Re: [certid] What DNS-ID if also using a DNS-SRV?

Paul Hoffman <paul.hoffman@vpnc.org> Wed, 30 June 2010 00:27 UTC

Mime-Version: 1.0
Message-Id: <p06240842c8503b7c94bc@[10.20.30.158]>
In-Reply-To: <4C2A65B5.4080209@stpeter.im>
References: <p062408bbc8388055fb6d@[10.20.30.158]> <20100612013249.GA4782@isc.upenn.edu> <4C2A65B5.4080209@stpeter.im>
Date: Tue, 29 Jun 2010 17:18:47 -0700
To: Peter Saint-Andre <stpeter@stpeter.im>, certid@ietf.org
From: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: text/plain; charset="us-ascii"
Subject: Re: [certid] What DNS-ID if also using a DNS-SRV?

At 3:29 PM -0600 6/29/10, Peter Saint-Andre wrote:
>On 6/11/10 7:32 PM, Shumon Huque wrote:
>> On Fri, Jun 11, 2010 at 05:07:50PM -0700, Paul Hoffman wrote:
>>>    1.  The certificate MUST include a "DNS-ID" (i.e., a subjectAltName
>>>        identifier of type dNSName).
>>>
>>>    2.  If the service using the certificate deploys a technology in
>>>        which a server is discovered by means of DNS SRV records
>>>        [DNS-SRV] (e.g., this is true of [XMPP]), then the certificate
>>>        SHOULD include an "SRV-ID" (i.e., an instance of the SRVName form
>>>        of otherName from the GeneralName structure in the subjectAltName
>>>        as specified in [SRVNAME]).
>>>
>>> If 2 is true, what is the value of the required DNS-ID?
>>
>> I don't think (1) is correct. If someone intends to deploy a
>> certificate with an application specific name form such as SRV-ID
>> or URI-ID, then they typically would not want to have a dNSName
>> in the certificate, to make sure that the cert can't be (mis)used
>> for unrelated application services at that domain name.
>>
>> Of course one might decide to include dNSName too for transition
>> or backwards compatibility reasons. But I don't think that saying
>> the certificate MUST include a dNSName is correct.
>
>Shumon, I think you are correct here, and that DNS-ID needs to be
>"SHOULD" instead of "MUST".

This is a very significant change to the document. Please give us all a chance to see all the edits in the next round before you consider the doc ready for Last Call.

Personally, no MUST but a pile of orthogonal SHOULDs seems like a bad idea if you are wanting this doc to cause more interoperability.

At 4:16 PM -0600 6/29/10, Peter Saint-Andre wrote:
>I think this list is leaning toward saying that DNS-ID is a SHOULD, not
>a MUST, so the quoted text would be appropriate.

Only "appropriate" if you want no MUSTs. Some of us would prefer MUSTs to mush.

--Paul Hoffman, Director
--VPN Consortium
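The scoping point Shumon raises in the quoted text (an SRV-ID binds a certificate to one service at a name, whereas a dNSName lets it be used for any service at that name) can be shown with a small matcher. This is an added example written for this archive page, not code from the draft, from any list participant, or from a real TLS implementation. The identifier model, the helper names, and the order in which SRV-ID and DNS-ID are tried are assumptions of the example; the "_Service.Name" form of the SRVName value and the id-on-dnsSRV OID come from RFC 4985.

```python
"""Reference-identity matching for DNS-ID and SRV-ID, modelled on the quoted draft text.

Added example: the CertIdentifiers model, parse_srv_id() and matches() are
assumptions of this example, not an API of the draft or of any library.
Wildcards, URI-ID and CN-ID are deliberately out of scope.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# otherName type for SRVName (RFC 4985, id-on-dnsSRV); shown for reference only,
# the example receives the decoded IA5String values rather than raw DER.
ID_ON_DNSSRV = "1.3.6.1.5.5.7.8.7"


@dataclass
class CertIdentifiers:
    """Identifiers extracted from a certificate's subjectAltName."""
    dns_ids: List[str] = field(default_factory=list)   # dNSName entries (DNS-ID)
    srv_ids: List[str] = field(default_factory=list)   # SRVName otherName values (SRV-ID)


def _norm(name: str) -> str:
    """DNS names compare case-insensitively; a trailing root dot is not significant."""
    return name.rstrip(".").lower()


def parse_srv_id(value: str) -> Tuple[str, str]:
    """Split an SRVName value such as '_xmpp-server.example.com' into ('xmpp-server', 'example.com')."""
    if not value.startswith("_") or "." not in value:
        raise ValueError(f"malformed SRV-ID: {value!r}")
    service, _, name = value[1:].partition(".")
    if not service or not name:
        raise ValueError(f"malformed SRV-ID: {value!r}")
    return service.lower(), _norm(name)


def matches(cert: CertIdentifiers, host: str, service: str) -> Optional[str]:
    """Return the identifier kind that matched ('SRV-ID' or 'DNS-ID'), or None.

    Assumption of this example: SRV-ID is tried before DNS-ID. An SRV-ID only
    matches when both the service label and the name agree, so a certificate
    carrying only SRV-IDs cannot be presented for an unrelated service at the
    same domain. A DNS-ID matches the name for any service, which is exactly
    the reuse the quoted mail warns about.
    """
    host = _norm(host)
    service = service.lower()
    for srv in cert.srv_ids:
        srv_service, srv_name = parse_srv_id(srv)
        if srv_service == service and srv_name == host:
            return "SRV-ID"
    for dns in cert.dns_ids:
        if _norm(dns) == host:
            return "DNS-ID"
    return None


# Constructed sample certificates (identifiers only; no real certificates involved).
XMPP_ONLY = CertIdentifiers(srv_ids=["_xmpp-server.example.com"])
WITH_DNS_ID = CertIdentifiers(dns_ids=["example.com"], srv_ids=["_xmpp-server.example.com"])


def demo() -> List[Tuple[str, str, Optional[str]]]:
    """Run the two sample certificates against an XMPP and an HTTPS reference identity."""
    cases = [
        ("XMPP_ONLY", "xmpp-server", matches(XMPP_ONLY, "example.com", "xmpp-server")),
        ("XMPP_ONLY", "https", matches(XMPP_ONLY, "example.com", "https")),
        ("WITH_DNS_ID", "xmpp-server", matches(WITH_DNS_ID, "example.com", "xmpp-server")),
        ("WITH_DNS_ID", "https", matches(WITH_DNS_ID, "example.com", "https")),
    ]
    for cert_name, service, result in cases:
        print(f"{cert_name:12} service={service:12} -> {result}")
    return cases


if __name__ == "__main__":
    demo()
```

The SRV-ID-only certificate is accepted for xmpp-server at example.com and rejected for https at the same name; adding a dNSName of example.com makes the same certificate acceptable for https as well, which is the trade-off behind the MUST/SHOULD debate in this thread.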