[Cryptography] ALPACA
Viktor Dukhovni
cryptography at dukhovni.org
Thu Jun 10 00:57:27 EDT 2021
On Wed, Jun 09, 2021 at 10:16:21AM -0400, Jerry Leichter wrote:
> TLS certificates validate host names, not IP addresses or port
> numbers.
Well, TLS certificates can validate arbitrary Subject Alternative Names,
which can be more specific that just a hostname. The real issue is that
hostnames are the only things that the CA/B forum issuers (i.e. Let's
Encrypt) know how to issue DV certificates for.
There are some RFCs recommending the user of SRV-ID identifiers in
certificates, but of course nobody actually uses these.
When the client uses DANE-EE(3), the TLS certificate can be just a
slightly bloated public key container, even with no names at all, and
with the port number explicit in the TLSA record, it becomse possible
(and a best-practice) to mint a separate key pair for every service.
Below my signature is an example live DANE-validated certificate from an
actual SMTP server. Speaking of SMTP, it is somewhat regrettable that a
design weakness in the browser space is being reported as an issue with
SMTP servers. If browsers don't know who they're talking to, it is not
the SMTP servers' fault.
For Postfix, the only reported nit is that "MAIL FROM" will stutter
malformed input in SMTP error messages, but since Postfix hangs up on
"GET " and "POST ", ... it is not exactly clear how a browser is coaxed
into sending "MAIL FROM:..." without having the connection dropped
before that happens. But even it is practical, the browser's the guily
party, the SMTP servers are not returning a formed HTTP responses.
If browsers choose to act on line noise, that's a browser issue.
--
Viktor.
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
c3:26:2b:13:ca:b1:36:72
Signature Algorithm: sha256WithRSAEncryption
Issuer:
Validity
Not Before: Jul 27 14:59:59 2014 GMT
Not After : Nov 27 14:59:59 3013 GMT
Subject:
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
00:b6:d3:42:35:68:e9:2a:9e:ba:f8:f0:f4:bf:30:
b5:0b:40:cd:10:4b:20:94:aa:fc:e8:d3:b1:b8:15:
cc:24:ba:7f:95:b5:85:92:e9:d5:97:70:d3:fd:b3:
c9:91:ba:d5:85:5d:c6:6d:98:8b:c3:b3:79:74:a7:
41:c6:f4:df:14:53:bb:90:21:72:71:ba:e2:56:03:
0a:0b:a9:db:d5:92:d3:90:58:4e:eb:a4:8b:51:80:
db:5f:56:26:cf:9b:26:a8:2e:42:df:54:14:86:4e:
1f:ad:b2:9c:57:54:16:7a:39:25:a3:b3:90:97:eb:
70:92:04:27:10:b6:fd:9e:70:4f:b2:02:e2:fa:6d:
90:eb:9a:0c:64:3c:31:86:4c:98:99:47:00:75:b6:
d0:bb:80:02:13:c7:43:97:24:ec:1e:3e:b1:1c:d6:
c7:b7:de:fc:e8:bb:c6:d8:20:74:16:09:27:2d:17:
17:a5:a4:41:d0:f6:60:de:a2:84:fa:e4:8d:dd:1e:
98:7e:19:75:a4:87:52:18:45:d9:6d:39:3e:2c:b2:
64:1a:13:37:26:3f:72:8c:7d:fe:2e:d6:26:d7:cc:
37:aa:06:4a:2f:ea:bc:0f:00:5f:d5:30:79:e8:11:
21:64:03:b9:91:e5:da:47:6b:7d:43:e6:5e:20:e8:
1d:1d:1e:3d:b8:57:62:01:98:13:5b:cc:a8:9f:6b:
d2:34:e0:6f:86:b8:ac:9d:89:f1:e9:27:b9:f8:55:
ce:a2:8a:33:2b:ac:3a:65:c0:fb:12:b8:f7:5a:47:
a6:ea:83:80:88:0f:ca:d4:d5:dc:62:5c:08:d9:cf:
e6:ca:fe:32:00:9e:e3:c0:53:99:21:a3:c9:4f:66:
07:fc:61:e2:20:18:01:7f:61:dd:e1:72:b5:fd:c3:
97:23:2a:51:bf:42:58:64:0d:2b:4e:cc:85:a0:5e:
01:52:2b:7b:46:f0:63:19:9b:a3:5e:2c:70:23:36:
a3:a9:3a:b3:60:2e:ad:78:68:96:ce:a4:4c:ea:13:
77:02:97:c4:55:82:f3:fd:3b:f3:f4:65:4e:dd:3b:
fe:d2:dd:d0:da:29:e8:3e:dd:a9:e3:c6:16:db:eb:
f8:90:72:dc:54:37:17:15:c9:43:1f:de:9d:5b:02:
5e:03:a9:3e:78:75:15:4d:bc:84:bf:a0:7e:4a:68:
7d:2b:c6:c5:b5:da:09:8b:f3:45:6e:82:2b:8b:be:
e9:5d:b7:b3:f0:e8:0d:04:8c:e3:b8:ca:23:1d:dc:
10:09:09:2e:1e:bf:23:4c:67:be:64:c1:90:fd:62:
57:17:d4:33:e6:1d:4c:70:d7:58:f6:17:5e:d2:4b:
d5:1f:9b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
98:C6:9B:D5:20:5C:1D:A8:31:39:BD:78:11:37:FF:BD:AD:5B:BD:59
X509v3 Authority Key Identifier:
keyid:98:C6:9B:D5:20:5C:1D:A8:31:39:BD:78:11:37:FF:BD:AD:5B:BD:59
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
8d:47:1d:df:5f:63:ec:db:7b:a3:a3:a6:50:d0:76:f5:1a:86:
da:21:bf:78:4d:4c:ab:ef:af:a1:be:e9:a5:29:20:6b:05:a3:
88:85:0e:57:17:9c:e6:8c:f5:87:c7:07:a3:7b:ed:7d:f4:03:
07:5a:6e:b4:bf:9c:db:6d:33:24:ae:4d:0e:39:06:54:9e:71:
68:f6:5d:58:e9:19:ff:ef:e2:e5:7c:a9:b9:da:21:dd:14:19:
d8:c1:6b:ab:ae:fd:2f:86:14:b9:8f:bf:77:75:b8:07:cc:0a:
62:8a:00:98:c4:fb:0e:ec:ef:f7:11:88:0a:05:0e:ef:9b:c0:
98:e0:39:47:c0:83:af:5a:f6:aa:3d:8f:2c:5d:b1:95:b4:93:
a1:86:bf:1d:b1:45:91:e5:7f:6f:63:ab:59:cf:03:4e:c0:37:
fe:ce:9f:2d:cd:64:a1:81:62:00:79:32:4d:b0:43:2e:58:6e:
c7:79:f7:b6:74:be:c9:65:c6:2f:d0:e9:b8:56:60:d4:46:48:
d8:6d:da:b2:81:59:a9:f4:94:8c:c4:9f:f6:ab:16:6f:f1:04:
e7:e9:2a:bb:04:1f:4d:c5:c2:e0:0b:b0:60:d8:1c:31:59:da:
c6:32:6c:77:8b:db:e7:77:88:4d:15:45:c9:ea:b8:95:5a:d3:
d6:5f:19:ed:cd:5d:84:0d:30:75:70:ac:a3:9a:6d:83:fe:bc:
60:fa:bb:2b:48:d7:12:eb:4a:e3:40:bf:01:56:a9:0d:d4:fc:
49:88:70:6b:0a:24:36:e8:c2:dd:ea:6c:67:cf:5e:d2:0a:7a:
31:b8:92:93:7c:f5:8c:91:8e:e9:d9:39:ec:1f:f2:98:0c:3d:
d5:33:33:53:bd:b1:63:b6:18:e3:20:c6:50:2a:f1:09:50:5d:
88:69:76:91:38:a1:c1:47:71:09:12:75:6d:a0:17:72:ad:e6:
78:40:18:d3:04:04:70:3a:bf:74:45:0c:48:7a:7b:fe:0a:fd:
ff:cb:ae:f7:85:50:fa:e2:23:73:87:54:ea:80:7e:c9:5f:da:
80:3f:af:04:3a:58:d8:4b:24:75:58:a0:c5:94:0a:b8:8e:62:
15:7e:3e:da:41:a8:a2:80:1b:c6:43:03:ae:2c:8c:fc:c7:83:
df:38:df:b8:12:d2:ac:c1:10:b4:66:75:77:c8:a5:6f:49:16:
c4:27:04:c2:fe:52:a4:ef:62:86:25:00:e7:ce:02:e7:4d:6c:
c8:60:83:1f:4c:ba:d9:1b:83:da:cc:5d:bf:89:37:04:a7:85:
62:de:4d:2c:4e:d0:13:c4:cd:81:51:4a:b0:07:53:95:6f:42:
9e:2e:32:12:7b:1c:c1:c3
-----BEGIN CERTIFICATE-----
MIIE1TCCAr2gAwIBAgIJAMMmKxPKsTZyMA0GCSqGSIb3DQEBCwUAMAAwIBcNMTQw
NzI3MTQ1OTU5WhgPMzAxMzExMjcxNDU5NTlaMAAwggIiMA0GCSqGSIb3DQEBAQUA
A4ICDwAwggIKAoICAQC200I1aOkqnrr48PS/MLULQM0QSyCUqvzo07G4Fcwkun+V
tYWS6dWXcNP9s8mRutWFXcZtmIvDs3l0p0HG9N8UU7uQIXJxuuJWAwoLqdvVktOQ
WE7rpItRgNtfVibPmyaoLkLfVBSGTh+tspxXVBZ6OSWjs5CX63CSBCcQtv2ecE+y
AuL6bZDrmgxkPDGGTJiZRwB1ttC7gAITx0OXJOwePrEc1se33vzou8bYIHQWCSct
FxelpEHQ9mDeooT65I3dHph+GXWkh1IYRdltOT4ssmQaEzcmP3KMff4u1ibXzDeq
Bkov6rwPAF/VMHnoESFkA7mR5dpHa31D5l4g6B0dHj24V2IBmBNbzKifa9I04G+G
uKydifHpJ7n4Vc6iijMrrDplwPsSuPdaR6bqg4CID8rU1dxiXAjZz+bK/jIAnuPA
U5kho8lPZgf8YeIgGAF/Yd3hcrX9w5cjKlG/QlhkDStOzIWgXgFSK3tG8GMZm6Ne
LHAjNqOpOrNgLq14aJbOpEzqE3cCl8RVgvP9O/P0ZU7dO/7S3dDaKeg+3anjxhbb
6/iQctxUNxcVyUMf3p1bAl4DqT54dRVNvIS/oH5KaH0rxsW12gmL80VugiuLvuld
t7Pw6A0EjOO4yiMd3BAJCS4evyNMZ75kwZD9YlcX1DPmHUxw11j2F17SS9UfmwID
AQABo1AwTjAdBgNVHQ4EFgQUmMab1SBcHagxOb14ETf/va1bvVkwHwYDVR0jBBgw
FoAUmMab1SBcHagxOb14ETf/va1bvVkwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B
AQsFAAOCAgEAjUcd319j7Nt7o6OmUNB29RqG2iG/eE1Mq++vob7ppSkgawWjiIUO
Vxec5oz1h8cHo3vtffQDB1putL+c220zJK5NDjkGVJ5xaPZdWOkZ/+/i5Xypudoh
3RQZ2MFrq679L4YUuY+/d3W4B8wKYooAmMT7Duzv9xGICgUO75vAmOA5R8CDr1r2
qj2PLF2xlbSToYa/HbFFkeV/b2OrWc8DTsA3/s6fLc1koYFiAHkyTbBDLlhux3n3
tnS+yWXGL9DpuFZg1EZI2G3asoFZqfSUjMSf9qsWb/EE5+kquwQfTcXC4AuwYNgc
MVnaxjJsd4vb53eITRVFyeq4lVrT1l8Z7c1dhA0wdXCso5ptg/68YPq7K0jXEutK
40C/AVapDdT8SYhwawokNujC3epsZ89e0gp6MbiSk3z1jJGO6dk57B/ymAw91TMz
U72xY7YY4yDGUCrxCVBdiGl2kTihwUdxCRJ1baAXcq3meEAY0wQEcDq/dEUMSHp7
/gr9/8uu94VQ+uIjc4dU6oB+yV/agD+vBDpY2EskdVigxZQKuI5iFX4+2kGoooAb
xkMDriyM/MeD3zjfuBLSrMEQtGZ1d8ilb0kWxCcEwv5SpO9ihiUA584C501syGCD
H0y62RuD2sxdv4k3BKeFYt5NLE7QE8TNgVFKsAdTlW9Cni4yEnscwcM=
-----END CERTIFICATE-----
More information about the cryptography
mailing list