Re: [certid] Need to define "most specific RDN"
Kaspar Brand <ietf-certid@velox.ch> Tue, 13 July 2010 05:09 UTC
Message-ID: <4C3BF51E.4030802@velox.ch>
Date: Tue, 13 Jul 2010 07:09:50 +0200
From: Kaspar Brand <ietf-certid@velox.ch>
User-Agent: Thunderbird/3.x
MIME-Version: 1.0
CC: certid@ietf.org
References: <201006301746.o5UHkIsE019133@fs4113.wdf.sap.corp> <4C2B843A.5010206@stpeter.im> <4C305B93.9090001@velox.ch> <201007061435.29786.ludwig.nussel@suse.de> <4C335CE5.1090608@edelweb.fr> <4C3421B3.3070404@velox.ch>
<4C3B4F6E.80903@stpeter.im>
In-Reply-To: <4C3B4F6E.80903@stpeter.im>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [certid] Need to define "most specific RDN"
On 12.07.2010 19:22, Peter Saint-Andre wrote:
> On 7/7/10 12:41 AM, Kaspar Brand wrote:
>> Clarifying/fixing that blurry "(most specific)" statement from RFC 2818
>> would be highly desirable for the new BCP, IMO. If by this we can get
>> away with a term whose meaning isn't intuitively clear (compare this
>> e.g. to "left-most DNS label"), then I would definitely consider that a
>> plus.
>
> Would removing all mention of "(most specific)" qualify as clarification?

-08 looks good to me, generally speaking, but in addition to the
implementation note at the end of 2.2 I would add some wording to 4.4.4
which states that a) if multiple CN-IDs are found in the subject, all of
them should be checked and b) this deliberately allows broader matching
than the one originally "specified" in [HTTP-TLS] and [GIST].

(Finally, let me add that browsers such as MSIE, Opera or Safari already
implement this kind of multi-CN checking - if there is no subjectAltName
extension, they will go through all CNs and look for a match [1]).

Kaspar

[1] E.g., cf. this discussion from 2004 on apple-cdsa:
http://lists.apple.com/archives/apple-cdsa/2004/Apr/msg00012.html
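The matching order the message argues for (prefer subjectAltName DNS-IDs; only without them fall back to the subject, and then check every CN-ID rather than a single "most specific" one), as an added illustration that is not part of the original post, of the -08 draft or of any browser's code. The certificate is stood in for by a constructed dataclass, and the names `Cert`, `match_presented_id` and `verify_hostname` are assumed here; the wildcard rule (whole left-most label only, with at least two labels to its right) is a deliberately strict choice of this example and is not something the message states.

```python
"""Reference-identity matching against a server certificate (added example).

Models the verification rule discussed in the message: use DNS-IDs from the
subjectAltName extension when present; only if that extension yields no
DNS-ID, fall back to the CN-IDs, and check *all* commonName attributes found
in the subject rather than a single "most specific" one.

The certificate is represented by a plain dataclass, a constructed stand-in
for a parsed X.509 certificate, not a real parser.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Cert:
    # dNSName values from the subjectAltName extension (may be empty)
    san_dns_ids: List[str] = field(default_factory=list)
    # every commonName attribute found in the subject, in RDN order
    cn_ids: List[str] = field(default_factory=list)


def _labels(name: str) -> List[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def match_presented_id(presented: str, reference: str) -> bool:
    """Compare one presented identifier with the reference identifier.

    Matching is case-insensitive on ASCII labels. A wildcard is honoured
    only when it is the whole left-most label (e.g. '*.example.com') and it
    matches exactly one label, so '*.example.com' matches neither
    'example.com' nor 'a.b.example.com'. Requiring at least two labels to
    the right of the wildcard ('*.com' is rejected) is an assumption of this
    example, chosen to be strict.
    """
    p, r = _labels(presented), _labels(reference)
    if not p or not r or "" in r:
        return False
    if p[0] == "*":
        return len(p) == len(r) and len(p) >= 3 and p[1:] == r[1:]
    # no partial-label wildcards such as 'w*.example.com'
    if "*" in presented:
        return False
    return p == r


def verify_hostname(cert: Cert, hostname: str) -> Optional[str]:
    """Return the presented identifier that matched hostname, or None.

    Order of evaluation:
      1. If the SAN extension carries any DNS-ID, only those are checked;
         CN-IDs are ignored even if one of them would have matched.
      2. Otherwise every CN-ID in the subject is checked, not just the
         last (or first) one, so a subject carrying a descriptive CN
         next to a hostname CN still verifies.
    """
    candidates = cert.san_dns_ids if cert.san_dns_ids else cert.cn_ids
    for presented in candidates:
        if match_presented_id(presented, hostname):
            return presented
    return None


if __name__ == "__main__":
    # constructed sample: no SAN, three CNs, only the last one is the hostname
    legacy = Cert(cn_ids=["Example Corp Web", "www.example.com", "example.com"])
    print(verify_hostname(legacy, "example.com"))  # example.com
    # constructed sample: SAN present, so the CN is never consulted
    modern = Cert(san_dns_ids=["www.example.net"], cn_ids=["www.example.com"])
    print(verify_hostname(modern, "www.example.com"))  # None
```

The second sample is the part worth noticing from a verifier's point of view: once a subjectAltName DNS-ID exists, a matching CN-ID must not rescue the certificate, otherwise the fallback path becomes a second, weaker route to acceptance.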