Re: [certid] Fwd: I-D Action:draft-saintandre-tls-server-id-check-10.txt
Peter Saint-Andre <stpeter@stpeter.im> Wed, 10 November 2010 09:41 UTC
Return-Path: <stpeter@stpeter.im>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id 5ADD83A6A94 for <certid@core3.amsl.com>;
Wed, 10 Nov 2010 01:41:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.534
X-Spam-Level:
X-Spam-Status: No, score=-102.534 tagged_above=-999 required=5 tests=[AWL=0.065,
BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ycf9mXVYn5wh for
<certid@core3.amsl.com>; Wed, 10 Nov 2010 01:40:57 -0800 (PST)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com
(Postfix) with ESMTP id CFA833A6A6A for <certid@ietf.org>;
Wed, 10 Nov 2010 01:40:55 -0800 (PST)
Received: from dhcp-8662.meeting.ietf.org (dhcp-8662.meeting.ietf.org
[130.129.134.98]) (Authenticated sender: stpeter) by stpeter.im (Postfix)
with ESMTPSA id 476B740BB9; Wed, 10 Nov 2010 02:50:39 -0700 (MST)
Message-ID: <4CDA68BE.6040308@stpeter.im>
Date: Wed, 10 Nov 2010 17:41:18 +0800
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US;
rv:1.9.2.12) Gecko/20101027 Thunderbird/3.1.6
MIME-Version: 1.0
To: Jim Schaad <ietf@augustcellars.com>
References: <4CBF1A75.4010205@stpeter.im>
<001801cb77e6$03edf160$0bc9d420$@augustcellars.com>
In-Reply-To: <001801cb77e6$03edf160$0bc9d420$@augustcellars.com>
X-Enigmail-Version: 1.1.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
micalg=sha1; boundary="------------ms040705040207000701010000"
Cc: 'IETF cert-based identity' <certid@ietf.org>
Subject: Re: [certid] Fwd: I-D
Action:draft-saintandre-tls-server-id-check-10.txt
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates
<certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Nov 2010 09:41:07 -0000
On 10/30/10 11:53 AM, Jim Schaad wrote: > Peter, > > 1. I had an email problem so probably missed the discussion, however > I do not understand the current text for the example of a delegated > domain. I would suggest text, but as I am running on I don't > understand that is not possible. Is this supposed to be some type of > mapping that says the domain X is really the domain Y? One example might be that juliet@example.com configures her email client to connect to mailhost.example.com instead of just example.com. Another example might be connecting to isp.example.net for example.com. Again, these would be explicitly configured in an email client. > 2. In the definition of reference identifier > s/optionally/optionally/ Fixed. > 3. In section 2.1 you have the sentence "This dimension matters > most for certificate verification." Would this be more appropriate > as s/verification/consumption/ ? The process of certificate > verification does not really care, but the name matching does. Done. > 4. In the definitions you might want to add one for "automated > client" to match "interactive client" I think we already have that in version -10: automated client: A software agent or device that is not directly controlled by a human user. > 5. On page 20, the following text exists: For an interactive client, > it is strongly encouraged that each reference identifier SHOULD be > based on the source domain provided by the user and SHOULD NOT be > based on a derived domain (e.g., a host name or domain name > discovered through DNS resolution of the source domain). > > I am not clear why this is important for interactive clients and not > for automated clients. Good point. Changed in my working copy to: It is strongly encouraged that each reference identifier in the list SHOULD... > 6. In section 4.6.2 - I am disappointed that the concept of checking > that the context is either the same or similar is not also included > in this check. I think this is an important concept. Agreed. I propose adding the clause "including the context as described under Section 5.1", as follows: If the client does not find a presented identifier matching any of the reference identifiers but the client has previously pinned the application service's certificate to one of the reference identifiers in the list it constructed for this connection attempt (as "pinning" is explained under Section 1.5), and the presented certificate matches the pinned certificate (including the context as described under Section 5.1), then the service identity check succeeds. Thanks for your feedback. Peter -- Peter Saint-Andre https://stpeter.im/
- [certid] Fwd: I-D Action:draft-saintandre-tls-ser… Peter Saint-Andre
- Re: [certid] [xmpp] Fwd: Fwd: I-D Action:draft-sa… Philipp Hancke
- Re: [certid] [xmpp] Fwd: Fwd: I-D Action:draft-sa… Peter Saint-Andre
- Re: [certid] [xmpp] Fwd: Fwd: I-D Action:draft-sa… Peter Saint-Andre
- Re: [certid] Fwd: I-D Action:draft-saintandre-tls… Jim Schaad
- Re: [certid] [xmpp] Fwd: Fwd: I-D Action:draft-sa… Philipp Hancke
- Re: [certid] [xmpp] Fwd: Fwd: I-D Action:draft-sa… Peter Saint-Andre
- Re: [certid] Fwd: I-D Action:draft-saintandre-tls… Peter Saint-Andre
- Re: [certid] Fwd: I-D Action:draft-saintandre-tls… =JeffH