IETF Logo Mail Archive

Re: [certid] CN-ID and name constraints

"Jim Schaad" <ietf@augustcellars.com> Thu, 30 September 2010 19:48 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3350A3A6E80 for <certid@core3.amsl.com>; Thu, 30 Sep 2010 12:48:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZOT99X90-w7A for <certid@core3.amsl.com>; Thu, 30 Sep 2010 12:48:07 -0700 (PDT)
Received: from smtp1.pacifier.net (smtp1.pacifier.net [64.255.237.171]) by core3.amsl.com (Postfix) with ESMTP id 228C23A6D2D for <certid@ietf.org>; Thu, 30 Sep 2010 12:48:07 -0700 (PDT)
Received: from TITUS (unknown [207.202.179.27]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp1.pacifier.net (Postfix) with ESMTP id 4A04F6EF39; Thu, 30 Sep 2010 12:48:53 -0700 (PDT)
From: "Jim Schaad" <ietf@augustcellars.com>
To: "'Peter Saint-Andre'" <stpeter@stpeter.im>
References: <201009250309.o8P39Sc7016343@fs4113.wdf.sap.corp> <1285450341.1940.79.camel@mattlaptop2.local> <4CA3B1B0.2040106@stpeter.im> <006901cb6024$97c85990$c7590cb0$@augustcellars.com> <4CA4E4D6.2020209@stpeter.im>
In-Reply-To: <4CA4E4D6.2020209@stpeter.im>
Date: Thu, 30 Sep 2010 12:56:36 -0700
Message-ID: <00a201cb60d9$972bc930$c5835b90$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQE5mp2IHf/sQTeACWXye7dK1f19xwGNyQZRAom+LdwCIxKAuwF2kqUGlBD0PxA=
Content-Language: en-us
Cc: certid@ietf.org
Subject: Re: [certid] CN-ID and name constraints
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Sep 2010 19:48:09 -0000

I would consider this to be an application specific behavior and not part of the general validity processing that would be part of 5280.  If it was to happen anyplace I think this is where it should be recommended.

I don't however believe that it should necessarily be recommended anywhere as a practice.

jim

> -----Original Message-----
> From: Peter Saint-Andre [mailto:stpeter@stpeter.im]
> Sent: Thursday, September 30, 2010 12:28 PM
> To: Jim Schaad
> Cc: 'Matt McCutchen'; certid@ietf.org
> Subject: Re: [certid] CN-ID and name constraints
> 
> On 9/29/10 4:20 PM, Jim Schaad wrote:
> 
> > It was my understanding of this that the request was that the DNS name
> > constraints be applied to a CN-ID that is being treated as a DN.  This
> > would not be standard 5280 behavior.
> 
> That's a nice short summary of the issue. It seems to me that defining such
> behavior might be within scope for an update to RFC 5280, but not for the
> server-id-check document (since it is by no means intended to update RFC
> 5280!).
> 
> Peter
> 
> --
> Peter Saint-Andre
> https://stpeter.im/

v2.8.7 | Report a Bug | By Email