IETF Logo Mail Archive

Re: [certid] DC should be MUST NOT

Martin Rex <mrex@sap.com> Wed, 30 June 2010 13:19 UTC

Return-Path: <mrex@sap.com>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 911813A6A24 for <certid@core3.amsl.com>; Wed, 30 Jun 2010 06:19:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.914
X-Spam-Level:
X-Spam-Status: No, score=-6.914 tagged_above=-999 required=5 tests=[AWL=-1.065, BAYES_50=0.001, HELO_EQ_DE=0.35, J_CHICKENPOX_22=0.6, J_CHICKENPOX_23=0.6, J_CHICKENPOX_27=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id edYBkZ7j5ELI for <certid@core3.amsl.com>; Wed, 30 Jun 2010 06:19:26 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by core3.amsl.com (Postfix) with ESMTP id 433C23A6830 for <certid@ietf.org>; Wed, 30 Jun 2010 06:19:26 -0700 (PDT)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id o5UDJaFS004726 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 30 Jun 2010 15:19:36 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201006301319.o5UDJZQj029339@fs4113.wdf.sap.corp>
To: stpeter@stpeter.im (Peter Saint-Andre)
Date: Wed, 30 Jun 2010 15:19:35 +0200 (MEST)
In-Reply-To: <4C2A7062.2070207@stpeter.im> from "Peter Saint-Andre" at Jun 29, 10 04:14:58 pm
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal06
X-SAP: out
Cc: certid@ietf.org
Subject: Re: [certid] DC should be MUST NOT
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Jun 2010 13:19:27 -0000

Peter Saint-Andre wrote:
> 
> In version -05 we had the following text:
> 
>    Domain Components (DCs) are unordered.  Therefore the following two
>    sets of DCs would be equivalent:
> 
>    dc=com, dc=example, dc=cn
> 
>    dc=cn, dc=example, dc=com
> 
>    Because com.example.cn is presumably different from cn.example.com,
>    representing or verifying an application server's DNS domain name
>    based on domain components would open a serious security hole.  As a
>    result, certificate issuers and application clients MUST NOT use DCs.
> 
> Someone objected that in fact domain components are not unordered, only
> that they can be misinterpreted (as everything else can, see ongoing
> discussion of RDNs and AVAs). Therefore we pulled out the quoted text.


I'm sorry, but this example is completely bogus.

* If you look at the examples of DC= usage in rfc-5280, they contain
  only >>domain<< names.  There is never a mentioning of a hostname,
  and therefore the server endpoint identification does not apply. 

* Some of the examples in rfc-5280 clearly combine DC= componentes
  with a CN= of a regular user !  It would be a terribly bad idea
  to newly introduce a concept of matching server endpoint identities
  that were supposed to be used for informational purposes in regular
  user certificates.

I would really appreciate a "MUST not use DC-ID for server endpoint
identification", which also happens to be the current practice and
what had previously been specified.  rfc-2818 doesn't mention DC= at all.

-Martin

v2.8.7 | Report a Bug | By Email