IETF Logo Mail Archive

Re: [certid] Comments on draft-saintandre-tls-server-id-check-04

Martin Rex <mrex@sap.com> Wed, 02 June 2010 22:51 UTC

Return-Path: <mrex@sap.com>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 256FC28C169 for <certid@core3.amsl.com>; Wed, 2 Jun 2010 15:51:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.518
X-Spam-Level:
X-Spam-Status: No, score=-7.518 tagged_above=-999 required=5 tests=[AWL=0.131, BAYES_50=0.001, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2UAV2UcAX69A for <certid@core3.amsl.com>; Wed, 2 Jun 2010 15:51:05 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 3C03328C139 for <certid@ietf.org>; Wed, 2 Jun 2010 15:51:04 -0700 (PDT)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id o52MooWk004160 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 3 Jun 2010 00:50:50 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201006022250.o52Moncr001727@fs4113.wdf.sap.corp>
To: mrex@sap.com
Date: Thu, 3 Jun 2010 00:50:49 +0200 (MEST)
In-Reply-To: <201006022237.o52MbEuR000805@fs4113.wdf.sap.corp> from "Martin Rex" at Jun 3, 10 00:37:13 am
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal07
X-SAP: out
Cc: certid@ietf.org
Subject: Re: [certid] Comments on draft-saintandre-tls-server-id-check-04
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Jun 2010 22:51:09 -0000

Martin Rex wrote:
> 
> Matt McCutchen wrote:
> > 
> > For some test results for implementation support for multiple CNs
> > (possibly outdated by now), see:
> > 
> > http://wiki.cacert.org/VhostTaskForce#Interoperability_Test
> 
> Thanks for that link!
> 
> I'm puzzled why the list shows IE.  AFAIK, the hostname matching
> is entirely performed inside of SChannel SSP
> (Microsoft's TLS implementation), and that is a part of the operating
> system since at least Windows 2000, and _not_ a part of the MSIE browser.
> 
> And even today, the installed base of Windows XP outnumbers the
> installed base of Windows Vista and Windows 7 combined, so talking
> about particular versions of MSIE instead of specific combinations
> of the Windows Operating System plus a particular version of
> the MSIE browser is confusing/misleading.

Background info:
http://msdn.microsoft.com/en-us/library/aa375924%28VS.85%29.aspx

See description of function parameter pszTargetName in the
API description of the SSPI call InitializeSecurityContext(SChannel).

The pszTargetName input parameter is necessary to make client side
session caching work, so it is likely always asserted by all versions
of MSIE -- causing the SChannel SSP to perform the certificate
verification against this name -- if the documentation is correct.

However, MSIE could add additional checks on top of that,
which I am not aware of.


-Martin

v2.8.7 | Report a Bug | By Email