Re: [certid] [Gen-art] Gen-ART LC Review of draft-saintandre-tls-server-id-check-11
Ben Campbell <ben@nostrum.com> Wed, 08 December 2010 22:17 UTC
Return-Path: <ben@nostrum.com>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E548F3A69A7; Wed, 8 Dec 2010 14:17:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.386
X-Spam-Level:
X-Spam-Status: No, score=-102.386 tagged_above=-999 required=5 tests=[AWL=0.214, BAYES_00=-2.599, SPF_PASS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6aEWaq0CJD2J; Wed, 8 Dec 2010 14:17:52 -0800 (PST)
Received: from nostrum.com (nostrum-pt.tunnel.tserv2.fmt.ipv6.he.net [IPv6:2001:470:1f03:267::2]) by core3.amsl.com (Postfix) with ESMTP id 095CF3A6999; Wed, 8 Dec 2010 14:17:51 -0800 (PST)
Received: from dn3-174.estacado.net (vicuna-alt.estacado.net [75.53.54.121]) (authenticated bits=0) by nostrum.com (8.14.3/8.14.3) with ESMTP id oB8MJG5p079947 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Wed, 8 Dec 2010 16:19:16 -0600 (CST) (envelope-from ben@nostrum.com)
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset="us-ascii"
From: Ben Campbell <ben@nostrum.com>
In-Reply-To: <4D000298.20002@stpeter.im>
Date: Wed, 08 Dec 2010 16:19:16 -0600
Content-Transfer-Encoding: 7bit
Message-Id: <7CDA6BC3-50D9-48B1-8BF6-638BAEF63891@nostrum.com>
References: <4CFFF2D8.4070408@KingsMountain.com> <4D000298.20002@stpeter.im>
To: Peter Saint-Andre <stpeter@stpeter.im>
X-Mailer: Apple Mail (2.1082)
Received-SPF: pass (nostrum.com: 75.53.54.121 is authenticated by a trusted mechanism)
Cc: draft-saintandre-tls-server-id-check.all@tools.ietf.org, General Area Review Team <gen-art@ietf.org>, IETF cert-based identity <certid@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>, =JeffH <Jeff.Hodges@KingsMountain.com>
Subject: Re: [certid] [Gen-art] Gen-ART LC Review of draft-saintandre-tls-server-id-check-11
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Dec 2010 22:17:54 -0000
WFM On Dec 8, 2010, at 4:11 PM, Peter Saint-Andre wrote: > On 12/8/10 2:04 PM, =JeffH wrote: >> stpete replied.. >>> >>> On 12/7/10 8:01 AM, Paul Hoffman wrote: >>>> [[ Much abbreviated ]] >>>> >>>> At 9:10 PM -0700 12/6/10, Peter Saint-Andre wrote: >>>>>>>> -- 3.1, rule 6: >>>>>>>> >>>>>>>> Can you motivate why this is not a MUST NOT? >>>>>> The reason for allowing this wiggle-room is that (for better or >> worse).. >>>>>> >>>>>> 1. the CA/Browser Forum Extended Validation (EV) Certificate >> Guidelines >>>>>> explicitly allow for multiple CN-IDs >>>>>> >>>>>> 2. It's a not-totally-uncommon current practice to have certs >> that do >>>>>> have >>>>>> mutiple CN-IDs, eg from Comodo (whether EV or DV (domain >> valivdated)). >>>>>> >>>>>> 3. Virtual hosting multiple distinct-domain TLS servers on one >> entity is >>>>>> difficult today if one desires wide desktop client support >> because >>>>>> a certain vendor's older-but-still-widely-deployed-OS does not >> (yet?) >>>>>> support the TLS Server Name Indication extension. Thus having one >>>>>> cert with all the domains jammed in it (as either/both CN-IDs >> or/and >>>>>> DNS-IDs) is a workaround (eg Content Delivery Networks use this). >>>>>> >>>>>> >>>>>> So some argue that if we MUST NOT multiple CN-IDs at this point, it is >>>>>> flying in the face of present reality and might contribute to >> acquiring >>>>>> an attained reputation for this BCP that is lower than we desire. >>>>>> >>>>>> There is also concern on the part of CA folk about client-side TLS >> libs >>>>>> and their support for name matching (ie some (old?) one(s) will only >>>>>> match on CN-ID). >>>>>> >>>>>> For a CA perspective on all the above, see... >>>>>> >>>>>> Re: [certid] weird CN-IDs (subjectCommonName) in SSL Labs Survey Data >>>>>> http://www.ietf.org/mail-archive/web/certid/current/msg00502.html >>>>> >>>>> +1 to all that. >>>> >>>> Putting an explanation such as the above in the document will help >> future >>>> IETFs to decide when to make this a MUST NOT. It might also help the >> CA/Browser >>>> Forum and specific CAs see that they should stop doing this ASAP, and >> maybe >>>> even convince a particular legacy OS vendor to support TLS SNI. >>> >>> Sigh. I don't particularly want to add a long informational note that >>> qualifies eight words in the spec, but you're right. :) >> >> agreed. > > Possible text for the Security Considerations: > > ### > > 5.4. Multiple Identifiers > > This specification allows multiple DNS-IDs, SRV-IDs, or URI-IDs in a > certificate, but discourages multiple CN-IDs. The inclusion in the > Common Name of multiple strings whose form matches that of a fully- > qualified DNS domain name (e.g., "www.example.com") makes it more > difficult to parse the Common Name and increases the likelihood of > false positives in the identity verification process. Although it > would be preferable to forbid multiple CN-IDs entirely, there are > several reasons why this specification states that they SHOULD NOT > (instead of MUST NOT) be included: > > o At least one significant technology community of interest > explicitly allows multiple CN-IDs [EV-CERTS]. > > o At least one significant certification authority is known to issue > certificates containing multiple CN-IDs. > > o Many service providers often deem inclusion of multiple CN-IDs > necessary in "virtual hosting" environments because at least one > widely-deployed operating system does not yet support the Server > Name Indication extension [TLS-EXT] > > It is hoped that the recommendation in this specification can be > further tightened in the future. > > ### > > To be referenced from bullet #6 in Section 3.1: > > 6. The certificate MAY contain more than one DNS-ID, SRV-ID, or > URI-ID (but SHOULD NOT contain more than one CN-ID, as further > explained under Section 5.4). > > /psa > > _______________________________________________ > Gen-art mailing list > Gen-art@ietf.org > https://www.ietf.org/mailman/listinfo/gen-art
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… =JeffH
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- [certid] Gen-ART LC Review of draft-saintandre-tl… Ben Campbell
- Re: [certid] Gen-ART LC Review of draft-saintandr… Jeffrey A. Williams
- Re: [certid] Gen-ART LC Review of draft-saintandr… =JeffH
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… Paul Hoffman
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] Gen-ART LC Review of draft-saintandr… Ben Campbell
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… =JeffH
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… =JeffH
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] Gen-ART LC Review of draft-saintandr… =JeffH
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… =JeffH
- Re: [certid] Gen-ART LC Review of draft-saintandr… =JeffH
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… =JeffH