[certid] It is not always a good idea to enforce CN check as leaf RDN only
ArkanoiD <ark@eltex.net> Wed, 17 March 2010 13:43 UTC
Return-Path: <ark@eltex.net>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id 219583A6BE6 for <certid@core3.amsl.com>;
Wed, 17 Mar 2010 06:43:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 4.929
X-Spam-Level: ****
X-Spam-Status: No, score=4.929 tagged_above=-999 required=5 tests=[AWL=-0.606,
BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13, FH_RELAY_NODNS=1.451,
HELO_MISMATCH_COM=0.553, MANGLED_CASH=2.3, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dRRJEe-8S56X for
<certid@core3.amsl.com>; Wed, 17 Mar 2010 06:43:35 -0700 (PDT)
Received: from lebedev-225.itcwin.com (unknown [88.201.200.225]) by
core3.amsl.com (Postfix) with ESMTP id 398A33A6998 for <certid@ietf.org>;
Wed, 17 Mar 2010 06:43:21 -0700 (PDT)
Received: from lebedev-225.itcwin.com (ark@localhost.my.domain [127.0.0.1]) by
lebedev-225.itcwin.com (8.14.3/8.14.3) with ESMTP id o2HDhS85007408 for
<certid@ietf.org>; Wed, 17 Mar 2010 16:43:28 +0300 (MSK)
Received: (from ark@localhost) by lebedev-225.itcwin.com
(8.14.3/8.14.3/Submit) id o2HDhRaq024606 for certid@ietf.org;
Wed, 17 Mar 2010 16:43:27 +0300 (MSK)
X-Authentication-Warning: lebedev-225.itcwin.com: ark set sender to
ark@eltex.net using -f
Date: Wed, 17 Mar 2010 16:43:27 +0300
From: ArkanoiD <ark@eltex.net>
To: certid@ietf.org
Message-ID: <20100317134327.GA14163@eltex.net>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="k+w/mQv8wyuph6w0"
Content-Disposition: inline
User-Agent: Mutt/1.4.2.3i
Subject: [certid] It is not always a good idea to enforce CN check as leaf RDN
only
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates
<certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Mar 2010 13:43:36 -0000
--- Begin Message ---ArkanoiD wrote: > And according to the draft we MUST ignore non-leaf value even if > it is the only one CN, just incorrectly placed. Many self-signed certificates seem to have an email address as leaf RDN. I guess that's because openssl's CA.sh asks for the mail address. So with that additional constraint the scary warning dialogs for self-signed certs are going to be even more confusing in the future. cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg) email protected and scanned by AdvascanTM - keeping email useful - www.advascan.com--- End Message ---
- [certid] It is not always a good idea to enforce … ArkanoiD
- Re: [certid] It is not always a good idea to enfo… Peter Saint-Andre
- Re: [certid] It is not always a good idea to enfo… ArkanoiD
- Re: [certid] It is not always a good idea to enfo… Joe Orton
- Re: [certid] It is not always a good idea to enfo… Bruno Harbulot
- Re: [certid] It is not always a good idea to enfo… Bil Corry
- Re: [certid] It is not always a good idea to enfo… Peter Saint-Andre
- Re: [certid] It is not always a good idea to enfo… Alexey Melnikov
- [certid] open issue: self-signed certs Peter Saint-Andre
- Re: [certid] open issue: self-signed certs Bil Corry
- Re: [certid] open issue: self-signed certs Kurt Zeilenga
- Re: [certid] open issue: self-signed certs Bruno Harbulot
- Re: [certid] It is not always a good idea to enfo… Michael Ströder