Re: [certid] open issue: wildcards in component fragments
Matt McCutchen <matt@mattmccutchen.net> Wed, 13 October 2010 01:08 UTC
From: Matt McCutchen <matt@mattmccutchen.net>
To: Peter Saint-Andre <stpeter@stpeter.im>
Cc: certid@ietf.org
In-Reply-To: <4CB4FEAE.3090700@stpeter.im>
References: <201010122334.o9CNYLVL008766@fs4113.wdf.sap.corp>
<1286927514.1979.13.camel@mattlaptop2.local> <4CB4FEAE.3090700@stpeter.im>
Date: Tue, 12 Oct 2010 21:10:09 -0400
Message-ID: <1286932209.1979.22.camel@mattlaptop2.local>
Subject: Re: [certid] open issue: wildcards in component fragments
On Tue, 2010-10-12 at 18:34 -0600, Peter Saint-Andre wrote:
> On 10/12/10 5:51 PM, Matt McCutchen wrote:
> > On Wed, 2010-10-13 at 01:34 +0200, Martin Rex wrote:
> >> I consider the conservative approach of MSIE/SChannel and Firefox to
> >> allow a tail wildcard on the leftmost DNS label, in addition to a
> >> full wildcard, sensitive risk management combined with minimal complexity.
> >
> > As I said before, I don't think this "risk management" argument is real.
> > CAs are responsible for not giving an entity a certificate that matches
> > names the entity does not own. Why should we believe they are any more
> > likely to mess up via wildcards than, e.g., by setting the basic
> > constraint "CA: true"?
>
> Matt, what conclusion do you draw from your statement? IMHO it might
> lead to the conclusion that it doesn't matter what we put in the
> left-most label -- or even the conclusion that we don't need to restrict
> the location of the wildcard (e.g., foo.*.example.com or even
> *.*.example.com is fine) -- as long as the CA issues a certificate that
> matches a name the entity owns.

That's right from the perspective of "risk management". All I wanted to
do was put that argument aside. There are other arguments to consider,
e.g., "simpler" algorithms are easier to implement and more likely to be
implemented correctly, and compatibility with specifications that might
want to update to reference tls-server-id-check.

-- 
Matt
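The two wildcard policies argued over in this thread (a full wildcard only as the entire left-most label, versus the MSIE/SChannel/Firefox behaviour that also accepts a tail wildcard such as f*.example.com in the left-most label, with foo.*.example.com and *.*.example.com rejected under both) are easy to state precisely in code. The matcher below is an added example written for this page; it is not code from the thread, from any of its participants, or from the tls-server-id-check draft. It assumes that a wildcard label matches exactly one DNS label, that a bare "*" with no domain behind it is rejected, and that a tail wildcard may match any (possibly empty) suffix of the label; those three points are this example's choices, not rules stated in the thread.

```python
"""
Conservative wildcard matching for a certificate's presented DNS name.

policy "full": a wildcard is accepted only as the entire left-most label
               ("*.example.com").
policy "tail": additionally accept a wildcard at the end of the left-most
               label ("f*.example.com"), the browser behaviour described
               in the thread.
Under both policies a "*" anywhere but the left-most label is rejected
(e.g. "foo.*.example.com", "*.*.example.com"), and a wildcard never
matches across a dot.
"""
from typing import List, Literal

Policy = Literal["full", "tail"]


def _labels(name: str) -> List[str]:
    # DNS names compare case-insensitively; a trailing dot (root) is dropped.
    name = name.lower().rstrip(".")
    if not name:
        raise ValueError("empty name")
    labels = name.split(".")
    if any(not lbl for lbl in labels):
        raise ValueError(f"empty label in {name!r}")
    return labels


def wildcard_is_acceptable(presented: str, policy: Policy = "full") -> bool:
    """True if `presented` is a plain name or a wildcard the policy permits."""
    labels = _labels(presented)
    head, rest = labels[0], labels[1:]
    if any("*" in lbl for lbl in rest):
        return False  # wildcard outside the left-most label: rejected by both policies
    if "*" not in head:
        return True   # no wildcard at all
    if not rest:
        return False  # bare "*" (assumption: a wildcard must sit under some domain)
    if head == "*":
        return True   # full wildcard as the whole left-most label
    if policy == "tail":
        # exactly one "*", and it must be the last character of the label
        return head.count("*") == 1 and head.endswith("*")
    return False      # partial label such as "f*" is not allowed under "full"


def matches(presented: str, reference: str, policy: Policy = "full") -> bool:
    """Does the certificate's presented identifier match the reference name?"""
    if not wildcard_is_acceptable(presented, policy):
        return False
    p, r = _labels(presented), _labels(reference)
    if len(p) != len(r):
        return False  # a wildcard matches exactly one label (assumption), never several
    if p[1:] != r[1:]:
        return False  # every label right of the wildcard must match exactly
    head = p[0]
    if "*" not in head:
        return head == r[0]
    if head == "*":
        return True
    # tail wildcard: the fixed prefix must match; "*" covers the remaining
    # characters of the label (assumption: possibly none of them)
    return r[0].startswith(head[:-1])


if __name__ == "__main__":
    # Constructed sample pairs drawn from the names discussed in the thread.
    for pres, ref, pol in [
        ("*.example.com", "www.example.com", "full"),
        ("*.example.com", "a.b.example.com", "full"),
        ("f*.example.com", "foo.example.com", "full"),
        ("f*.example.com", "foo.example.com", "tail"),
        ("foo.*.example.com", "foo.bar.example.com", "tail"),
        ("*.*.example.com", "a.b.example.com", "tail"),
    ]:
        print(f"{pol:4} {pres:20} vs {ref:22} -> {matches(pres, ref, pol)}")
```

Note how the "tail" policy is the only difference between the two implementations: everything else (one label per wildcard, no wildcard outside the left-most label, exact comparison of the remaining labels) is shared, which is the "simpler algorithm" trade-off the message refers to.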