Re: [certid] [Spam] Re: URI match

Peter Saint-Andre <stpeter@stpeter.im> Thu, 01 April 2010 17:52 UTC

Message-ID: <4BB4DD8A.1040803@stpeter.im>
Date: Thu, 01 Apr 2010 11:53:14 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
To: certid@ietf.org
References: <201003231500.05187.ludwig.nussel@suse.de> <4BB3C8D6.5030402@stpeter.im> <022c01cad12c$747102d0$5d530870$%2@osu.edu> <002401cad17f$60048080$200d8180$@eu> <025501cad1bc$a6d6eb00$f484c100$@2@osu.edu> <20100401172321.GB29240@isc.upenn.edu>
In-Reply-To: <20100401172321.GB29240@isc.upenn.edu>
Subject: Re: [certid] [Spam] Re: URI match

On 4/1/10 11:23 AM, Shumon Huque wrote:
> On Thu, Apr 01, 2010 at 12:59:11PM -0400, Scott Cantor wrote:
>>> It seems that there is a general requirement for URI matching. URIs are not
>>> only used in subjectAltName, but are used in X.500 in general, i.e., for
>>> RFID support. Defining uniformResourceIdentifier as just an IA5String may
>>> also be a simplification.
>>
>> However, matching on URI makes a lot more sense as a certificate constraint
>> if you also stop at that point rather than continuing to DNS or CN-based
>> matching. If you just keep going, it's not worth much.
> 
> Right. Most current software relies on being able to match any one
> identity in the certificate. If there are multiple identities, then
> the algorithm that should be used is to match more specific identities
> first (e.g. URI/SRVName before dNSName etc.). I forget whether the
> draft says that or not, but we discussed it.

Yes, it's in the draft.

> Another way around this is to use URI/SRVName, but also have a 
> dNSName that includes an "application specific server name" which
> might need to be locally configured in the client. See:
> 
>   http://www.ietf.org/mail-archive/web/apps-discuss/current/msg00935.html

Shumon, including SRV query names in dNSName seems novel to me. Is that
specified or recommended anywhere? Why not use SRVName instead and leave
dNSName as a pure domain name?

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
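The precedence rule discussed above (check the more specific SRVName/URI identifiers before dNSName, and once a more specific type is present in both the certificate and the client's references, decide there rather than falling through to dNSName), as an added Python illustration that is not part of this message or of the draft. The tuple-based representation of subjectAltName entries and the simplified per-type comparison rules are assumptions made for the example.

```python
# Added illustration (not from this thread or the draft): "most specific first"
# reference-identity matching over a certificate's subjectAltName entries.
# Certificate and client references are both modelled as (type, value) tuples;
# the per-type comparison rules below are deliberately simplified assumptions.

# Order of checking: more specific identifier types before dNSName.
PRECEDENCE = ("SRVName", "URI", "dNSName")

def _srv_match(presented: str, ref: str) -> bool:
    # Assumed SRVName form "_service.hostname", compared case-insensitively.
    psvc, _, phost = presented.partition(".")
    rsvc, _, rhost = ref.partition(".")
    return psvc.lower() == rsvc.lower() and _dns_match(phost, rhost)

def _uri_match(presented: str, ref: str) -> bool:
    # Scheme compared case-insensitively; the remainder compared exactly.
    pscheme, _, prest = presented.partition(":")
    rscheme, _, rrest = ref.partition(":")
    return pscheme.lower() == rscheme.lower() and prest == rrest

def _dns_match(presented: str, ref: str) -> bool:
    # Plain case-insensitive DNS name comparison (no wildcard handling here).
    return presented.lower().rstrip(".") == ref.lower().rstrip(".")

MATCHERS = {"SRVName": _srv_match, "URI": _uri_match, "dNSName": _dns_match}

def verify_identity(presented, references):
    """Return (matched, kind_decided_on).

    Walk the identifier types from most to least specific. The first type for
    which the certificate presents at least one value AND the client holds at
    least one reference decides the outcome: a mismatch there is final, so a
    certificate carrying a wrong SRVName is not rescued by a matching dNSName.
    """
    for kind in PRECEDENCE:
        pres = [v for k, v in presented if k == kind]
        refs = [v for k, v in references if k == kind]
        if not pres or not refs:
            continue
        matched = any(MATCHERS[kind](p, r) for p in pres for r in refs)
        return matched, kind
    return False, None

# Constructed sample: an XMPP server certificate and the client's references.
SAMPLE_CERT = [("SRVName", "_xmpp-client.example.net"), ("dNSName", "example.net")]
SAMPLE_REFS = [("SRVName", "_xmpp-client.example.net"), ("dNSName", "example.net")]

if __name__ == "__main__":
    print(verify_identity(SAMPLE_CERT, SAMPLE_REFS))  # (True, 'SRVName')
```

With a reference for a different service (for instance `_imap.example.net`) the SRVName check fails and the function returns `(False, "SRVName")` even though the dNSName alone would have matched, which is the "stop at that point" behaviour Scott describes.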