Re: [certid] Comments on draft-saintandre-tls-server-id-check-03
Kaspar Brand <ietf-certid@velox.ch> Thu, 13 May 2010 07:40 UTC
On 13.05.2010 01:02, ArkanoiD wrote:
> It does not really answer the question, we should analyse certificates seen
> "in the wild" ;-)

Here's some data. It's from a sample of about 90,000 non self-issued certs
(from commercial CAs, most likely reflecting shares like those in
http://news.netcraft.com/SSL-survey). The data are from the beginning of
2009, but I don't think the situation has considerably changed in between.
The second column shows the RDNs in the order they have in the ASN.1 subject
SEQUENCE, while the first column gives the number of occurrences of such a
cert (only the "top 15" are shown).

19464 C, O, OU, OU, OU, CN
15657 C, ST, L, O, OU, CN
 6859 O, OU, CN
 5603 C, ST, L, O, OU, OU, CN
 4983 C, ST, L, O, OU, OU, OU, OU, CN
 4813 C, ST, L, O, CN
 4746 O, OU, OU, OU, CN
 3915 C, postalCode, ST, L, streetAddress, O, OU, OU, OU, CN
 3884 C, postalCode, ST, L, streetAddress, O, OU, OU, CN
 2820 O, CN, OU
 2726 C, ST, L, O, OU, CN, emailAddress
 1565 C, OU, O, CN
 1401 OU, OU, CN
 1311 C, postalCode, ST, L, streetAddress, O, OU, CN
 1212 C, ST, L, O, OU, OU, OU, CN
[...]

>> On 12 May 2010 at 15:37, Peter Saint-Andre wrote:
>>
>>>> So I'm not sure right now what to say about that. I suspect we can still
>>>> stipulate that the only RDN having attr type of CN that we'll pay
>>>> attention to is the one at the far end of the RDN sequence comprising
>>>> the DN.
>>>
>>> We can stipulate that, but is it realistic?

Note that "the one at the far end of the RDN sequence" should not imply that
the CN should necessarily be the very last element of the subject. Looking at
cases like

 2820 O, CN, OU
 2726 C, ST, L, O, OU, CN, emailAddress

I would only stipulate that if multiple CNs occur in the subject (and they can
be found in that sample, btw), only the last one is taken into account.

Kaspar
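The rule Kaspar proposes, as an added example that is not part of the mail or its data set: a minimal DER decoder walks an X.509 subject Name in ASN.1 SEQUENCE order (so "last CN" means last in that sequence, not last attribute overall) and returns only the final CN. The sample subject is constructed here and assumes string values that decode as UTF-8.

```python
OIDS = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
        "2.5.4.10": "O", "2.5.4.11": "OU"}

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(raw):
    """Decode OID content octets into dotted notation."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def rdn_sequence(name_der):
    """Return [(attr_type, value), ...] in the order of the subject SEQUENCE."""
    tag, body, _ = _tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name is not a SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        tag, rdn, pos = _tlv(body, pos)  # each RDN is a SET OF AttributeTypeAndValue
        if tag != 0x31:
            raise ValueError("RDN is not a SET")
        p = 0
        while p < len(rdn):  # a SET may hold several attributes (multi-valued RDN)
            _, atv, p = _tlv(rdn, p)  # SEQUENCE { type OID, value }
            _, oid, q = _tlv(atv, 0)
            _, val, _ = _tlv(atv, q)
            out.append((OIDS.get(_oid(oid), _oid(oid)), val.decode("utf-8")))
    return out

def last_cn(name_der):
    """Rule from the mail: with several CNs, only the last one in the SEQUENCE counts."""
    cns = [v for t, v in rdn_sequence(name_der) if t == "CN"]
    return cns[-1] if cns else None

# Constructed sample subject (not from the mail's data set), order C, O, CN, OU, CN.
def der(tag, content):  # short-form length only; enough for this small sample
    assert len(content) < 128
    return bytes([tag, len(content)]) + content
def rdn(oid_hex, text):  # single-valued RDN whose value is a UTF8String
    return der(0x31, der(0x30, der(0x06, bytes.fromhex(oid_hex)) + der(0x0C, text.encode())))
SAMPLE_DN = der(0x30, rdn("550406", "CH") + rdn("55040a", "Example AG")
                + rdn("550403", "Example AG Web Server") + rdn("55040b", "IT")
                + rdn("550403", "www.example.com"))
```

Run against SAMPLE_DN, `rdn_sequence` yields the types C, O, CN, OU, CN and `last_cn` returns "www.example.com", ignoring the earlier descriptive CN.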