Re: [certid] open issue: wildcards in component fragments
=JeffH <Jeff.Hodges@KingsMountain.com> Wed, 13 October 2010 21:38 UTC
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id 547F23A66B4 for <certid@core3.amsl.com>;
Wed, 13 Oct 2010 14:38:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.137
X-Spam-Level:
X-Spam-Status: No, score=-102.137 tagged_above=-999 required=5 tests=[AWL=0.128,
BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WZ07UKgMo98H for
<certid@core3.amsl.com>; Wed, 13 Oct 2010 14:38:24 -0700 (PDT)
Received: from cpoproxy3-pub.bluehost.com (cpoproxy3-pub.bluehost.com
[67.222.54.6]) by core3.amsl.com (Postfix) with SMTP id 1BB443A69DF for
<certid@ietf.org>; Wed, 13 Oct 2010 14:38:24 -0700 (PDT)
Received: (qmail 28909 invoked by uid 0); 13 Oct 2010 21:39:41 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by
cpoproxy3.bluehost.com with SMTP; 13 Oct 2010 21:39:41 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=kingsmountain.com;
h=Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:Content-Type:Content-Transfer-Encoding:X-Identified-User;
b=FyttNTWYa/l6C2qqWMXo5WcM5NocJ1IORn3HQobYtSbQhBeyrekZdUXvdKTj7I9ER6NZlPNuwMKWkS2QGyZsOEKdDQREdPmLNJgwdHFx7/FfesCgSOagFCoEG9W5urCn;
Received: from outbound4.ebay.com ([216.113.168.128] helo=[10.244.48.179]) by
box514.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69)
(envelope-from <Jeff.Hodges@KingsMountain.com>) id 1P692y-0003hi-SM for
certid@ietf.org; Wed, 13 Oct 2010 15:39:41 -0600
Message-ID: <4CB6271A.7090402@KingsMountain.com>
Date: Wed, 13 Oct 2010 14:39:38 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Thunderbird 2.0.0.24 (X11/20100411)
MIME-Version: 1.0
To: IETF cert-based identity <certid@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com}
{sentby:smtp auth 216.113.168.128 authed with jeff.hodges+kingsmountain.com}
Subject: Re: [certid] open issue: wildcards in component fragments
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates
<certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Oct 2010 21:38:26 -0000
> Note that at least two technology communities have forbidden wildcard
> certificates:
>
> 1. RFC 5992 forbids wildcard certificates in the SIP community.
>
> 2. The CA/Browser Forum doesn't allow issuance of wildcard certificates
> under its "Extended Validation Certificates" profile.
>
> So there is some precedent for forbidding wildcard certificates. Is that
> a best current practice? Should this I-D state that wildcard
> certificates (of whatever variety) are NOT RECOMMENDED?
I'm thinking that the latter is the way to go wrt wildcards. RFC2119 sez..

   4. SHOULD NOT   This phrase, or the phrase "NOT RECOMMENDED" mean that
   there may exist valid reasons in particular circumstances when the
   particular behavior is acceptable or even useful, but the full
   implications should be understood and the case carefully weighed
   before implementing any behavior described with this label.

..which certainly sounds reasonable for this situation.
Our working copy of -tls-server-id-check (which we are trying to pub by end of
this week) has further clarifications wrt the spec's not outright forbidding
current practice and various other current specifications, thus present
wildcard use does not necessarily conflict with such a "NOT RECOMMENDED"
stance. Plus such a stance aligns better with the EV Guidelines, RFC5992, and
perhaps other specs going forward.
=JeffH
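Added example, not code from the draft, from this list or from its author: a DNS-ID matcher whose wildcard handling follows the rules that RFC 6125 (the published form of -tls-server-id-check) later adopted: a wildcard is only honoured in the left-most label, it matches exactly one label, and "component fragment" forms such as baz*.example.net are optional for the client. A policy switch lets a deployment that takes the "NOT RECOMMENDED" stance refuse wildcard identifiers outright, or accept only the full-label form. The function and policy names, the refusal of identifiers with fewer than three labels, and all sample hostnames are assumptions made for illustration.

```python
"""Match a reference hostname against a presented DNS-ID, with a wildcard policy.

Added example: the label rules mirror RFC 6125 section 6.4.3; the policy
switch, the minimum-label rule and the sample names are assumptions.
"""
from enum import Enum


class WildcardPolicy(Enum):
    FORBID = "forbid"          # NOT RECOMMENDED stance: any wildcard fails to match
    FULL_LABEL = "full-label"  # only "*.example.com" style identifiers
    FRAGMENT = "fragment"      # also "baz*.example.net", "*baz.example.net", "b*z.example.net"


def _labels(name: str) -> list[str]:
    """Lower-case, strip a trailing dot and split into labels; reject empty labels."""
    labels = name.rstrip(".").lower().split(".")
    if not labels or any(not label for label in labels):
        raise ValueError(f"malformed name: {name!r}")
    return labels


def match_dns_id(presented: str, reference: str,
                 policy: WildcardPolicy = WildcardPolicy.FULL_LABEL) -> bool:
    """Return True iff the certificate's presented DNS-ID matches the reference hostname."""
    if "*" in reference:
        raise ValueError("reference identifier must not contain a wildcard")
    p = _labels(presented)
    r = _labels(reference)

    if "*" not in presented:
        return p == r                                   # plain identifier: exact label match

    # Rule 1: a wildcard anywhere but the left-most label never matches (bar.*.example.net).
    if any("*" in label for label in p[1:]):
        return False
    if policy is WildcardPolicy.FORBID:
        return False
    # Rule 2: the wildcard stands for exactly one label, so label counts and tails must agree.
    if len(p) != len(r) or p[1:] != r[1:]:
        return False
    # Assumption (local policy, not an RFC rule): refuse "*.com"-style identifiers.
    if len(p) < 3:
        return False

    head = p[0]
    if head == "*":
        return True                                     # full-label wildcard: *.example.com
    # Rule 3: fragment wildcards are a MAY; only honour them when the policy allows it.
    if policy is not WildcardPolicy.FRAGMENT:
        return False
    if head.count("*") != 1:
        return False
    # No wildcard embedded in an A-label or U-label of an internationalised name.
    if head.startswith("xn--") or not head.isascii() or r[0].startswith("xn--"):
        return False
    prefix, suffix = head.split("*")
    target = r[0]
    return (len(target) >= len(prefix) + len(suffix)
            and target.startswith(prefix) and target.endswith(suffix))


if __name__ == "__main__":
    # Constructed sample pairs, not taken from any real certificate.
    samples = [
        ("*.example.com", "foo.example.com"),
        ("*.example.com", "bar.foo.example.com"),
        ("*.example.com", "example.com"),
        ("bar.*.example.net", "bar.foo.example.net"),
        ("baz*.example.net", "baz1.example.net"),
    ]
    for policy in WildcardPolicy:
        for presented, reference in samples:
            print(f"{policy.value:10} {presented:22} {reference:22} "
                  f"{match_dns_id(presented, reference, policy)}")
```

The FORBID branch is what a client that treats wildcard certificates as NOT RECOMMENDED would run; FULL_LABEL is the common browser behaviour; FRAGMENT is the optional form the subject line of this thread is about. Note that case folding and the trailing dot are normalised before comparison, so `WWW.example.com.` still matches `www.example.com`.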