Re: [certid] Comments on draft-saintandre-tls-server-id-check-04
Kaspar Brand <ietf-certid@velox.ch> Thu, 10 June 2010 05:52 UTC
Message-ID: <4C107D97.5080501@velox.ch>
Date: Thu, 10 Jun 2010 07:52:23 +0200
From: Kaspar Brand <ietf-certid@velox.ch>
User-Agent: Thunderbird/3.0
MIME-Version: 1.0
To: certid@ietf.org
References: <4C0E90E9.4050101@KingsMountain.com> <4C0F3EBC.9000902@velox.ch>
<4C104B88.1070307@stpeter.im>
In-Reply-To: <4C104B88.1070307@stpeter.im>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Subject: Re: [certid] Comments on draft-saintandre-tls-server-id-check-04
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates
<certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Jun 2010 05:52:26 -0000
On 10.06.2010 04:18, Peter Saint-Andre wrote:
>> The definition of "CN-ID" in section 1.3 should probably also be adapted
>> (i.e., it should explicitly forbid multi-CN RDNs).
>
> Is this a more accurate definition?
>
> * CN-ID = a subject Distinguished Name (DN) whose constituent
> sequence of Relative Distinguished Names (RDNs) contains one
> and only one attribute value assertion (AVA) whose attribute
> type is Common Name (CN)
I think it's better to refer to it at the RDN level (as is the case for
-05):
* CN-ID = a Relative Distinguished Name (RDN) in the certificate
subject which contains one and only one attribute value
assertion (AVA) whose attribute type is Common Name (CN)
When talking about CN-ID in the text, you would then say that only the
(DER-sequence-wise) last CN-ID is to be used for verification purposes.
Alternatively, the above definition could be changed to include this
"last" property as well, but this really depends on what text you
currently have in the working copy.
Kaspar
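As an added illustration that is not part of this thread or of the draft, the selection rule described above in Python over a simplified DN representation: a subject DN is a list of RDNs in DER-sequence order, each RDN a list of (attribute-type OID, value) AVAs, and `find_cn_id`, `check_subject` and the sample subjects are constructed for this example. It assumes that an RDN pairing a single CN with another attribute type still counts as a CN-ID, which the quoted definition leaves open.

```python
# Added example: CN-ID selection following the RDN-level definition from the thread.
# Representation (constructed, not a library API): a subject DN is a list of RDNs in
# DER-sequence order; each RDN is a list of (attribute-type OID, value) AVAs.
OID_CN = "2.5.4.3"   # id-at-commonName
OID_C = "2.5.4.6"    # id-at-countryName
OID_O = "2.5.4.10"   # id-at-organizationName
OID_OU = "2.5.4.11"  # id-at-organizationalUnitName

class MultiCNError(ValueError):
    """A single RDN carries more than one CN AVA, which the draft should forbid."""

def find_cn_id(subject):
    """Return the CN-ID value to use for verification, or None if there is none.

    - A CN-ID is an RDN containing exactly one AVA of type CN.
    - An RDN with two or more CN AVAs is rejected outright.
    - With several CN-IDs present, only the DER-sequence-wise last one is used.
    Assumption: an RDN pairing one CN with another attribute type still counts.
    """
    cn_id = None
    for index, rdn in enumerate(subject):
        cn_values = [value for oid, value in rdn if oid == OID_CN]
        if len(cn_values) > 1:
            raise MultiCNError(f"RDN #{index} has {len(cn_values)} CN AVAs: {cn_values}")
        if len(cn_values) == 1:
            cn_id = cn_values[0]  # a later CN-ID supersedes any earlier one
    return cn_id

def check_subject(subject):
    """Wrap find_cn_id for callers that prefer a status tuple to an exception."""
    try:
        return ("ok", find_cn_id(subject))
    except MultiCNError as exc:
        return ("reject", str(exc))

# Constructed sample subjects (no real certificates involved).
SUBJECT_TYPICAL = [[(OID_C, "CH")], [(OID_O, "Example AG")], [(OID_CN, "www.example.com")]]
SUBJECT_TWO_CN_RDNS = [[(OID_C, "CH")], [(OID_CN, "Example AG web farm")],
                       [(OID_O, "Example AG")], [(OID_CN, "mail.example.com")]]
SUBJECT_MIXED_RDN = [[(OID_C, "CH")], [(OID_CN, "www.example.com"), (OID_OU, "Web")]]
SUBJECT_MULTI_CN_RDN = [[(OID_C, "CH")], [(OID_CN, "www.example.com"), (OID_CN, "example.com")]]
SUBJECT_NO_CN = [[(OID_C, "CH")], [(OID_O, "Example AG")], [(OID_OU, "Ops")]]

if __name__ == "__main__":
    for name, subj in [("typical", SUBJECT_TYPICAL), ("two CN RDNs", SUBJECT_TWO_CN_RDNS),
                       ("mixed RDN", SUBJECT_MIXED_RDN), ("multi-CN RDN", SUBJECT_MULTI_CN_RDN),
                       ("no CN", SUBJECT_NO_CN)]:
        print(f"{name:13s} -> {check_subject(subj)}")
```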