Re: [certid] Fwd: I-D Action:draft-saintandre-tls-server-id-check-10.txt
=JeffH <Jeff.Hodges@KingsMountain.com> Fri, 12 November 2010 02:13 UTC
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id 9030228C158 for <certid@core3.amsl.com>;
Thu, 11 Nov 2010 18:13:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.037
X-Spam-Level:
X-Spam-Status: No, score=-100.037 tagged_above=-999 required=5 tests=[AWL=2.228,
BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kQ7De+L61el0 for
<certid@core3.amsl.com>; Thu, 11 Nov 2010 18:13:54 -0800 (PST)
Received: from cpoproxy1-pub.bluehost.com (cpoproxy1-pub.bluehost.com
[69.89.21.11]) by core3.amsl.com (Postfix) with SMTP id 42A2E28C14B for
<certid@ietf.org>; Thu, 11 Nov 2010 18:13:54 -0800 (PST)
Received: (qmail 13749 invoked by uid 0); 12 Nov 2010 02:14:25 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by
cpoproxy1.bluehost.com with SMTP; 12 Nov 2010 02:14:25 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=kingsmountain.com;
h=Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:Content-Type:Content-Transfer-Encoding:X-Identified-User;
b=NlfSWUgdl/gOEye76eqVJfMh6gQri6A0F0VCIFSzJXow18PmWuYecBOErnn8bf4fPcPbkuGKIBg6zB4lGzHF16SezHJI2DVHPJkonchcJzvtZEoOvsH3141FtVDsEIoy;
Received: from dhcp-4d0d.meeting.ietf.org ([130.129.77.13]) by
box514.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69)
(envelope-from <Jeff.Hodges@KingsMountain.com>) id 1PGj9l-00045O-6q for
certid@ietf.org; Thu, 11 Nov 2010 19:14:25 -0700
Message-ID: <4CDCA2FD.6040609@KingsMountain.com>
Date: Thu, 11 Nov 2010 18:14:21 -0800
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Thunderbird 2.0.0.24 (X11/20101027)
MIME-Version: 1.0
To: IETF cert-based identity <certid@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com}
{sentby:smtp auth 130.129.77.13 authed with jeff.hodges+kingsmountain.com}
Subject: Re: [certid] Fwd: I-D
Action:draft-saintandre-tls-server-id-check-10.txt
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates
<certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Nov 2010 02:13:56 -0000
>> 5. On page 20, the following text exists: For an interactive client, >> it is strongly encouraged that each reference identifier SHOULD be >> based on the source domain provided by the user and SHOULD NOT be >> based on a derived domain (e.g., a host name or domain name >> discovered through DNS resolution of the source domain). >> >> I am not clear why this is important for interactive clients and not >> for automated clients. > > Good point. Changed in my working copy to: > > It is strongly encouraged that each reference identifier > in the list SHOULD... > >> 6. In section 4.6.2 - I am disappointed that the concept of checking >> that the context is either the same or similar is not also included >> in this check. I think this is an important concept. > > Agreed. I propose adding the clause "including the context as described > under Section 5.1", as follows: > > If the client does not find a presented identifier matching any of > the reference identifiers but the client has previously pinned the > application service's certificate to one of the reference identifiers > in the list it constructed for this connection attempt (as "pinning" > is explained under Section 1.5), and the presented certificate > matches the pinned certificate (including the context as described > under Section 5.1), then the service identity check succeeds. Agreed, good catches Jim, thanks for your review. I concur with PeterSA's fixes. =JeffH
- [certid] Fwd: I-D Action:draft-saintandre-tls-ser… Peter Saint-Andre
- Re: [certid] [xmpp] Fwd: Fwd: I-D Action:draft-sa… Philipp Hancke
- Re: [certid] [xmpp] Fwd: Fwd: I-D Action:draft-sa… Peter Saint-Andre
- Re: [certid] [xmpp] Fwd: Fwd: I-D Action:draft-sa… Peter Saint-Andre
- Re: [certid] Fwd: I-D Action:draft-saintandre-tls… Jim Schaad
- Re: [certid] [xmpp] Fwd: Fwd: I-D Action:draft-sa… Philipp Hancke
- Re: [certid] [xmpp] Fwd: Fwd: I-D Action:draft-sa… Peter Saint-Andre
- Re: [certid] Fwd: I-D Action:draft-saintandre-tls… Peter Saint-Andre
- Re: [certid] Fwd: I-D Action:draft-saintandre-tls… =JeffH