IETF Logo Mail Archive

Re: [certid] [Gen-art] Gen-ART LC Review of draft-saintandre-tls-server-id-check-11

Ben Campbell <ben@nostrum.com> Wed, 08 December 2010 22:17 UTC

Return-Path: <ben@nostrum.com>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E548F3A69A7; Wed, 8 Dec 2010 14:17:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.386
X-Spam-Level:
X-Spam-Status: No, score=-102.386 tagged_above=-999 required=5 tests=[AWL=0.214, BAYES_00=-2.599, SPF_PASS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6aEWaq0CJD2J; Wed, 8 Dec 2010 14:17:52 -0800 (PST)
Received: from nostrum.com (nostrum-pt.tunnel.tserv2.fmt.ipv6.he.net [IPv6:2001:470:1f03:267::2]) by core3.amsl.com (Postfix) with ESMTP id 095CF3A6999; Wed, 8 Dec 2010 14:17:51 -0800 (PST)
Received: from dn3-174.estacado.net (vicuna-alt.estacado.net [75.53.54.121]) (authenticated bits=0) by nostrum.com (8.14.3/8.14.3) with ESMTP id oB8MJG5p079947 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Wed, 8 Dec 2010 16:19:16 -0600 (CST) (envelope-from ben@nostrum.com)
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset="us-ascii"
From: Ben Campbell <ben@nostrum.com>
In-Reply-To: <4D000298.20002@stpeter.im>
Date: Wed, 08 Dec 2010 16:19:16 -0600
Content-Transfer-Encoding: 7bit
Message-Id: <7CDA6BC3-50D9-48B1-8BF6-638BAEF63891@nostrum.com>
References: <4CFFF2D8.4070408@KingsMountain.com> <4D000298.20002@stpeter.im>
To: Peter Saint-Andre <stpeter@stpeter.im>
X-Mailer: Apple Mail (2.1082)
Received-SPF: pass (nostrum.com: 75.53.54.121 is authenticated by a trusted mechanism)
Cc: draft-saintandre-tls-server-id-check.all@tools.ietf.org, General Area Review Team <gen-art@ietf.org>, IETF cert-based identity <certid@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>, =JeffH <Jeff.Hodges@KingsMountain.com>
Subject: Re: [certid] [Gen-art] Gen-ART LC Review of draft-saintandre-tls-server-id-check-11
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Dec 2010 22:17:54 -0000

WFM

On Dec 8, 2010, at 4:11 PM, Peter Saint-Andre wrote:

> On 12/8/10 2:04 PM, =JeffH wrote:
>> stpete replied..
>>> 
>>> On 12/7/10 8:01 AM, Paul Hoffman wrote:
>>>> [[ Much abbreviated ]]
>>>> 
>>>> At 9:10 PM -0700 12/6/10, Peter Saint-Andre wrote:
>>>>>>>> -- 3.1, rule 6:
>>>>>>>> 
>>>>>>>> Can you motivate why this is not a MUST NOT?
>>>>>> The reason for allowing this wiggle-room is that (for better or
>> worse)..
>>>>>> 
>>>>>>  1. the CA/Browser Forum Extended Validation (EV) Certificate
>> Guidelines
>>>>>>     explicitly allow for multiple CN-IDs
>>>>>> 
>>>>>>  2. It's a not-totally-uncommon current practice to have certs
>> that do
>>>>>> have
>>>>>>     mutiple CN-IDs, eg from Comodo (whether EV or DV (domain
>> valivdated)).
>>>>>> 
>>>>>>  3. Virtual hosting multiple distinct-domain TLS servers on one
>> entity is
>>>>>>     difficult today if one desires wide desktop client support
>> because
>>>>>>     a certain vendor's older-but-still-widely-deployed-OS does not
>> (yet?)
>>>>>>     support the TLS Server Name Indication extension. Thus having one
>>>>>>     cert with all the domains jammed in it (as either/both CN-IDs
>> or/and
>>>>>>     DNS-IDs) is a workaround (eg Content Delivery Networks use this).
>>>>>> 
>>>>>> 
>>>>>> So some argue that if we MUST NOT multiple CN-IDs at this point, it is
>>>>>> flying in the face of present reality and might contribute to
>> acquiring
>>>>>> an attained reputation for this BCP that is lower than we desire.
>>>>>> 
>>>>>> There is also concern on the part of CA folk about client-side TLS
>> libs
>>>>>> and their support for name matching (ie some (old?) one(s) will only
>>>>>> match on CN-ID).
>>>>>> 
>>>>>> For a CA perspective on all the above, see...
>>>>>> 
>>>>>> Re: [certid] weird CN-IDs (subjectCommonName) in SSL Labs Survey Data
>>>>>> http://www.ietf.org/mail-archive/web/certid/current/msg00502.html
>>>>> 
>>>>> +1 to all that.
>>>> 
>>>> Putting an explanation such as the above in the document will help
>> future
>>>> IETFs to decide when to make this a MUST NOT. It might also help the
>> CA/Browser
>>>> Forum and specific CAs see that they should stop doing this ASAP, and
>> maybe
>>>> even convince a particular legacy OS vendor to support TLS SNI.
>>> 
>>> Sigh. I don't particularly want to add a long informational note that
>>> qualifies eight words in the spec, but you're right. :)
>> 
>> agreed.
> 
> Possible text for the Security Considerations:
> 
> ###
> 
> 5.4.  Multiple Identifiers
> 
>   This specification allows multiple DNS-IDs, SRV-IDs, or URI-IDs in a
>   certificate, but discourages multiple CN-IDs.  The inclusion in the
>   Common Name of multiple strings whose form matches that of a fully-
>   qualified DNS domain name (e.g., "www.example.com") makes it more
>   difficult to parse the Common Name and increases the likelihood of
>   false positives in the identity verification process.  Although it
>   would be preferable to forbid multiple CN-IDs entirely, there are
>   several reasons why this specification states that they SHOULD NOT
>   (instead of MUST NOT) be included:
> 
>   o  At least one significant technology community of interest
>      explicitly allows multiple CN-IDs [EV-CERTS].
> 
>   o  At least one significant certification authority is known to issue
>      certificates containing multiple CN-IDs.
> 
>   o  Many service providers often deem inclusion of multiple CN-IDs
>      necessary in "virtual hosting" environments because at least one
>      widely-deployed operating system does not yet support the Server
>      Name Indication extension [TLS-EXT]
> 
>   It is hoped that the recommendation in this specification can be
>   further tightened in the future.
> 
> ###
> 
> To be referenced from bullet #6 in Section 3.1:
> 
>   6.  The certificate MAY contain more than one DNS-ID, SRV-ID, or
>       URI-ID (but SHOULD NOT contain more than one CN-ID, as further
>       explained under Section 5.4).
> 
> /psa
> 
> _______________________________________________
> Gen-art mailing list
> Gen-art@ietf.org
> https://www.ietf.org/mailman/listinfo/gen-art

v2.23.0 | Report a Bug | By Email