IETF Logo Mail Archive

Re: [certid] Gen-ART LC Review of draft-saintandre-tls-server-id-check-11

=JeffH <Jeff.Hodges@KingsMountain.com> Wed, 08 December 2010 21:03 UTC

Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 862263A697D for <certid@core3.amsl.com>; Wed, 8 Dec 2010 13:03:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.222
X-Spam-Level:
X-Spam-Status: No, score=-102.222 tagged_above=-999 required=5 tests=[AWL=0.377, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EGtE6uVOe4uM for <certid@core3.amsl.com>; Wed, 8 Dec 2010 13:02:59 -0800 (PST)
Received: from oproxy1-pub.bluehost.com (oproxy1-pub.bluehost.com [66.147.249.253]) by core3.amsl.com (Postfix) with SMTP id 27C8B3A686A for <certid@ietf.org>; Wed, 8 Dec 2010 13:02:59 -0800 (PST)
Received: (qmail 22622 invoked by uid 0); 8 Dec 2010 21:04:27 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by oproxy1.bluehost.com.bluehost.com with SMTP; 8 Dec 2010 21:04:27 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=kingsmountain.com; h=Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:Content-Type:Content-Transfer-Encoding:X-Identified-User; b=NyP9SDtynWklwWFqSgw4aktNflIT1Wwcu690afnMboFUh70PIz4/h3x6pWUdDhDnqJN6cp3daK60hm3yeh8ueatjFX76B2+c2Wi4VJ0aUtj4jpDG8mKfL4Ayxaf/28lh;
Received: from c-24-4-122-173.hsd1.ca.comcast.net ([24.4.122.173] helo=[192.168.11.10]) by box514.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1PQRBa-00027A-LE; Wed, 08 Dec 2010 14:04:26 -0700
Message-ID: <4CFFF2D8.4070408@KingsMountain.com>
Date: Wed, 08 Dec 2010 13:04:24 -0800
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Thunderbird 2.0.0.24 (X11/20101027)
MIME-Version: 1.0
To: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 24.4.122.173 authed with jeff.hodges+kingsmountain.com}
Cc: Ben Campbell <ben@nostrum.com>, General Area Review Team <gen-art@ietf.org>, IETF cert-based identity <certid@ietf.org>, =JeffH <Jeff.Hodges@KingsMountain.com>, draft-saintandre-tls-server-id-check.all@tools.ietf.org
Subject: Re: [certid] Gen-ART LC Review of draft-saintandre-tls-server-id-check-11
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Dec 2010 21:03:00 -0000

stpete replied..
 >
 > On 12/7/10 8:01 AM, Paul Hoffman wrote:
 >> [[ Much abbreviated ]]
 >>
 >> At 9:10 PM -0700 12/6/10, Peter Saint-Andre wrote:
 >>>>>> -- 3.1, rule 6:
 >>>>>>
 >>>>>> Can you motivate why this is not a MUST NOT?
 >>>> The reason for allowing this wiggle-room is that (for better or worse)..
 >>>>
 >>>>   1. the CA/Browser Forum Extended Validation (EV) Certificate Guidelines
 >>>>      explicitly allow for multiple CN-IDs
 >>>>
 >>>>   2. It's a not-totally-uncommon current practice to have certs that do
 >>>> have
 >>>>      mutiple CN-IDs, eg from Comodo (whether EV or DV (domain valivdated)).
 >>>>
 >>>>   3. Virtual hosting multiple distinct-domain TLS servers on one entity is
 >>>>      difficult today if one desires wide desktop client support because
 >>>>      a certain vendor's older-but-still-widely-deployed-OS does not (yet?)
 >>>>      support the TLS Server Name Indication extension. Thus having one
 >>>>      cert with all the domains jammed in it (as either/both CN-IDs or/and
 >>>>      DNS-IDs) is a workaround (eg Content Delivery Networks use this).
 >>>>
 >>>>
 >>>> So some argue that if we MUST NOT multiple CN-IDs at this point, it is
 >>>> flying in the face of present reality and might contribute to acquiring
 >>>> an attained reputation for this BCP that is lower than we desire.
 >>>>
 >>>> There is also concern on the part of CA folk about client-side TLS libs
 >>>> and their support for name matching (ie some (old?) one(s) will only
 >>>> match on CN-ID).
 >>>>
 >>>> For a CA perspective on all the above, see...
 >>>>
 >>>> Re: [certid] weird CN-IDs (subjectCommonName) in SSL Labs Survey Data
 >>>> http://www.ietf.org/mail-archive/web/certid/current/msg00502.html
 >>>
 >>> +1 to all that.
 >>
 >> Putting an explanation such as the above in the document will help future
 >> IETFs to decide when to make this a MUST NOT. It might also help the CA/Browser
 >> Forum and specific CAs see that they should stop doing this ASAP, and maybe
 >> even convince a particular legacy OS vendor to support TLS SNI.
 >
 > Sigh. I don't particularly want to add a long informational note that
 > qualifies eight words in the spec, but you're right. :)

agreed.

=JeffH

v2.23.0 | Report a Bug | By Email