IETF Logo Mail Archive

Re: [certid] Last Call: draft-saintandre-tls-server-id-check (Representation and Verification of Domain-Based Application Service Identity in Certificates Used with Transport Layer Security) to Proposed Standard

"Blumenthal, Uri - 0668 - MITLL" <uri@ll.mit.edu> Fri, 30 July 2010 16:24 UTC

Return-Path: <prvs=58279e90b8=uri@ll.mit.edu>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7B6433A68F2 for <certid@core3.amsl.com>; Fri, 30 Jul 2010 09:24:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.087
X-Spam-Level:
X-Spam-Status: No, score=-6.087 tagged_above=-999 required=5 tests=[AWL=-0.240, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, SARE_OBFU_ALL=0.751, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1YTiQTORn89R for <certid@core3.amsl.com>; Fri, 30 Jul 2010 09:24:28 -0700 (PDT)
Received: from mx1.ll.mit.edu (MX1.LL.MIT.EDU [129.55.12.45]) by core3.amsl.com (Postfix) with ESMTP id 2B31A3A6845 for <certid@ietf.org>; Fri, 30 Jul 2010 09:24:28 -0700 (PDT)
Received: from LLE2K7-HUB01.mitll.ad.local (LLE2K7-HUB01.mitll.ad.local) by mx1.ll.mit.edu (unknown) with ESMTP id o6UGOnj5008643 for <certid@ietf.org>; Fri, 30 Jul 2010 12:24:49 -0400
From: "Blumenthal, Uri - 0668 - MITLL" <uri@ll.mit.edu>
To: "certid@ietf.org" <certid@ietf.org>
Date: Fri, 30 Jul 2010 12:24:51 -0400
Thread-Topic: [certid] Last Call: draft-saintandre-tls-server-id-check (Representation and Verification of Domain-Based Application Service Identity in Certificates Used with Transport Layer Security) to Proposed Standard
Thread-Index: AcswA7y/mPwh6YbQThKAKlLkLcMZ2w==
Message-ID: <B9A9A166-170B-4FC2-9DAF-FE5968DC4F3B@ll.mit.edu>
References: <20100715230822.5B1583A6B94@core3.amsl.com> <4C49B477.80700@stpeter.im> <20100730034415.GA28022@isc.upenn.edu> <4C5267FF.2090701@edelweb.fr> <20100730162031.GA15319@isc.upenn.edu>
In-Reply-To: <20100730162031.GA15319@isc.upenn.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.0.10011, 1.0.148, 0.0.0000 definitions=2010-07-30_04:2010-07-30, 2010-07-30, 1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 ipscore=0 phishscore=0 bulkscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx engine=5.0.0-1005130000 definitions=main-1007300089
Subject: Re: [certid] Last Call: draft-saintandre-tls-server-id-check (Representation and Verification of Domain-Based Application Service Identity in Certificates Used with Transport Layer Security) to Proposed Standard
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Jul 2010 16:24:29 -0000

Certs (and issues related to them) probably is the one area where there should be absolutely no difference between TLS and DTLS, rule-wise.
--
Regards,
Uri          uri@ll.mit.edu



On Jul 30, 2010, at 12:20 PM, Shumon Huque wrote:

> On Fri, Jul 30, 2010 at 07:49:51AM +0200, Peter Sylvester wrote:
>> 
>> You seems to say there that the text basically nails down to two
>> different id types, the dns based one (which is used in a very
>> prominent uri using application, i.e. https), and URI-id types.
> 
> Well that, and SRVName. There are many other custom types
> defined by specific applications but those aren't the focus
> of this document.
> 
>> It is a little bit difficult to have several certificates with
>> different URI ids sharing the same ipaddress+port.
> 
> I agree ..
> 
>> tls servername indication has not provision for this.
> 
> Yeah, it's too bad the current SNI spec only supports "hostnames".
> Maybe we should look into updating that to support alternative
> name forms.
> 
>> If one cannot have ids with different paths, what's the
>> beef having a path in an identifier?.
> 
> One can't have them in SNI extensions (actually they can't
> even have URIs at all, with or without paths). But if they
> appear in a URI SAN, what should be done, as a general rule?
> That was my question. If we're intending to only focus on
> authenticating an application server rather than a specific
> resource located at that server, then it would be simpler
> to declare this topic out of scope.
> 
>> What also seems missing is a paragraph on what
>> happens before the server presents its certificate, i.e.
>> what means does have the client to direct the server,
>> ip-address:port to connect and fqdn in the servername
>> indication at least.
>> 
>> ah, I forgot dtls?
> 
> I'm not sure that we have to deal with differences between 
> DTLS and TLS. The certificate identity matching rules 
> described in this document apply equally to both. The 
> connection establishment details differ, but that's currently
> not a subject of this document. Do you disagree?
> 
> -- 
> Shumon Huque
> University of Pennsylvania.
> _______________________________________________
> certid mailing list
> certid@ietf.org
> https://www.ietf.org/mailman/listinfo/certid

v2.8.7 | Report a Bug | By Email