Re: [certid] What DNS-ID if also using a DNS-SRV?

Shumon Huque <shuque@isc.upenn.edu> Sat, 12 June 2010 01:32 UTC

Date: Fri, 11 Jun 2010 21:32:49 -0400
From: Shumon Huque <shuque@isc.upenn.edu>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Message-ID: <20100612013249.GA4782@isc.upenn.edu>
References: <p062408bbc8388055fb6d@[10.20.30.158]>
In-Reply-To: <p062408bbc8388055fb6d@[10.20.30.158]>
Organization: University of Pennsylvania
Cc: certid@ietf.org
Subject: Re: [certid] What DNS-ID if also using a DNS-SRV?

On Fri, Jun 11, 2010 at 05:07:50PM -0700, Paul Hoffman wrote:
>    1.  The certificate MUST include a "DNS-ID" (i.e., a subjectAltName
>        identifier of type dNSName).
> 
>    2.  If the service using the certificate deploys a technology in
>        which a server is discovered by means of DNS SRV records
>        [DNS-SRV] (e.g., this is true of [XMPP]), then the certificate
>        SHOULD include an "SRV-ID" (i.e., an instance of the SRVName form
>        of otherName from the GeneralName structure in the subjectAltName
>        as specified in [SRVNAME]).
> 
> If 2 is true, what is the value of the required DNS-ID?

I don't think (1) is correct. If someone intends to deploy a
certificate with an application-specific name form such as SRV-ID
or URI-ID, then they typically would not want to have a dNSName
in the certificate, to make sure that the cert can't be (mis)used
for unrelated application services at that domain name.

Of course one might decide to include dNSName too for transition
or backwards compatibility reasons. But I don't think that saying
the certificate MUST include a dNSName is correct.

--Shumon.