[certid] wrt domain names vs hostnames (was: Re: DC should be MUST NOT)
=JeffH <Jeff.Hodges@KingsMountain.com> Sat, 03 July 2010 05:58 UTC
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id 519EC3A67B3 for <certid@core3.amsl.com>;
Fri, 2 Jul 2010 22:58:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.16
X-Spam-Level:
X-Spam-Status: No, score=0.16 tagged_above=-999 required=5 tests=[AWL=-0.175,
BAYES_50=0.001, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s03LsUVIeXHh for
<certid@core3.amsl.com>; Fri, 2 Jul 2010 22:58:13 -0700 (PDT)
Received: from cpoproxy1-pub.bluehost.com (cpoproxy1-pub.bluehost.com
[69.89.21.11]) by core3.amsl.com (Postfix) with SMTP id CAEDF3A672E for
<certid@ietf.org>; Fri, 2 Jul 2010 22:58:13 -0700 (PDT)
Received: (qmail 25076 invoked by uid 0); 3 Jul 2010 05:58:26 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by
cpoproxy1.bluehost.com with SMTP; 3 Jul 2010 05:58:26 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=kingsmountain.com;
h=Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:Content-Type:Content-Transfer-Encoding:X-Identified-User;
b=fAYIvlfr5b3jZWqvrUqJeQALFNKvOex4XouUe+5Lyw/uMTezWaJgd5GSGiOPmjv9aG+J6SjCm6gnfsaYZvw7YgCmke7VJSZW2FY+YPq1/GNGgz/PSZkmsnSt6m93Tzee;
Received: from c-24-4-122-173.hsd1.ca.comcast.net ([24.4.122.173]
helo=[192.168.11.10]) by box514.bluehost.com with esmtpsa
(TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from
<Jeff.Hodges@KingsMountain.com>) id 1OUvkA-0003RK-5r for certid@ietf.org;
Fri, 02 Jul 2010 23:58:26 -0600
Message-ID: <4C2ED180.5080403@KingsMountain.com>
Date: Fri, 02 Jul 2010 22:58:24 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Thunderbird 2.0.0.24 (X11/20100411)
MIME-Version: 1.0
To: IETF cert-based identity <certid@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: quoted-printable
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com}
{sentby:smtp auth 24.4.122.173 authed with jeff.hodges+kingsmountain.com}
Subject: [certid] wrt domain names vs hostnames (was: Re: DC should be MUST
NOT)
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates
<certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 03 Jul 2010 05:58:16 -0000
Martin Rex <mrex@sap.com> declared.. > > Paul Hoffman wrote: >> >> If you feel that way, fine. We have historically seen deployed PKIX >> implementations that got the order wrong because they had no certs >> to test with. I do not hold it against someone to get the order wrong, >> particularly because all of the text examples in RFC 5280 say >> "dc=example,dc=com". > > You're right on the spot -- all of the DC= examples in rfc-5280 are > purely about >>domain name<<. There is also a server mentioned > "ldap.example.com", but there is not a single example in rfc-5280 > that puts a >>hostname<< into a DC component. However, there is a explicit, and to-some-degree-formally acknowledged, disagreement over whether there are salient differences (today) between "hostnames" and "domain names". I just want to point this out because I only recently became aware of it while working on -server-id-check- and -strict-transport-sec- and I think it is something many of us should be aware of, however I don't think re-opening such a discussion is appropriate for the certid@ list. The acknowledged disagreement is buried in RFC3490 [1] in its terminology section (emphasis added).. [STD13] talks about "domain names" and "host names", but many people use the terms interchangeably. Further, because [STD13] was not terribly clear, >>> many people who are sure they know the exact <<< >>> definitions of each of these terms disagree on the definitions. <<< In this document the term "domain name" is used in general. This document explicitly cites [STD3] whenever referring to the host name syntax restrictions defined therein. A significant portion of the discussion that led to the above posture is documented in this thread <http://www.ops.ietf.org/lists/idn/idn.2001/threads.html#02989> (from back in 2001) rooted here... [idn] hostname history hell http://www.ops.ietf.org/lists/idn/idn.2001/msg02989.html And here's Patrik Fältström's contribution/statement to the thread which seems to presage the above-cited rfc3490 language.. http://www.ops.ietf.org/lists/idn/idn.2001/msg03048.html =JeffH [1] "Internationalizing Domain Names in Applications (IDNA)" RFC3490 http://www.ietf.org/rfc/rfc3490.txt