Re: [certid] Review of draft-saintandre-tls-server-id-check

[Stefan Santesson <stefan@aaa-sec.com>]

Shumon,

On 10-09-09 10:08 PM, "Shumon Huque" <shuque@isc.upenn.edu> wrote:

>> PKI enabled clients in general are used to check numerous of name forms and
>> attributes in order to determine a match.
> 
> Can you give us some examples of such applications, and where
> their subject identity matching rules are specified? Appendix
> A ("Prior Art") probably should consider them.


Right now I have none that is applicable to the listed protocols. So I don't
think I have an example that is suitable for this annex.
But in general many government services using PKI are comparing multiple
attributes. Many national PKIs in Europe have banned single identifiers in
their certs, so the applications are forced to do multiple attribute
comparisons.

The thing is that name comparison is often done on an application level
according to local policy and even on the user level and the only thing I
have learned after spending 18 years with PKI is to expect almost anything
:)

In this context, EKUs are often also an important part of certificate
acceptance. A dimension that I miss in the current spec.

I don't think it is particularly useful to specify in generic documents what
constitutes a positive identification of the subject in terms or required
matching name forms.
It becomes useful mostly only when you want to achieve interoperability
within a reasonably narrow context.

/Stefan