IETF Logo Mail Archive

Re: [certid] False choice for CN

Paul Hoffman <paul.hoffman@vpnc.org> Tue, 15 June 2010 02:55 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 04D6E3A6A1B for <certid@core3.amsl.com>; Mon, 14 Jun 2010 19:55:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.621
X-Spam-Level:
X-Spam-Status: No, score=0.621 tagged_above=-999 required=5 tests=[AWL=0.067, BAYES_50=0.001, HELO_MISMATCH_COM=0.553]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nV8GRB6Fqwad for <certid@core3.amsl.com>; Mon, 14 Jun 2010 19:55:27 -0700 (PDT)
Received: from hoffman.proper.com (Hoffman.Proper.COM [207.182.41.81]) by core3.amsl.com (Postfix) with ESMTP id 495CD3A6994 for <certid@ietf.org>; Mon, 14 Jun 2010 19:55:27 -0700 (PDT)
Received: from [10.20.30.158] (75-101-30-90.dsl.dynamic.sonic.net [75.101.30.90]) (authenticated bits=0) by hoffman.proper.com (8.14.4/8.14.3) with ESMTP id o5F2tTlK097440 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 14 Jun 2010 19:55:30 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Mime-Version: 1.0
Message-Id: <p0624080dc83c9b9b8066@[10.20.30.158]>
In-Reply-To: <201006141412.o5EECbvx026607@fs4113.wdf.sap.corp>
References: <201006141412.o5EECbvx026607@fs4113.wdf.sap.corp>
Date: Mon, 14 Jun 2010 19:55:27 -0700
To: mrex@sap.com
From: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: text/plain; charset="us-ascii"
Cc: certid@ietf.org
Subject: Re: [certid] False choice for CN
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Jun 2010 02:55:28 -0000

At 4:12 PM +0200 6/14/10, Martin Rex wrote:
>Paul Hoffman wrote:
>>
>> >   1.  The certificate MUST include a "DNS-ID" (i.e., a subjectAltName
>> >       identifier of type dNSName).
>>
>> . . .
>>
>> >   Therefore, if and only if the identity set does not include
>> >   subjectAltName extensions of type dNSName, SRVName, or
>> >   uniformResourceIdentifier (or any application-specific subjectAltName
>> >   extensions supported by the client), the client MAY as a fallback
>> >   check for a fully-qualified DNS domain name in the last Common Name
>> >   RDN in the sequence of RDNs making up the Distinguished Name within
>> >   the certificate's subjectName (where the term "last" refers to the
>> >   DER order, which is often not the string order presented to a user;
>> >   the order that is applied here MUST be the DER order).
>>
>> Bzzzzzt! All of 3.4.4 is bogus, given that DNS-ID is required. Please remove it.
>
>I think this needs to stay.
>
>The document under discussion is supposed to be a BCP (Best current practice)
>document, and it will have to describe how clients should deal with
>server certificates that do no have subjectAltNames.  It does so by
>describing the common practice that has been in use for certs that
>do not have subjectAltNames.

That goes counter to the MUST-level statements in the document. You either need to downgrade the MUST-level requirements, or get rid of the sections that say, in essence, "if this MUST-level requirement is not met, then do this".

The fact that this is a BCP is irrelevant. BCPs are standards-track documents. Being a BCP doesn't make it OK to have conflicting requirements.

--Paul Hoffman, Director
--VPN Consortium

v2.8.7 | Report a Bug | By Email