Hey folks-- I thought that people in UTA might be interested in this recent academic work on teasing apart various facets of X.509 validation:
https://cbw.sh/static/pdf/larisch-ccs22.pdf This is: "Hammurabi: A Framework for Pluggable, Logic-Based X.509 Certificate Validation Policies" They describe a project that splits apart X.509 certificate mechanism from policy, and their policy is rich enough to be able to express a near-perfect match for different browser policies (they focused on Chrome and Firefox), concise enough to be represented in < 650 lines of prolog. I'm personally a little horrified that either browser's policy require anything close to 650 lines, especially in terms of how much they can diverge from one another. But at least it's a more compact and directly comparable form to be able to tease apart what the differences are between implementations. At the very least, it's useful to be able to see the gaps more clearly -- they compare Firefox and Chrome explicitly in ยง7.3 and identify 9 variations. Any TLS client-side deployment should be interested in considering how their approach follows (or diverges) from others. --dkg
signature.asc
Description: PGP signature
_______________________________________________ Uta mailing list Uta@ietf.org https://www.ietf.org/mailman/listinfo/uta
