Re: [certid] Domain Components

Paul Hoffman <phoffman@imc.org> Sat, 12 June 2010 14:47 UTC

Message-Id: <p062408c7c8394e3e76ec@[10.20.30.158]>
In-Reply-To: <9A1AC060-8079-4856-979B-B4074CB37531@jpl.nasa.gov>
References: <4C12A27D.3070308@stpeter.im> <p0624086ac8386db66483@[10.20.30.158]> <9A1AC060-8079-4856-979B-B4074CB37531@jpl.nasa.gov>
Date: Sat, 12 Jun 2010 07:47:20 -0700
To: "Henry B. Hotz" <hbhotz@dslextreme.com>
From: Paul Hoffman <phoffman@imc.org>
Content-Type: text/plain; charset="us-ascii"
X-Mailman-Approved-At: Sat, 12 Jun 2010 13:35:28 -0700
Cc: IETF cert-based identity <certid@ietf.org>
Subject: Re: [certid] Domain Components

At 6:56 PM -0700 6/11/10, Henry B. Hotz wrote:
>On Jun 11, 2010, at 3:53 PM, Paul Hoffman wrote:
>
>> At 2:54 PM -0600 6/11/10, Peter Saint-Andre wrote:
>>>
>>> Version -05 of draft-saintandre-tls-server-id-check has some warning
>>> text about Domain Components (DCs). However, the more I delve the matter
>>> the less I think that we need to warn people away from using DCs from a
>>> security perspective. The problem with them would arise from confusion
>>> about the order of DCs based on the string representation, however that
>>> kind of confusion is possible for any RDNs and is not limited to DCs (so
>>> follow the DER order, not the string order). There might be other
>>> reasons to discourage DCs, but so far I have not heard them, so I'm
>>> inclined to remove the warnings from -06.
>>>
>>> Do speak up if you're concerned about this proposal.
>>
>> Finally decloaking after being off this topic for a while.
>>
>> I am *quite* concerned about this. The DC ordering problem is not "based on the string representation": it is because the set of DCs can be read *by the program* in two directions. For example, think about a cert with "dc=com dc=net". Both net.com and com.net exist today. For different applications, that one cert could apply to two completely different domains.
>
>But is the problem unique to DCs?

To the best of my knowledge, yes. It is the "component" part of DC that makes them susceptible to "guess the ordering". All other relevant PKIX identifier fields are the full identifier.
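The two readings Paul describes, worked through as an added example that is not code from this thread, the draft, or any IETF tool: a subject DN is modelled as a list of (attribute type, value) pairs in DER order, and the RFC 4514 string form and the RFC 2247 domain mapping are derived from it. The "dc=com dc=net" subject is a constructed input, and the string parser assumes no escaped commas.

```python
"""Two ways a program can turn the DCs of a certificate subject into a
domain name. Constructed example; DNs are modelled as lists of
(attribute type, value) pairs in DER (ASN.1 SEQUENCE) order."""
from typing import List, Tuple

RDN = Tuple[str, str]


def rfc4514_string(dn_der: List[RDN]) -> str:
    """RFC 4514 string form lists RDNs in the reverse of DER order, so
    the root DC comes last: [DC=com, DC=net] -> 'DC=net,DC=com'."""
    return ",".join(f"{t}={v}" for t, v in reversed(dn_der))


def parse_rfc4514(s: str) -> List[RDN]:
    """Inverse of rfc4514_string for the simple DNs used here (assumes
    no escaped commas); returns the RDNs back in DER order."""
    pairs = [tuple(part.split("=", 1)) for part in s.split(",")]
    return list(reversed(pairs))


def dc_values(dn_der: List[RDN]) -> List[str]:
    return [v for t, v in dn_der if t.upper() == "DC"]


def domain_rfc2247(dn_der: List[RDN]) -> str:
    """RFC 2247 mapping: the DN for net.com is DC=net,DC=com in string
    form, i.e. DER order [DC=com, DC=net]; the domain is read leaf-first,
    which is the reverse of DER order."""
    return ".".join(reversed(dc_values(dn_der)))


def domain_naive(dn_der: List[RDN]) -> str:
    """The other reading: join DCs in the order the DER decoder yields
    them. Code that does the same to the *string* form gets the
    RFC 2247 answer instead, so the two readings disagree."""
    return ".".join(dc_values(dn_der))


def is_ambiguous(dn_der: List[RDN]) -> bool:
    """True when the two readings name different domains, which holds
    for any DN carrying two or more distinct DCs."""
    return domain_rfc2247(dn_der) != domain_naive(dn_der)


if __name__ == "__main__":
    dn = [("DC", "com"), ("DC", "net")]          # constructed subject
    print(rfc4514_string(dn))                    # DC=net,DC=com
    print(domain_rfc2247(dn), domain_naive(dn))  # net.com com.net
    print(is_ambiguous(dn))                      # True
```

A dNSName in subjectAltName carries the whole name as one string, which is why the same question does not arise there.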