Re: [certid] CN fallback

Alexey Melnikov <alexey.melnikov@isode.com> Tue, 06 April 2010 06:55 UTC

Message-ID: <4BBADACF.9090201@isode.com>
Date: Tue, 06 Apr 2010 07:55:11 +0100
From: Alexey Melnikov <alexey.melnikov@isode.com>
To: Scott Cantor <cantor.2@osu.edu>
References: <201003231544.05651.ludwig.nussel@suse.de> <4BB3C21E.90502@stpeter.im> <4BBA5673.7020403@isode.com> <00d401cad517$7ee680c0$7cb38240$@2@osu.edu>
In-Reply-To: <00d401cad517$7ee680c0$7cb38240$@2@osu.edu>
Cc: certid@ietf.org
Subject: Re: [certid] CN fallback

Scott Cantor wrote:

>>>or to remove it entirely, because I don't think it's
>>>a best current practice for secure authentication.
>>
>>Personally, I don't think removing it is going to be a service to the
>>community, because this is the current practice, even if it is not the
>>best one.
>
>Since nothing's referencing this specification yet anyway, why not outline
>what people should do, rather than what they are doing?
Personally I am hoping that updated versions of documents referenced in 
the Appendix will point to this document. Such updated protocols will 
either have a backward compatibility issue (if text about use of CN is 
removed), or will have to copy the text about use of CN. The latter kind 
of defeats the purpose of having a document that serves as a cookbook 
for TLS server identity verification in protocols.

This is not to say that I am against discouraging use of CN in 
certificates. I am against discouraging by omission.

>A previous note mentioned the fact that DNs are hierarchical paths into a
>directory. This, of course, is not true;
This part is actually true, by definition of a DN.

>X.500 does not exist as a
>global/going concern, so DNs are in fact misleading in this context.
X.509 uses X.500 constructs such as DNs, so the lack of a global X.500 
infrastructure is irrelevant in this case.

As a side note: some CAs use X.500 Directories internally, so DNs 
specified in certificates they issue correspond to DNs in their Directories.

>Let's stop pretending otherwise.
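The two technical points argued over above, that a verifier should consult the CN only as a fallback when the certificate presents no subjectAltName dNSName, and that a DN is an ordered path so "the CN" means the most specific (last) CN in the subject, are shown together in the following added example. It is not code from this thread, from any draft, or from any product mentioned here; the certificate contents are constructed in-line as already-parsed Python structures rather than DER, and the wildcard policy (wildcard only as the whole left-most label, and never against a two-label name) is the example's own conservative choice rather than text quoted from a specification.

```python
"""Host-name verification with SAN-first matching and CN fallback.

Added example, not code from the certid thread. Certificate contents
below are constructed sample data, not parsed from real certificates.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class SubjectInfo:
    """What a verifier extracts from a parsed X.509 certificate.

    rdns: the subject DN as an ordered list of RDNs, root first, each RDN
          a list of (attribute-type, value) pairs, mirroring the ASN.1
          RDNSequence. Constructed sample data, not DER.
    dns_names: dNSName entries from subjectAltName (empty if none).
    """
    rdns: List[List[Tuple[str, str]]]
    dns_names: List[str] = field(default_factory=list)


def most_specific_cn(rdns) -> Optional[str]:
    """Value of the CN in the last RDN that carries one, or None.

    A DN is a path from the directory root to an entry, so the last CN
    names the leaf; any earlier CN belongs to an ancestor entry.
    """
    for rdn in reversed(rdns):
        for attr_type, value in rdn:
            if attr_type.upper() == "CN":
                return value
    return None


def presented_identifiers(subject: SubjectInfo):
    """Return (identifiers, source).

    subjectAltName dNSName entries are authoritative; the CN is used only
    when the certificate presents no dNSName at all. When a SAN is present
    the CN is deliberately not consulted, even if it would have matched.
    """
    if subject.dns_names:
        return list(subject.dns_names), "subjectAltName"
    cn = most_specific_cn(subject.rdns)
    if cn is None:
        return [], "none"
    return [cn], "CN"


def match_identifier(presented: str, reference: str) -> bool:
    """Case-insensitive DNS-ID comparison with a restrictive wildcard rule.

    A wildcard is honoured only when it is the entire left-most label, it
    never matches across a dot, and (local policy in this example) it must
    be followed by at least two labels, so "*.com" never matches anything.
    """
    p = presented.lower().rstrip(".")
    r = reference.lower().rstrip(".")
    if "*" in r:
        return False                      # reference identifiers are literal
    if "*" not in p:
        return p == r
    p_labels = p.split(".")
    r_labels = r.split(".")
    if p_labels[0] != "*" or "*" in p[2:]:
        return False                      # wildcard must be the whole left-most label
    if len(p_labels) < 3:
        return False                      # refuse "*.com"-style patterns
    return len(p_labels) == len(r_labels) and p_labels[1:] == r_labels[1:]


def verify_host(subject: SubjectInfo, reference: str):
    """Return (matched, source) where source records which identifier type
    was consulted, so a caller can log or reject CN-based matches."""
    ids, source = presented_identifiers(subject)
    for pid in ids:
        if match_identifier(pid, reference):
            return True, source
    return False, source


# Constructed sample certificates (no real issuer or host is implied).
SAN_CERT = SubjectInfo(
    rdns=[[("C", "US")], [("O", "Example Corp")], [("CN", "www.example.com")]],
    dns_names=["example.com", "*.example.com"],
)
# A SAN is present but does not cover the CN: the CN must be ignored.
SAN_WITHOUT_CN_CERT = SubjectInfo(
    rdns=[[("C", "US")], [("O", "Example Corp")], [("CN", "www.example.com")]],
    dns_names=["other.example.org"],
)
# Legacy certificate with no SAN and two CNs along the DN path.
LEGACY_CERT = SubjectInfo(
    rdns=[[("C", "GB")], [("O", "Example Ltd")], [("CN", "Servers")],
          [("CN", "mail.example.net")]],
)

if __name__ == "__main__":
    for cert, host in [(SAN_CERT, "api.example.com"),
                       (SAN_WITHOUT_CN_CERT, "www.example.com"),
                       (LEGACY_CERT, "mail.example.net")]:
        print(host, verify_host(cert, host))
```

The `source` value returned by `verify_host` is what a deployment that wants to discourage CN use without silently breaking legacy peers would act on: accept `"subjectAltName"` unconditionally, and log, warn on, or reject `"CN"` according to local policy.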