IETF Logo Mail Archive

Re: [certid] What DNS-ID if also using a DNS-SRV?

Peter Saint-Andre <stpeter@stpeter.im> Wed, 30 June 2010 22:01 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 806673A6928 for <certid@core3.amsl.com>; Wed, 30 Jun 2010 15:01:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.518
X-Spam-Level:
X-Spam-Status: No, score=-2.518 tagged_above=-999 required=5 tests=[AWL=0.081, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ok-2qVMiPQBh for <certid@core3.amsl.com>; Wed, 30 Jun 2010 15:01:17 -0700 (PDT)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com (Postfix) with ESMTP id 719BA3A659C for <certid@ietf.org>; Wed, 30 Jun 2010 15:01:17 -0700 (PDT)
Received: from leavealone.cisco.com (72-163-0-129.cisco.com [72.163.0.129]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 3764E40E4D for <certid@ietf.org>; Wed, 30 Jun 2010 16:01:07 -0600 (MDT)
Message-ID: <4C2BBEA1.1090506@stpeter.im>
Date: Wed, 30 Jun 2010 16:01:05 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4
MIME-Version: 1.0
To: certid@ietf.org
References: <p062408bbc8388055fb6d@[10.20.30.158]> <20100612013249.GA4782@isc.upenn.edu> <4C2A65B5.4080209@stpeter.im> <p06240842c8503b7c94bc@[10.20.30.158]> <20100630043158.GB26880@isc.upenn.edu> <p0624081dc8510ebfea3f@[10.20.30.158]> <07D9A6FC-C154-4125-AC33-45F2CE0C0374@apple.com> <p06240820c8513a692695@[10.20.30.158]> <4C2BA09F.8020908@stpeter.im> <p06240839c8515264c586@[10.20.30.158]>
In-Reply-To: <p06240839c8515264c586@[10.20.30.158]>
X-Enigmail-Version: 1.0.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="------------ms060708080004060107000505"
Subject: Re: [certid] What DNS-ID if also using a DNS-SRV?
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Jun 2010 22:01:18 -0000

On 6/30/10 2:00 PM, Paul Hoffman wrote:
> At 1:53 PM -0600 6/30/10, Peter Saint-Andre wrote:
>> Upon further reflection, I think there are two dimensions here:
>> 
>> 1. From the client's perspective, some names are direct (provided
>> by the user = DNS-ID, CN-ID, URI-ID) and some names are indirect
>> (resolved by the client based on the input provided by the user =
>> SRV-ID). This dimension matters for verification.
>> 
>> 2. From the service provider's persective, some names are
>> unrestricted (can be used in any application = DNS-ID and CN-ID)
>> and some names are unrestricted (can be used in only one kind of
>> application = SRV-ID and URI-ID). This dimension matters for
>> issuance.
> 
> That should be "...and some names are restricted (can be used in
> only...". 

Typing too fast here. :)

> But, yes, this is a good distinction.
> 
>> I'll work to formulate this distinction more carefully in text that
>> can be included in the spec.
> 
> That would help implementers (and hopefully CAs) a lot.

Here is a first draft...

###

2.1.  Naming Applications

   This specification assumes that an Internet application is named
   based on a DNS domain name (e.g., "example.com") -- supplemented in
   some circumstances by an application type (e.g., "the IMAP server at
   example.com").

   From the perspective of the application client or user, some names
   are direct because they are provided directly by the user (e.g., via
   runtime input or prior configuration) whereas other names are
   indirect because they are resolved by the client based on input
   provided by the user (e.g., a target name resolved from a source name
   using DNS SRV records).  This dimension matters for certificate
   verification.

   From the perspective of the application server or service provider,
   some names are unrestricted because they can be used in any kind of
   application (e.g., a certificate might be re-used for both the HTTP
   service and the IMAP service at example.com) whereas other names are
   restricted because they can be used in only one kind of application
   (e.g., a special-purpose certificate that can be used only for an
   IMAP service).  This dimension matters for certificate issuance.

   Therefore:

   o  A CN-ID identifier is direct (provided by a user) and unrestricted
      (can be used for any application).
   o  A DNS-ID identifier is direct (provided by a user) and
      unrestricted (can be used for any application).
   o  An SRV-ID identifier is indirect (resolved by a client) and
      restricted (can be used for only a single application).
   o  A URI-ID identifier is direct (provided by a user) and restricted
      (can be used for only a single application).

   We summarize this taxonomy in the following table.

   +-----------+-----------+---------------+
   |           |  Direct   |  Restricted   |
   +-----------+-----------+---------------+
   |  CN-ID    |  Yes      |  No           |
   +-----------+-----------+---------------+
   |  DNS-ID   |  Yes      |  No           |
   +-----------+-----------+---------------+
   |  SRV-ID   |  No       |  Yes          |
   +-----------+-----------+---------------+
   |  URI-ID   |  Yes      |  Yes          |
   +-----------+-----------+---------------+

   When implementing software, deploying services, and issuing
   certificates for secure PKIX-based authentication, it is important to
   keep these distinctions in mind.  In particular, best practices
   differ somewhat for application server implementations, application
   client implementations, service providers, and certification
   authorities.  Protocol specifications that reference this document
   MUST specify which identifiers are mandatory-to-implement by servers
   and clients, which identifiers are to be preferred by service
   providers, and which identifiers ought to be supported by certificate
   issuers.  Because these requirements differ across applications, it
   is impossible to categorically stipulate universal rules (e.g., that
   all software implementations, service providers, and certification
   authorities for all application protocols need to use or support DNS-
   IDs as a baseline for the purpose of interoperability); however, it
   is preferable that each application protocol will at least define a
   baseline that applies to the community of software developers,
   service providers, and CAs actively using or supporting that
   technology.


###

v2.8.7 | Report a Bug | By Email