IETF Logo Mail Archive

Re: [certid] additional security consideration

Joe Orton <jorton@redhat.com> Thu, 18 March 2010 19:50 UTC

Return-Path: <jorton@redhat.com>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D17503A6A56 for <certid@core3.amsl.com>; Thu, 18 Mar 2010 12:50:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -107.019
X-Spam-Level:
X-Spam-Status: No, score=-107.019 tagged_above=-999 required=5 tests=[AWL=2.450, BAYES_00=-2.599, DNS_FROM_OPENWHOIS=1.13, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eu8LKEPrb4Qz for <certid@core3.amsl.com>; Thu, 18 Mar 2010 12:50:58 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by core3.amsl.com (Postfix) with ESMTP id 0FD833A6A48 for <certid@ietf.org>; Thu, 18 Mar 2010 12:50:51 -0700 (PDT)
Received: from int-mx01.intmail.prod.int.phx2.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id o2IJoeK0028920 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 18 Mar 2010 15:50:40 -0400
Received: from turnip.manyfish.co.uk (vpn-9-252.rdu.redhat.com [10.11.9.252]) by int-mx01.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id o2IJocHL009050 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 18 Mar 2010 15:50:40 -0400
Received: from jorton by turnip.manyfish.co.uk with local (Exim 4.69) (envelope-from <jorton@redhat.com>) id 1NsLjp-0000P2-IP; Thu, 18 Mar 2010 19:50:37 +0000
Date: Thu, 18 Mar 2010 19:50:37 +0000
From: Joe Orton <jorton@redhat.com>
To: ArkanoiD <ark@eltex.net>
Message-ID: <20100318195037.GA502@redhat.com>
References: <20100318040731.GA15227@eltex.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <20100318040731.GA15227@eltex.net>
User-Agent: Mutt/1.5.20 (2009-08-17)
Organization: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SL4 1TE, United Kingdom. Registered in UK and Wales under Company Registration No. 03798903 Directors: Michael Cunningham (USA), Brendan Lane (Ireland), Matt Parson (USA), Charlie Peters (USA)
X-Scanned-By: MIMEDefang 2.67 on 10.5.11.11
Cc: certid@ietf.org
Subject: Re: [certid] additional security consideration
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Mar 2010 19:51:00 -0000

On Thu, Mar 18, 2010 at 07:07:31AM +0300, ArkanoiD wrote:
> Second level domain MUST NOT be wildcarded, thus *.com is invalid and should
> never match. (as well as "*", of course)

I don't think it's appropriate for the draft to specify any requirement 
beyond the "left-most label" rule, so far as wildcards go.  I could 
imagine a "*.local" or similar could be useful to allow, and *.com is 
really little more dangerous than *.co.uk.  Yet *.blah.fr is fine.  And 
so on.  The rules could get stupidly complicated really quickly if you 
go down this road.

So, I would just leave it at the "left-most label" rule.  Having a 
simple rule like this is sufficient for interoperability purposes, which 
is the end goal here.  It will remain up to the CAs to validate CN 
sanity beyond that.

Regards, Joe

v2.8.7 | Report a Bug | By Email