Re: [certid] Last Call: draft-saintandre-tls-server-id-check (Representation and Verification of Domain-Based Application Service Identity in Certificates Used with Transport Layer Security) to Proposed Standard
"Blumenthal, Uri - 0668 - MITLL" <uri@ll.mit.edu> Fri, 30 July 2010 16:24 UTC
From: "Blumenthal, Uri - 0668 - MITLL" <uri@ll.mit.edu>
To: "certid@ietf.org" <certid@ietf.org>
Date: Fri, 30 Jul 2010 12:24:51 -0400
Message-ID: <B9A9A166-170B-4FC2-9DAF-FE5968DC4F3B@ll.mit.edu>
References: <20100715230822.5B1583A6B94@core3.amsl.com>
<4C49B477.80700@stpeter.im> <20100730034415.GA28022@isc.upenn.edu>
<4C5267FF.2090701@edelweb.fr> <20100730162031.GA15319@isc.upenn.edu>
In-Reply-To: <20100730162031.GA15319@isc.upenn.edu>
Certs (and issues related to them) probably is the one area where there should be absolutely no difference between TLS and DTLS, rule-wise.

--
Regards,
Uri         uri@ll.mit.edu

On Jul 30, 2010, at 12:20 PM, Shumon Huque wrote:

> On Fri, Jul 30, 2010 at 07:49:51AM +0200, Peter Sylvester wrote:
>>
>> You seem to say there that the text basically nails down to two
>> different id types, the dns based one (which is used in a very
>> prominent uri using application, i.e. https), and URI-id types.
>
> Well that, and SRVName. There are many other custom types
> defined by specific applications but those aren't the focus
> of this document.
>
>> It is a little bit difficult to have several certificates with
>> different URI ids sharing the same ipaddress+port.
>
> I agree ..
>
>> tls servername indication has no provision for this.
>
> Yeah, it's too bad the current SNI spec only supports "hostnames".
> Maybe we should look into updating that to support alternative
> name forms.
>
>> If one cannot have ids with different paths, what's the
>> beef having a path in an identifier?
>
> One can't have them in SNI extensions (actually they can't
> even have URIs at all, with or without paths). But if they
> appear in a URI SAN, what should be done, as a general rule?
> That was my question. If we're intending to only focus on
> authenticating an application server rather than a specific
> resource located at that server, then it would be simpler
> to declare this topic out of scope.
>
>> What also seems missing is a paragraph on what
>> happens before the server presents its certificate, i.e.
>> what means does the client have to direct the server,
>> ip-address:port to connect and fqdn in the servername
>> indication at least.
>>
>> ah, I forgot dtls?
>
> I'm not sure that we have to deal with differences between
> DTLS and TLS. The certificate identity matching rules
> described in this document apply equally to both. The
> connection establishment details differ, but that's currently
> not a subject of this document. Do you disagree?
>
> --
> Shumon Huque
> University of Pennsylvania.
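The three identifier types the thread settles on (DNS-ID, SRV-ID, URI-ID), as an added example that is not part of the message above, the draft, or any list participant's code: a small transport-independent matcher that takes the SAN contents of a certificate and the client's reference identifiers and reports which presented identifier matched. The SAN entries are constructed inline. Several rules are assumptions rather than text from the draft, and are marked as such in the code: a wildcard is honoured only as the whole left-most label of a DNS-ID, with at least two fixed labels after it; SRV-ID and URI-ID take no wildcards; and a URI-ID is compared on scheme and host only, so two URI-IDs differing only in path collapse to the same match (the thread leaves what to do with a path as an open question). Nothing in the check touches the transport, which is the point Uri and Shumon make about TLS versus DTLS.

```python
"""Certificate identity matching for DNS-ID, SRV-ID and URI-ID.

Added example (not from the draft or the message above). The SAN entries
and reference identifiers are constructed inline. Assumptions, marked in
the code: a wildcard is honoured only as the entire left-most label of a
DNS-ID and only with at least two fixed labels after it; SRV-ID and
URI-ID take no wildcards; a URI-ID is compared on scheme and host only,
so path, query and port play no part in the match.
"""
from urllib.parse import urlsplit


def _labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def match_dns_id(presented, reference):
    """Match a presented DNS-ID against a reference DNS name."""
    p, r = _labels(presented), _labels(reference)
    if len(p) != len(r):
        return False            # a wildcard stands for exactly one label
    if p[0] == "*":
        # Assumption: honour "*" only as the whole left-most label and refuse
        # overly broad names such as "*.com".
        return len(p) >= 3 and p[1:] == r[1:]
    if any("*" in label for label in p):
        return False            # partial wildcards ("f*o.example.com") refused
    return p == r


def match_srv_id(presented, reference):
    """Match an SRV-ID of the form '_service.name'."""
    try:
        p_service, p_name = presented.split(".", 1)
        r_service, r_name = reference.split(".", 1)
    except ValueError:
        return False
    if not (p_service.startswith("_") and r_service.startswith("_")):
        return False
    if p_service.lower() != r_service.lower():
        return False            # service component compared case-insensitively
    if "*" in p_name:
        return False            # assumption: no wildcards in SRV-ID
    return match_dns_id(p_name, r_name)


def match_uri_id(presented, reference):
    """Match a URI-ID on scheme (case-insensitive) and host (as a DNS-ID)."""
    p, r = urlsplit(presented), urlsplit(reference)
    if not p.scheme or p.scheme != r.scheme:   # urlsplit lower-cases the scheme
        return False
    if not p.hostname or not r.hostname:
        return False            # only URIs with an authority component
    if "*" in p.hostname:
        return False            # assumption: no wildcards in URI-ID
    # Assumption: path, query and port are not part of the identity.
    return match_dns_id(p.hostname, r.hostname)


MATCHERS = {"DNS-ID": match_dns_id, "SRV-ID": match_srv_id, "URI-ID": match_uri_id}


def verify_identity(san_entries, reference_ids):
    """Return the first (type, presented, reference) triple that matches, else None.

    Both arguments are lists of (type, value) pairs with type one of the
    MATCHERS keys. Nothing here depends on the transport, so the same
    check applies to a certificate received over TLS or over DTLS.
    """
    for r_type, ref in reference_ids:
        for p_type, presented in san_entries:
            if p_type == r_type and MATCHERS[p_type](presented, ref):
                return (p_type, presented, ref)
    return None


# Constructed SAN contents of a hypothetical certificate for example.com.
SAN = [
    ("DNS-ID", "*.example.com"),
    ("SRV-ID", "_xmpp-client.example.com"),
    ("URI-ID", "https://example.com/app1"),
]

if __name__ == "__main__":
    print(verify_identity(SAN, [("DNS-ID", "mail.example.com")]))
    print(verify_identity(SAN, [("DNS-ID", "a.b.example.com")]))   # None
    # Two URI-IDs that differ only in path are indistinguishable here:
    print(verify_identity(SAN, [("URI-ID", "HTTPS://EXAMPLE.COM/app2")]))
```

Because the matcher only ever sees the SAN values and the reference identifiers, the server selection problem Peter raises (several certificates for different URI-IDs behind one ip-address:port, with SNI carrying only a hostname) has to be solved before this function runs; once a certificate has been chosen, the check itself is the same regardless of how the connection was established.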