IETF Logo Mail Archive

Re: [certid] Last Call: draft-saintandre-tls-server-id-check (Representation and Verification of Domain-Based Application Service Identity in Certificates Used with Transport Layer Security) to Proposed Standard

Shumon Huque <shuque@isc.upenn.edu> Fri, 30 July 2010 16:29 UTC

Return-Path: <shuque@isc.upenn.edu>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0C2F63A6A11 for <certid@core3.amsl.com>; Fri, 30 Jul 2010 09:29:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.774
X-Spam-Level:
X-Spam-Status: No, score=-3.774 tagged_above=-999 required=5 tests=[AWL=-1.926, BAYES_00=-2.599, SARE_OBFU_ALL=0.751]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TGatGxKD6RNc for <certid@core3.amsl.com>; Fri, 30 Jul 2010 09:29:39 -0700 (PDT)
Received: from talkeetna.isc-net.upenn.edu (TALKEETNA.isc-net.upenn.edu [128.91.197.188]) by core3.amsl.com (Postfix) with ESMTP id CB5923A6845 for <certid@ietf.org>; Fri, 30 Jul 2010 09:29:38 -0700 (PDT)
Received: by talkeetna.isc-net.upenn.edu (Postfix, from userid 4127) id ADB002466; Fri, 30 Jul 2010 12:30:03 -0400 (EDT)
Date: Fri, 30 Jul 2010 12:30:03 -0400
From: Shumon Huque <shuque@isc.upenn.edu>
To: "Blumenthal, Uri - 0668 - MITLL" <uri@ll.mit.edu>
Message-ID: <20100730163003.GA15676@isc.upenn.edu>
References: <20100715230822.5B1583A6B94@core3.amsl.com> <4C49B477.80700@stpeter.im> <20100730034415.GA28022@isc.upenn.edu> <4C5267FF.2090701@edelweb.fr> <20100730162031.GA15319@isc.upenn.edu> <B9A9A166-170B-4FC2-9DAF-FE5968DC4F3B@ll.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <B9A9A166-170B-4FC2-9DAF-FE5968DC4F3B@ll.mit.edu>
User-Agent: Mutt/1.4.2.1i
Organization: University of Pennsylvania
Cc: "certid@ietf.org" <certid@ietf.org>
Subject: Re: [certid] Last Call: draft-saintandre-tls-server-id-check (Representation and Verification of Domain-Based Application Service Identity in Certificates Used with Transport Layer Security) to Proposed Standard
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Jul 2010 16:29:40 -0000

Yup, agreed. I think that's what I tried to say.

--Shumon.

On Fri, Jul 30, 2010 at 12:24:51PM -0400, Blumenthal, Uri - 0668 - MITLL wrote:
> Certs (and issues related to them) probably is the one area where there should be absolutely no difference between TLS and DTLS, rule-wise.
> --
> Regards,
> Uri          uri@ll.mit.edu
> 
> 
> 
> On Jul 30, 2010, at 12:20 PM, Shumon Huque wrote:
> 
> > On Fri, Jul 30, 2010 at 07:49:51AM +0200, Peter Sylvester wrote:
> >> 
> >> You seems to say there that the text basically nails down to two
> >> different id types, the dns based one (which is used in a very
> >> prominent uri using application, i.e. https), and URI-id types.
> > 
> > Well that, and SRVName. There are many other custom types
> > defined by specific applications but those aren't the focus
> > of this document.
> > 
> >> It is a little bit difficult to have several certificates with
> >> different URI ids sharing the same ipaddress+port.
> > 
> > I agree ..
> > 
> >> tls servername indication has not provision for this.
> > 
> > Yeah, it's too bad the current SNI spec only supports "hostnames".
> > Maybe we should look into updating that to support alternative
> > name forms.
> > 
> >> If one cannot have ids with different paths, what's the
> >> beef having a path in an identifier?.
> > 
> > One can't have them in SNI extensions (actually they can't
> > even have URIs at all, with or without paths). But if they
> > appear in a URI SAN, what should be done, as a general rule?
> > That was my question. If we're intending to only focus on
> > authenticating an application server rather than a specific
> > resource located at that server, then it would be simpler
> > to declare this topic out of scope.
> > 
> >> What also seems missing is a paragraph on what
> >> happens before the server presents its certificate, i.e.
> >> what means does have the client to direct the server,
> >> ip-address:port to connect and fqdn in the servername
> >> indication at least.
> >> 
> >> ah, I forgot dtls?
> > 
> > I'm not sure that we have to deal with differences between 
> > DTLS and TLS. The certificate identity matching rules 
> > described in this document apply equally to both. The 
> > connection establishment details differ, but that's currently
> > not a subject of this document. Do you disagree?
> > 
> > -- 
> > Shumon Huque
> > University of Pennsylvania.
> > _______________________________________________
> > certid mailing list
> > certid@ietf.org
> > https://www.ietf.org/mailman/listinfo/certid
> 
> _______________________________________________
> certid mailing list
> certid@ietf.org
> https://www.ietf.org/mailman/listinfo/certid

-- 
Shumon Huque
University of Pennsylvania.

v2.8.7 | Report a Bug | By Email