Re: [certid] Please explicitly disallow unvetted info in subject
Peter Saint-Andre <stpeter@stpeter.im> Tue, 29 June 2010 20:34 UTC
My apologies for the delay, I'm just catching up on list traffic here.

On 6/10/10 11:55 AM, Scott Cantor wrote:
> These are all good arguments (which I subscribe to) for why treating
> commercial X.509 as a "successful" trust infrastructure that other identity
> standards should be leveraging in place of new approaches is a really,
> really stupid idea.
>
> But I don't think they're relevant to a document describing how one should
> verify server identity against X.509 certificate content, particularly with
> respect to anything that isn't a CN RDN or a sAN.
>
> By all means rail against the idiocy of this stuff, and I'll join in since
> there are still people pushing it constantly and belittling those who
> disagree, but I don't think it needs to be part of this draft.

Agreed. Once again, this draft is not the sole repository for all wisdom regarding certificates, TLS, Internet identifiers, and security protocols in general. I'd love to see more general specifications regarding those topics, but in this draft we're trying to boil just a small harbor, not the entire ocean.

Peter

--
Peter Saint-Andre
https://stpeter.im/