Re: [certid] open issue: wildcards in component fragments

Peter Saint-Andre <stpeter@stpeter.im> Mon, 11 October 2010 21:15 UTC

Message-ID: <4CB37EB0.9020602@stpeter.im>
Date: Mon, 11 Oct 2010 15:16:32 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
To: mrex@sap.com
References: <201010112031.o9BKVQML008586@fs4113.wdf.sap.corp>
In-Reply-To: <201010112031.o9BKVQML008586@fs4113.wdf.sap.corp>
Cc: certid@ietf.org
Subject: Re: [certid] open issue: wildcards in component fragments
List-Id: Representation and verification of identity in certificates <certid.ietf.org>

On 10/11/10 2:31 PM, Martin Rex wrote:
> Peter Saint-Andre wrote:
>>
>>>
>>> I did issue server certs for wildcard substring matching when I
>>> implemented rfc-2818, though -- and I consider it likely that other
>>> implementors did this as well.
>>
>> That's nice, but not directly relevant to the current discussion because
>> the I-D that Jeff and I have worked on does not override, supersede, or
>> obsolete RFC 2818 or any other prior art about matching rules for
>> application server identity.
> 
> I strongly disagree. The -09 wording:
> 
>    The client MUST fail to match a presented identifier
>    in which the wildcard character is contained within a label fragment
>    (e.g., baz*.example.net is not allowed and MUST NOT be taken to match
>    baz1.example.net and baz2.example.net)
> 
> attempts to invalidate rfc-2818 through the use of "MUST NOT".

The next version (-10) will make it abundantly clear that this I-D does
not (and does not intend to) override, supersede, update, or obsolete
the rules for verifying server identity provided in specifications for
existing application protocols. On this point, Jeff and I have added an
applicability statement to our working copy, which we hope to release in
the next day or two once we've checked it against all the issues that
were raised during IETF Last Call.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
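The disagreement above is about two different wildcard-matching rules. RFC 2818 section 3.1 lets "*" match "any single domain name component or component fragment" (its own example: f*.com matches foo.com), whereas the -09 text quoted by Martin rejects any wildcard inside a label fragment (baz*.example.net must not match baz1.example.net); the draft was later published as RFC 6125. The following Python is an added illustration that is not from the draft, from RFC 2818, or from either poster: it implements both readings side by side so the difference can be checked on concrete names. The function names and the sample identifiers other than baz*.example.net, baz1.example.net and f*.com are this example's own.

```python
"""Two wildcard rules for DNS-ID presented identifiers, side by side.

matches_rfc2818 : '*' may match a whole label or a label *fragment*
                  (RFC 2818 section 3.1 reading).
matches_draft09 : a wildcard is honoured only as the entire left-most
                  label; a wildcard inside a label fragment makes the
                  presented identifier fail to match (the -09 wording).
Added example; names below are this example's own, not the draft's.
"""


def _labels(name):
    """Lower-case, drop one trailing dot, split into DNS labels."""
    return name.lower().rstrip(".").split(".")


def matches_rfc2818(presented, reference):
    """RFC 2818 style: '*' matches any single label or label fragment.

    f*.com matches foo.com; baz*.example.net matches baz1.example.net.
    Only a single '*' per label is honoured here (assumption: RFC 2818
    gives no rule for several wildcards in one label)."""
    p, r = _labels(presented), _labels(reference)
    if len(p) != len(r) or any(not lbl for lbl in r):
        return False
    for pl, rl in zip(p, r):
        if "*" not in pl:
            if pl != rl:
                return False
            continue
        if pl.count("*") > 1:
            return False
        head, _, tail = pl.partition("*")  # text before / after the '*'
        if not (rl.startswith(head) and rl.endswith(tail)
                and len(rl) >= len(head) + len(tail)):
            return False
    return True


def matches_draft09(presented, reference):
    """-09 rule: a wildcard must be the whole left-most label.

    Any '*' embedded in a label fragment, or in a label other than the
    left-most one, makes the presented identifier unmatchable.  A bare
    '*' left-most label matches exactly one reference label, so
    *.example.net matches www.example.net but not a.b.example.net."""
    p, r = _labels(presented), _labels(reference)
    if any(not lbl for lbl in r):
        return False
    if any("*" in lbl and lbl != "*" for lbl in p):
        return False  # e.g. baz*.example.net: wildcard inside a fragment
    if any("*" in lbl for lbl in p[1:]):
        return False  # e.g. bar.*.example.net: wildcard not left-most
    if len(p) != len(r):
        return False  # one '*' label stands for exactly one label
    if p[0] == "*":
        return p[1:] == r[1:]
    return p == r


def verdicts(cases):
    """Return (presented, reference, rfc2818_result, draft09_result)
    for each (presented, reference) pair, for quick comparison."""
    return [(pres, ref, matches_rfc2818(pres, ref), matches_draft09(pres, ref))
            for pres, ref in cases]


if __name__ == "__main__":
    # Constructed sample pairs; the first is the e-mail's own example.
    sample = [
        ("baz*.example.net", "baz1.example.net"),
        ("f*.com", "foo.com"),
        ("*.example.net", "www.example.net"),
        ("*.example.net", "a.b.example.net"),
        ("bar.*.example.net", "bar.foo.example.net"),
        ("www.example.net", "www.example.net"),
    ]
    print(f"{'presented':20} {'reference':22} rfc2818 draft09")
    for pres, ref, a, b in verdicts(sample):
        print(f"{pres:20} {ref:22} {str(a):7} {b}")
```

Running the script prints one line per pair; the first row is the case at issue in the thread, where the RFC 2818 reading accepts and the -09 reading rejects the same certificate name. A client that implements the stricter rule therefore refuses certificates that an RFC 2818-era client (or the one Martin describes issuing certificates for) would accept, which is exactly the compatibility point under discussion.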