Re: [certid] Domain Components

Paul Hoffman <phoffman@imc.org> Fri, 11 June 2010 22:53 UTC

Mime-Version: 1.0
Message-Id: <p0624086ac8386db66483@[10.20.30.158]>
In-Reply-To: <4C12A27D.3070308@stpeter.im>
References: <4C12A27D.3070308@stpeter.im>
Date: Fri, 11 Jun 2010 15:53:48 -0700
To: Peter Saint-Andre <stpeter@stpeter.im>, IETF cert-based identity <certid@ietf.org>
From: Paul Hoffman <phoffman@imc.org>
Content-Type: text/plain; charset="us-ascii"
Subject: Re: [certid] Domain Components

At 2:54 PM -0600 6/11/10, Peter Saint-Andre wrote:
>
>Version -05 of draft-saintandre-tls-server-id-check has some warning
>text about Domain Components (DCs). However, the more I delve the matter
>the less I think that we need to warn people away from using DCs from a
>security perspective. The problem with them would arise from confusion
>about the order of DCs based on the string representation, however that
>kind of confusion is possible for any RDNs and is not limited to DCs (so
>follow the DER order, not the string order). There might be other
>reasons to discourage DCs, but so far I have not heard them, so I'm
>inclined to remove the warnings from -06.
>
>Do speak up if you're concerned about this proposal.

Finally decloaking after being off this topic for a while.

I am *quite* concerned about this. The DC ordering problem is not "based on the string representation": it is because the set of DCs can be read *by the program* in two directions. For example, think about a cert with "dc=com dc=net". Both net.com and com.net exist today. For different applications, that one cert could apply to two completely different domains.
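The two readings of the same certificate that the reply describes, as an added Python example that is not part of this thread: the subject DN is modelled in its DER (ASN.1 RDNSequence) order, rendered in RFC 4514 text form (which lists RDNs in the reverse order), and the DC-derived domain is computed from each. The sample DN and the `dc_identity_matches` check are constructed here; the parser handles only the unescaped subset it needs.

```python
from typing import List, Tuple

RDN = Tuple[str, str]  # (attribute type, value); one attribute per RDN

# Constructed sample: the "dc=com dc=net" certificate from the message, held in
# the order the RDNs appear in the DER-encoded subject (root component first).
DER_ORDER_DN: List[RDN] = [("DC", "com"), ("DC", "net"), ("CN", "mail")]


def rfc4514_string(dn: List[RDN]) -> str:
    """RFC 4514 text form starts from the *last* element of the sequence,
    so the string is the DER order reversed (leaf component first)."""
    return ",".join(f"{t}={v}" for t, v in reversed(dn))


def parse_rfc4514(s: str) -> List[RDN]:
    """Minimal parser for the subset rfc4514_string() emits (no escaping).
    Returns the RDNs in the order they appear in the *string*."""
    rdns: List[RDN] = []
    for part in s.split(","):
        attr_type, value = part.split("=", 1)
        rdns.append((attr_type, value))
    return rdns


def domain_from_der(dn: List[RDN]) -> str:
    """RFC 2247 mapping: DCs are root-first in DER order, so the DNS name is
    the DC values joined leaf-first, i.e. DER order reversed."""
    dcs = [v for t, v in dn if t.upper() == "DC"]
    return ".".join(reversed(dcs))


def domain_from_string_naively(s: str) -> str:
    """The other direction: a checker that treats the textual order as if it
    were DER order derives a different domain from the same certificate."""
    return domain_from_der(parse_rfc4514(s))


def dc_identity_matches(dn: List[RDN], reference: str) -> bool:
    """Verifier check that only ever uses DER order and requires an exact,
    case-insensitive match against the reference identity (no wildcards)."""
    return domain_from_der(dn).lower() == reference.lower()
```

Run against the sample, `domain_from_der` yields `net.com` while the naive reading of its own string form yields `com.net`, which is exactly the ambiguity a verifier must not leave to chance.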