Re: [certid] Gen-ART LC Review of draft-saintandre-tls-server-id-check-11

=JeffH <Jeff.Hodges@KingsMountain.com> Wed, 08 December 2010 22:46 UTC

Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 767E23A69AE for <certid@core3.amsl.com>; Wed, 8 Dec 2010 14:46:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.086
X-Spam-Level:
X-Spam-Status: No, score=-102.086 tagged_above=-999 required=5 tests=[AWL=0.179, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j1uWEO8-CDXg for <certid@core3.amsl.com>; Wed, 8 Dec 2010 14:46:54 -0800 (PST)
Received: from cpoproxy3-pub.bluehost.com (cpoproxy3-pub.bluehost.com [67.222.54.6]) by core3.amsl.com (Postfix) with SMTP id 66DEB3A69A9 for <certid@ietf.org>; Wed, 8 Dec 2010 14:46:54 -0800 (PST)
Received: (qmail 3424 invoked by uid 0); 8 Dec 2010 22:48:21 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by cpoproxy3.bluehost.com with SMTP; 8 Dec 2010 22:48:21 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=kingsmountain.com; h=Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:Content-Type:Content-Transfer-Encoding:X-Identified-User; b=VyQHASB1Pq7+CnUwhmGyMSHrlkM3fnIHURgTqeo4TBpwx5TzQHFMFU5i+qtM66r661wdn5rQZb/iaTjrqMFLZp5ECFMcSVGojN+KenZreOtx+Y7YiG8cPPBAiMFTXhnv;
Received: from c-24-4-122-173.hsd1.ca.comcast.net ([24.4.122.173] helo=[192.168.11.10]) by box514.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1PQSo9-0000jR-M6; Wed, 08 Dec 2010 15:48:21 -0700
Message-ID: <4D000B33.2050405@KingsMountain.com>
Date: Wed, 08 Dec 2010 14:48:19 -0800
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Thunderbird 2.0.0.24 (X11/20101027)
MIME-Version: 1.0
To: Paul Hoffman <paul.hoffman@vpnc.org>, Ben Campbell <ben@nostrum.com>, General Area Review Team <gen-art@ietf.org>, IETF cert-based identity <certid@ietf.org>, draft-saintandre-tls-server-id-check.all@tools.ietf.org
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 24.4.122.173 authed with jeff.hodges+kingsmountain.com}
Subject: Re: [certid] Gen-ART LC Review of draft-saintandre-tls-server-id-check-11
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Dec 2010 22:46:55 -0000

 > Possible text for the Security Considerations:
 >
 > ###
 >
 > 5.4.  Multiple Identifiers
 >
 >    This specification allows multiple DNS-IDs, SRV-IDs, or URI-IDs in a
 >    certificate, but discourages multiple CN-IDs.  The inclusion in the
 >    Common Name of multiple strings whose form matches that of a fully-
 >    qualified DNS domain name (e.g., "www.example.com") makes it more
 >    difficult to parse the Common Name and increases the likelihood of
 >    false positives in the identity verification process.  Although it
 >    would be preferable to forbid multiple CN-IDs entirely, there are
 >    several reasons why this specification states that they SHOULD NOT
 >    (instead of MUST NOT) be included:
 >
 >    o  At least one significant technology community of interest
 >       explicitly allows multiple CN-IDs [EV-CERTS].
 >
 >    o  At least one significant certification authority is known to issue
 >       certificates containing multiple CN-IDs.
 >
 >    o  Many service providers often deem inclusion of multiple CN-IDs
 >       necessary in "virtual hosting" environments because at least one
 >       widely-deployed operating system does not yet support the Server
 >       Name Indication extension [TLS-EXT].
 >
 >    It is hoped that the recommendation in this specification can be
 >    further tightened in the future.
 >
 > ###
 >
 > To be referenced from bullet #6 in Section 3.1:
 >
 >    6.  The certificate MAY contain more than one DNS-ID, SRV-ID, or
 >        URI-ID (but SHOULD NOT contain more than one CN-ID, as further
 >        explained under Section 5.4).


in general looks good to me, thanks.

However, I'd alter the first sentence to s/allows/accommodates/, and in the 2nd
sentence s/discourages/explicitly discourages/.

I'd alter the last sentence of 1st para s/reasons/reasons at this time/.

And in terms of this..

                                                   The inclusion of
     multiple strings whose form matches that of a fully-qualified DNS
     domain name (e.g., "www.example.com") makes it more difficult to
     parse the Common Name and therefore increases the likelihood of false
     positives in the identity verification process.


..well, no, it doesn't make it more difficult to parse, and "it" is the
Subject, not "the CN". There are multiple CN= AVAs in the Subject, but parsing
them out is simple.  I guess I'd just delete that entire middle sentence "The
inclusion of...process."


=JeffH
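As an added illustration of the point above (example code written for this archive page, not part of the draft, of JeffH's message, or of any implementation the thread discusses): a small pure-Python routine that parses an RFC 4514 Subject DN string into its AVAs, pulls out every CN value whose form matches a fully-qualified DNS name, and then applies the draft's fallback rule that a client consults CN-IDs only when the certificate presents no DNS-ID. The DN strings and SAN lists are constructed sample data; the choice to compare the reference identifier against all CN-IDs (rather than, say, only the last one) is an assumption of this example, not something the draft specifies, and a certificate with more than one CN-ID is reported as a warning rather than rejected, mirroring SHOULD NOT.

```python
"""Parsing multiple CN= AVAs out of a Subject DN and applying the
CN-ID fallback rule. Example code for this list archive; the sample
values below are constructed, not taken from any real certificate."""
import re

# Constructed sample Subject with two CN-IDs (assumption: RFC 4514 string form).
SUBJECT_MULTI_CN = "CN=www.example.com,CN=example.com,O=Example Corp,C=US"

# Loose syntactic check for "looks like a fully-qualified DNS name":
# labels of 1-63 chars from [a-z0-9-], at least two labels, 253 chars max.
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z0-9-]{1,63}$",
                     re.IGNORECASE)


def parse_dn(dn):
    """Split an RFC 4514 DN string into an ordered list of (type, value) AVAs.

    Backslash escapes are honoured, so a literal ',' or '+' inside a value
    does not split it. Multi-valued RDNs joined with '+' are flattened into
    separate AVAs, which is all the identity check below needs."""
    avas, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch in ",+":
            avas.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    avas.append("".join(buf))
    out = []
    for ava in avas:
        attr_type, _, value = ava.partition("=")
        out.append((attr_type.strip().upper(), value.strip()))
    return out


def cn_ids(subject_dn):
    """Every CN value in the Subject whose form matches a FQDN, in order.
    Parsing them out is straightforward even when several CN= AVAs exist."""
    return [v for t, v in parse_dn(subject_dn) if t == "CN" and FQDN_RE.match(v)]


def match_dns_id(reference, presented):
    """Case-insensitive comparison of a reference identifier with a presented
    DNS-ID. A wildcard is accepted only as the complete left-most label and
    must not swallow additional labels (draft section 6.4.3 semantics)."""
    ref = reference.lower().rstrip(".")
    pres = presented.lower().rstrip(".")
    if pres.startswith("*."):
        ref_labels, pres_labels = ref.split("."), pres.split(".")
        return len(ref_labels) == len(pres_labels) and ref_labels[1:] == pres_labels[1:]
    return ref == pres


def verify_server_identity(reference, san_dns_ids, subject_dn):
    """Return (matched, warnings).

    DNS-IDs from the subjectAltName take precedence; the CN-ID is consulted
    only when the certificate carries no DNS-ID at all. More than one CN-ID
    is flagged (the draft says SHOULD NOT) but, by assumption here, every
    CN-ID is still compared rather than the check being abandoned."""
    warnings = []
    if san_dns_ids:
        return any(match_dns_id(reference, d) for d in san_dns_ids), warnings
    cns = cn_ids(subject_dn)
    if len(cns) > 1:
        warnings.append("certificate presents %d CN-IDs; SHOULD NOT contain more than one"
                        % len(cns))
    return any(match_dns_id(reference, c) for c in cns), warnings


if __name__ == "__main__":
    print(cn_ids(SUBJECT_MULTI_CN))
    print(verify_server_identity("example.com", [], SUBJECT_MULTI_CN))
    print(verify_server_identity("www.example.com", ["mail.example.com"], SUBJECT_MULTI_CN))
```

Run as-is, the script lists both CN-IDs from the constructed Subject, matches "example.com" through the CN-ID fallback while warning about the duplicate CN-IDs, and refuses "www.example.com" when the certificate carries a non-matching DNS-ID, since a present DNS-ID suppresses any CN-ID comparison.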