Re: [certid] Comments on draft-saintandre-tls-server-id-check-04

=JeffH <Jeff.Hodges@KingsMountain.com> Tue, 08 June 2010 18:50 UTC

To: IETF cert-based identity <certid@ietf.org>, Kaspar Brand <ietf-certid@velox.ch>

Martin Rex <mrex@sap.com> noted on
Wed, 12 May 2010 00:47:30 +0200 (MEST)...
 >
 > Further complicating the issue: While DER encoding leaves the ordering
 > of the contents of an ASN.1 SEQUENCE as is, the ordering of the contents
 > of an ASN.1 SET is "canonicalized" by DER encoding (based on the
 > numeric ordering of the final binary encoding of each element).
 > So the shorter elements will always end up first in RDNames
 > containing multiple attribute-value pairs in a SET.
 >
 > i.e.
 >
 >      CN=Foo+2.5.4.5=123ABC,O=bar,C=ZZ
 >      2.5.4.5=227DEF+CN=LongName,O=bar,C=ZZ


Nelson B Bolyard <nelson@bolyard.me> wrote on Fri, 04 Jun 2010 10:11:29 -0700
 >
 > On 2010-06-04 02:35 PDT, Peter Sylvester wrote:
 >>
 >> You can have two AVAs of the same type in one RDN, i.e.
 >> two common names in the same RDN. There the interpretation
 >> of most-significant is not clear.
 >
 > Agreed, in principle.  In practice, I've never seen a certificate produced
 > by a real CA with multiple AVAs in a single RDN.  I've seen them in certs
 > produced by test scripts, and by people playing with OpenSSL.  :)


And Kaspar Brand <ietf-certid@velox.ch> had pointed out on
Thu, 13 May 2010 09:40:12 +0200
 >
 > Here's some data. It's from a sample of about 90,000 non self-issued
 > certs (from commercial CAs, most likely reflecting shares like those in
 > http://news.netcraft.com/SSL-survey). The data are from the beginning
 > of 2009, but I don't think the situation has considerably changed
 > in between.
 >
 > The second column shows the RDNs in the order they have in the
 > ASN.1 subject SEQUENCE, while the first column gives the number of
 > occurrences of such a cert (only the "top 15" are shown).
 >
 >   19464 C, O, OU, OU, OU, CN
 >   15657 C, ST, L, O, OU, CN
 >    6859 O, OU, CN
 >    5603 C, ST, L, O, OU, OU, CN
 >    4983 C, ST, L, O, OU, OU, OU, OU, CN
 >    4813 C, ST, L, O, CN
<snip/>


I personally seem to recall observing certs in the wild whose string-formatted 
DNames included the "+" notation as Martin illustrates above, and which denotes 
an RDN SET, although I don't recall whether such certs were produced by "real 
CAs" as Nelson terms a certain subclass of CAs.


Kaspar -- would information wrt multi-valued RDNames be embodied in the sample 
you used to generate the above info you shared with the list?  If so, are there 
any occurrences, and if so what's the frequency?


thanks,

=JeffH
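Worked example (added here; not code from the thread or from any implementation it discusses): a minimal pure-Python DER encoder and decoder for an X.501 Name that shows the SET canonicalisation Martin Rex describes (inside a multi-valued RDN the AVA with the shorter encoding sorts first), produces the "C, O, OU, CN" RDN-order strings of Kaspar Brand's survey, and flags any multi-valued RDNs, which is the question put to Kaspar above. It assumes short-form lengths, UTF8String values and single-byte OID arcs, which hold for the 2.5.4.x attribute types it uses.

```python
OIDS = {"C": "2.5.4.6", "ST": "2.5.4.8", "L": "2.5.4.7", "O": "2.5.4.10",
        "OU": "2.5.4.11", "CN": "2.5.4.3"}          # X.520 attribute types
SHORT = {v: k for k, v in OIDS.items()}

def _tlv(tag, body):
    assert len(body) < 128, "this example uses short-form lengths only"
    return bytes([tag, len(body)]) + body

def _oid(dotted):
    # X.690 8.19 with every arc < 128, which holds for all 2.5.4.x types
    a = [int(x) for x in dotted.split(".")]
    return _tlv(0x06, bytes([40 * a[0] + a[1]] + a[2:]))

def _decode_oid(body):
    return ".".join(map(str, [body[0] // 40, body[0] % 40] + list(body[1:])))

def encode_name(rdns):
    """rdns: list of RDNs in SEQUENCE order, each a list of (type, value)."""
    out = b""
    for rdn in rdns:
        avas = [_tlv(0x30, _oid(OIDS.get(t, t)) + _tlv(0x0C, v.encode()))
                for t, v in rdn]   # values as UTF8String (simplification)
        # X.690 11.6: DER orders SET OF members by their encoded octets, so the
        # caller's AVA order is discarded and the shorter encoding lands first.
        out += _tlv(0x31, b"".join(sorted(avas)))
    return _tlv(0x30, out)

def _walk(der):
    """Split a run of short-form TLVs into (tag, body) pairs."""
    items, pos = [], 0
    while pos < len(der):
        tag, length = der[pos], der[pos + 1]
        items.append((tag, der[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return items

def describe_name(der):
    """Return the survey-style RDN order string and any multi-valued RDNs."""
    (tag, body), = _walk(der)
    assert tag == 0x30, "Name must be a SEQUENCE"
    order, multi = [], []
    for stag, sbody in _walk(body):
        assert stag == 0x31, "each RDN must be a SET"
        avas = []
        for _, abody in _walk(sbody):
            (_, oid), (_, val) = _walk(abody)
            avas.append((SHORT.get(_decode_oid(oid), _decode_oid(oid)), val.decode()))
        order.append("+".join(t for t, _ in avas))   # "+" marks a multi-valued RDN
        if len(avas) > 1:
            multi.append(avas)
    return ", ".join(order), multi
```

Feeding it Martin's two subjects (in DER SEQUENCE order, C first) reproduces his observation: CN=Foo sorts ahead of the longer serialNumber AVA, while 2.5.4.5=227DEF sorts ahead of CN=LongName.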