upvote

points

by nickf2 hours ago |
comments
upvoteby xg152 hours ago|
[-]
It seems reasonable for server-to-server auth though? Suppose my server xmpp.foo.com already trusts the other server xmpp.bar.com. Now I get some random incoming connection. How would I verify that this connection indeed originates from xmpp.bar.com? LE-assigned client certs sound like a good solution to that problem.
reply
upvoteby Avamander1 hours ago|
parent|
[-]
Which is almost exactly why WebPKI doesn't want to support such use-cases. Just this EKU change alone demonstrates how it can hinder WebPKI changes.
reply
upvoteby ge0rg1 hours ago|
parent|
next
[-]
Can you point out, at which point in time exactly, the public TLS PKI infrastructure has been reduced to WebPKI?
reply
upvoteby Avamander1 hours ago|
parent|
[-]
Can you point out at which point in time exactly it was designed to serve every use-case?
reply
upvoteby ge0rg1 hours ago|
parent|
[-]
The public TLS PKI was never supposed to serve every use case and you know it. But let me point out when it was possible to get a public CA certificate for an XMPP server with SRVname and xmppAddr:

  Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1096750 (0x10bc2e)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
        Validity
            Not Before: May 27 16:16:59 2015 GMT
            Not After : May 28 12:34:54 2016 GMT
        Subject: C = DE, CN = chat.yax.im, emailAddress = hostmaster@yax.im
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:chat.yax.im, DNS:yax.im, xmppAddr:chat.yax.im, dnsSRV:chat.yax.im, xmppAddr:yax.im, dnsSRV:yax.im
Ironically, this was the last server certificate I obtained pre-LetsEncrypt.
reply
upvoteby Avamander59 minutes ago|
parent|
[-]
So you understand that there are different purposes as well. Are you saying that you can't get a client auth certificate any more?
reply
upvoteby xg151 hours ago|
parent|
prev|
[-]
Huh? The entire purpose of that EKU change was to disallow that usecase. How did that demonstrate problems for WebPKI?
reply
upvoteby Avamander1 hours ago|
parent|
[-]
This post here is the demonstration, that some non-WebPKI purpose is causing issues and complaints. This has happened before with SHA-1 deprecation. WebPKI does not want this burden and should not have this burden.
reply
upvoteby xg151 hours ago|
parent|
[-]
Ok, so this is an official split of "WebPKI" and "everything else PKI" then?

Last time I checked, Let's Encrypt was saying they provide free TLS certs, not free WebPKI certs. When did that change?

reply
upvoteby Avamander1 hours ago|
parent|
[-]
That's being overly pedantic. PKIs for different purposes have been separate for a while, if not from the start. LE is still giving you a "TLS cert".
reply