IETF Logo Mail Archive

Re: [certid] Comments on draft-saintandre-tls-server-id-check-03

Peter Saint-Andre <stpeter@stpeter.im> Fri, 09 April 2010 17:39 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D6FBC3A6810 for <certid@core3.amsl.com>; Fri, 9 Apr 2010 10:39:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.336
X-Spam-Level:
X-Spam-Status: No, score=-2.336 tagged_above=-999 required=5 tests=[AWL=0.263, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6VmcugSZ6p1M for <certid@core3.amsl.com>; Fri, 9 Apr 2010 10:39:27 -0700 (PDT)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com (Postfix) with ESMTP id 979883A67AD for <certid@ietf.org>; Fri, 9 Apr 2010 10:39:27 -0700 (PDT)
Received: from dhcp-64-101-72-158.cisco.com (dhcp-64-101-72-158.cisco.com [64.101.72.158]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 123A440E15 for <certid@ietf.org>; Fri, 9 Apr 2010 11:39:22 -0600 (MDT)
Message-ID: <4BBF6648.4050506@stpeter.im>
Date: Fri, 09 Apr 2010 11:39:20 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4
MIME-Version: 1.0
To: certid@ietf.org
References: <4BB78081.3050504@bolyard.me>
In-Reply-To: <4BB78081.3050504@bolyard.me>
X-Enigmail-Version: 1.0.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="------------ms040200010701060907000700"
Subject: Re: [certid] Comments on draft-saintandre-tls-server-id-check-03
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Apr 2010 17:39:29 -0000

On 4/3/10 11:53 AM, Nelson B Bolyard wrote:
> Hello certid,
> 
> In sections 3.8, 4.2.4, and in Appendix A.3 section 3.1.3 , reference is
> made to
>> the "leaf" (left-most) position within the Relative Distinguished Names
>> (RDNs) of the subjectName
> I would like to comment on that terminology, and suggest different
> terminology.
> 
> I am the chief SSL developer for NSS, the crypto libraries used in Mozilla
> products (Firefox, Thunderbird), and before that, Netscape products.  I have
> been an NSS SSL developer for 13 years.  In that time I have seen numerous
> problems with CAs issuing certs with RDNs in the "wrong order".
> 
> There are (or have been, during my career) MANY CAs that do not understand
> that RDNs describe a path through a hierarchy, and that the order of the
> RDNs, AS ENCODED IN THE CERTIFICATE, is from "most general" to "most
> specific".  The various standards for translating a DER encoded Name into
> a string call for the RDNs to be ordered, left to right, from most specific
> to most general, the reverse of the order in which they appear in the
> DER encoded certificate.  But sadly there are a number of popularly used
> programs that do not conform, and translate between DER and string form
> (in both directions) without reversing the order.  This contributes to the
> problem of CAs putting CNs in the wrong places or wrong orders.
> 
> So, I suggest that this document not specify the CN's position among the
> RDNs by its position in the string form, but rather by its position in the
> DER encoded form in the certificate.  I suggest that the document state
> that it must be the LAST of the CNs within the RDNs, as those RDNs are found
> in the DER encoded Name in the certificate.
> 
> It may be useful for the document to explain, in an appendix, that the order
> in which the RDNs appear in string form is supposed to be the reverse of the
> order in which they are found in the DER encoded Name form in the
> certificate, and that consequently, when seen in string form, the CN should
> be the first (left-most) CN found in the RDNs.  But I'd add that as
> informative text, not normative.

Done in my working copy.

> Also, Please add an additional sentence to section 4.2.4 saying:
> 
> A client MUST NOT check the Common Name if the identity set includes any
> subjectAltName extension of type dNSName, SRVName, uniformResourceIdentifier
> (or other application-specific subjectAltName extensions).
> 
> This may seem redundant, given the first sentence of 4.2.4, but there are
> many developers who will ignore any statement that does not say MUST or
> MUST NOT.  Hopefully, the sentence I suggest above makes it clear.

Added in my working copy.

Thanks for the feedback.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/

v2.8.7 | Report a Bug | By Email