IETF Logo Mail Archive

Re: [certid] Why require EKU for certid?

Paul Hoffman <paul.hoffman@vpnc.org> Thu, 30 September 2010 00:12 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EC3B43A6974 for <certid@core3.amsl.com>; Wed, 29 Sep 2010 17:12:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.358
X-Spam-Level:
X-Spam-Status: No, score=-101.358 tagged_above=-999 required=5 tests=[AWL=0.688, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qiuiwnYtIoI1 for <certid@core3.amsl.com>; Wed, 29 Sep 2010 17:12:24 -0700 (PDT)
Received: from hoffman.proper.com (Hoffman.Proper.COM [207.182.41.81]) by core3.amsl.com (Postfix) with ESMTP id E09FD3A6AE3 for <certid@ietf.org>; Wed, 29 Sep 2010 17:12:23 -0700 (PDT)
Received: from [10.20.30.163] (75-101-30-90.dsl.dynamic.sonic.net [75.101.30.90]) (authenticated bits=0) by hoffman.proper.com (8.14.4/8.14.3) with ESMTP id o8U0D29h090024 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 29 Sep 2010 17:13:05 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Mime-Version: 1.0
Message-Id: <p0624084fc8c98553729e@[10.20.30.163]>
In-Reply-To: <C8C9964F.F751%stefan@aaa-sec.com>
References: <C8C9964F.F751%stefan@aaa-sec.com>
Date: Wed, 29 Sep 2010 17:13:01 -0700
To: Stefan Santesson <stefan@aaa-sec.com>
From: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: text/plain; charset="us-ascii"
Cc: IETF cert-based identity <certid@ietf.org>
Subject: Re: [certid] Why require EKU for certid?
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Sep 2010 00:12:25 -0000

At 1:20 AM +0200 9/30/10, Stefan Santesson wrote:
>My point is more that it is good practice to have serverAuth set when the CN
>attribute is allowed to carry a DN.

Yes it is. However, that is irrelevant to this document. It would be relevant to a document saying how to create a well-formed server certificate for TLS.

>Absent the serverAuth EKU it is hard to programmatically be sure that the CN
>actually contains a DNS name. Yes you can probably be pretty sure but there
>is just a slight chance for problems due to overloaded semantics.

Even if the serverAuth EKU is set, you cannot be sure the CN actually contains a DNS name. The two are orthogonal.

>ServerAuth provides a much cleaner indication than parsing the CN attribute
>only. I see potential security problems if a CA allows you to for example
>set your CN as a friendly name while other attributes such as givenName and
>SureName are checked against your registered name. The friendly name may be
>hard to check as it may differ from your registered name (ex Tim Polk).
>Thus some not so careful implementation may have poor checks and allow you
>to choose a domain name as your friendly name. This certificate may never be
>intended to be used for server authentication, but following the rules of
>the draft this certificate now allows spoofing and you would never detect
>that.

See both points above.

>More importantly it has to do with name constraints processing. If you
>accept the CN attribute as a domain name you need to make sure that it also
>matches any name constraints set for the dNSName of the path. It is much
>cleaner again to use the serverAuth as a mechanism for switching in this
>logic.

Then there should be a PKIX document saying this. It is not relevant to a document that tells how to match a domain name the client has in its left hand against the identities in the cert it holds in its right hand.

>Absent this check, the domain name may violate name constraints and you
>would never know. This is the most important point.

If the TLS client is doing full certificate path validation, the certificate cannot violate name constraints. That is quite different than what you just said.

--Paul Hoffman, Director
--VPN Consortium

v2.8.7 | Report a Bug | By Email