Re: [certid] Comments on draft-saintandre-tls-server-id-check-04
Kaspar Brand <ietf-certid@velox.ch> Wed, 09 June 2010 07:12 UTC
Return-Path: <ietf-certid@velox.ch>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id 203BC3A6903 for <certid@core3.amsl.com>;
Wed, 9 Jun 2010 00:12:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.001
X-Spam-Level:
X-Spam-Status: No,
score=0.001 tagged_above=-999 required=5 tests=[BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eXZ3K+hqJ9Lb for
<certid@core3.amsl.com>; Wed, 9 Jun 2010 00:12:06 -0700 (PDT)
Received: from appendix.velox.ch (appendix.velox.ch [62.75.148.60]) by
core3.amsl.com (Postfix) with ESMTP id EFBCD3A68FD for <certid@ietf.org>;
Wed, 9 Jun 2010 00:12:05 -0700 (PDT)
Received: from cortex.velox.ch (84-75-163-235.dclient.hispeed.ch
[84.75.163.235]) (authenticated bits=0) by appendix.velox.ch
(8.14.4/8.14.4/2.0) with ESMTP id o597C1IG026602 (version=TLSv1/SSLv3
cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <certid@ietf.org>;
Wed, 9 Jun 2010 09:12:04 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=velox.ch; s=appendix-177f;
t=1276067524; bh=/SGmyQ7B5MdKcahssh5mbN4N+DJy+zJRmmZ1ODZMSlA=;
h=Message-ID:Date:From:MIME-Version:To:CC:Subject:References: In-Reply-To:Content-Type:Content-Transfer-Encoding;
b=j9WT/0alzGaK3AcwRhlbnR8/3G5OeiwkyjJ7+3rY2qS/YYce7qpQCftQt1UsrPg9p
zf35Y8b5VuyaRWMRxKERcYV4aLOYLLx47807RFFmZ0SYF7eH3jPIwo2Ojl4r32yFO4
clgJ3xTQ4DGIEQuqlQCe+Y9A7AACbc13AhBBaHSIRuDmgys97khuFHzgTif9YpsY9j
7HHAspqoWtbmZXabcpEsjEcKzJ/QJzrSikTwhCTokd1dvb3RVEQQLK8j2yAjcczbPo
UhUq0sKENCwZ8ZfhG68TxHGtG3XE4b9/bfY7z/VNR93R8S4N6lGmrFIOYmXwnJl7FR
Ob3LHN6oldsFg==
Message-ID: <4C0F3EBC.9000902@velox.ch>
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=velox.ch; s=cortex-8a58;
t=1276067521; bh=/SGmyQ7B5MdKcahssh5mbN4N+DJy+zJRmmZ1ODZMSlA=;
h=Date:From:MIME-Version:To:CC:Subject:References:In-Reply-To: Content-Type:Content-Transfer-Encoding;
b=MFtYonSc4PyJN6COfRcElK6SOwTUSoAy6TIMnh/4+oZ5ZisAQavBvbY6D8uUIeuOq
7Ag1yH8OQzbikO4bRR05w+Dq53q5BP/VmOKmdRmYJ7oIiqlvZBSMZt0La15GfTigrr
1xfWVoOwEKz07O5R/LDnyx/v8Hfvj4zH+x7up33D+/X9TxnBfGVoBq51AL3cIjBs4A
T6tcOHeg3Q2Y4WgjbsOvZsnlsU7KRGN+LNE2x/HgRPW4kbxdT2szFzXyqeKUf+QLGE
auwwpySJcVddMb13snbYSNvNaF1ZT/h6vqIxdf3lMGKzVhGaWmrGLf+MxdhZ1JoM/d
FPdGWpbs/o43w==
Date: Wed, 09 Jun 2010 09:11:56 +0200
From: Kaspar Brand <ietf-certid@velox.ch>
User-Agent: Thunderbird/3.0
MIME-Version: 1.0
To: IETF cert-based identity <certid@ietf.org>
References: <4C0E90E9.4050101@KingsMountain.com>
In-Reply-To: <4C0E90E9.4050101@KingsMountain.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: =JeffH <Jeff.Hodges@KingsMountain.com>
Subject: Re: [certid] Comments on draft-saintandre-tls-server-id-check-04
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates
<certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Jun 2010 07:12:08 -0000
On 08.06.2010 20:50, =JeffH wrote: > I personally seem to recall observing certs in the wild whose string-formatted > DNames included the "+" notation as Martin illustrates above, and which denotes > an RDN SET, although I don't recall whether such certs were produced by "real > CAs" as Nelson terms a certain subclass of CAs. > > > Kaspar -- would information wrt multi-valued RDNames be embodied in the sample > you used to generate the above info you shared with the list? If so, are there > any occurances, and if so what's the frequency? There are 38 occurrences (out of ~90,000), originating from three "real CAs". The vast majority (34) are EV SSL certs from a CA which apparently likes to stuff the CN (2.5.4.3) and the serialNumber (2.5.4.5) attributes into a single RDN. [Not so surprisingly, the remaining 4 certs were issued by two CAs which apparently run their infrastructure with software from that other "real CA" - which is the reason for seeing the same peculiar encoding in their certs.] In the context of this BCP, I consider the discussion about "multi-valued RDNs" an academic thing, mostly. I would not mind, however, to change the last sentence in section 2.2, item 6 to something like "Furthermore, the certificate's subject Distinguished Name SHOULD NOT contain more than one Common Name attribute, and MUST NOT contain RDNs which consist of multiple Common Name attributes" (provided that this wording pleases the ASN.1 terminology experts in the audience here). The definition of "CN-ID" in section 1.3 should probably also be adapted (i.e., it should explicitly forbid multi-CN RDNs). Kaspar
- Re: [certid] Comments on draft-saintandre-tls-ser… =JeffH
- Re: [certid] Comments on draft-saintandre-tls-ser… Kaspar Brand
- Re: [certid] Comments on draft-saintandre-tls-ser… Peter Saint-Andre
- Re: [certid] Comments on draft-saintandre-tls-ser… Kaspar Brand
- Re: [certid] Comments on draft-saintandre-tls-ser… Peter Saint-Andre