Re: [certid] Comments on draft-saintandre-tls-server-id-check-04
"Henry B. Hotz" <hotz@jpl.nasa.gov> Tue, 01 June 2010 18:40 UTC
Return-Path: <hotz@jpl.nasa.gov>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id 1BC433A699C for <certid@core3.amsl.com>;
Tue, 1 Jun 2010 11:40:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.649
X-Spam-Level:
X-Spam-Status: No, score=-4.649 tagged_above=-999 required=5 tests=[AWL=-0.650,
BAYES_50=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id afxlNU0D5O-X for
<certid@core3.amsl.com>; Tue, 1 Jun 2010 11:40:23 -0700 (PDT)
Received: from mail.jpl.nasa.gov (mailhost.jpl.nasa.gov [128.149.139.109]) by
core3.amsl.com (Postfix) with ESMTP id DC6753A696F for <certid@ietf.org>;
Tue, 1 Jun 2010 11:40:22 -0700 (PDT)
Received: from laphotz.jpl.nasa.gov (laphotz.jpl.nasa.gov [128.149.133.44]) by
smtp.jpl.nasa.gov (Switch-3.4.3/Switch-3.4.1) with ESMTP id o51IdiUD006392;
Tue, 1 Jun 2010 11:39:45 -0700
Mime-Version: 1.0 (Apple Message framework v1078)
Content-Type: text/plain; charset=us-ascii
From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
In-Reply-To: <20100531185813.GA32106@eltex.net>
Date: Tue, 1 Jun 2010 11:39:44 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <465A9C16-F5BF-47B5-A534-25C68CB2988F@jpl.nasa.gov>
References: <4C00FEC0.3080808@edelweb.fr>
<201005311518.o4VFIHAw022209@fs4113.wdf.sap.corp>
<20100531185813.GA32106@eltex.net>
To: ArkanoiD <ark@eltex.net>
X-Mailer: Apple Mail (2.1078)
X-Source-IP: laphotz.jpl.nasa.gov [128.149.133.44]
X-Source-Sender: hotz@jpl.nasa.gov
X-AUTH: Authorized
Cc: "certid@ietf.org" <certid@ietf.org>
Subject: Re: [certid] Comments on draft-saintandre-tls-server-id-check-04
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates
<certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Jun 2010 18:40:27 -0000
This looks to me like a case of "violent agreement". On May 31, 2010, at 11:58 AM, ArkanoiD wrote: > On Mon, May 31, 2010 at 05:18:17PM +0200, Martin Rex wrote: >>> >>> example, you a Common Name attribute containing the server's name >>> and if the cert has a subjectAltName, have I 'represented' the >>> server's name in the Common Name or not? I have put it in, >>> I don't expect that someone verifies it there, but still, I have >>> can think I have represented it in two places. >> >> There is going to be software that will check the CN= RDName of the >> certificate subject name for a match, even when subjectAltName of >> type dNSName are present. Either because they're fully backwards >> compatible or because they do not check subjectAltNames at all. > > Actually it should not, though i do not see any harm in behaving that > way. His observation was not w.r.t. what SHOULD happen, but a pragmatic observation of what WILL happen in the real world. >> While there have been few implementations checking for multiple >> CN= parts, the guideline in rfc-2818 for subjectAltNames seems >> to be much clearer, that there can be more than one, and more >> than one needs to be checked. > > ..and multiple CNs are likely to be an error. I'd better reject this > certificate as invalid. He says there are "few" implementations that accept what you consider an error. Possibly there are zero, but I hope it's few enough we can ignore them. (Life's complex enough as it is.) >> Example: https://www.entrust.com >> >> It contains a CN=www.entrust.com and two subjectAltNames >> type dNSName with the values "www.entrust.com" and "secure.entrust.com" >> >> And a reasonable, fully backwards compatible approach to server endpoint >> identification would be to check all names for a match sequentially, >> and succeed when any one matches. > > But we may safely ignore CN in this case, and that's what we probably intend > to do. Agreed. ------------------------------------------------------ The opinions expressed in this message are mine, not those of Caltech, JPL, NASA, or the US Government. Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
- [certid] Comments on draft-saintandre-tls-server-… Nelson B Bolyard
- Re: [certid] Comments on draft-saintandre-tls-ser… Peter Saint-Andre
- Re: [certid] Comments on draft-saintandre-tls-ser… =JeffH
- Re: [certid] Comments on draft-saintandre-tls-ser… Nelson B Bolyard
- Re: [certid] Comments on draft-saintandre-tls-ser… Martin Rex
- Re: [certid] Comments on draft-saintandre-tls-ser… =JeffH
- Re: [certid] Comments on draft-saintandre-tls-ser… Peter Saint-Andre
- Re: [certid] Comments on draft-saintandre-tls-ser… =JeffH
- Re: [certid] Comments on draft-saintandre-tls-ser… Sean Turner
- Re: [certid] Comments on draft-saintandre-tls-ser… Peter Saint-Andre
- Re: [certid] Comments on draft-saintandre-tls-ser… Peter Saint-Andre
- Re: [certid] Comments on draft-saintandre-tls-ser… Love Hörnquist Åstrand
- Re: [certid] Comments on draft-saintandre-tls-ser… ArkanoiD
- Re: [certid] Comments on draft-saintandre-tls-ser… Martin Rex
- Re: [certid] Comments on draft-saintandre-tls-ser… =JeffH
- Re: [certid] Comments on draft-saintandre-tls-ser… Martin Rex
- Re: [certid] Comments on draft-saintandre-tls-ser… Love Hörnquist Åstrand
- Re: [certid] Comments on draft-saintandre-tls-ser… Joe Orton
- Re: [certid] Comments on draft-saintandre-tls-ser… Kaspar Brand
- Re: [certid] Comments on draft-saintandre-tls-ser… Peter Sylvester
- Re: [certid] Comments on draft-saintandre-tls-ser… Peter Saint-Andre
- Re: [certid] Comments on draft-saintandre-tls-ser… Peter Sylvester
- Re: [certid] Comments on draft-saintandre-tls-ser… Peter Sylvester
- Re: [certid] Comments on draft-saintandre-tls-ser… Martin Rex
- Re: [certid] Comments on draft-saintandre-tls-ser… ArkanoiD
- Re: [certid] Comments on draft-saintandre-tls-ser… Henry B. Hotz
- Re: [certid] Comments on draft-saintandre-tls-ser… Matt McCutchen
- Re: [certid] Comments on draft-saintandre-tls-ser… Martin Rex
- Re: [certid] Comments on draft-saintandre-tls-ser… Martin Rex
- Re: [certid] Comments on draft-saintandre-tls-ser… Peter Saint-Andre
- Re: [certid] Comments on draft-saintandre-tls-ser… Peter Saint-Andre
- Re: [certid] Comments on draft-saintandre-tls-ser… Nelson B Bolyard
- Re: [certid] Comments on draft-saintandre-tls-ser… Sean Turner
- Re: [certid] Comments on draft-saintandre-tls-ser… Peter Saint-Andre
- Re: [certid] Comments on draft-saintandre-tls-ser… Peter Sylvester
- Re: [certid] Comments on draft-saintandre-tls-ser… Martin Rex
- Re: [certid] Comments on draft-saintandre-tls-ser… Nelson B Bolyard
- Re: [certid] Comments on draft-saintandre-tls-ser… Martin Rex
- Re: [certid] Comments on draft-saintandre-tls-ser… Nelson B Bolyard
- [certid] Moving RFC 2818 to Historic (was Comment… Alexey Melnikov
- Re: [certid] Moving RFC 2818 to Historic (was Com… Peter Saint-Andre
- Re: [certid] Moving RFC 2818 to Historic (was Com… Sean Turner
- Re: [certid] Moving RFC 2818 to Historic (was Com… Alexey Melnikov
- Re: [certid] Comments on draft-saintandre-tls-ser… Henry B. Hotz