Re: [certid] False choice for CN
Martin Rex <mrex@sap.com> Mon, 14 June 2010 14:12 UTC
From: Martin Rex <mrex@sap.com>
Message-Id: <201006141412.o5EECbvx026607@fs4113.wdf.sap.corp>
To: paul.hoffman@vpnc.org (Paul Hoffman)
Date: Mon, 14 Jun 2010 16:12:37 +0200 (MEST)
In-Reply-To: <p062408bfc83882c58de3@[10.20.30.158]> from "Paul Hoffman" at Jun 11, 10 05:19:38 pm
Cc: certid@ietf.org
Paul Hoffman wrote:
>
> > 1. The certificate MUST include a "DNS-ID" (i.e., a subjectAltName
> > identifier of type dNSName).
> > . . .
>
> > Therefore, if and only if the identity set does not include
> > subjectAltName extensions of type dNSName, SRVName, or
> > uniformResourceIdentifier (or any application-specific subjectAltName
> > extensions supported by the client), the client MAY as a fallback
> > check for a fully-qualified DNS domain name in the last Common Name
> > RDN in the sequence of RDNs making up the Distinguished Name within
> > the certificate's subjectName (where the term "last" refers to the
> > DER order, which is often not the string order presented to a user;
> > the order that is applied here MUST be the DER order).
>
> Bzzzzzt! All of 3.4.4 is bogus, given that DNS-ID is required. Please remove it.

I think this needs to stay.

The document under discussion is supposed to be a BCP (Best Current
Practice) document, and it will have to describe how clients should
deal with server certificates that do not have subjectAltNames.
It does so by describing the common practice that has been in use
for certs that do not have subjectAltNames.

-Martin
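The rule quoted above, as an added worked example for this archive page (it is not code from the draft, from any RFC, or from either poster): a minimal server-identity check that matches subjectAltName dNSName entries first and consults the commonName only when the identity set contains no dNSName, SRVName or URI entry at all, taking the LAST CN in DER order. The DER helpers, the two-CN sample subject and the (type, value) representation of the SAN list are constructed for the example; the toy encoder uses short-form lengths and UTF8String for every value, SRVName is represented by its label rather than decoded from an otherName, and wildcard names are not handled.

```python
# Added example for this thread (not from the certid draft, an RFC or any
# poster): server-identity matching with the CN fallback gated exactly as
# the quoted draft text requires. Toy DER helpers: short-form lengths only,
# UTF8String for every attribute value. SRVName is modelled by the label
# "SRVName" instead of being decoded from its otherName; no wildcards.

OID_C = bytes.fromhex("550406")   # 2.5.4.6  countryName
OID_O = bytes.fromhex("55040a")   # 2.5.4.10 organizationName
OID_CN = bytes.fromhex("550403")  # 2.5.4.3  commonName
OID_NAMES = {OID_C: "C", OID_O: "O", OID_CN: "CN"}

# If any SAN of one of these types is present, the CN fallback is disabled.
FALLBACK_BLOCKING_SAN_TYPES = {"dNSName", "SRVName", "URI"}


def der(tag: int, body: bytes) -> bytes:
    """Encode one TLV with a short-form length (body must be < 128 bytes)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def tlv(buf: bytes, pos: int = 0):
    """Decode one TLV at pos -> (tag, content, position after the TLV)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += n
    start = pos + 2
    return tag, buf[start:start + length], start + length


def children(buf: bytes):
    """Yield (tag, content) for each TLV directly inside buf."""
    pos = 0
    while pos < len(buf):
        tag, content, pos = tlv(buf, pos)
        yield tag, content


def encode_name(rdns):
    """rdns: [(oid_bytes, str)] in DER order -> DER-encoded X.501 Name."""
    body = b""
    for oid, value in rdns:
        atv = der(0x30, der(0x06, oid) + der(0x0C, value.encode()))
        body += der(0x31, atv)             # each RDN is a SET OF one ATV here
    return der(0x30, body)


def attributes(name_der: bytes):
    """Walk a DER Name and yield (oid_bytes, str) in DER order."""
    for _, rdn in children(tlv(name_der)[1]):
        for _, atv in children(rdn):
            (_, oid), (_, value) = list(children(atv))
            yield oid, value.decode()


def rfc4514_string(name_der: bytes) -> str:
    """Display form. RFC 4514 reverses the RDN order, which is why the
    draft insists that 'last' means DER order, not string order."""
    parts = [f"{OID_NAMES.get(oid, oid.hex())}={v}"
             for oid, v in attributes(name_der)]
    return ",".join(reversed(parts))


def last_cn(name_der: bytes):
    """The LAST commonName in DER order, or None if the Name has no CN."""
    cn = None
    for oid, value in attributes(name_der):
        if oid == OID_CN:
            cn = value
    return cn


def verify_hostname(reference: str, san, subject_der: bytes) -> bool:
    """san: list of (general_name_type, value) taken from subjectAltName."""
    reference = reference.lower().rstrip(".")
    # 1. DNS-ID: any matching dNSName entry wins (exact match, no wildcards).
    for kind, value in san:
        if kind == "dNSName" and value.lower().rstrip(".") == reference:
            return True
    # 2. If the identity set holds any dNSName/SRVName/URI, a mismatch is
    #    final: the CN must not be consulted even if it would have matched.
    if any(kind in FALLBACK_BLOCKING_SAN_TYPES for kind, _ in san):
        return False
    # 3. Fallback: the last CN in DER order, and only if it looks like an FQDN.
    cn = last_cn(subject_der)
    return (cn is not None and "." in cn and " " not in cn
            and cn.lower().rstrip(".") == reference)


# Constructed sample subject (not a real certificate): two CNs, with the
# descriptive one first in DER order and the host name last.
SAMPLE_SUBJECT = encode_name([
    (OID_C, "US"),
    (OID_CN, "Example Corp Server"),
    (OID_CN, "www.example.com"),
])
```

With an empty SAN list, verify_hostname("www.example.com", [], SAMPLE_SUBJECT) succeeds through the fallback, while rfc4514_string(SAMPLE_SUBJECT) renders as "CN=www.example.com,CN=Example Corp Server,C=US"; a client that picked the "last" CN from that display string would compare against "Example Corp Server" instead. A SAN list containing only a non-matching dNSName makes the check fail without ever looking at the CN, whereas a SAN list holding only an rfc822Name leaves the fallback available.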