Re: [certid] Comments on draft-saintandre-tls-server-id-check-03

Martin Rex <mrex@sap.com> Wed, 12 May 2010 23:22 UTC

Return-Path: <mrex@sap.com>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CBCEF3A68F0 for <certid@core3.amsl.com>; Wed, 12 May 2010 16:22:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.749
X-Spam-Level:
X-Spam-Status: No, score=-7.749 tagged_above=-999 required=5 tests=[AWL=-0.100, BAYES_50=0.001, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uX8gAvKMMPSo for <certid@core3.amsl.com>; Wed, 12 May 2010 16:22:19 -0700 (PDT)
Received: from smtpde03.sap-ag.de (smtpde03.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id E1E873A6853 for <certid@ietf.org>; Wed, 12 May 2010 16:22:18 -0700 (PDT)
Received: from mail.sap.corp by smtpde03.sap-ag.de (26) with ESMTP id o4CNM4SK008921 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 13 May 2010 01:22:05 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201005122322.o4CNM4BH004747@fs4113.wdf.sap.corp>
To: turners@ieca.com (Sean Turner)
Date: Thu, 13 May 2010 01:22:04 +0200 (MEST)
In-Reply-To: <4BEB1F54.2060905@ieca.com> from "Sean Turner" at May 12, 10 05:36:20 pm
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal05
X-SAP: out
Cc: certid@ietf.org
Subject: Re: [certid] Comments on draft-saintandre-tls-server-id-check-03
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 May 2010 23:22:21 -0000

Sean Turner wrote:
> 
> > So I'm not sure right now what to say about that. I suspect we can still 
> > stipulate that the only RDN having attr type of CN that we'll pay 
> > attention to is the one at the far end of the RDN sequence comprising 
> > the DN.
> 
> I think a lot of DNs got concocted because X.500 implementers assumed 
> the examples in X.501 were normative.  That is c=, o=, (4) ou=, cn=. 
> But, you're might be right about no descending ordering can be 
> assumed.  If you look at the subjectName in the datatracker 
> certificate it's:
> 
> CN = *.ietf.org
> OU = Terms of use at www.verisign.com/rpa (c)05
> OU = Internet Engineering Task Force
> O = IETF Trust
> L = Reston
> ST = Virginia
> C = US

When I received a request for help ~2 years ago doing a more complex
processing/mapping/evaluation of Subject(Alt)Names and IssuerNames
from X.509 certificates during logon at the application level,
we created an additional intermediate format between
ASN.1 DER and string representation.  It consists of a
(pre-sorted by OID) linked list of entries where each of
the list entries carries the attribute (or sAN) OID and
an UTF8 representation of the attribute value.
(plus side info, like the original position in
 the ASN.1 DER encoding, whether it was the first
 element of an RDName set, and some other stuff).

Basically the divide-and-conquer approach.  split one problem
into two smaller problems that are easier to solve.
 

So when looking for a CN in subject, the app requests the
subject name from a given cert an searches the resulting
list for all occurences of the 2.5.4.cn(3) OID aka {3, "\x55\x04\x03" }

Similarly, when looking for a server endpoint sAN match, the app requests
the subjectaltname from a given cert and searches the resulting list
for all occurrences of the dNSName pseudo-OID {4, "\x55\x1D\x11\x02" }
and iPAddress pseudo-OID {4, "\x55\x1D\x11\x07" } as described in rfc2818.

Concerning the list of sANs in the -04 draft, I came across
these two Microsoft "other" sANs while implementing this:

   "msUPN"  {10, "\x2B\x06\x01\x04\x01\x82\x37\x14\x02\x03"}
   "msGUID" { 9, "\x2B\x06\x01\x04\x01\x82\x37\x19\x01"    }

   "msUPN"  = 1.3.6.1.4.1.311.20.2.3
   "msGUID" = 1.3.6.1.4.1.311.25.1

Which is also mention at the bottom of this page
  http://technet.microsoft.com/en-us/library/cc736326%28WS.10,printer%29.aspx



-Martin