[certid] Please explicitly disallow unvetted info in subject names

Nelson B Bolyard <nelson@bolyard.me> Tue, 08 June 2010 17:50 UTC

Message-ID: <4C0E826B.3050904@bolyard.me>
Date: Tue, 08 Jun 2010 10:48:27 -0700
From: Nelson B Bolyard <nelson@bolyard.me>
Organization: Network Security Services
To: certid@ietf.org

There are a large number of CAs that follow the practice of vetting SOME
of the information they put into cert subject names, but not all, and in
fact deliberately making no attempt to vet certain attributes at all.

Examples known to me include:

OU names: typically not vetted at all

CNs other than the last (most specific) one, if it is a DNS name.

Maybe it's pointless to try, but can we write into this RFC that conforming
certs contain NO unvetted attributes in the subject name nor in any Subject
Alt Name attributes?

Since CAs seem to have such a strong desire to do so, maybe we should invent
a new extension: unvetted subject alt names, where they can put whatever
nonsense they want, and apps that care to use only vetted info
can ignore.  It MUST NOT be a critical extension.  On the other hand, the
correct processing of that extension should be defined to ignore it (:-)
so that all apps may claim to properly handle it, even if it is critical.
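The message argues two things a relying application can act on today: use only the vetted identity (the SAN, or failing that the last CN) and ignore everything else in the subject, and make the proposed "unvetted subject alt names" extension harmless whether or not a CA marks it critical. The Go program below is an added illustration of both, not code from the email, the certid list or any IETF document. It constructs a self-signed test certificate whose subject carries an unchecked OU, a marketing CN and a DNS-name CN in last position, plus a SAN and a stand-in extension; the OID `1.3.6.1.4.1.99999.1` used for that extension is hypothetical, chosen for this example only. Go's `crypto/x509` refuses to verify a certificate with an unknown critical extension, which is exactly the deployment problem the author wants to avoid; `ignoreUnvettedExtension` shows the "defined to ignore it" processing rule.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var (
	oidCommonName = asn1.ObjectIdentifier{2, 5, 4, 3}  // commonName
	oidOrgUnit    = asn1.ObjectIdentifier{2, 5, 4, 11} // organizationalUnitName
	// Hypothetical OID standing in for the proposed "unvetted subject alt names"
	// extension. Not registered anywhere; it exists only for this example.
	oidUnvettedSAN = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}
)

const vettedHost = "www.example.com"

// buildTestCert makes a self-signed certificate (constructed test data) whose
// subject mixes unvetted attributes with a vetted DNS-name CN in last position,
// repeats that name in the SAN, and carries the stand-in extension.
func buildTestCert(critical bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{ExtraNames: []pkix.AttributeTypeAndValue{
			{Type: oidOrgUnit, Value: "Free text nobody checked"}, // unvetted OU
			{Type: oidCommonName, Value: "Marketing Name Inc"},    // unvetted CN
			{Type: oidCommonName, Value: vettedHost},              // vetted last CN
		}},
		DNSNames:              []string{vettedHost},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		ExtraExtensions: []pkix.Extension{{
			Id: oidUnvettedSAN, Critical: critical, Value: []byte("anything goes here"),
		}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// lastCommonName returns the last (most specific) CN, the only CN the message
// says CAs vet; earlier CNs and OUs are walked past and never used.
func lastCommonName(cert *x509.Certificate) string {
	last := ""
	for _, atv := range cert.Subject.Names {
		if s, ok := atv.Value.(string); ok && atv.Type.Equal(oidCommonName) {
			last = s
		}
	}
	return last
}

// identityNames is what a relying application matches the expected host
// against: SAN dNSName entries when present, otherwise only the last CN.
func identityNames(cert *x509.Certificate) []string {
	if len(cert.DNSNames) > 0 {
		return cert.DNSNames
	}
	if cn := lastCommonName(cert); cn != "" {
		return []string{cn}
	}
	return nil
}

// ignoreUnvettedExtension applies the proposed processing rule: the extension
// is removed from the unhandled-critical list so it can never fail validation,
// whether or not the CA marked it critical.
func ignoreUnvettedExtension(cert *x509.Certificate) {
	kept := cert.UnhandledCriticalExtensions[:0]
	for _, id := range cert.UnhandledCriticalExtensions {
		if !id.Equal(oidUnvettedSAN) {
			kept = append(kept, id)
		}
	}
	cert.UnhandledCriticalExtensions = kept
}

// verifyAgainstSelf runs standard chain plus hostname verification with the
// certificate as its own trust anchor; an unhandled critical extension fails
// this before any name is examined.
func verifyAgainstSelf(cert *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: vettedHost})
	return err
}

func main() {
	cert, err := buildTestCert(true)
	if err != nil {
		panic(err)
	}
	fmt.Println("subject attributes:", len(cert.Subject.Names), "names used:", identityNames(cert))
	fmt.Println("verify with critical unvetted extension:", verifyAgainstSelf(cert))
	ignoreUnvettedExtension(cert)
	fmt.Println("verify after ignoring it:", verifyAgainstSelf(cert))
}
```

Run as-is to see the first verification fail with Go's unhandled-critical-extension error and the second succeed; building the certificate with `critical=false` verifies without any special handling, which is the MUST NOT the message asks for.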