[certid] Domain Components

Peter Saint-Andre <stpeter@stpeter.im> Fri, 11 June 2010 20:54 UTC

Message-ID: <4C12A27D.3070308@stpeter.im>
Date: Fri, 11 Jun 2010 14:54:21 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
To: IETF cert-based identity <certid@ietf.org>
Subject: [certid] Domain Components

Version -05 of draft-saintandre-tls-server-id-check has some warning
text about Domain Components (DCs). However, the more I delve into the
matter the less I think that we need to warn people away from using DCs
from a security perspective. The problem with them would arise from
confusion about the order of DCs based on the string representation;
however, that kind of confusion is possible for any RDNs and is not
limited to DCs (so follow the DER order, not the string order). There
might be other reasons to discourage DCs, but so far I have not heard
them, so I'm inclined to remove the warnings from -06.

Do speak up if you're concerned about this proposal.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
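To make the "follow the DER order, not the string order" point concrete, here is an added example (not part of the message above or of the draft) that walks a constructed DER-encoded X.509 Name, shows that the RFC 4514 string form and OpenSSL's legacy one-line form list the same RDNs in opposite orders, and derives the domain from the DCs using the on-the-wire order only. The sample Name, the `tlv`/`rdn` encoder helpers and the OID-to-label table are assumptions made for this demo.

```python
# OIDs for domainComponent (RFC 4519) and commonName, DER-encoded contents.
OID_DC = bytes.fromhex("0992268993f22c640119")  # 0.9.2342.19200300.100.1.25
OID_CN = bytes.fromhex("550403")                # 2.5.4.3
SHORT = {OID_DC: "DC", OID_CN: "CN"}            # label table, demo only

def tlv(tag, content):
    """Minimal DER TLV encoder: short-form lengths only, enough for this demo."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content

def rdn(oid, tag, value):
    """One single-valued RDN: SET { SEQUENCE { OID, value } }."""
    return tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(tag, value)))

def parse_tlv(buf, pos):
    """Decode the TLV at pos; return (tag, content, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    assert length < 128, "long-form lengths not handled in this demo"
    start = pos + 2
    return tag, buf[start:start + length], start + length

def parse_name(der):
    """Return the RDNs in DER (on-the-wire) order as a list of (oid, value)."""
    tag, content, _ = parse_tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    rdns, pos = [], 0
    while pos < len(content):
        _, rdn_set, pos = parse_tlv(content, pos)   # SET (single-valued here)
        _, atv, _ = parse_tlv(rdn_set, 0)            # AttributeTypeAndValue
        _, oid, after_oid = parse_tlv(atv, 0)
        _, value, _ = parse_tlv(atv, after_oid)
        rdns.append((oid, value.decode()))
    return rdns

def rfc4514_string(rdns):
    """RFC 4514 prints RDNs in reverse DER order: 'CN=www,DC=example,DC=com'."""
    return ",".join(f"{SHORT[o]}={v}" for o, v in reversed(rdns))

def openssl_oneline(rdns):
    """OpenSSL's legacy one-line form keeps DER order: '/DC=com/DC=example/CN=www'."""
    return "".join(f"/{SHORT[o]}={v}" for o, v in rdns)

def domain_from_dcs(rdns):
    """Root DC comes first in DER, so the domain is the DCs joined in reverse."""
    return ".".join(reversed([v for o, v in rdns if o == OID_DC]))

# Constructed sample Name, DER order root-first: DC=com, DC=example, CN=www.
SAMPLE_NAME = tlv(0x30, rdn(OID_DC, 0x16, b"com")
                  + rdn(OID_DC, 0x16, b"example") + rdn(OID_CN, 0x0C, b"www"))
```

Joining the DCs in the order they appear in a string gives "example.com" for the RFC 4514 form but "com.example" for the one-line form; `domain_from_dcs` ignores both and works from the parsed sequence.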