Re: [certid] [cabfman] fyi: newly revised version: draft-saintandre-tls-server-id-check
"Eddy Nigg (StartCom Ltd.)" <eddy_nigg@startcom.org> Tue, 23 November 2010 00:49 UTC
Message-ID: <4CEB0FAC.1040400@startcom.org>
Date: Tue, 23 Nov 2010 02:49:48 +0200
From: "Eddy Nigg (StartCom Ltd.)" <eddy_nigg@startcom.org>
Organization: StartCom Ltd.
To: Peter Saint-Andre <stpeter@stpeter.im>
References: <44D08E6900CFC84288DDB4F41852C87A858B53F20D@DEN-MEXMS-001.corp.ebay.com>
<4CBF4705.4040604@startcom.org> <4CD8AED0.6030207@stpeter.im>
In-Reply-To: <4CD8AED0.6030207@stpeter.im>
Cc: certid@ietf.org, "Hodges, Jeff" <jeff.hodges@paypal-inc.com>
Hi Peter,

On 11/09/2010 04:15 AM, From Peter Saint-Andre:
> Do you think that those justifications are not compelling? On the client
> side we've moved from SHOULD NOT to MAY, and I would be open to saying
> that wildcards are truly optional on the CA side as well, if we think
> that (1) they are valuable and (2) they do not have undesirable security
> properties.

I apologize for the huge delay as I'm fighting a flu and a huge backlog.

I believe the wording is still a bit strong, since "SHOULD NOT" means you really should *not*, except in very specific, exceptional circumstances.

My opinion is that with good constraints in place (that is, contractual, proper validation of the applicant etc.) wildcards should be legitimate in every respect, and there are many good examples for those (remember XMPP?).

From the CA perspective, the CA really MUST have controls in place to prevent misuse; however, if the CA will issue certificates for paypal.domain.com, the argument against wildcards is obviously moot.

Regards

Signer: Eddy Nigg, COO/CTO StartCom Ltd. <http://www.startcom.org>
XMPP: startcom@startcom.org <xmpp:startcom@startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>
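Added example (not part of the message above, and not code from the draft, the IETF or StartCom): a Python implementation of the client-side wildcard matching rules as they appear in RFC 6125 section 6.4.3, the published successor of draft-saintandre-tls-server-id-check, together with the DNS-ID-before-CN-ID rule of section 6.4.4. It makes the point under discussion concrete: `*.domain.com` matches `paypal.domain.com` exactly as a directly issued certificate would, while a wildcard never spans a dot, is never accepted in a non-left-most label, and (as a local policy assumed here, stricter than the draft, controlled by `min_labels_right_of_wildcard`) never covers a bare top-level domain such as `*.com`. The sample identifiers are constructed and the function names are assumptions of this example.

```python
from typing import Iterable, List, Optional


def _labels(name: str) -> List[str]:
    """Split a DNS name into labels; names are case-insensitive and a
    trailing dot (the root) carries no meaning for matching."""
    return name.lower().rstrip(".").split(".")


def _label_matches(presented: str, reference: str) -> bool:
    """Compare one label of a presented identifier with one label of the
    reference identifier. A wildcard stands for zero or more characters
    inside this single label only (RFC 6125 permits baz*.example.net)."""
    if "*" not in presented:
        return presented == reference
    if presented.count("*") != 1:
        return False          # more than one '*' in a label is not a sane presented identifier
    prefix, suffix = presented.split("*")
    return (len(reference) >= len(prefix) + len(suffix)
            and reference.startswith(prefix)
            and reference.endswith(suffix))


def presented_id_matches(presented: str, reference: str,
                         min_labels_right_of_wildcard: int = 2) -> bool:
    """Return True if a presented DNS-ID (possibly wildcarded) matches the
    reference identifier the client intended to connect to."""
    p, r = _labels(presented), _labels(reference)
    if any(not lbl for lbl in p + r):
        return False          # empty labels (leading dot, "..") are never valid
    if "*" in reference:
        return False          # a reference identifier never contains a wildcard
    if len(p) != len(r):
        return False          # a wildcard never matches across a dot: *.domain.com vs a.b.domain.com
    if any("*" in lbl for lbl in p[1:]):
        return False          # RFC 6125: wildcard only in the left-most label (no bar.*.example.net)
    if "*" in p[0] and len(p) - 1 < min_labels_right_of_wildcard:
        return False          # local policy (assumption, stricter than the draft): refuse *.com
    return all(_label_matches(pl, rl) for pl, rl in zip(p, r))


def reference_id_matches(reference: str, dns_ids: Iterable[str],
                         cn_id: Optional[str] = None) -> bool:
    """RFC 6125 section 6.4.4: if the certificate carries any dNSName
    subjectAltName (DNS-ID), only those are consulted; the subject Common
    Name (CN-ID) is a fallback solely when no DNS-ID is present."""
    dns_ids = list(dns_ids)
    if dns_ids:
        return any(presented_id_matches(p, reference) for p in dns_ids)
    return cn_id is not None and presented_id_matches(cn_id, reference)


# Constructed sample certificate identifiers (not taken from any real certificate).
SAMPLE_DNS_IDS = ["*.domain.com", "domain.com"]
SAMPLE_CN_ID = "evil.example"   # never consulted, because DNS-IDs are present


def demo() -> dict:
    """Evaluate a few reference identifiers against the constructed sample."""
    refs = ["paypal.domain.com", "domain.com", "a.paypal.domain.com",
            "evil.example", "PAYPAL.domain.com."]
    return {ref: reference_id_matches(ref, SAMPLE_DNS_IDS, SAMPLE_CN_ID) for ref in refs}


if __name__ == "__main__":
    for ref, ok in demo().items():
        print(f"{ref:24s} -> {'match' if ok else 'no match'}")
```

Internationalized names must be converted to A-labels (punycode) before being fed to these functions; the example deliberately leaves that conversion to the caller, and it performs no chain validation at all, only the identity check that happens after the chain has been verified.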
- Re: [certid] [cabfman] fyi: newly revised version… Eddy Nigg (StartCom Ltd.)
- Re: [certid] [cabfman] fyi: newly revised version… Jeffrey A. Williams
- Re: [certid] [cabfman] fyi: newly revised version… Peter Saint-Andre
- Re: [certid] [cabfman] fyi: newly revised version… Eddy Nigg (StartCom Ltd.)