Re: [certid] CN fallback
Alexey Melnikov <alexey.melnikov@isode.com> Mon, 05 April 2010 21:30 UTC
Hi Peter,

Peter Saint-Andre wrote:

>On 3/23/10 8:44 AM, Ludwig Nussel wrote:
>
>>Hi,
>>
>>| If and only if the identity set does not include subjectAltName
>>| extensions of type dNSName, SRVName, uniformResourceIdentifier (or
>>| other application-specific subjectAltName extensions), the client MAY
>>| as a fallback check the value of the Common Name (CN)
>>
>>What about rewording that to the following?
>>
>>| If and only if the certificate does not include any subjectAltName
>>| extensions, the client MAY as a fallback check the value of the
>>| Common Name (CN)
>>
>
>I don't see a strong reason to change that text. This specification is
>about checking domain names, not IP addresses.
>
>As an aside, I must say that I'm tempted to move everything about CNs to
>a separate section,
>

That would be Ok with me.

>or to remove it entirely, because I don't think it's
>a best current practice for secure authentication.
>
>

Personally, I don't think removing it is going to be a service to the community, because this is the current practice, even if it is not the best one.
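
The two wordings quoted in this message give different results only for certificates whose subjectAltName holds no dNSName, SRVName or URI entry, for example one carrying just an iPAddress. The following Python is an added example, not code from the draft or from any participant in the thread; the dict layout, the SAN type labels and the function names are assumptions made for illustration, and matching is exact (no wildcard handling).

```python
# Added illustration: certificates are constructed dicts, not parsed X.509.
NAME_TYPES = {"DNS", "SRV", "URI"}  # assumed labels for dNSName, SRVName, URI

def cn_fallback_allowed(cert, wording):
    """Return True if the client MAY consult the CN under the given wording."""
    san = cert.get("san", [])
    if wording == "draft":       # no SAN entry of type dNSName/SRVName/URI
        return not any(kind in NAME_TYPES for kind, _ in san)
    if wording == "proposed":    # no subjectAltName extension at all
        return not san
    raise ValueError(f"unknown wording: {wording}")

def matches(cert, host, wording):
    """Case-insensitive exact match of host against the cert's identity."""
    host = host.lower().rstrip(".")
    dns_names = [v.lower() for kind, v in cert.get("san", []) if kind == "DNS"]
    if dns_names:                # dNSName present: the CN is never consulted
        return host in dns_names
    if cn_fallback_allowed(cert, wording):
        cn = cert.get("cn")
        return cn is not None and cn.lower() == host
    return False

# Constructed sample certificates.
IP_ONLY = {"cn": "mail.example.com", "san": [("IP", "192.0.2.10")]}
DNS_SAN = {"cn": "old.example.com", "san": [("DNS", "www.example.com")]}
URI_ONLY = {"cn": "im.example.com", "san": [("URI", "sip:im.example.com")]}
NO_SAN = {"cn": "legacy.example.com"}

if __name__ == "__main__":
    cases = [
        ("IP-only SAN", IP_ONLY, "mail.example.com"),
        ("dNSName SAN, host in CN only", DNS_SAN, "old.example.com"),
        ("URI-only SAN", URI_ONLY, "im.example.com"),
        ("no SAN", NO_SAN, "legacy.example.com"),
    ]
    for label, cert, host in cases:
        results = {w: matches(cert, host, w) for w in ("draft", "proposed")}
        print(f"{label:32} {results}")
```

Only the IP-only certificate separates the two rules: the draft wording accepts its CN, while the proposed wording rejects it because a subjectAltName extension is present.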