Re: [certid] It is not always a good idea to enforce CN check as leaf RDN only

Michael Ströder <michael@stroeder.com> Mon, 19 April 2010 08:37 UTC

Message-ID: <4BCBE694.1090009@stroeder.com>
Date: Mon, 19 Apr 2010 07:13:56 +0200
From: Michael Ströder <michael@stroeder.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.9) Gecko/20100317 Lightning/1.0b1 SeaMonkey/2.0.4
MIME-Version: 1.0
To: certid@ietf.org
References: <20100317134327.GA14163@eltex.net> <4BA1A532.9090107@stpeter.im> <20100318045825.GA14076@eltex.net> <4BB3C447.7000505@stpeter.im> <4BBA575C.9040902@isode.com>
In-Reply-To: <4BBA575C.9040902@isode.com>
X-Enigmail-Version: 1.0.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

Alexey Melnikov wrote:
> Peter Saint-Andre wrote:
>
>> On 3/17/10 10:58 PM, ArkanoiD wrote:
>>
>>> Well, when it comes to implementation we get *two* matching
>>> algorithms then,
>>> which is definitely no good ;-).
>>
>> Given that a self-signed certificate can say *anything*, I don't know
>> that it's helpful to enforce any rules about issuance and checking of
>> self-signed certs. It's not as if any "certification" has taken place in
>> this situation.
>
> +1.

Personally I don't want to endorse the use of self-signed certificates, but I
fail to see why self-signed certificates should be treated differently
regarding name checking. Self-signed certificates are just treated differently
regarding path validation (e.g. with a fingerprint transferred out-of-band),
but the server name check should be the same.

Ciao, Michael.
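As an added illustration of the position taken in this message (example code, not from the thread or any referenced implementation): one hostname-matching routine is shared by all certificates, and only the path-validation step differs for self-signed ones, where an out-of-band SHA-256 fingerprint stands in for a trusted issuer. The `ParsedCert` structure, issuer names and DER bytes are constructed stand-ins, not real certificates.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class ParsedCert:
    """Minimal stand-in for a parsed certificate (constructed for this example)."""
    subject_cn: str
    issuer_cn: str
    san_dns: list = field(default_factory=list)
    der: bytes = b""

    def is_self_signed(self) -> bool:
        # Simplification: issuer equals subject (a real check also verifies the signature).
        return self.issuer_cn == self.subject_cn


def match_dns_id(reference: str, presented: str) -> bool:
    """RFC 6125-style DNS-ID comparison: case-insensitive, wildcard only as the whole left-most label."""
    ref = reference.lower().rstrip(".").split(".")
    pres = presented.lower().rstrip(".").split(".")
    if pres[0] == "*":
        # A wildcard covers exactly one label and never a bare public suffix such as *.com.
        return len(ref) == len(pres) and len(ref) >= 3 and ref[1:] == pres[1:]
    return ref == pres


def check_server_name(cert: ParsedCert, hostname: str) -> bool:
    """The same name check for every certificate: SAN dNSName entries first, CN only as a fallback."""
    if cert.san_dns:
        return any(match_dns_id(hostname, name) for name in cert.san_dns)
    return match_dns_id(hostname, cert.subject_cn)


def validate_path(cert: ParsedCert, trusted_issuers: set, pinned_sha256: set) -> bool:
    """Only this step differs: self-signed certs need an out-of-band fingerprint, others a trusted issuer."""
    if cert.is_self_signed():
        return hashlib.sha256(cert.der).hexdigest() in pinned_sha256
    return cert.issuer_cn in trusted_issuers


def verify_server_cert(cert: ParsedCert, hostname: str, trusted_issuers: set, pinned_sha256: set) -> bool:
    """Path validation and name check are independent; both must pass."""
    return validate_path(cert, trusted_issuers, pinned_sha256) and check_server_name(cert, hostname)


# Constructed sample certificates (the DER bytes are placeholders, not real encodings).
CA_CERT = ParsedCert("www.example.com", "Example CA", ["www.example.com", "example.com"], b"ca-issued")
SELF_CERT = ParsedCert("mail.example.net", "mail.example.net", ["mail.example.net"], b"self-signed")
PINNED = {hashlib.sha256(SELF_CERT.der).hexdigest()}  # fingerprint obtained out-of-band
```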