IETF Logo Mail Archive

Re: [certid] Please explicitly disallow unvetted info in subject

"Scott Cantor" <cantor.2@osu.edu> Thu, 10 June 2010 17:55 UTC

Return-Path: <cantor.2@osu.edu>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 32C6D28C15D for <certid@core3.amsl.com>; Thu, 10 Jun 2010 10:55:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.001
X-Spam-Level:
X-Spam-Status: No, score=0.001 tagged_above=-999 required=5 tests=[BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q4RkfgTDu3g1 for <certid@core3.amsl.com>; Thu, 10 Jun 2010 10:55:37 -0700 (PDT)
Received: from defang2.it.ohio-state.edu (defang2.it.ohio-state.edu [128.146.216.82]) by core3.amsl.com (Postfix) with ESMTP id 4915728C13C for <certid@ietf.org>; Thu, 10 Jun 2010 10:55:37 -0700 (PDT)
Received: from defang10.it.ohio-state.edu (defang10.it.ohio-state.edu [128.146.216.79]) by defang2.it.ohio-state.edu (8.13.7/8.13.1) with ESMTP id o5AHtcK2014227; Thu, 10 Jun 2010 13:55:38 -0400
Received: from SNOWDOG (SNOWDOG.dyn.cio.osu.edu [164.107.161.86]) by defang10.it.ohio-state.edu (8.13.7/8.13.1) with ESMTP id o5AHtcXS009180; Thu, 10 Jun 2010 13:55:38 -0400
From: "Scott Cantor" <cantor.2@osu.edu>
To: <mrex@sap.com>
References: <4C112371.3000104@bolyard.me> <201006101745.o5AHjn7N022071@fs4113.wdf.sap.corp>
In-Reply-To: <201006101745.o5AHjn7N022071@fs4113.wdf.sap.corp>
Date: Thu, 10 Jun 2010 13:55:41 -0400
Organization: The Ohio State University
Message-ID: <025901cb08c6$248bf550$6da3dff0$@osu.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-index: AQF9lWAyYiKT5YAmI9ykzci3g37NP5MWYGww
Content-language: en-us
X-CanIt-Geo: ip=128.146.216.79; country=US; region=OH; city=Columbus; latitude=39.9968; longitude=-82.9882; metrocode=535; areacode=614; http://maps.google.com/maps?q=39.9968,-82.9882&z=6
X-CanItPRO-Stream: outbound
X-Scanned-By: CanIt (www . roaringpenguin . com) on 128.146.216.82
Cc: certid@ietf.org
Subject: Re: [certid] Please explicitly disallow unvetted info in subject
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Jun 2010 17:55:38 -0000

These are all good arguments (which I subscribe to) for why treating
commercial X.509 as a "successful" trust infrastructure that other identity
standards should be leveraging in place of new approaches is a really,
really stupid idea.

But I don't think they're relevant to a document describing how one should
verify server identity against X.509 certificate content, particularly with
respect to anything that isn't a CN RDN or a sAN.

By all means rail against the idiocy of this stuff, and I'll join in since
there are still people pushing it constantly and belittling those who
disagree, but I don't think it needs to be part of this draft.

-- Scott

v2.8.7 | Report a Bug | By Email