IETF Logo Mail Archive

Re: [certid] Need to define "most specific RDN"

Shumon Huque <shuque@isc.upenn.edu> Thu, 22 July 2010 02:57 UTC

Return-Path: <shuque@isc.upenn.edu>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2E7DA3A68F5 for <certid@core3.amsl.com>; Wed, 21 Jul 2010 19:57:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.713
X-Spam-Level:
X-Spam-Status: No, score=-4.713 tagged_above=-999 required=5 tests=[AWL=-2.114, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z4dUL78Q+WKD for <certid@core3.amsl.com>; Wed, 21 Jul 2010 19:57:21 -0700 (PDT)
Received: from talkeetna.isc-net.upenn.edu (TALKEETNA.isc-net.upenn.edu [128.91.197.188]) by core3.amsl.com (Postfix) with ESMTP id 1C4D63A6892 for <certid@ietf.org>; Wed, 21 Jul 2010 19:57:21 -0700 (PDT)
Received: by talkeetna.isc-net.upenn.edu (Postfix, from userid 4127) id A48092138; Wed, 21 Jul 2010 22:57:37 -0400 (EDT)
Date: Wed, 21 Jul 2010 22:57:37 -0400
From: Shumon Huque <shuque@isc.upenn.edu>
To: Martin Rex <mrex@sap.com>
Message-ID: <20100722025737.GA5345@isc.upenn.edu>
References: <4C3DDC18.4020808@bolyard.me> <201007212312.o6LNCi8Y017372@fs4113.wdf.sap.corp>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <201007212312.o6LNCi8Y017372@fs4113.wdf.sap.corp>
User-Agent: Mutt/1.4.2.1i
Organization: University of Pennsylvania
Cc: certid@ietf.org
Subject: Re: [certid] Need to define "most specific RDN"
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Jul 2010 02:57:22 -0000

On Thu, Jul 22, 2010 at 01:12:44AM +0200, Martin Rex wrote:
> Nelson B Bolyard wrote:
> > 
> > SANs solve this whole problem.  They have a component that may ONLY contain
> > DNS names, and therefore is easily constrained.  DNS name constraints would
> > be effective if certs ONLY put DNS names into SANs.  But putting DNS names
> > into SANs effectively bypasses name constraints (at least, in
> > implementations I tested last year).
> 
> Look at the server certificate here(*):
> 
>    https://edgecastcdn.net/
> 
> and SANs in it.  The Server cert is from a 3-level CA hierarchy
> (Entrust on top, two intermediate CAs from DigiCert).
> 
> How exactly are name constraints going to make issuing such certs
> easier or safer, and can you actually come up with a meaningful
> name constraints for such a cert?
> 
> -Martin

This certificate has a whole bunch of SAN-dNSNames that are all
over the DNS name space. So, no, there is no useful name constraint
extension that the issuing cert(s) can have for this.

Name constraints would be more useful if the Internet PKI was
hierarchically constructed _with_ hierarchical authority of
the name space. That would have been great, but it isn't the case
(any CA that gets into the club can issue certs for any name).

Maybe Nelson is thinking about an alternative Internet PKI or
some private/enterprise PKI, where they could be useful.

At this point, the best hope for a namespace-constrained Internet
PKI might be with DNSSEC. I think there's a BOF on this topic at 
IETF next week.

-- 
Shumon Huque
University of Pennsylvania.

v2.8.7 | Report a Bug | By Email