Re: [certid] CN fallback
Ludwig Nussel <ludwig.nussel@suse.de> Fri, 09 April 2010 12:44 UTC
Return-Path: <ludwig.nussel@suse.de>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id 8E8C53A67FC for <certid@core3.amsl.com>;
Fri, 9 Apr 2010 05:44:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -107.649
X-Spam-Level:
X-Spam-Status: No, score=-107.649 tagged_above=-999 required=5
tests=[BAYES_50=0.001, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8,
USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ykBMk1HtBdtD for
<certid@core3.amsl.com>; Fri, 9 Apr 2010 05:44:07 -0700 (PDT)
Received: from mx1.suse.de (cantor.suse.de [195.135.220.2]) by core3.amsl.com
(Postfix) with ESMTP id 8394E3A69EF for <certid@ietf.org>;
Fri, 9 Apr 2010 05:44:00 -0700 (PDT)
Received: from relay2.suse.de (charybdis-ext.suse.de [195.135.221.2]) (using
TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate
requested) by mx1.suse.de (Postfix) with ESMTP id AEE088FEA2 for
<certid@ietf.org>; Fri, 9 Apr 2010 14:43:55 +0200 (CEST)
From: Ludwig Nussel <ludwig.nussel@suse.de>
To: certid@ietf.org
Date: Fri, 9 Apr 2010 14:43:51 +0200
User-Agent: KMail/1.12.4 (Linux/2.6.31.12-0.1-default; KDE/4.3.5; x86_64; ; )
References: <201003231544.05651.ludwig.nussel@suse.de>
<4BB3C21E.90502@stpeter.im>
In-Reply-To: <4BB3C21E.90502@stpeter.im>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="iso-8859-15"
Content-Transfer-Encoding: 7bit
Message-Id: <201004091443.52205.ludwig.nussel@suse.de>
Subject: Re: [certid] CN fallback
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates
<certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Apr 2010 12:44:08 -0000
Peter Saint-Andre wrote: > On 3/23/10 8:44 AM, Ludwig Nussel wrote: > > | If and only if the identity set does not include subjectAltName > > | extensions of type dNSName, SRVName, uniformResourceIdentifier (or > > | other application-specific subjectAltName extensions), the client MAY > > | as a fallback check the value of the Common Name (CN) > > > > What about rewording that to the following? > > > > | If and only if the certificate does not include any subjectAltName > > | extensions, the client MAY as a fallback check the value of the > > | Common Name (CN) > > I don't see a strong reason to change that text. This specification is > about checking domain names, not IP addresses. > > As an aside, I must say that I'm tempted to move everything about CNs to > a separate section, or to remove it entirely, because I don't think it's > a best current practice for secure authentication. > > > That would avoid having generic implementations look into the CN as > > fallback when it doesn't make sense. iPAddress for example isn't > > specified by the I-D (why anyways?). > > 1. Do certification authorities issue certificates to IP addresses? The > ones I work with don't (probably because they base their certification > decision on control over the whois data or reserved email addresses for > a domain name). I don't know. Think of private CA's used internally by companies. Software that implements the I-D isn't used exclusively on the Internet after all. > 2. If so, is that a best current practice for secure authentication? I > don't think so. > > 3. Users don't expect to connect to "192.0.2.7", they expect to connect > to "example.com". That, at least, is one assumption of this I-D. You are > free to write an I-D that specifies rules for representation and > verification of IP addresses in certificates, but that's out of scope > for this I-D. The problem is that someone actually implementing the identity checks for a program will come across iPAddress sooner or later. Generic implementations like gnutls' gnutls_x509_crt_check_hostname() also have to deal with IP addresses somehow. That RFC you are drafting is such a wonderful chance to have this clarified as well :-) > > So a conforming implementation > > could use the CN when looking for a hostname even if a > > subjectAltName of type iPAddress is present. > > Right. But I don't think that is consistent with your proposed text. Confusing wording, sorry. The above cited sentence refers to the current I-D. My proposal was meant to change that so a conforming implentation must not fall back to CN checking if any subjectAltName is present. cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
- [certid] CN fallback Ludwig Nussel
- Re: [certid] CN fallback Peter Saint-Andre
- Re: [certid] CN fallback Alexey Melnikov
- Re: [certid] CN fallback Scott Cantor
- Re: [certid] CN fallback Alexey Melnikov
- Re: [certid] CN fallback Scott Cantor
- Re: [certid] CN fallback RL 'Bob' Morgan
- Re: [certid] CN fallback Scott Cantor
- Re: [certid] CN fallback Ludwig Nussel
- [certid] open issue: iPAddress Peter Saint-Andre
- Re: [certid] CN fallback Michael Ströder
- Re: [certid] open issue: iPAddress Michael Ströder
- Re: [certid] CN fallback Michael Ströder