IETF Logo Mail Archive

Re: [certid] What DNS-ID if also using a DNS-SRV?

Peter Saint-Andre <stpeter@stpeter.im> Tue, 29 June 2010 21:29 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 68B3F3A69E5 for <certid@core3.amsl.com>; Tue, 29 Jun 2010 14:29:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.418
X-Spam-Level:
X-Spam-Status: No, score=-2.418 tagged_above=-999 required=5 tests=[AWL=0.181, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zakmQW4riVf1 for <certid@core3.amsl.com>; Tue, 29 Jun 2010 14:29:16 -0700 (PDT)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com (Postfix) with ESMTP id 3D7663A67F3 for <certid@ietf.org>; Tue, 29 Jun 2010 14:29:16 -0700 (PDT)
Received: from dhcp-64-101-72-121.cisco.com (dhcp-64-101-72-121.cisco.com [64.101.72.121]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 9495A40E4D for <certid@ietf.org>; Tue, 29 Jun 2010 15:29:26 -0600 (MDT)
Message-ID: <4C2A65B5.4080209@stpeter.im>
Date: Tue, 29 Jun 2010 15:29:25 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4
MIME-Version: 1.0
To: certid@ietf.org
References: <p062408bbc8388055fb6d@[10.20.30.158]> <20100612013249.GA4782@isc.upenn.edu>
In-Reply-To: <20100612013249.GA4782@isc.upenn.edu>
X-Enigmail-Version: 1.0.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="------------ms030002010403050803000801"
Subject: Re: [certid] What DNS-ID if also using a DNS-SRV?
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Jun 2010 21:29:17 -0000

On 6/11/10 7:32 PM, Shumon Huque wrote:
> On Fri, Jun 11, 2010 at 05:07:50PM -0700, Paul Hoffman wrote:
>>    1.  The certificate MUST include a "DNS-ID" (i.e., a subjectAltName
>>        identifier of type dNSName).
>>
>>    2.  If the service using the certificate deploys a technology in
>>        which a server is discovered by means of DNS SRV records
>>        [DNS-SRV] (e.g., this is true of [XMPP]), then the certificate
>>        SHOULD include an "SRV-ID" (i.e., an instance of the SRVName form
>>        of otherName from the GeneralName structure in the subjectAltName
>>        as specified in [SRVNAME]).
>>
>> If 2 is true, what is the value of the required DNS-ID?
> 
> I don't think (1) is correct. If someone intends to deploy a 
> certificate with an application specific name form such as SRV-ID 
> or URI-ID, then they typically would not want to have a dNSName 
> in the certificate, to make sure that the cert can't be (mis)used 
> for unrelated application services at that domain name. 
> 
> Of course one might decide to include dNSName too for transition
> or backwards compatibility reasons. But I don't think that saying 
> the certificate MUST include a dNSName is correct.

Shumon, I think you are correct here, and that DNS-ID needs to be
"SHOULD" instead of "MUST".

Peter

-- 
Peter Saint-Andre
https://stpeter.im/

v2.8.7 | Report a Bug | By Email