Re: [certid] [cabfman] fyi: newly revised version: draft-saintandre-tls-server-id-check

"Eddy Nigg (StartCom Ltd.)" <eddy_nigg@startcom.org> Wed, 20 October 2010 19:44 UTC

Message-ID: <4CBF4705.4040604@startcom.org>
Date: Wed, 20 Oct 2010 21:46:13 +0200
From: "Eddy Nigg (StartCom Ltd.)" <eddy_nigg@startcom.org>
Organization: StartCom Ltd.
To: "Hodges, Jeff" <jeff.hodges@paypal-inc.com>
References: <44D08E6900CFC84288DDB4F41852C87A858B53F20D@DEN-MEXMS-001.corp.ebay.com>
In-Reply-To: <44D08E6900CFC84288DDB4F41852C87A858B53F20D@DEN-MEXMS-001.corp.ebay.com>
Cc: certid@ietf.org
Subject: Re: [certid] [cabfman] fyi: newly revised version: draft-saintandre-tls-server-id-check

On 10/20/2010 08:28 PM, From Hodges, Jeff:
>     o  Move away from including and checking strings that look like
>        domain names in the subject's Common Name.

I applaud this recommendation, since this has never been part of the 
standard in the first place and was only meant as a temporary bridge during 
the move from X.509 version 2 to version 3.

>     o  Move away from the issuance of so-called wildcard certificates
>        (e.g., a certificate containing an identifier for
>        "*.example.com").

However, I'm not sure why wildcards should be prohibited, since this is 
perfectly standards-compliant. There are valid use cases for wildcards, 
and in fact some of the biggest companies on the Internet are prevented 
from using EV certificates exactly because of this prohibition (on using 
wildcards with EV). I suggest reconsidering this recommendation.

Regards
Signer: Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: startcom@startcom.org <xmpp:startcom@startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>
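As an added illustration, not part of this message or of the draft, here is the kind of reference-identity check the two quoted recommendations point at: dNSName entries in the subjectAltName take precedence over the Common Name, which is consulted only when no dNSName is present, and a wildcard is honoured only under a deliberately narrow policy. The `CertIdentities` class and the wildcard policy are this example's own assumptions, standing in for a parsed X.509 certificate.

```python
"""Reference-identity check in the spirit of draft-saintandre-tls-server-id-check.

Constructed example: certificate identifiers are passed in as a plain
data class, not extracted from a real X.509 object.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CertIdentities:
    """Identifiers a verifier would pull out of a server certificate (assumed shape)."""
    dns_names: List[str] = field(default_factory=list)  # subjectAltName dNSName entries
    common_name: Optional[str] = None                   # subject CN, legacy fallback only


def _labels(name: str) -> List[str]:
    # Case-insensitive compare; a trailing dot (absolute name) is ignored.
    return name.lower().rstrip(".").split(".")


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Match one presented identifier against the hostname the client expects.

    Policy chosen for this example (stricter than some deployed clients):
      * '*' is honoured only as the complete leftmost label ('w*.example.com' is not);
      * it matches exactly one label, never zero or several;
      * at least two fixed labels must follow it, so '*.com' is rejected.
    """
    p, h = _labels(pattern), _labels(hostname)
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or any("*" in lab for lab in p[1:]) or len(p) < 3:
        return False
    return len(p) == len(h) and p[1:] == h[1:]


def check_server_identity(cert: CertIdentities, hostname: str) -> Optional[Tuple[str, str]]:
    """Return (identifier type, matched value), or None when nothing matches.

    dNSName SANs are checked first. The CN is examined only when the certificate
    carries no dNSName at all, which is the draft's direction of travel away
    from CN-based checks: once a SAN is present, the CN is never a fallback.
    """
    for name in cert.dns_names:
        if wildcard_matches(name, hostname):
            return ("dNSName", name)
    if not cert.dns_names and cert.common_name:
        if wildcard_matches(cert.common_name, hostname):
            return ("CN", cert.common_name)
    return None
```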