about improvements.

This is what I've been playing with in non-TLS CCA contexts:

https://code.google.com/p/openkeystore/source/browse/trunk/library/src/org/webpki/crypto/CertificateFilter.java


Anders


> Otherwise I would like to know what people here make of the feasibility of
> having a WebID DN hack as suggested there?
> 
> Henry
> 
> On 12 Oct 2012, at 10:13, Anders Rundgren <anders.rundgren@telia.com> wrote:
> 
> > http://code.google.com/p/android/issues/detail?id=38393
> > 
> > "I designed the API with the intent that filtering could be added later if
> > necessary, but I've never been convinced that users really are going to have
> > large numbers of keys. What I said about issuer filtering really is true. It
> > almost always is configured wrong if at all. If you can motivate a use case, I'm
> > all ears"
> >
> > The fact is that certificate filtering in TLS is in big need of improvement,
> > not only in Android but at the protocol level as well.
> > 
> > The alternative (which is probably what will happen) is that TLS CCA remains
> > a great solution for creating "secure tunnels between boxes".
> > 
> > -- Anders
> > _______________________________________________
> > TLS mailing list
> > TLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/tls
> 
> Social Web Architect
> http://bblfish.net/
> 

