IETF Logo Mail Archive

Re: [certid] Review of draft-saintandre-tls-server-id-check

Paul Hoffman <paul.hoffman@vpnc.org> Mon, 13 September 2010 16:16 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D51803A69FE for <certid@core3.amsl.com>; Mon, 13 Sep 2010 09:16:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.464
X-Spam-Level:
X-Spam-Status: No, score=-100.464 tagged_above=-999 required=5 tests=[AWL=0.093, BAYES_05=-1.11, HELO_MISMATCH_COM=0.553, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qkPIZ-dQS0Uk for <certid@core3.amsl.com>; Mon, 13 Sep 2010 09:16:38 -0700 (PDT)
Received: from hoffman.proper.com (Hoffman.Proper.COM [207.182.41.81]) by core3.amsl.com (Postfix) with ESMTP id BCBF13A69A0 for <certid@ietf.org>; Mon, 13 Sep 2010 09:16:38 -0700 (PDT)
Received: from [10.20.30.158] (75-101-30-90.dsl.dynamic.sonic.net [75.101.30.90]) (authenticated bits=0) by hoffman.proper.com (8.14.4/8.14.3) with ESMTP id o8DGH2HB007426 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 13 Sep 2010 09:17:04 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Mime-Version: 1.0
Message-Id: <p0624083dc8b3fe8cef8f@[10.20.30.158]>
In-Reply-To: <4C8E4C6B.3040803@stpeter.im>
References: <20100908195349.GA4292@isc.upenn.edu> <C8ADC7ED.EBA4%stefan@aaa-sec.com> <20100909182253.GB3460@isc.upenn.edu> <4C8E4C6B.3040803@stpeter.im>
Date: Mon, 13 Sep 2010 09:17:01 -0700
To: Peter Saint-Andre <stpeter@stpeter.im>, Shumon Huque <shuque@isc.upenn.edu>
From: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: text/plain; charset="us-ascii"
Cc: Bernard Aboba <bernard_aboba@hotmail.com>, Stefan Santesson <stefan@aaa-sec.com>, IETF cert-based identity <certid@ietf.org>, ietf@ietf.org, daedulus@btconnect.com
Subject: Re: [certid] Review of draft-saintandre-tls-server-id-check
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Sep 2010 16:16:40 -0000

At 10:08 AM -0600 9/13/10, Peter Saint-Andre wrote:
>As I see it, this I-D is attempting to capture best current practices
>regarding the issuance and checking of certificates containing
>application server identities. Do we have evidence that any existing
>certification authorities issue certificates containing both an SRVname
>for the source domain (e.g., example.com) and dNSName for the target
>domain (e.g., apphosting.example.net)? Do we have evidence that any
>existing application clients perform such checks? If not, I would
>consider such complications to be out of scope for this I-D.

A big +1 here. It is a Good Thing that people are starting to look at the interaction between SRV and security (it's also happening on the keyassure list), but it definitely seems like "starting to look at". Please do not instantiate anything until this has been discussed more widely.

--Paul Hoffman, Director
--VPN Consortium

v2.8.7 | Report a Bug | By Email