Re: [certid] It is not always a good idea to enforce CN check as leaf RDN only
Joe Orton <jorton@redhat.com> Thu, 18 March 2010 10:10 UTC
Return-Path: <jorton@redhat.com>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id B34113A6B63 for <certid@core3.amsl.com>;
Thu, 18 Mar 2010 03:10:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.569
X-Spam-Level:
X-Spam-Status: No, score=-104.569 tagged_above=-999 required=5
tests=[BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13, MANGLED_CASH=2.3,
RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cb8dDa3veO4z for
<certid@core3.amsl.com>; Thu, 18 Mar 2010 03:10:32 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by
core3.amsl.com (Postfix) with ESMTP id B11013A683E for <certid@ietf.org>;
Thu, 18 Mar 2010 03:10:17 -0700 (PDT)
Received: from int-mx03.intmail.prod.int.phx2.redhat.com
(int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.16]) by mx1.redhat.com
(8.13.8/8.13.8) with ESMTP id o2IAAS6b021219 (version=TLSv1/SSLv3
cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <certid@ietf.org>;
Thu, 18 Mar 2010 06:10:28 -0400
Received: from turnip.manyfish.co.uk (vpn-9-252.rdu.redhat.com [10.11.9.252])
by int-mx03.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id
o2IAAQK6005203 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256
verify=NO) for <certid@ietf.org>; Thu, 18 Mar 2010 06:10:28 -0400
Received: from jorton by turnip.manyfish.co.uk with local (Exim 4.69)
(envelope-from <jorton@redhat.com>) id 1NsCgL-0003te-S3 for certid@ietf.org;
Thu, 18 Mar 2010 10:10:25 +0000
Date: Thu, 18 Mar 2010 10:10:25 +0000
From: Joe Orton <jorton@redhat.com>
To: certid@ietf.org
Message-ID: <20100318101025.GA2537@redhat.com>
References: <20100317134327.GA14163@eltex.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <20100317134327.GA14163@eltex.net>
User-Agent: Mutt/1.5.20 (2009-08-17)
Organization: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor,
Berkshire, SL4 1TE,
United Kingdom. Registered in UK and Wales under Company Registration No.
03798903 Directors: Michael Cunningham (USA), Brendan Lane (Ireland),
Matt Parson (USA), Charlie Peters (USA)
X-Scanned-By: MIMEDefang 2.67 on 10.5.11.16
Subject: Re: [certid] It is not always a good idea to enforce CN check as leaf
RDN only
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates
<certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Mar 2010 10:10:35 -0000
On Wed, Mar 17, 2010 at 04:43:27PM +0300, ArkanoiD wrote: > Many self-signed certificates seem to have an email address as leaf > RDN. I guess that's because openssl's CA.sh asks for the mail > address. So with that additional constraint the scary warning > dialogs for self-signed certs are going to be even more confusing in > the future. I agree with this; I can't think of any motivation for restricting the CN to only the most specific RDN. To quantify whether or not it happens "in the wild", I looked at Johnathan Nightingale's database of SSL certs: http://blog.johnath.com/2009/01/21/ssl-information-wants-to-be-free/ The "top 10K sites" database has 2986 certs from public servers. Breaking down the tag of the most specific ("leaf") RDN in the Subject of each cert gives: TAG COUNT % of TOTAL C 9 0% CN 2333 78% emailAddress 596 19% O 1 0% OU 31 1% serialNumber 10 0% ST 6 0% The draft looks good otherwise, BTW. Regards, Joe
- [certid] It is not always a good idea to enforce … ArkanoiD
- Re: [certid] It is not always a good idea to enfo… Peter Saint-Andre
- Re: [certid] It is not always a good idea to enfo… ArkanoiD
- Re: [certid] It is not always a good idea to enfo… Joe Orton
- Re: [certid] It is not always a good idea to enfo… Bruno Harbulot
- Re: [certid] It is not always a good idea to enfo… Bil Corry
- Re: [certid] It is not always a good idea to enfo… Peter Saint-Andre
- Re: [certid] It is not always a good idea to enfo… Alexey Melnikov
- [certid] open issue: self-signed certs Peter Saint-Andre
- Re: [certid] open issue: self-signed certs Bil Corry
- Re: [certid] open issue: self-signed certs Kurt Zeilenga
- Re: [certid] open issue: self-signed certs Bruno Harbulot
- Re: [certid] It is not always a good idea to enfo… Michael Ströder