Re: [certid] URI match

Shumon Huque <shuque@isc.upenn.edu> Thu, 01 April 2010 17:15 UTC

Date: Thu, 1 Apr 2010 13:15:44 -0400
From: Shumon Huque <shuque@isc.upenn.edu>
To: Scott Cantor <cantor.2@osu.edu>
Message-ID: <20100401171544.GA29240@isc.upenn.edu>
References: <201003231500.05187.ludwig.nussel@suse.de> <4BB3C8D6.5030402@stpeter.im> <022c01cad12c$747102d0$5d530870$@2@osu.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <022c01cad12c$747102d0$5d530870$@2@osu.edu>
User-Agent: Mutt/1.4.2.1i
Organization: University of Pennsylvania
Cc: certid@ietf.org
Subject: Re: [certid] URI match
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>

On Wed, Mar 31, 2010 at 07:46:59PM -0400, Scott Cantor wrote:
> Somewhat paraphrasing a question that I think was asked at the app
> area open meeting last week, is it the intention to encourage new
> protocols/services that adopt/reference this proposal to favor
> matching based on URIs where possible or appropriate?

That would be my inclination: use an application specific SAN
form if possible. URI or SRVName would be the obvious candidates,
since they are general purpose. But some apps already define their
own custom SAN types. We do need to support current practice of
domain names in CN/dNSName though. The draft currently has this 
text:

   Furthermore, currently the vast majority of deployed application
   servers use domain names in their certificates (typically via a
   subjectAltName extension of dNSName or a subjectName component of
   Common Name).  Ideally, service operators would use application
   service identities in their certificates (such as an SRVName
   [SRVNAME], a URI, or an application-specific name form), since this
   would reduce the possibility of attacks against unrelated services at
   domain names that provide many different application services.

> That's something I'm in favor of, and I think worrying about what
> users think they're connecting to is really beside the point; users
> don't get this stuff. Our software is supposed to do the right
> things for them so that they don't have to.

Yup, absolutely agree.

--Shumon.
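The policy the message above argues for (prefer an application-specific SAN form such as SRVName or URI, and only fall back to domain names in dNSName/CN for current practice) can be shown as a small identity matcher. The following is an added example, not code from the certid draft or from anyone on the list. It models subjectAltName entries as (type, value) tuples built inline as constructed sample data; the class and function names, the preference order URI > SRVName > dNSName > CN, and the rule that a presented application-specific identifier is authoritative are this example's own assumptions rather than anything the draft text fixes.

```python
"""Reference-identity matching over subjectAltName (SAN) entries.

Added example, not code from the certid draft or the message it follows.
It shows why a certificate carrying only a domain name (dNSName/CN) can be
presented for an unrelated service at the same host, and how checking an
application-specific identifier (SRVName, URI) first closes that gap.
SAN entries are (type, value) tuples; certificates below are constructed
sample data, and all names here are this example's assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple
from urllib.parse import urlsplit

San = Tuple[str, str]  # (SAN type, value), e.g. ("dNSName", "example.net")


@dataclass(frozen=True)
class ReferenceIdentity:
    """What the client expects to reach (assumed shape, RFC 6125 style)."""
    host: str                        # DNS domain the user asked for
    service: Optional[str] = None    # application protocol, e.g. "imap", "xmpp-client"
    uri: Optional[str] = None        # full URI for URI-identified services


def _norm_host(h: str) -> str:
    return h.rstrip(".").lower()


def dns_match(pattern: str, host: str) -> bool:
    """dNSName comparison: case-insensitive; one leftmost wildcard label is
    allowed, it must replace a whole label, and it may not sit above a TLD."""
    p, h = _norm_host(pattern), _norm_host(host)
    if p == h:
        return True
    if p.startswith("*."):
        pl, hl = p.split("."), h.split(".")
        return len(pl) == len(hl) and len(pl) >= 3 and pl[1:] == hl[1:]
    return False


def srv_match(srvname: str, ref: ReferenceIdentity) -> bool:
    """SRVName (RFC 4985) has the form _Service.Name; both parts must match."""
    if ref.service is None or not srvname.startswith("_"):
        return False
    service, _, name = srvname[1:].partition(".")
    return service.lower() == ref.service.lower() and _norm_host(name) == _norm_host(ref.host)


def uri_match(cert_uri: str, ref: ReferenceIdentity) -> bool:
    """URI comparison with scheme/host case-normalised; path compared as-is."""
    if ref.uri is None:
        return False
    a, b = urlsplit(cert_uri), urlsplit(ref.uri)
    return (a.scheme.lower(), _norm_host(a.hostname or ""), a.port, a.path) == \
           (b.scheme.lower(), _norm_host(b.hostname or ""), b.port, b.path)


def naive_dns_only_match(san: Sequence[San], ref: ReferenceIdentity,
                         cn: Optional[str] = None) -> bool:
    """Current practice: only domain names are checked, so any certificate
    issued for the host is accepted regardless of which service it was for."""
    names = [v for t, v in san if t == "dNSName"] or ([cn] if cn else [])
    return any(dns_match(n, ref.host) for n in names)


def match_identity(san: Sequence[San], ref: ReferenceIdentity,
                   cn: Optional[str] = None) -> Tuple[bool, str]:
    """Assumed preference order: URI, then SRVName, then dNSName; CN only when
    the certificate carries no SAN at all. If the certificate presents an
    application-specific type the client understands, that type decides and
    a bare dNSName does not rescue a mismatch."""
    by_type: Dict[str, List[str]] = {}
    for t, v in san:
        by_type.setdefault(t, []).append(v)

    if ref.uri is not None and "URI" in by_type:
        ok = any(uri_match(v, ref) for v in by_type["URI"])
        return ok, "URI" if ok else "URI present but none matches reference URI"
    if ref.service is not None and "SRVName" in by_type:
        ok = any(srv_match(v, ref) for v in by_type["SRVName"])
        return ok, "SRVName" if ok else f"SRVName present but none for _{ref.service}"
    if "dNSName" in by_type:
        ok = any(dns_match(v, ref.host) for v in by_type["dNSName"])
        return ok, "dNSName" if ok else "no dNSName matches host"
    if not san and cn:
        ok = dns_match(cn, ref.host)
        return ok, "CN (legacy, no SAN present)" if ok else "CN does not match host"
    return False, "no usable identifier"


# Constructed sample certificates: an IMAP server cert and a URI-identified
# service cert, each also carrying the host's dNSName as is common today.
IMAP_CERT_SAN: List[San] = [("SRVName", "_imap.example.net"), ("dNSName", "example.net")]
SP_CERT_SAN: List[San] = [("URI", "https://sp.example.net/sp"), ("dNSName", "sp.example.net")]
IMAP_REF = ReferenceIdentity(host="example.net", service="imap")
XMPP_REF = ReferenceIdentity(host="example.net", service="xmpp-client")
SP_REF = ReferenceIdentity(host="sp.example.net", uri="https://sp.example.net/sp")

if __name__ == "__main__":
    # The IMAP cert passes a dNSName-only check for an XMPP client at the
    # same host, but fails once the SRVName is treated as authoritative.
    print("naive, xmpp vs imap cert:", naive_dns_only_match(IMAP_CERT_SAN, XMPP_REF))
    print("strict, xmpp vs imap cert:", match_identity(IMAP_CERT_SAN, XMPP_REF))
    print("strict, imap vs imap cert:", match_identity(IMAP_CERT_SAN, IMAP_REF))
    print("strict, sp vs sp cert:", match_identity(SP_CERT_SAN, SP_REF))
```

The `naive_dns_only_match` / `match_identity` pair is the contrast the draft text describes: with only a domain name to go on, the IMAP server's certificate is good enough to impersonate an XMPP service on the same host, whereas a client that checks the SRVName first rejects it. Which identifier types are authoritative for a given protocol, and whether a mismatch may fall back to dNSName, is an application decision; this block hard-codes one reasonable choice.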