Re: [certid] Last Call: draft-saintandre-tls-server-id-check (Representation and Verification of Domain-Based Application Service Identity in Certificates Used with Transport Layer Security) to Proposed Standard
Shumon Huque <shuque@isc.upenn.edu> Fri, 30 July 2010 16:20 UTC
Return-Path: <shuque@isc.upenn.edu>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id 393D43A6969 for <certid@core3.amsl.com>;
Fri, 30 Jul 2010 09:20:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.26
X-Spam-Level:
X-Spam-Status: No, score=-4.26 tagged_above=-999 required=5 tests=[AWL=-1.661,
BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mymm7qLNYS2d for
<certid@core3.amsl.com>; Fri, 30 Jul 2010 09:20:07 -0700 (PDT)
Received: from talkeetna.isc-net.upenn.edu (TALKEETNA.isc-net.upenn.edu
[128.91.197.188]) by core3.amsl.com (Postfix) with ESMTP id 2A62F3A6845 for
<certid@ietf.org>; Fri, 30 Jul 2010 09:20:07 -0700 (PDT)
Received: by talkeetna.isc-net.upenn.edu (Postfix, from userid 4127) id
C4C23241E; Fri, 30 Jul 2010 12:20:31 -0400 (EDT)
Date: Fri, 30 Jul 2010 12:20:31 -0400
From: Shumon Huque <shuque@isc.upenn.edu>
To: Peter Sylvester <peter.sylvester@edelweb.fr>
Message-ID: <20100730162031.GA15319@isc.upenn.edu>
References: <20100715230822.5B1583A6B94@core3.amsl.com>
<4C49B477.80700@stpeter.im> <20100730034415.GA28022@isc.upenn.edu>
<4C5267FF.2090701@edelweb.fr>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4C5267FF.2090701@edelweb.fr>
User-Agent: Mutt/1.4.2.1i
Organization: University of Pennsylvania
Cc: certid@ietf.org
Subject: Re: [certid] Last Call:
draft-saintandre-tls-server-id-check (Representation and Verification of
Domain-Based Application Service Identity in Certificates Used with Transport
Layer Security) to Proposed Standard
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates
<certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Jul 2010 16:20:08 -0000
On Fri, Jul 30, 2010 at 07:49:51AM +0200, Peter Sylvester wrote: > > You seems to say there that the text basically nails down to two > different id types, the dns based one (which is used in a very > prominent uri using application, i.e. https), and URI-id types. Well that, and SRVName. There are many other custom types defined by specific applications but those aren't the focus of this document. > It is a little bit difficult to have several certificates with > different URI ids sharing the same ipaddress+port. I agree .. > tls servername indication has not provision for this. Yeah, it's too bad the current SNI spec only supports "hostnames". Maybe we should look into updating that to support alternative name forms. > If one cannot have ids with different paths, what's the > beef having a path in an identifier?. One can't have them in SNI extensions (actually they can't even have URIs at all, with or without paths). But if they appear in a URI SAN, what should be done, as a general rule? That was my question. If we're intending to only focus on authenticating an application server rather than a specific resource located at that server, then it would be simpler to declare this topic out of scope. > What also seems missing is a paragraph on what > happens before the server presents its certificate, i.e. > what means does have the client to direct the server, > ip-address:port to connect and fqdn in the servername > indication at least. > > ah, I forgot dtls? I'm not sure that we have to deal with differences between DTLS and TLS. The certificate identity matching rules described in this document apply equally to both. The connection establishment details differ, but that's currently not a subject of this document. Do you disagree? -- Shumon Huque University of Pennsylvania.
- [certid] [Fwd: Last Call: draft-saintandre-tls-se… Alexey Melnikov
- Re: [certid] Last Call: draft-saintandre-tls-serv… Peter Saint-Andre
- Re: [certid] Last Call: draft-saintandre-tls-serv… Shumon Huque
- Re: [certid] Last Call: draft-saintandre-tls-serv… Peter Sylvester
- Re: [certid] Last Call: draft-saintandre-tls-serv… Shumon Huque
- Re: [certid] Last Call: draft-saintandre-tls-serv… Blumenthal, Uri - 0668 - MITLL
- Re: [certid] Last Call: draft-saintandre-tls-serv… Shumon Huque
- Re: [certid] Last Call: draft-saintandre-tls-serv… Stefan Winter
- Re: [certid] Last Call: draft-saintandre-tls-serv… Shumon Huque
- Re: [certid] Last Call: draft-saintandre-tls-serv… Stefan Winter
- Re: [certid] Last Call: draft-saintandre-tls-serv… Peter Saint-Andre