Re: [certid] Last Call: draft-saintandre-tls-server-id-check (Representation and Verification of Domain-Based Application Service Identity in Certificates Used with Transport Layer Security) to Proposed Standard
Peter Saint-Andre <stpeter@stpeter.im> Thu, 05 August 2010 20:10 UTC
Return-Path: <stpeter@stpeter.im>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id 9B9A13A6998 for <certid@core3.amsl.com>;
Thu, 5 Aug 2010 13:10:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.438
X-Spam-Level:
X-Spam-Status: No, score=-102.438 tagged_above=-999 required=5 tests=[AWL=0.161,
BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rN8CBK8puYcs for
<certid@core3.amsl.com>; Thu, 5 Aug 2010 13:10:30 -0700 (PDT)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com
(Postfix) with ESMTP id B9C053A69E5 for <certid@ietf.org>;
Thu, 5 Aug 2010 13:10:30 -0700 (PDT)
Received: from squire.local (ip-216-17-182-116.rev.frii.com [216.17.182.116])
(Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id
6A85540074; Thu, 5 Aug 2010 14:11:36 -0600 (MDT)
Message-ID: <4C5B1AD3.2050204@stpeter.im>
Date: Thu, 05 Aug 2010 14:10:59 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US;
rv:1.9.1.11) Gecko/20100711 Thunderbird/3.0.6
MIME-Version: 1.0
To: Stefan Winter <stefan.winter@restena.lu>
References: <20100715230822.5B1583A6B94@core3.amsl.com> <4C49B477.80700@stpeter.im>
<20100730034415.GA28022@isc.upenn.edu> <4C5267FF.2090701@edelweb.fr> <20100730162031.GA15319@isc.upenn.edu> <4C569260.7070602@restena.lu> <20100804025753.GA16078@isc.upenn.edu>
<4C58FEBF.3080807@restena.lu>
In-Reply-To: <4C58FEBF.3080807@restena.lu>
X-Enigmail-Version: 1.0.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Cc: certid@ietf.org
Subject: Re: [certid] Last
Call: draft-saintandre-tls-server-id-check (Representation and Verification
of Domain-Based Application Service Identity in Certificates Used with
Transport Layer Security) to Proposed Standard
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates
<certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Aug 2010 20:10:40 -0000
On 8/3/10 11:46 PM, Stefan Winter wrote: > Hi, > >> Besides DNSSEC, or some other secure mapping service, I can't think >> of an obvious one. You'd need to figure out how to encode the service >> identity in the DNS query name, which is precisely the thing the >> S-NAPTR lookup is trying to find. >> > > Thanks for giving this some thought! > >>> And do you consider disususing this issue in your draft? >>> >>> >> Are you proposing to just discuss this issue, or that we should >> try to find a solution to the problem? >> > > I wouldn't mind if you try to solve it, of course :-) But since there is > apparently no trivial "fix" to server id validation, I'd be just as > happy with a simple paragraph stating that validation of > (S-)NAPTR-derived identities doesn't work in a trusted manner without > DNSSEC. > > (But that's just me, since I don't mind prescribing DNSSEC in my draft; > but my working group chair already expressed that he'd prefer something > else) I've added a note about this to our working copy (Jeff and I are working to push out -09 today). Peter -- Peter Saint-Andre https://stpeter.im/
- [certid] [Fwd: Last Call: draft-saintandre-tls-se… Alexey Melnikov
- Re: [certid] Last Call: draft-saintandre-tls-serv… Peter Saint-Andre
- Re: [certid] Last Call: draft-saintandre-tls-serv… Shumon Huque
- Re: [certid] Last Call: draft-saintandre-tls-serv… Peter Sylvester
- Re: [certid] Last Call: draft-saintandre-tls-serv… Shumon Huque
- Re: [certid] Last Call: draft-saintandre-tls-serv… Blumenthal, Uri - 0668 - MITLL
- Re: [certid] Last Call: draft-saintandre-tls-serv… Shumon Huque
- Re: [certid] Last Call: draft-saintandre-tls-serv… Stefan Winter
- Re: [certid] Last Call: draft-saintandre-tls-serv… Shumon Huque
- Re: [certid] Last Call: draft-saintandre-tls-serv… Stefan Winter
- Re: [certid] Last Call: draft-saintandre-tls-serv… Peter Saint-Andre