[certid] fwd: Re: Second Last Call: draft-saintandre-tls-server-id-check (...) to BCP
=JeffH <Jeff.Hodges@KingsMountain.com> Wed, 08 December 2010 18:01 UTC
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DBC823A696E for <certid@core3.amsl.com>; Wed, 8 Dec 2010 10:01:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.397
X-Spam-Level:
X-Spam-Status: No, score=-101.397 tagged_above=-999 required=5 tests=[AWL=0.868, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b2zBLFrDIiD5 for <certid@core3.amsl.com>; Wed, 8 Dec 2010 10:01:41 -0800 (PST)
Received: from oproxy3-pub.bluehost.com (oproxy3-pub.bluehost.com [69.89.21.8]) by core3.amsl.com (Postfix) with SMTP id 167903A6961 for <certid@ietf.org>; Wed, 8 Dec 2010 10:01:40 -0800 (PST)
Received: (qmail 31176 invoked by uid 0); 8 Dec 2010 18:02:56 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by oproxy3.bluehost.com with SMTP; 8 Dec 2010 18:02:56 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=kingsmountain.com; h=Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:Content-Type:Content-Transfer-Encoding:X-Identified-User; b=3xfbKShdkwLp3zhDOubq/mmr8ZDyw/1nhdt4l8ieYlS1xiXNfeZEXZ9Cwgu9lccVX9L6CRk8BYEuGz4rvyMWHaKveHMOzDlsVELsRfMIsOCI4Wt2Loi9Exxt12Ln+SOX;
Received: from c-24-4-122-173.hsd1.ca.comcast.net ([24.4.122.173] helo=[192.168.11.10]) by box514.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1PQOLv-00022C-MY for certid@ietf.org; Wed, 08 Dec 2010 11:02:55 -0700
Message-ID: <4CFFC84D.3060707@KingsMountain.com>
Date: Wed, 08 Dec 2010 10:02:53 -0800
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Thunderbird 2.0.0.24 (X11/20101027)
MIME-Version: 1.0
To: IETF cert-based identity <certid@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 24.4.122.173 authed with jeff.hodges+kingsmountain.com}
Subject: [certid] fwd: Re: Second Last Call: draft-saintandre-tls-server-id-check (...) to BCP
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Dec 2010 18:01:43 -0000
Subject: Re: Second Last Call: draft-saintandre-tls-server-id-check (Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)) to BCP From: SM <sm@resistor.net> Date: Tue, 07 Dec 2010 13:36:43 -0800 To: ietf@ietf.org Cc: Peter Saint-Andre <psaintan@cisco.com>, Jeff Hodges <Jeff.Hodges@PayPal.com> At 04:36 18-11-10, The IESG wrote: >The IESG has received a request from an individual submitter to consider >the following document: > >- 'Representation and Verification of Domain-Based Application Service > Identity within Internet Public Key Infrastructure Using X.509 (PKIX) > Certificates in the Context of Transport Layer Security (TLS) ' > <draft-saintandre-tls-server-id-check-11.txt> as a BCP > >The IESG plans to make a decision in the next few weeks, and solicits >final comments on this action. Please send substantive comments to the In Section 2.2: 'A "traditional domain name", i.e., a fully-qualified domain name or "FQDN" (see [DNS-CONCEPTS]) all of whose labels are "LDH labels" as defined in [IDNA-DEFS].' It would be better to reference RFC 1123 for LDH labels instead of RFC 5890 unless the authors would like to adopt a terminology that is specific to IDNA. In Section 3.1: "Unless a profile of this specification allows continued support for the wildcard character '*', the fully-qualified DNS domain name portion of a presented identifier SHOULD NOT contain the wildcard character, whether as the complete left-most label within the identifier (following the definition of "label" from [DNS], e.g., "*.example.com") or as a fragment thereof (e.g., *oo.example.com, f*o.example.com, or foo*.example.com)." If the presented identifier is a fully-qualified DNS domain name (I assume that means FQDN), the left-most label cannot be a wildcard character according to LDH rules. I suggest rewriting that as: Unless a profile of this specification allows continued support for the wildcard character '*', the domain name portion of a presented identifier SHOULD NOT contain the wildcard character (e.g., "*.example.com") or as a fragment thereof (e.g., *oo.example.com, f*o.example.com, or foo*.example.com). In Section 4.2.1: "The client might need to extract the source domain and service type from the input(s) it has received. The extracted data MUST include only information that can be securely parsed out of the inputs (e.g., extracting the fully-qualified DNS domain name from the authority component of a URI or extracting the service type from the scheme of a URI) or information for which the extraction is performed in a manner that is not subject to subversion by network attackers (e.g., pulling the data from a delegated domain that is explicitly established via client or system configuration, resolving the data via [DNSSEC], or obtaining the data from a third-party domain mapping service in which a human user has explicitly placed trust and with which the client communicates over a connection that provides both mutual authentication and integrity checking)." I read part of the above as meaning that data can only be extracted from DNS if the data has been resolved via DNSSEC. Is that the intent? Section 4.3 discusses about how to seek a match against the list of reference identifiers. I found the thread at http://www.ietf.org/mail-archive/web/certid/current/msg00318.html informative. In Section 4.4.3: "A client employing this specification's rules MAY match the reference identifier against a presented identifier whose DNS domain name portion contains the wildcard character '*' as part or all of a label (following the definition of "label" from [DNS])" According to the definition of label in RFC 1035, the wildcard character cannot be part of a label. I suggest removing the last part of that sentence. FWIW, RFC 4592 updates the wildcard definition in RFC 1034 and uses the term "asterisk label". Was the comment about the security note ( http://www.ietf.org/mail-archive/web/certid/current/msg00427.html ) in Section 4.6.4 addressed? Regards, -sm _______________________________________________ Ietf mailing list Ietf@ietf.org https://www.ietf.org/mailman/listinfo/ietf