Re: [certid] Fwd: I-D Action:draft-saintandre-tls-server-id-check-10.txt
"Jim Schaad" <ietf@augustcellars.com> Sat, 30 October 2010 03:41 UTC
From: "Jim Schaad" <ietf@augustcellars.com>
To: "'Peter Saint-Andre'" <stpeter@stpeter.im>,
"'IETF cert-based identity'" <certid@ietf.org>
References: <4CBF1A75.4010205@stpeter.im>
In-Reply-To: <4CBF1A75.4010205@stpeter.im>
Date: Fri, 29 Oct 2010 20:53:20 -0700
Message-ID: <001801cb77e6$03edf160$0bc9d420$@augustcellars.com>
Peter,

1. I had an email problem so probably missed the discussion, however I do not understand the current text for the example of a delegated domain. I would suggest text, but as I am running on "I don't understand" that is not possible. Is this supposed to be some type of mapping that says the domain X is really the domain Y?

2. In the definition of reference identifier s/optionally/optionally/

3. In section 2.1 you have the sentence "This dimension matters most for certificate verification." Would this be more appropriate as s/verification/consumption/ ? The process of certificate verification does not really care, but the name matching does.

4. In the definitions you might want to add one for "automated client" to match "interactive client"

5. On page 20, the following text exists:

   For an interactive client, it is strongly encouraged that each reference identifier SHOULD be based on the source domain provided by the user and SHOULD NOT be based on a derived domain (e.g., a host name or domain name discovered through DNS resolution of the source domain).

   I am not clear why this is important for interactive clients and not for automated clients.

6. In section 4.6.2 - I am disappointed that the concept of checking that the context is either the same or similar is not also included in this check. I think this is an important concept.

Jim

> -----Original Message-----
> From: certid-bounces@ietf.org [mailto:certid-bounces@ietf.org] On Behalf Of
> Peter Saint-Andre
> Sent: Wednesday, October 20, 2010 9:36 AM
> To: IETF cert-based identity
> Subject: [certid] Fwd: I-D Action:draft-saintandre-tls-server-id-check-10.txt
>
> Finally!
>
> The diff is here:
>
> http://tools.ietf.org/rfcdiff?url2=draft-saintandre-tls-server-id-check-10
>
> -------- Original Message --------
> Subject: I-D Action:draft-saintandre-tls-server-id-check-10.txt
> Date: Wed, 20 Oct 2010 09:30:02 -0700 (PDT)
> From: Internet-Drafts@ietf.org
> Reply-To: internet-drafts@ietf.org
> To: i-d-announce@ietf.org
>
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>
> Title : Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)
> Author(s) : P. Saint-Andre, J. Hodges
> Filename : draft-saintandre-tls-server-id-check-10.txt
> Pages : 46
> Date : 2010-10-20
>
> Many application technologies enable a secure connection between two entities by means of Internet Public Key Infrastructure Using X.509 (PKIX) certificates in the context of Transport Layer Security (TLS). This document specifies best current practices for representing and verifying the identity of application services in such interactions.
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-saintandre-tls-server-id-check-10.txt
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft.
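The source-domain versus derived-domain rule quoted in point 5, and the delegated-domain case asked about in point 1, can be seen in a small reference-identifier matcher. This is an added example, not code from the draft or from either poster; the `(type, value)` pairs standing in for SAN entries, the `_service.domain` spelling of an SRV-ID, the domain names and the assumption that inputs are already ASCII labels are all constructed for illustration.

```python
import re

# One DNS label: letters, digits, hyphens, no leading/trailing hyphen (assumed simplification).
LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")

def build_reference_ids(source_domain, service=None):
    """Reference identifiers built ONLY from the user-supplied source domain.
    A host name learned through DNS (SRV, CNAME) is a derived domain and is
    never turned into a reference identifier here."""
    domain = source_domain.rstrip(".").lower()
    if not all(LABEL.match(label) for label in domain.split(".")):
        raise ValueError("not a valid DNS domain name: %r" % source_domain)
    refs = {("DNS-ID", domain)}
    if service:  # SRV-ID written as _service.domain (assumed form)
        refs.add(("SRV-ID", "_%s.%s" % (service.lower(), domain)))
    return refs

def dns_id_matches(presented, reference):
    """Case-insensitive DNS-ID comparison; a wildcard counts only as the whole
    left-most label and stands in for exactly one label (*.example.com matches
    im.example.com, not example.com or a.b.example.com)."""
    p = presented.rstrip(".").lower()
    if p == reference:
        return True
    if p.startswith("*.") and "*" not in p[2:]:
        p_labels, r_labels = p.split("."), reference.split(".")
        return len(p_labels) == len(r_labels) and p_labels[1:] == r_labels[1:]
    return False

def verify_service_identity(presented_ids, source_domain, service=None):
    """presented_ids: (type, value) pairs taken from the certificate's SAN.
    Returns the presented identifier that matched, or None."""
    for ref_type, ref_value in build_reference_ids(source_domain, service):
        for p_type, p_value in presented_ids:
            if p_type != ref_type:
                continue
            if ref_type == "DNS-ID" and dns_id_matches(p_value, ref_value):
                return (p_type, p_value)
            if ref_type == "SRV-ID" and p_value.rstrip(".").lower() == ref_value:
                return (p_type, p_value)
    return None

if __name__ == "__main__":
    # Constructed delegated-domain scenario: the user typed example.com and an SRV
    # lookup sent the client to hosting.example.net. A certificate naming only the
    # DNS-derived host fails; one also carrying an SRV-ID for the source domain passes.
    cert_host_only = [("DNS-ID", "hosting.example.net")]
    print(verify_service_identity(cert_host_only, "example.com", "xmpp-client") is None)
    cert_delegated = cert_host_only + [("SRV-ID", "_xmpp-client.example.com")]
    print(verify_service_identity(cert_delegated, "example.com", "xmpp-client"))
```

The delegated case shows why the draft does not need a "domain X is really domain Y" mapping: the hosting provider's certificate asserts the source domain directly, so the client never has to trust the DNS answer that led it there.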