IETF Logo Mail Archive

Re: [certid] open issue: wildcards in component fragments

Peter Saint-Andre <stpeter@stpeter.im> Thu, 14 October 2010 21:57 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3D9BB3A6BFE for <certid@core3.amsl.com>; Thu, 14 Oct 2010 14:57:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.554
X-Spam-Level:
X-Spam-Status: No, score=-102.554 tagged_above=-999 required=5 tests=[AWL=0.045, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WqMc-Mu7-1LM for <certid@core3.amsl.com>; Thu, 14 Oct 2010 14:57:57 -0700 (PDT)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com (Postfix) with ESMTP id E4E103A6A09 for <certid@ietf.org>; Thu, 14 Oct 2010 14:57:56 -0700 (PDT)
Received: from dhcp-64-101-72-188.cisco.com (dhcp-64-101-72-188.cisco.com [64.101.72.188]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 89F6C40337; Thu, 14 Oct 2010 16:06:10 -0600 (MDT)
Message-ID: <4CB77D32.1080406@stpeter.im>
Date: Thu, 14 Oct 2010 15:59:14 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2.9) Gecko/20100915 Thunderbird/3.1.4
MIME-Version: 1.0
To: mrex@sap.com
References: <201010132220.o9DMKTjG024980@fs4113.wdf.sap.corp>
In-Reply-To: <201010132220.o9DMKTjG024980@fs4113.wdf.sap.corp>
X-Enigmail-Version: 1.1.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="------------ms090207070103030200090806"
Cc: certid@ietf.org
Subject: Re: [certid] open issue: wildcards in component fragments
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Oct 2010 21:57:58 -0000

On 10/13/10 4:20 PM, Martin Rex wrote:
> Peter Saint-Andre wrote:
>>
>> Jeff and I have been thinking about this independently today, and it
>> seems we're going in the same direction. Following Martin Rex's argument
>> to its logical conclusion has led me to believe that wildcards deserve
>> to be NOT RECOMMENDED in a best current practice document.
> 
> I'm certainly in favor of NOT RECOMMENDING the use of any wildcards
> to server admins (and to a lesser extent app protocol designers)
> in the security considerations section of the server-id-check
> document.
> 
> I'm less inclined about recommending to implementations to
> not implement it at all (which is about utility functions of the
> TLS implementation for use by the application).

After further reflection, I agree with you. I think Jeff is on board
with that, as well.

We should be able to publish -10 real soon now.

> Rather than leaving the issue of wildcards as underspecified as
> rfc-2818, I would appreciate a few words of what is commonly
> available in current web browsers and could be implemented with
> minor effort and low complexity.

Proposed text is always welcome.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/

v2.8.7 | Report a Bug | By Email