Re: [certid] CN-ID and name constraints
"Jim Schaad" <ietf@augustcellars.com> Wed, 29 September 2010 22:12 UTC
Return-Path: <ietf@augustcellars.com>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id 27CC13A6A9A for <certid@core3.amsl.com>;
Wed, 29 Sep 2010 15:12:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5
tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v3pqWAqxVTh5 for
<certid@core3.amsl.com>; Wed, 29 Sep 2010 15:12:15 -0700 (PDT)
Received: from smtp1.pacifier.net (smtp1.pacifier.net [64.255.237.171]) by
core3.amsl.com (Postfix) with ESMTP id 42A793A6A29 for <certid@ietf.org>;
Wed, 29 Sep 2010 15:12:15 -0700 (PDT)
Received: from TITUS (unknown [207.202.179.27]) (using TLSv1 with cipher
AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated
sender: jimsch@nwlink.com) by smtp1.pacifier.net (Postfix) with ESMTP id
590646EF7A; Wed, 29 Sep 2010 15:12:59 -0700 (PDT)
From: "Jim Schaad" <ietf@augustcellars.com>
To: "'Peter Saint-Andre'" <stpeter@stpeter.im>,
"'Matt McCutchen'" <matt@mattmccutchen.net>
References: <201009250309.o8P39Sc7016343@fs4113.wdf.sap.corp> <1285450341.1940.79.camel@mattlaptop2.local>
<4CA3B1B0.2040106@stpeter.im>
In-Reply-To: <4CA3B1B0.2040106@stpeter.im>
Date: Wed, 29 Sep 2010 15:20:58 -0700
Message-ID: <006901cb6024$97c85990$c7590cb0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQE5mp2IHf/sQTeACWXye7dK1f19xwGNyQZRAom+LdyULFeLEA==
Content-Language: en-us
Cc: certid@ietf.org
Subject: Re: [certid] CN-ID and name constraints
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates
<certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Sep 2010 22:12:18 -0000
Peter, It was my understanding of this that the request was that the DNS name constraints be applied to a CN-ID that is being treated as a DN. This would not be standard 5280 behavior. Jim > -----Original Message----- > From: certid-bounces@ietf.org [mailto:certid-bounces@ietf.org] On Behalf Of > Peter Saint-Andre > Sent: Wednesday, September 29, 2010 2:38 PM > To: Matt McCutchen > Cc: certid@ietf.org > Subject: Re: [certid] CN-ID and name constraints > > On 9/25/10 3:32 PM, Matt McCutchen wrote: > > Cutting to the chase... > > > I propose that section 4.4.4 be changed as follows: > > > > Old: "...the client MAY as a fallback check for a string whose form > > matches that of a fully-qualified DNS domain name in the CN-ID." > > > > New: "...the client MAY as a fallback check for a string whose form > > matches that of a fully-qualified DNS domain name in the CN-ID, > > provided that this domain name satisfies any name constraints on the > > certification path as defined by [PKIX] section 4.2.1.10." > > Thank you for proposing text. > > Given that the server-id-check document is downstream from RFC 5280, it's not > clear to me why we need to mention that name constraints apply. > I'm especially wondering why this spec would mention name constraints with > respect to CN-IDs but not with respect to DNS-IDs, URI-IDs, or SRV-IDs, given > that Section 4.2.1.10 of RFC 5280 states in part: > > The name constraints extension, which MUST be used only in a CA > certificate, indicates a name space within which all subject names in > subsequent certificates in a certification path MUST be located. > Restrictions apply to the subject distinguished name and apply to > subject alternative names. > > RFC 4985 explicitly mentions name constraints with respect to SRVNames, but > that makes sense because it is defining a new name form for the > subjectAltName extension of type otherName, which is not mentioned in RFC > 3280 / RFC 5280, as mentioned in RFC 5280: > > The syntax and semantics for name constraints for otherName, > ediPartyName, and registeredID are not defined by this specification, > however, syntax and semantics for name constraints for other name > forms may be specified in other documents. > > Thus I think this is out of scope for the server-id-check document, but I'm open > to being convinced otherwise (and I'm not yet sure whether my co-author > agrees with me). > > Peter > > -- > Peter Saint-Andre > https://stpeter.im/ > > > _______________________________________________ > certid mailing list > certid@ietf.org > https://www.ietf.org/mailman/listinfo/certid
- [certid] Fwd: Review of draft-saintandre-tls-serv… Paul Hoffman
- Re: [certid] Review of draft-saintandre-tls-serve… Peter Saint-Andre
- Re: [certid] Review of draft-saintandre-tls-serve… Peter Saint-Andre
- Re: [certid] Review of draft-saintandre-tls-serve… Peter Saint-Andre
- Re: [certid] Review of draft-saintandre-tls-serve… Peter Saint-Andre
- Re: [certid] Review of draft-saintandre-tls-serve… Bernard Aboba
- Re: [certid] Review of draft-saintandre-tls-serve… Stefan Santesson
- Re: [certid] Review of draft-saintandre-tls-serve… James Schaad
- Re: [certid] Review of draft-saintandre-tls-serve… Stefan Santesson
- Re: [certid] Review of draft-saintandre-tls-serve… Stefan Santesson
- Re: [certid] Review of draft-saintandre-tls-serve… Peter Saint-Andre
- Re: [certid] Review of draft-saintandre-tls-serve… Peter Saint-Andre
- Re: [certid] Review of draft-saintandre-tls-serve… Shumon Huque
- Re: [certid] Review of draft-saintandre-tls-serve… Shumon Huque
- Re: [certid] Review of draft-saintandre-tls-serve… Stefan Santesson
- Re: [certid] Review of draft-saintandre-tls-serve… Stefan Santesson
- Re: [certid] Review of draft-saintandre-tls-serve… Shumon Huque
- Re: [certid] Review of draft-saintandre-tls-serve… Stefan Santesson
- Re: [certid] Review of draft-saintandre-tls-serve… Peter Saint-Andre
- Re: [certid] Review of draft-saintandre-tls-serve… Paul Hoffman
- Re: [certid] Review of draft-saintandre-tls-serve… Peter Saint-Andre
- Re: [certid] Review of draft-saintandre-tls-serve… Shumon Huque
- Re: [certid] Review of draft-saintandre-tls-serve… Peter Saint-Andre
- Re: [certid] Review of draft-saintandre-tls-serve… Shumon Huque
- Re: [certid] Review of draft-saintandre-tls-serve… Richard L. Barnes
- Re: [certid] Review of draft-saintandre-tls-serve… Dave Cridland
- Re: [certid] Review of draft-saintandre-tls-serve… Martin Rex
- Re: [certid] Review of draft-saintandre-tls-serve… Stefan Santesson
- Re: [certid] Review of draft-saintandre-tls-serve… Stefan Santesson
- Re: [certid] [TLS] Review of draft-saintandre-tls… Peter Saint-Andre
- Re: [certid] Review of draft-saintandre-tls-serve… Peter Saint-Andre
- Re: [certid] Review of draft-saintandre-tls-serve… Peter Saint-Andre
- Re: [certid] Review of draft-saintandre-tls-serve… Dave Cridland
- Re: [certid] Review of draft-saintandre-tls-serve… Peter Saint-Andre
- Re: [certid] Review of draft-saintandre-tls-serve… Dave Cridland
- Re: [certid] Review of draft-saintandre-tls-serve… Peter Saint-Andre
- Re: [certid] Review of draft-saintandre-tls-serve… Dave Cridland
- Re: [certid] Review of draft-saintandre-tls-serve… Stefan Santesson
- Re: [certid] Review of draft-saintandre-tls-serve… Peter Saint-Andre
- Re: [certid] [TLS] Review of draft-saintandre-tls… James Schaad
- Re: [certid] Review of draft-saintandre-tls-serve… Stefan Santesson
- Re: [certid] Review of draft-saintandre-tls-serve… Stefan Santesson
- Re: [certid] Review of draft-saintandre-tls-serve… Dave Cridland
- Re: [certid] Review of draft-saintandre-tls-serve… Shumon Huque
- Re: [certid] Review of draft-saintandre-tls-serve… Dave Cridland
- Re: [certid] Review of draft-saintandre-tls-serve… Peter Saint-Andre
- Re: [certid] Review of draft-saintandre-tls-serve… Peter Saint-Andre
- Re: [certid] Review of draft-saintandre-tls-serve… Peter Saint-Andre
- [certid] Why require EKU for certid? Paul Hoffman
- Re: [certid] Why require EKU for certid? Peter Saint-Andre
- Re: [certid] [TLS] Why require EKU for certid? Jim Schaad
- Re: [certid] Why require EKU for certid? Martin Rex
- Re: [certid] Why require EKU for certid? Henry B. Hotz
- [certid] CN-ID and name constraints Matt McCutchen
- Re: [certid] CN-ID and name constraints Martin Rex
- Re: [certid] CN-ID and name constraints Matt McCutchen
- Re: [certid] CN-ID and name constraints Martin Rex
- Re: [certid] CN-ID and name constraints Matt McCutchen
- Re: [certid] CN-ID and name constraints (oops) Matt McCutchen
- Re: [certid] CN-ID and name constraints Matt McCutchen
- Re: [certid] Why require EKU for certid? Peter Saint-Andre
- Re: [certid] CN-ID and name constraints Peter Saint-Andre
- Re: [certid] CN-ID and name constraints Jim Schaad
- Re: [certid] Why require EKU for certid? Peter Saint-Andre
- Re: [certid] Why require EKU for certid? Paul Hoffman
- Re: [certid] Why require EKU for certid? Stefan Santesson
- Re: [certid] Why require EKU for certid? Paul Hoffman
- Re: [certid] Why require EKU for certid? Martin Rex
- Re: [certid] Why require EKU for certid? Stefan Santesson
- Re: [certid] Why require EKU for certid? Peter Saint-Andre
- Re: [certid] Why require EKU for certid? Peter Saint-Andre
- Re: [certid] CN-ID and name constraints Peter Saint-Andre
- Re: [certid] CN-ID and name constraints Jim Schaad
- Re: [certid] CN-ID and name constraints Carl Wallace