Maturity model for X509 certificates
X509 certificates at their core provide authentication through a trusted third party. A lot of programs use certificates however lack in their support of the general principles of X509. So what are the principles of X509?
Principles of X509
X509 validation is a peer to peer validation. In some cases on peer is a client application like a web browser and the other is a webserver. Other times it is a email client validating a S/MIME email from another email client.
What should application do?
Now that the basics principle of X509 is defined what should applications do?
Validating a peer certificate
- there should be flexibility in the way CAs are managed
the way a certificate is used should match the domain, email information of the DN, SN, SubjectAltName (TODO expand - see vhost taskforce)
- Validation of purpose and validity period should occur date
- OCSP should be used to validate that a certificate hasn't been revoked.
- applications should understand OCSP stapling falling back to direct OCSP requests when OCSP stapling isn't used.
- when SNI information is provided in a TLS connection an corresponding certificate should be provided to facilitate validation
Authenticating to a peer:
- Users should be able to control when and which certificate is presented to a server.
- Users should be able to manage this choice in a flexible manner.
- TLS applications should provide OCSP stapling information
- TLS connections should present hostname information as part of SNI if instigating a connection.
- An acceptable list of CAs should be provided at the beginning of an authenticated TLS connection
User interface:
Certificate usage should be simple and intuitive. The user should be able to set standing preferences to prevent too many repetitive decisions.
- the certificate information should be obvious to the user.
- the user should be able to maintain a trusted store of certificates.
- the application using a certificate that the user trusts should be obvious.
- the way a validation error is presented to the user should use language comparative to the risk incurred.
- applications should have a clear certificate management interface.
Products that could have more support for X509 certificates
X509 certificates are using in ["EmailCertificates" S/MIME] for email encryption and as a Web client side certificate. There are however a large number of other uses for certificates. This pages attempts to describe some of them.
If you like to help out you could just work for on getting X509 well supported in that product. This will also help out CAcert users who will eventually have more uses for their certificates.
Web Applications
There are a large number of web applications that are very dependent on username/password combinations. When you have a X509 certificate you should be able to use that to authenticate yourself to websites.
There are two ways to do this. One with OpenID and the other with direct X509 support.
Here are some applications that would be nice to have either OpenID or X509 support.
List Management
Bug Trackers
Wiki Software
Other Applications
As OpenID is pretty much a web authentication framework, here are a list of other TLS/SSL protocols that could use client side certificates for authentication.
POP3 / IMAP servers
- Dovecot - partial support in version 1.1 though 'ssl_cert_username_field'. Needs OCSP support.
POP3 / IMAP clients
Kmail - cannot specify a client side certificate in TLS/SSL (actually it can
- turn on prompting for the authentication in konqueror and that is shared with kmail.
SMTP servers (for submission)
- Postfix - needs to map to an authentication model. Maybe in the very later versions.
Language support
Having complete support in libraries is key to getting adoption in applications
Python
http://pypi.python.org/pypi/TLS%20Lite
http://docs.python.org/3.0/library/ssl.html
http://bugs.python.org/issue968430
http://wiki.python.org/moin/M2Crypto
S/MIME - notably missing
Perl
http://search.cpan.org/~awestholm/Net-SMTP-TLS/
http://search.cpan.org/search?query=OCSP&mode=all
http://search.cpan.org/~mikage/Crypt-SMIME-0.09/
PHP
http://pear.php.net/pepr/pepr-proposal-show.php?id=591