Re: [certid] DC should be MUST NOT
Martin Rex <mrex@sap.com> Wed, 30 June 2010 15:21 UTC
Return-Path: <mrex@sap.com>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id 39AE93A6A15 for <certid@core3.amsl.com>;
Wed, 30 Jun 2010 08:21:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.193
X-Spam-Level:
X-Spam-Status: No, score=-8.193 tagged_above=-999 required=5 tests=[AWL=0.256,
BAYES_00=-2.599, HELO_EQ_DE=0.35, J_CHICKENPOX_22=0.6, J_CHICKENPOX_23=0.6,
J_CHICKENPOX_27=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XvpmgVgE-RIe for
<certid@core3.amsl.com>; Wed, 30 Jun 2010 08:21:00 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by
core3.amsl.com (Postfix) with ESMTP id B0C763A6834 for <certid@ietf.org>;
Wed, 30 Jun 2010 08:20:59 -0700 (PDT)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id
o5UFL9Il010186 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256
verify=OK); Wed, 30 Jun 2010 17:21:09 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201006301521.o5UFL8q8006323@fs4113.wdf.sap.corp>
To: stpeter@stpeter.im (Peter Saint-Andre)
Date: Wed, 30 Jun 2010 17:21:08 +0200 (MEST)
In-Reply-To: <4C2A7062.2070207@stpeter.im> from "Peter Saint-Andre" at Jun 29,
10 04:14:58 pm
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal08
X-SAP: out
Cc: certid@ietf.org
Subject: Re: [certid] DC should be MUST NOT
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: Representation and verification of identity in certificates
<certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Jun 2010 15:21:02 -0000
Peter Saint-Andre wrote: > > In version -05 we had the following text: > > Domain Components (DCs) are unordered. Therefore the following two > sets of DCs would be equivalent: > > dc=com, dc=example, dc=cn > > dc=cn, dc=example, dc=com > > Because com.example.cn is presumably different from cn.example.com, > representing or verifying an application server's DNS domain name > based on domain components would open a serious security hole. As a > result, certificate issuers and application clients MUST NOT use DCs. Slightly OT: adding DC= AVAs to a DName would be fairly unreasonable if they did _not_ have a defined order. I assume that the order is as much defined as it is for the regular "hierarchical directory tree". Although my PKIX & LDAP exposure is at the homeopathic level, I assume the idea of the DC= components could be to establish something like a hierarchical LDAP directory model based on DNS rather than assuming a single global X.500 directory hierarchy and full-fledged DAP. -Martin
- [certid] DC should be MUST NOT Paul Hoffman
- Re: [certid] DC should be MUST NOT Bruno Harbulot
- Re: [certid] DC should be MUST NOT Peter Saint-Andre
- Re: [certid] DC should be MUST NOT Martin Rex
- Re: [certid] DC should be MUST NOT Scott Cantor
- Re: [certid] DC should be MUST NOT Peter Saint-Andre
- Re: [certid] DC should be MUST NOT Paul Hoffman
- Re: [certid] DC should be MUST NOT Martin Rex
- Re: [certid] DC should be MUST NOT Peter Sylvester
- Re: [certid] DC should be MUST NOT =JeffH