Open dmfs opened 8 years ago
For TLS 1.2 the certificate request message is specified in RFC 5246, section 7.4.4.
A structure that provides the specified fields is given below:
{
  "ttl": 2592000,
  "provider": {
    "name": "Your Provider",
    "image": "https://yourprovider.example.com/icon.png",
    "services": [
      {
        "name": "Calendars",
        "service-type": "caldav",
        "uri": "https://caldav.example.com",
        "certificate-request": {
          "is-optional": false,
          "certificate-types": ["rsa_sign", "rsa_fixed_dh"],
          "supported-signature-algorithms": [
            {
              "hash": "sha1",
              "signature": "rsa"
            },
            {
              "hash": "sha256",
              "signature": "ecdsa"
            }
          ],
          "certificate-authorities": ["CN=Example CA, OU=CA, O=Example Corp, C=US"]
        }
      },
      {
        "name": "Contacts",
        "service-type": "carddav",
        "uri": "https://carddav.example.com",
        "certificate-request": {
          "is-optional": false,
          "certificate-types": ["rsa_sign", "rsa_fixed_dh"],
          "supported-signature-algorithms": [
            {
              "hash": "sha1",
              "signature": "rsa"
            },
            {
              "hash": "sha256",
              "signature": "ecdsa"
            }
          ],
          "certificate-authorities": ["CN=Example CA, OU=CA, O=Example Corp, C=US"]
        }
      }
    ]
  }
}
The member names are taken from RFC 5246, using - instead of _.
I think it's common to specify the DN of the CA as a String. Optionally we could represent it in native JSON:
"certificate-authorities": [{
  "CN": "Example CA",
  "OU": "CA",
  "O": "Example Corp",
  "C": "US"
}]
Does anyone know of a standard JSON representation of DNs?
Added a member field to indicate whether a valid client certificate is mandatory or optional.
Would it be useful to provide information about client certificates that might be required to access a service? SSL/TLS has an in-band mechanism to ask the client for a specific certificate but for clients it might be useful to know about that in advance (to improve the UX). Which information do we need?
Anything else?
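As an added illustration (not code from this issue or from the project), here is a small Python module that checks a certificate-request object against the enumerations of RFC 5246 section 7.4.4 (plus the ECC client certificate types from RFC 4492), parses the string form of the CA names using RFC 4514 syntax, and decides whether a given client certificate would satisfy the request, which is what a client would want to know in advance to pick a certificate without a failed handshake. The sample service object is constructed from the proposal above; the function names are my own assumptions.

```python
"""Validate the proposed certificate-request JSON against RFC 5246 7.4.4
and handle the string DNs it carries (added example, not project code)."""
import re

# RFC 5246 section 7.4.4 enumerations (ClientCertificateType, HashAlgorithm,
# SignatureAlgorithm) plus the ECC client certificate types from RFC 4492.
# Values keep the RFC's underscores; only member names use hyphens.
CLIENT_CERTIFICATE_TYPES = {
    "rsa_sign": 1, "dss_sign": 2, "rsa_fixed_dh": 3, "dss_fixed_dh": 4,
    "ecdsa_sign": 64, "rsa_fixed_ecdh": 65, "ecdsa_fixed_ecdh": 66,
}
HASH_ALGORITHMS = {"none": 0, "md5": 1, "sha1": 2, "sha224": 3,
                   "sha256": 4, "sha384": 5, "sha512": 6}
SIGNATURE_ALGORITHMS = {"anonymous": 0, "rsa": 1, "dsa": 2, "ecdsa": 3}
WEAK_HASHES = {"none", "md5", "sha1"}

# Constructed sample: the "Calendars" service object from the proposal.
SAMPLE_SERVICE = {
    "name": "Calendars",
    "service-type": "caldav",
    "uri": "https://caldav.example.com",
    "certificate-request": {
        "is-optional": False,
        "certificate-types": ["rsa_sign", "rsa_fixed_dh"],
        "supported-signature-algorithms": [
            {"hash": "sha1", "signature": "rsa"},
            {"hash": "sha256", "signature": "ecdsa"},
        ],
        "certificate-authorities": ["CN=Example CA, OU=CA, O=Example Corp, C=US"],
    },
}


def parse_dn(dn):
    """Split an RFC 4514 string DN into an ordered list of (type, value) pairs.

    Commas escaped as '\\,' stay inside the value. A list rather than a dict
    is returned because a DN may repeat an attribute type (two OU components,
    say), which a native JSON object with one key per type cannot express.
    """
    pairs = []
    for rdn in re.split(r"(?<!\\),\s*", dn.strip()):
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().upper(), value.replace("\\,", ",").strip()))
    return pairs


def format_dn(pairs):
    """Inverse of parse_dn: re-escape commas in values and join with ', '."""
    return ", ".join("%s=%s" % (a, v.replace(",", "\\,")) for a, v in pairs)


def validate_certificate_request(req):
    """Return (errors, warnings) for one certificate-request object."""
    errors, warnings = [], []
    if not isinstance(req.get("is-optional"), bool):
        errors.append("is-optional must be a boolean")
    for ctype in req.get("certificate-types", []):
        if ctype not in CLIENT_CERTIFICATE_TYPES:
            errors.append("unknown certificate type %r" % ctype)
    for alg in req.get("supported-signature-algorithms", []):
        h, s = alg.get("hash"), alg.get("signature")
        if h not in HASH_ALGORITHMS or s not in SIGNATURE_ALGORITHMS:
            errors.append("unknown signature algorithm pair %r" % (alg,))
        elif h in WEAK_HASHES:
            warnings.append("weak hash %s advertised for %s" % (h, s))
    for ca in req.get("certificate-authorities", []):
        try:
            parse_dn(ca)
        except ValueError as exc:
            errors.append("bad CA name %r: %s" % (ca, exc))
    return errors, warnings


def client_cert_acceptable(req, cert_type, hash_alg, sig_alg, issuer_dn):
    """Would a client certificate with these properties satisfy the request?

    Same checks a client applies to a TLS 1.2 CertificateRequest: the type
    must be listed, the (hash, signature) pair must be supported, and the
    issuer must match a named CA; an empty certificate-authorities list
    means any CA is acceptable (RFC 5246 section 7.4.4).
    """
    if cert_type not in req.get("certificate-types", []):
        return False
    wanted = {"hash": hash_alg, "signature": sig_alg}
    if wanted not in req.get("supported-signature-algorithms", []):
        return False
    cas = req.get("certificate-authorities", [])
    if not cas:
        return True
    issuer = parse_dn(issuer_dn)
    return any(parse_dn(ca) == issuer for ca in cas)
```

Running validate_certificate_request on the sample yields no errors but one warning for the sha1/rsa pair, which is the kind of thing a client could surface before it ever connects; parse_dn deliberately keeps repeated attribute types, which is the practical obstacle to the flat object form of the DN suggested above.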