IETF Logo Mail Archive

Re: [certid] Need to define "most specific RDN"

Kaspar Brand <ietf-certid@velox.ch> Tue, 13 July 2010 18:24 UTC

Return-Path: <ietf-certid@velox.ch>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 589DF3A6B52 for <certid@core3.amsl.com>; Tue, 13 Jul 2010 11:24:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.463
X-Spam-Level:
X-Spam-Status: No, score=-1.463 tagged_above=-999 required=5 tests=[AWL=1.137, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T3AC+mEBAn6k for <certid@core3.amsl.com>; Tue, 13 Jul 2010 11:24:32 -0700 (PDT)
Received: from appendix.velox.ch (appendix.velox.ch [62.75.148.60]) by core3.amsl.com (Postfix) with ESMTP id 0748E3A6B29 for <certid@ietf.org>; Tue, 13 Jul 2010 11:24:31 -0700 (PDT)
Received: from cortex.velox.ch (84-75-163-235.dclient.hispeed.ch [84.75.163.235]) (authenticated bits=0) by appendix.velox.ch (8.14.4/8.14.4/2.0) with ESMTP id o6DIOabg022312 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <certid@ietf.org>; Tue, 13 Jul 2010 20:24:40 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=velox.ch; s=appendix-177f; t=1279045480; bh=zKDRRYDdl/apvB4v4LAnYCHUlVHzGTctn2JtlGIaffA=; h=Message-ID:Date:From:MIME-Version:To:Subject:References: In-Reply-To:Content-Type:Content-Transfer-Encoding; b=PCeRVDWIyVT1zDfKmLvtdXjWgI8NsydZD5NGUBsYkRTpi8D4bDXElFB+VGaStOKzk ja5ghSGgZoYP+I6ZnNq0XULRLQBnNFXYoh8Ri+BJ/b9J7mlcT9fUUW0Xev2nKsRWlA DLTImA5tS63ESYwdpQ6Dht6gsrjIG3qS5d3/MBucp330m4ajK6qgQXypx6uaR6nvWk ffDJDLuZ2QAzCTEmqPt9UnKz8VxOCDi+l87laixg9M/fL+TInUqzp3hS13y5N94llO 8lkOXbRdkaRnbWprug03ifMNty7VfHgjurBHm2D+c3NYI+Yyg/++x43RJAwu3VpuCU lXCX2RTz9TiRw==
Message-ID: <4C3CAF64.3050303@velox.ch>
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=velox.ch; s=cortex-8a58; t=1279045476; bh=zKDRRYDdl/apvB4v4LAnYCHUlVHzGTctn2JtlGIaffA=; h=Date:From:MIME-Version:To:Subject:References:In-Reply-To: Content-Type:Content-Transfer-Encoding; b=BdiQnJRaq2EPigSPUxEeP2wmemYT3hj/a64KhzWoNBlgO/xknlh2Dg7MBze3Rt6Pl 3z8bSHurQUQ+FjyPbp/ZSzb4GrJyitGFXsawBp1RSJQKQ4tHpYATlQ/IqMfVkNm1cz NJ3m6635NaNKanJIcqw3wkX1JdceyHUn+qTFBKKd7PaTcwhhDCV1XXCmPllwdXPMRN D5WrRYr2Xs6HgvrO1LVJQJ9G1KY+MUVjWudBgohWnQknCZ18vgVe7wN1V7XIaBnE0i xldPvTfvHwCG/Ime7JJUQSP7OFMpLkIgwBgBvqJMgXkBi6oFQ4WteaFRJY+qqlaMdJ yOeoHMr2/DANw==
Date: Tue, 13 Jul 2010 20:24:36 +0200
From: Kaspar Brand <ietf-certid@velox.ch>
User-Agent: Thunderbird/3.x
MIME-Version: 1.0
To: certid@ietf.org
References: <201006301746.o5UHkIsE019133@fs4113.wdf.sap.corp> <4C2B843A.5010206@stpeter.im> <4C305B93.9090001@velox.ch> <201007061435.29786.ludwig.nussel@suse.de> <4C335CE5.1090608@edelweb.fr> <4C3421B3.3070404@velox.ch> <4C3B4F6E.80903@stpeter.im> <4C3BF51E.4030802@velox.ch> <p06240815c8624516831c@[10.20.30.158]>
In-Reply-To: <p06240815c8624516831c@[10.20.30.158]>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [certid] Need to define "most specific RDN"
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jul 2010 18:24:36 -0000

On 13.07.2010 18:32, Paul Hoffman wrote:
> At 7:09 AM +0200 7/13/10, Kaspar Brand wrote:
>> -08 looks good to me, generally speaking, but in addition to the 
>> implementation note at the end of 2.2 I would add some wording to
>> 4.4.4 which states that a) if multiple CN-IDs are found in the
>> subject, all of them should be checked
> 
> Wait, wait. The spec says in a few places that there must only be a
> single CN. If you add that (which was taken out of -08), you have to
> change all of them.

I'm not sure I'm following you. Add what "which was taken out of -08"?
Section 3 currently says:

       If a CN-ID is included, the
       certificate's subject field SHOULD NOT contain more than one
       CN-ID, and MUST NOT contain RDNs which consist of multiple Common
       Name attributes.

and CN-ID is defined as

      *  CN-ID = a Relative Distinguished Name (RDN) in the certificate
         subject that contains one and only one attribute-type-and-value
         pair of type Common Name (CN); see [PKIX] and also
         [LDAP-SCHEMA]

What's underspecified in 4.4.4 is how CN checking should be done if
multiple CN-IDs are present, but that's the only place where it needs to
be covered, I think.

> I propose that we stay with the current MUST for a single CN.

But this wouldn't really address the issue of how to handle a
certificate with multiple CNs in the subject... and they do occur in the
wild, so they shouldn't simply be ignored in this document - let's use
the opportunity to specify this explicitly.

>> (Finally, let me add that browsers such as MSIE, Opera or Safari
>> already implement this kind of multi-CN checking - if there is no
>> subjectAltName extension, they will go through all CNs and look for
>> a match [1]).
> 
> That doesn't make it a best current practice.

Not in the literal sense, because currently there's no real consensus on
the meaning of the "(most specific) Common Name field" statement from
RFC 2818, so implementations differ in their behavior right now. I would
at least consider it "best future practice", however, given that you
would no longer have to argue about most specific vs. least specific etc.

Kaspar

v2.8.7 | Report a Bug | By Email