undefined | Better HN

0 pointsAvamander2mo ago0 comments

Which is almost exactly why WebPKI doesn't want to support such use-cases. Just this EKU change alone demonstrates how it can hinder WebPKI changes.

0 comments

ge0rg2mo ago

Can you point out, at which point in time exactly, the public TLS PKI infrastructure has been reduced to WebPKI?

AvamanderOP2mo ago

Can you point out at which point in time exactly it was designed to serve every use-case?

ge0rg2mo ago

The public TLS PKI was never supposed to serve every use case and you know it. But let me point out when it was possible to get a public CA certificate for an XMPP server with SRVname and xmppAddr:

  Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1096750 (0x10bc2e)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
        Validity
            Not Before: May 27 16:16:59 2015 GMT
            Not After : May 28 12:34:54 2016 GMT
        Subject: C = DE, CN = chat.yax.im, emailAddress = hostmaster@yax.im
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:chat.yax.im, DNS:yax.im, xmppAddr:chat.yax.im, dnsSRV:chat.yax.im, xmppAddr:yax.im, dnsSRV:yax.im

Ironically, this was the last server certificate I obtained pre-LetsEncrypt.

AvamanderOP2mo ago

So you understand that there are different purposes as well. Are you saying that you can't get a client auth certificate any more?

xg152mo ago

Huh? The entire purpose of that EKU change was to disallow that usecase. How did that demonstrate problems for WebPKI?

AvamanderOP2mo ago

This post here is the demonstration, that some non-WebPKI purpose is causing issues and complaints. This has happened before with SHA-1 deprecation. WebPKI does not want this burden and should not have this burden.

xg152mo ago

Ok, so this is an official split of "WebPKI" and "everything else PKI" then?

Last time I checked, Let's Encrypt was saying they provide free TLS certs, not free WebPKI certs. When did that change?

bawolff2mo ago

You are being pedantic but also pedantically incorrect.

Lets encrypt provides value by providing signed TLS certs that are enrolled in webPKI (i.e. trusted by browsers).

If they were just provided a (not necessarily trusted) tls cert, like what anyone can generate from the command line, nobody would use them.

1 more reply

AvamanderOP2mo ago

That's being overly pedantic. PKIs for different purposes have been separate for a while, if not from the start. LE is still giving you a "TLS cert".

account422mo ago

Great circular reasoning there buddy.

j / k navigate · click thread line to collapse

0 comments

ge0rg2mo ago

Can you point out, at which point in time exactly, the public TLS PKI infrastructure has been reduced to WebPKI?

AvamanderOP2mo ago

Can you point out at which point in time exactly it was designed to serve every use-case?

ge0rg2mo ago

  Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1096750 (0x10bc2e)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
        Validity
            Not Before: May 27 16:16:59 2015 GMT
            Not After : May 28 12:34:54 2016 GMT
        Subject: C = DE, CN = chat.yax.im, emailAddress = hostmaster@yax.im
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:chat.yax.im, DNS:yax.im, xmppAddr:chat.yax.im, dnsSRV:chat.yax.im, xmppAddr:yax.im, dnsSRV:yax.im

Ironically, this was the last server certificate I obtained pre-LetsEncrypt.

AvamanderOP2mo ago

So you understand that there are different purposes as well. Are you saying that you can't get a client auth certificate any more?

xg152mo ago

Huh? The entire purpose of that EKU change was to disallow that usecase. How did that demonstrate problems for WebPKI?

AvamanderOP2mo ago

xg152mo ago

Ok, so this is an official split of "WebPKI" and "everything else PKI" then?

Last time I checked, Let's Encrypt was saying they provide free TLS certs, not free WebPKI certs. When did that change?

bawolff2mo ago

You are being pedantic but also pedantically incorrect.

Lets encrypt provides value by providing signed TLS certs that are enrolled in webPKI (i.e. trusted by browsers).

If they were just provided a (not necessarily trusted) tls cert, like what anyone can generate from the command line, nobody would use them.

1 more reply

AvamanderOP2mo ago

That's being overly pedantic. PKIs for different purposes have been separate for a while, if not from the start. LE is still giving you a "TLS cert".

account422mo ago

Great circular reasoning there buddy.

j / k navigate · click thread line to collapse