Re: [certid] URI match
Peter Saint-Andre <stpeter@stpeter.im> Wed, 31 March 2010 22:12 UTC
Return-Path: <stpeter@stpeter.im>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id DAB963A6A40 for <certid@core3.amsl.com>;
Wed, 31 Mar 2010 15:12:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.357
X-Spam-Level:
X-Spam-Status: No, score=-1.357 tagged_above=-999 required=5 tests=[AWL=0.112,
BAYES_00=-2.599, DNS_FROM_OPENWHOIS=1.13]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id llstjwkIRA7o for
<certid@core3.amsl.com>; Wed, 31 Mar 2010 15:12:08 -0700 (PDT)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com
(Postfix) with ESMTP id 409FA3A6975 for <certid@ietf.org>;
Wed, 31 Mar 2010 15:12:08 -0700 (PDT)
Received: from dhcp-64-101-72-158.cisco.com (dhcp-64-101-72-158.cisco.com
[64.101.72.158]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with
ESMTPSA id 76C7240D3A for <certid@ietf.org>;
Wed, 31 Mar 2010 16:12:39 -0600 (MDT)
Message-ID: <4BB3C8D6.5030402@stpeter.im>
Date: Wed, 31 Mar 2010 16:12:38 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US;
rv:1.9.1.8) Gecko/20100227 Thunderbird/3.0.3
MIME-Version: 1.0
To: certid@ietf.org
References: <201003231500.05187.ludwig.nussel@suse.de>
In-Reply-To: <201003231500.05187.ludwig.nussel@suse.de>
X-Enigmail-Version: 1.0.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
micalg=sha1; boundary="------------ms090406020005060600010603"
Subject: Re: [certid] URI match
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates
<certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Mar 2010 22:12:10 -0000
On 3/23/10 8:00 AM, Ludwig Nussel wrote:
> Hi,
>
> What's the purpose of URIs in subjAltnames? Are they meant for
> things like "https://example.com/"?
One example is the Session Initiation Protocol, where the "sips:" URI
scheme is used for matching. See for instance Section 4 of
draft-ietf-sip-domain-certs-06, which has the following text:
As an example, consider a request that is to be routed to the SIP
address "sips:alice@example.com". This address requires a secure
connection to the SIP domain "example.com" (the 'sips' scheme
mandates a secure connection). Through a series of DNS
manipulations, the domain name is mapped to a set of host addresses
and transports. The entity attempting to create the connection
selects an address appropriate for use with TLS from this set. When
the connection is established to that server, the server presents a
certificate asserting the identity "sip:example.com". Since the
domain part of the SIP AUS matches the subject of the certificate,
the server is authenticated....
SIPS borrows this pattern of server certificate matching from
HTTPS. However, RFC 2818 [7] prefers that the identity be
conveyed as a subjectAltName extension of type dNSName rather than
the common practice of conveying the identity in the CN field of
the Subject field. Similarly, this document recommends that the
SIP domain identity be conveyed as a subjectAltName extension of
type uniformResourceIdentifier (c.f. Section 6, Section 7.1).
> If so, does "telnet://example.com/" match "https://example.com/"? I
> guess not as the URI schemes are different. The exact matching rules
> for URIs are not defined in the I-D though.
The basic idea is that the client would expect to connect to a SIP
service at "example.com" (the reference identity). Therefore it would
expect to find one of the following:
1. A dNSName of "example.com"
2. An SRVName of _sip.example.com"
3. A uniformResourceIdentifier of "sip:example.com" or
"sips:example.com" (not "https://example.com" or any other scheme).
You're right that this needs to be specified more clearly in the spec.
I'll fix that in the next version.
> The I-D allows multiple different types in subjAltnames so I guess
> it's legal to have subjAltnames of type dNSName and
> uniformResourceIdentifier in the same certificate.
Yes.
> So a subjAltname
> 'URI:telnet://example.com/, DNS:example.com' would be valid. Assume
> the user wants to connect to a server with that subjAltname
The user doesn't want to connect to a particular SAN, the user wants to
connect to a service of type X at domain Y (e.g., "the SIP service at
example.com").
> and
> enters 'https://example.com/' in the browser. Should that succeed?
Yes, because any match is fine. But see below.
> Again I guess the URI doesn't match.
IMHO, users don't care much about the particular service type (at least
not in current practice). They want to connect to example.com, but they
are not too particular about the specific service type ("oh no, I really
want to connect to a SIP service but this URI says the service is a web
site instead"). Whether we want to train users to be more cautious about
the service type (or place additional rules upon user agent software) is
another matter.
> However, when mapping the URI
> to the host part only the dNSName would match and the connection
> succeeds. Also, clients that don't support URIs in subjAltnames (as
> almost all software out there) would ignore the URI and match
> dNSName only.
Correct. And I think that's fine, because as noted users care more about
the domain match than the service type match.
> So, without defining further constraints an URI in subjAltnames is
> rather useless, isn't it?
No, because we're trying to be inclusive regarding SANs at this point,
and SIP certificates (as one example) prefer uniformResourceIdentifier.
However, I will work to clean this up some more in -04.
Peter
--
Peter Saint-Andre
https://stpeter.im/
- [certid] URI match Ludwig Nussel
- Re: [certid] URI match Bruno Harbulot
- Re: [certid] URI match Peter Saint-Andre
- Re: [certid] URI match Scott Cantor
- Re: [certid] [Spam] Re: URI match Erik Andersen
- Re: [certid] [Spam] Re: URI match Scott Cantor
- Re: [certid] URI match Shumon Huque
- Re: [certid] [Spam] Re: URI match Shumon Huque
- Re: [certid] [Spam] Re: URI match Peter Saint-Andre
- Re: [certid] [Spam] Re: URI match Shumon Huque