Re: [certid] Need to define "most specific RDN"

Martin Rex <mrex@sap.com> Mon, 19 July 2010 16:57 UTC

Return-Path: <mrex@sap.com>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D11453A6B37 for <certid@core3.amsl.com>; Mon, 19 Jul 2010 09:57:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.393
X-Spam-Level:
X-Spam-Status: No, score=-9.393 tagged_above=-999 required=5 tests=[AWL=0.856, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AzPoistm-obE for <certid@core3.amsl.com>; Mon, 19 Jul 2010 09:57:37 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by core3.amsl.com (Postfix) with ESMTP id 81BC83A6B00 for <certid@ietf.org>; Mon, 19 Jul 2010 09:57:37 -0700 (PDT)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id o6JGvowa000180 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 19 Jul 2010 18:57:51 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201007191657.o6JGvoFU011620@fs4113.wdf.sap.corp>
To: ietf-certid@velox.ch (Kaspar Brand)
Date: Mon, 19 Jul 2010 18:57:50 +0200 (MEST)
In-Reply-To: <4C43E3B9.6040004@velox.ch> from "Kaspar Brand" at Jul 19, 10 07:33:45 am
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal06
X-SAP: out
Cc: certid@ietf.org
Subject: Re: [certid] Need to define "most specific RDN"
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Jul 2010 16:57:39 -0000

Kaspar Brand wrote:
> 
> In section 4 ("Verification of Server Identity"), however, I think we
> should expressly put an end to the debate of what "(most specific)" in
> RFC 2818 really means, otherwise the confusion is perpetuated.

I would prefer to stick with the _exact_ description of rfc-2818.
After all, this method has been deprecated back then and is intended
to remain deprecated.

> Of the two solutions - either explain at great length how it is to be
> understood DER-encoding-wise, or just go loop over all CNs -, the latter
> definitely seems preferrable to me.

RFC2818 is likely a specification looking backwards, trying to describe
the current practice and the behaviour of existing implementations.

A lot of TLS clients and most web browsers had been checking only
one single CN-ID when RFC-2818 was written (and still do), and
the "most specific" is likely the attempt to indicate which
CN-ID they are checking.

To me it sounds like the first match on a string search based on the
reversed ordering in "String Representation of Distinguished Names"
(rfc2253 as far as rfc2818 is concerned, which has since been
 obsoleted by rfc-4514).

But frankly, I do no see much value in trying to describe all possible
interpretation of a fairly vague wording, that itself was an attempt
to characterize, NOT specify, what kind of behaviour there is in the
installed base.  Leaving the vague description of rfc-2818 as is,
and pointing out more prominently that it is really deprecated
should be perfectly sufficient.

-Martin