Re: [certid] What DNS-ID if also using a DNS-SRV?

Shumon Huque <shuque@isc.upenn.edu> Wed, 30 June 2010 04:31 UTC

Date: Wed, 30 Jun 2010 00:31:58 -0400
From: Shumon Huque <shuque@isc.upenn.edu>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Message-ID: <20100630043158.GB26880@isc.upenn.edu>
References: <p062408bbc8388055fb6d@[10.20.30.158]> <20100612013249.GA4782@isc.upenn.edu> <4C2A65B5.4080209@stpeter.im> <p06240842c8503b7c94bc@[10.20.30.158]>
In-Reply-To: <p06240842c8503b7c94bc@[10.20.30.158]>
Organization: University of Pennsylvania
Cc: certid@ietf.org
Subject: Re: [certid] What DNS-ID if also using a DNS-SRV?
List-Id: Representation and verification of identity in certificates <certid.ietf.org>

On Tue, Jun 29, 2010 at 05:18:47PM -0700, Paul Hoffman wrote:
> At 3:29 PM -0600 6/29/10, Peter Saint-Andre wrote:
> >
> >On 6/11/10 7:32 PM, Shumon Huque wrote:
> >>
> >> I don't think (1) is correct. If someone intends to deploy a
> >> certificate with an application specific name form such as SRV-ID
> >> or URI-ID, then they typically would not want to have a dNSName
> >> in the certificate, to make sure that the cert can't be (mis)used
> >> for unrelated application services at that domain name.
> >>
> >> Of course one might decide to include dNSName too for transition
> >> or backwards compatibility reasons. But I don't think that saying
> >> the certificate MUST include a dNSName is correct.
> >
> >Shumon, I think you are correct here, and that DNS-ID needs to be
> >"SHOULD" instead of "MUST".
> 
> This is a very significant change to the document. Please give us all a chance to see all the edits in the next round before you consider the doc ready for Last Call.
> 
> Personally, no MUST but a pile of orthogonal SHOULDs seems like a bad idea if you are wanting this doc to cause more interoperability.
> 
> At 4:16 PM -0600 6/29/10, Peter Saint-Andre wrote:
> >I think this list is leaning toward saying that DNS-ID is a SHOULD, not
> >a MUST, so the quoted text would be appropriate.
> 
> Only "appropriate" if you want no MUSTs. Some of us would prefer MUSTs to mush.
> 
> --Paul Hoffman, Director
> --VPN Consortium

Let's concentrate on the MUST/SHOULD applicability for the four
identity types discussed in this document:

      *  CN-ID = a Relative Distinguished Name (RDN) of type Common Name
         (CN)

      *  DNS-ID = a subjectAltName identifier of type dNSName

      *  SRV-ID = the SRVName form of otherName from the GeneralName
         structure in SubjectAltName

      *  URI-ID = a subjectAltName identifier of type
         uniformResourceName

I don't think any of them are a MUST. It depends upon the details
of the application service.

If a service deployer is using SRV-ID or URI-ID, then presumably
they want to restrict the use of the certificate to a specific
application at a domain name. In that case SHOULD is not appropriate 
for DNS-ID or CN-ID. In fact, you can argue that they SHOULD NOT 
use either of those more generic forms (unless it is for backwards
compatibility).

For folks who are using straight domain names rather than the
application specific forms (probably the vast majority, at least
initially), and we want to deprecate CN-ID and steer them towards
DNS-ID, then I agree that DNS-ID can be a SHOULD. I don't think 
it can be a MUST today -- there are probably many certificate
issuers that can't deal with anything other than CN.

So, if we want to attach a SHOULD to DNS-ID, it should be a 
conditional one (the condition being that application specific 
name forms like SRV and URI aren't being used).

-- 
Shumon Huque
University of Pennsylvania.
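The scoping argument in the message above (an SRV-ID ties a certificate to one application service at a domain, while a DNS-ID covers every service at that name) can be made concrete with a small worked example. The following is added illustration code, not part of this thread or of the draft under discussion: it DER-encodes a SubjectAltName carrying dNSName and SRVName otherName entries (SRVName uses the id-on-dnsSRV OID 1.3.6.1.5.5.7.8.7 from RFC 4985), parses it back, and runs a deliberately simplified reference-identity matcher. The matcher's rules (exact, case-insensitive comparison; SRV-ID checked before DNS-ID; no wildcards, no CN-ID, no URI-ID) are this example's own assumptions, not the draft's normative text.

```python
"""Added example: SAN encoding/parsing and a simplified identity matcher.

Shows that a certificate carrying only an SRV-ID for one service cannot be
(mis)used for a different service at the same domain, whereas adding a
DNS-ID makes it acceptable to any service at that domain.
"""

OID_SRVNAME = "1.3.6.1.5.5.7.8.7"  # id-on-dnsSRV, RFC 4985


def _len(n):
    """DER length octets (short and long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body


def _oid(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER."""
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _decode_oid(raw):
    parts = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))


def san_der(dns_names, srv_names):
    """Build a SubjectAltName value: SEQUENCE OF GeneralName."""
    items = []
    for d in dns_names:
        items.append(_tlv(0x82, d.encode("ascii")))  # [2] dNSName (IA5String)
    for s in srv_names:
        # otherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT SRVName }
        inner = _oid(OID_SRVNAME) + _tlv(0xA0, _tlv(0x16, s.encode("ascii")))
        items.append(_tlv(0xA0, inner))  # [0] otherName
    return _tlv(0x30, b"".join(items))


def _read_tlv(buf, pos):
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_san(der):
    """Extract DNS-ID and SRV-ID strings from a DER SubjectAltName value."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    ids = {"DNS-ID": [], "SRV-ID": []}
    pos = 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0x82:
            ids["DNS-ID"].append(val.decode("ascii"))
        elif tag == 0xA0:  # otherName: only SRVName is understood here
            _, oid, p = _read_tlv(val, 0)
            if _decode_oid(oid) == OID_SRVNAME:
                _, wrapped, _ = _read_tlv(val, p)   # [0] EXPLICIT
                _, srv, _ = _read_tlv(wrapped, 0)   # IA5String
                ids["SRV-ID"].append(srv.decode("ascii"))
    return ids


def matches(ids, service, domain):
    """Simplified matcher (assumption): SRV-ID first, then DNS-ID, exact match.

    Returns the identifier type that accepted the certificate, or None.
    """
    dom = domain.lower()
    want_srv = f"{service}.{dom}".lower()
    if any(s.lower() == want_srv for s in ids["SRV-ID"]):
        return "SRV-ID"
    if any(d.lower() == dom for d in ids["DNS-ID"]):
        return "DNS-ID"
    return None


if __name__ == "__main__":
    # Constructed sample certificates (SAN only), not real deployments.
    srv_only = parse_san(san_der([], ["_xmpp-client.example.com"]))
    with_dns = parse_san(san_der(["example.com"], ["_xmpp-client.example.com"]))
    print("SRV-only cert for XMPP:", matches(srv_only, "_xmpp-client", "example.com"))
    print("SRV-only cert for IMAP:", matches(srv_only, "_imap", "example.com"))
    print("SRV+DNS cert for IMAP: ", matches(with_dns, "_imap", "example.com"))
```

The SRV-only certificate is accepted for the XMPP client service and rejected for IMAP at the same domain, which is exactly the restriction a deployer using SRV-ID wants; adding a dNSName for example.com widens acceptance to every service there, which is why a "SHOULD include DNS-ID" rule is only sensible when the application-specific forms are not in use.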