Re: [certid] version -04 of CertID draft
Peter Saint-Andre <stpeter@stpeter.im> Fri, 04 June 2010 17:18 UTC
Return-Path: <stpeter@stpeter.im>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id 79B723A6874 for <certid@core3.amsl.com>;
Fri, 4 Jun 2010 10:18:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.873
X-Spam-Level:
X-Spam-Status: No, score=-0.873 tagged_above=-999 required=5 tests=[AWL=-0.874,
BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BubwRgl6UW9A for
<certid@core3.amsl.com>; Fri, 4 Jun 2010 10:18:25 -0700 (PDT)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com
(Postfix) with ESMTP id AEC9A3A6934 for <certid@ietf.org>;
Fri, 4 Jun 2010 10:18:24 -0700 (PDT)
Received: from squire.local (dsl-205-108.dynamic-dsl.frii.net
[216.17.205.108]) (Authenticated sender: stpeter) by stpeter.im (Postfix)
with ESMTPSA id BD04A40E60 for <certid@ietf.org>;
Fri, 4 Jun 2010 11:18:09 -0600 (MDT)
Message-ID: <4C093550.6050708@stpeter.im>
Date: Fri, 04 Jun 2010 11:18:08 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US;
rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4
MIME-Version: 1.0
To: certid@ietf.org
References: <4BDB1F71.2050207@stpeter.im> <4BEBB843.6020600@velox.ch>
In-Reply-To: <4BEBB843.6020600@velox.ch>
X-Enigmail-Version: 1.0.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
micalg=sha1; boundary="------------ms040703030808080806000604"
Subject: Re: [certid] version -04 of CertID draft
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates
<certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Jun 2010 17:18:29 -0000
On 5/13/10 2:28 AM, Kaspar Brand wrote: > A few more comments about draft -04: My apologies, I missed this post while making our edits for -05. (Nits skipped in what follows.) >> 2.1. Subject Naming in PKIX Certificates >> [...] >> "string representation" of a DN before being rendered. Often such a >> DN string representation is ordered from left-to-right, most specific >> to most general. See [LDAP-AUTH] for details. > > I would suggest to replace this with a reference to RFC 4514 (not 4513). Corrected. >> 2.2. PKIX Certificate Name Rules >> >> The following rules apply to the representation of application server >> identities in PKIX certificates issued by certification authorities. >> >> 1. The certification authority MUST issue the certificate based on >> the DNS domain name (not an IP address) at which the server will >> provide the relevant service. > > With the current draft, "relative" domain names (such as "www", "mail" > etc.) are also permitted as DNS-IDs or CN-IDs, from what I understand. > Is this a deliberate decision, or should domain names possibly be > required to be fully qualified (or "absolute", in RFC-1034 speak)? If > the latter, then it would probably make sense to add an entry for "DNS > domain name" to section 1.3 and explicitly state that it's required to > be absolute / fully qualified. Our intent was to cover only absolute domain names. Fixed in our working copy. >> Note: A client MUST NOT seek a match for a reference identifier of >> CN-ID if the presented identifiers include an SRV-ID, URI-ID, >> DNS-ID, or any application-specific subjectAltName extensions, and >> MUST NOT check a Common Name in the certificate if it is other >> than the last Relative Distinguished Name (RDN) in within the >> sequence of RDNs making up the Distinguished Name within the >> certificate's subjectName. > > As already mentioned elsewhere, this requirement is probably too strict. > I suggest changing to something like "must only check against the last > Common Name RDN in the sequence of RDNs making up the Distinguished Name > within the certificate's subjectName". That wording does seem better. Thanks for the text. >> 3.4.4. Checking of DNS Domain Names in Common Names >> >> As noted, a client MUST NOT seek a match for a reference identifier >> of CN-ID if the presented identifiers include an SRV-ID, URI-ID, >> DNS-ID, or any application-specific subjectAltName extensions. >> >> Therefore, if and only if the identity set does not include >> subjectAltName extensions of type dNSName, SRVName, or >> uniformResourceIdentifier (or any application-specific subjectAltName >> extensions), the client MAY as a fallback check for a DNS domain name >> in the value of the last Relative Distinguished Name (RDN), if it is >> of type Common Name (CN), within the sequence of RDNs making up the >> Distinguished Name within the certificate's subjectName. (Note: The >> term "last" refers to the DER order, which is often not the string >> order presented to a user; the order that is applied here MUST be the >> DER order.) > > See above - should be adapted accordingly. Done in our working copy. Peter -- Peter Saint-Andre https://stpeter.im/
- [certid] version -04 of CertID draft Peter Saint-Andre
- Re: [certid] version -04 of CertID draft Kaspar Brand
- Re: [certid] version -04 of CertID draft ArkanoiD
- Re: [certid] version -04 of CertID draft Peter Saint-Andre