Re: [certid] CN fallback
Peter Saint-Andre <stpeter@stpeter.im> Wed, 31 March 2010 21:43 UTC
Return-Path: <stpeter@stpeter.im>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id 910E23A6853 for <certid@core3.amsl.com>;
Wed, 31 Mar 2010 14:43:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.34
X-Spam-Level:
X-Spam-Status: No, score=-1.34 tagged_above=-999 required=5 tests=[AWL=0.129,
BAYES_00=-2.599, DNS_FROM_OPENWHOIS=1.13]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mJJByLvgwytB for
<certid@core3.amsl.com>; Wed, 31 Mar 2010 14:43:29 -0700 (PDT)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com
(Postfix) with ESMTP id 0B0D93A6807 for <certid@ietf.org>;
Wed, 31 Mar 2010 14:43:29 -0700 (PDT)
Received: from dhcp-64-101-72-158.cisco.com (dhcp-64-101-72-158.cisco.com
[64.101.72.158]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with
ESMTPSA id 05F4240D3A for <certid@ietf.org>;
Wed, 31 Mar 2010 15:43:59 -0600 (MDT)
Message-ID: <4BB3C21E.90502@stpeter.im>
Date: Wed, 31 Mar 2010 15:43:58 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US;
rv:1.9.1.8) Gecko/20100227 Thunderbird/3.0.3
MIME-Version: 1.0
To: certid@ietf.org
References: <201003231544.05651.ludwig.nussel@suse.de>
In-Reply-To: <201003231544.05651.ludwig.nussel@suse.de>
X-Enigmail-Version: 1.0.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
micalg=sha1; boundary="------------ms040700020904050602070409"
Subject: Re: [certid] CN fallback
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates
<certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Mar 2010 21:43:30 -0000
On 3/23/10 8:44 AM, Ludwig Nussel wrote: > Hi, > > | If and only if the identity set does not include subjectAltName > | extensions of type dNSName, SRVName, uniformResourceIdentifier (or > | other application-specific subjectAltName extensions), the client MAY > | as a fallback check the value of the Common Name (CN) > > What about rewording that to the following? > > | If and only if the certificate does not include any subjectAltName > | extensions, the client MAY as a fallback check the value of the > | Common Name (CN) I don't see a strong reason to change that text. This specification is about checking domain names, not IP addresses. As an aside, I must say that I'm tempted to move everything about CNs to a separate section, or to remove it entirely, because I don't think it's a best current practice for secure authentication. > That would avoid having generic implementations look into the CN as > fallback when it doesn't make sense. iPAddress for example isn't > specified by the I-D (why anyways?). 1. Do certification authorities issue certificates to IP addresses? The ones I work with don't (probably because they base their certification decision on control over the whois data or reserved email addresses for a domain name). 2. If so, is that a best current practice for secure authentication? I don't think so. 3. Users don't expect to connect to "192.0.2.7", they expect to connect to "example.com". That, at least, is one assumption of this I-D. You are free to write an I-D that specifies rules for representation and verification of IP addresses in certificates, but that's out of scope for this I-D. > So a conforming implementation > could use the CN when looking for a hostname even if a > subjectAltName of type iPAddress is present. Right. But I don't think that is consistent with your proposed text. Peter -- Peter Saint-Andre https://stpeter.im/
- [certid] CN fallback Ludwig Nussel
- Re: [certid] CN fallback Peter Saint-Andre
- Re: [certid] CN fallback Alexey Melnikov
- Re: [certid] CN fallback Scott Cantor
- Re: [certid] CN fallback Alexey Melnikov
- Re: [certid] CN fallback Scott Cantor
- Re: [certid] CN fallback RL 'Bob' Morgan
- Re: [certid] CN fallback Scott Cantor
- Re: [certid] CN fallback Ludwig Nussel
- [certid] open issue: iPAddress Peter Saint-Andre
- Re: [certid] CN fallback Michael Ströder
- Re: [certid] open issue: iPAddress Michael Ströder
- Re: [certid] CN fallback Michael Ströder