Re: [certid] It is not always a good idea to enforce CN check as leaf RDN only
Bil Corry <bil@corry.biz> Thu, 18 March 2010 19:21 UTC
Bruno Harbulot wrote on 3/18/2010 4:07 AM:
> On 18/03/2010 03:59, Peter Saint-Andre wrote:
>> On 3/17/10 7:43 AM, ArkanoiD wrote:
>>
>>> Many self-signed certificates seem to have an email address as leaf
>>> RDN.
>>
>> This I-D does not cover self-signed certs, only CA-issued certs.
>
> I'm not sure this I-D should treat self-signed certs completely
> differently from CA-issued certs. Self-signed certs could be considered
> as a special case of CA-issued certs.
> I think the logic of verifying the identity of the server ought to be
> separate from the logic of verifying trust in a certificate (although
> the latter could impose constraints on the former depending on policies).

I agree. Isn't the distinction between CA-issued certs and self-signed certs more-or-less which CAs you choose to trust?

- Bil
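The two points in this exchange, that the identity check and the trust check are separate steps and that a self-signed cert is just the case where the cert itself is the trust anchor, as an added example that is not part of the thread. Certificates are simplified to an in-memory structure with constructed sample values; the `Cert`, `identity_matches` and `is_trusted` names are this example's own.

```python
# Added example: identity verification kept separate from trust verification.
# Certs are modelled as dataclasses; "signed_by" stands in for signature checking.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Cert:
    subject: List[Tuple[str, str]]                 # RDN sequence, leaf RDN last
    san_dns: List[str] = field(default_factory=list)  # subjectAltName dNSName entries
    signed_by: Optional["Cert"] = None             # issuer cert, or self if self-signed

def subject_cn(cert: Cert, leaf_rdn_only: bool) -> Optional[str]:
    """CN taken only from the leaf RDN, or from wherever it appears in the subject."""
    if leaf_rdn_only:
        attr, value = cert.subject[-1]
        return value if attr == "CN" else None
    for attr, value in cert.subject:          # first CN in the sequence wins
        if attr == "CN":
            return value
    return None

def identity_matches(cert: Cert, hostname: str, leaf_rdn_only: bool = False) -> bool:
    """Identity check: does the cert name the host we meant to reach?
    SAN dNSName entries take precedence; otherwise fall back to the subject CN."""
    if cert.san_dns:
        return hostname.lower() in (n.lower() for n in cert.san_dns)
    cn = subject_cn(cert, leaf_rdn_only)
    return cn is not None and cn.lower() == hostname.lower()

def is_trusted(cert: Cert, anchors: List[Cert], max_depth: int = 5) -> bool:
    """Trust check: follow issuer links until a configured anchor is reached.
    A self-signed cert passes only if it is itself in the anchor set."""
    current = cert
    for _ in range(max_depth):
        if any(current is anchor for anchor in anchors):
            return True
        if current.signed_by is None or current.signed_by is current:
            return False                       # self-signed but not chosen as an anchor
        current = current.signed_by
    return False

def verify(cert: Cert, hostname: str, anchors: List[Cert], leaf_rdn_only: bool = False):
    """Both checks are required, but each is evaluated on its own."""
    return identity_matches(cert, hostname, leaf_rdn_only), is_trusted(cert, anchors)

# Constructed sample: self-signed cert whose leaf RDN is an e-mail address, CN earlier.
SELF_SIGNED = Cert(subject=[("C", "GB"), ("CN", "mail.example.test"),
                            ("emailAddress", "admin@example.test")])
SELF_SIGNED.signed_by = SELF_SIGNED
```

With `SELF_SIGNED` in the anchor list, `verify(SELF_SIGNED, "mail.example.test", [SELF_SIGNED])` returns `(True, True)`, while a leaf-RDN-only CN check fails the identity step even though trust is established.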