IETF Logo Mail Archive

Re: [certid] open issue: wildcards in component fragments

Peter Saint-Andre <stpeter@stpeter.im> Tue, 12 October 2010 13:04 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 31BA63A695A for <certid@core3.amsl.com>; Tue, 12 Oct 2010 06:04:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.535
X-Spam-Level:
X-Spam-Status: No, score=-102.535 tagged_above=-999 required=5 tests=[AWL=0.064, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 244p0Xlvsj0I for <certid@core3.amsl.com>; Tue, 12 Oct 2010 06:04:01 -0700 (PDT)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com (Postfix) with ESMTP id CF4203A67AE for <certid@ietf.org>; Tue, 12 Oct 2010 06:04:01 -0700 (PDT)
Received: from squire.local (dsl-140-58.dynamic-dsl.frii.net [216.17.140.58]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 2B47E40337; Tue, 12 Oct 2010 07:11:57 -0600 (MDT)
Message-ID: <4CB45D0A.40305@stpeter.im>
Date: Tue, 12 Oct 2010 07:05:14 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2.9) Gecko/20100915 Thunderbird/3.1.4
MIME-Version: 1.0
To: Matt McCutchen <matt@mattmccutchen.net>
References: <201010112031.o9BKVQML008586@fs4113.wdf.sap.corp> <4CB37EB0.9020602@stpeter.im> <1286888587.1922.11.camel@mattlaptop2.local>
In-Reply-To: <1286888587.1922.11.camel@mattlaptop2.local>
X-Enigmail-Version: 1.1.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Cc: certid@ietf.org
Subject: Re: [certid] open issue: wildcards in component fragments
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Oct 2010 13:04:03 -0000

On 10/12/10 7:03 AM, Matt McCutchen wrote:
> On Mon, 2010-10-11 at 15:16 -0600, Peter Saint-Andre wrote:
>> On 10/11/10 2:31 PM, Martin Rex wrote:
>>> I strongly disagree. the -09 wording:
>>>
>>>    The client MUST fail to match a presented identifier
>>>    in which the wildcard character is contained within a label fragment
>>>    (e.g., baz*.example.net is not allowed and MUST NOT be taken to match
>>>    baz1.example.net and baz2.example.net)
>>>
>>> attempts to invalidate rfc-2818 through the use of "MUST NOT".
>>
>> The next version (-10) will make it abundantly clear that this I-D does
>> not (and does not intend to) override, supersede, update, or obsolete
>> the rules for verifying server identity provided in specifications for
>> existing application protocols. On this point, Jeff and I have added an
>> applicability statement to our working copy, which we hope to release in
>> the next day or two once we've checked it against all the issues that
>> were raised during IETF Last Call.
> 
> This seems possibly disingenuous to me.  The tls-server-id-check
> document may not itself update RFC 2818, but do you really intend that
> RFC 2818 never be updated in the future to use the tls-server-id-check
> rules?  In view of the likelihood of such an update, it seems unhelpful
> to claim now that compatibility with RFC 2818 isn't our problem.

Shall I quote the text in our working copy?

###

1.3.  Applicability and Audience

   This document does not supersede the rules for certificate issuance
   or validation provided in [PKIX], which governs any certificate-
   related topic on which this document is silent (e.g., certificate
   syntax, certificate extensions such as name constraints and extended
   key usage, and handling of certification paths).  Specifically, in
   order to ensure proper authentication, application clients need to
   verify the entire certification path, because this document addresses
   only name forms in the leaf server certificate, not any name forms in
   the chain of certificates used to validate the server certificate.

   This document also does not supersede the rules for verifying service
   identity provided in specifications for existing application
   protocols, such as those mentioned under Appendix A.  However, it is
   the intent of the authors that the best current practices described
   here can be referenced by future specifications, including updates to
   specifications for the aforementioned existing application protocols
   as collected under Appendix A, if the relevant technology communities
   agree to do so.  It is also expected that this document will be
   updated or obsoleted in the future as best practices for issuance and
   verification of PKIX certificates continue to evolve through more
   widespread implementation and deployment of TLS-protected application
   services over the Internet.

   The primary audience for this document consists of application
   protocol designers, who might reference this document instead of
   defining their own rules for the representation and verification of
   application service identity.  Secondarily, the audience consists of
   certification authorities, client developers, service providers, and
   other members of technology communities that might re-use or
   "profile" the recommendations in this document when defining
   certificate issuance policies, writing software algorithms for
   identity matching, generating certificate signing requests, etc.

###

v2.8.7 | Report a Bug | By Email