Re: [certid] version -04 of CertID draft
Kaspar Brand <ietf-certid@velox.ch> Thu, 13 May 2010 08:32 UTC
Return-Path: <ietf-certid@velox.ch>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id 4E5353A6B91 for <certid@core3.amsl.com>;
Thu, 13 May 2010 01:32:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.001
X-Spam-Level:
X-Spam-Status: No,
score=0.001 tagged_above=-999 required=5 tests=[BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kwcJix+b6z87 for
<certid@core3.amsl.com>; Thu, 13 May 2010 01:32:22 -0700 (PDT)
Received: from appendix.velox.ch (appendix.velox.ch [62.75.148.60]) by
core3.amsl.com (Postfix) with ESMTP id D55B23A6B9A for <certid@ietf.org>;
Thu, 13 May 2010 01:29:03 -0700 (PDT)
Received: from cortex.velox.ch (84-75-163-235.dclient.hispeed.ch
[84.75.163.235]) (authenticated bits=0) by appendix.velox.ch
(8.14.4/8.14.4/2.0) with ESMTP id o4D8SqAN025789 (version=TLSv1/SSLv3
cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <certid@ietf.org>;
Thu, 13 May 2010 10:28:52 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=velox.ch; s=appendix-177f;
t=1273739332; bh=iUYnGpoqC9eRcOugQ0V1IKkU5c6nLhgnS+ueJVeHK1E=;
h=Message-ID:Date:From:MIME-Version:To:Subject:References: In-Reply-To:Content-Type:Content-Transfer-Encoding;
b=IMVnvvV7flkBmw4FUasDJn/stJviMfcmoxdlcOiujhS+aBis8i4CalfnTC735BGxD
Pxys4wcUg05Q9d9k6HbkAey6/fLGD+sOFzyeFTnb+97jz9TS73kegjK6Z3dmKwG87p
QaWcMAD7sSlQg0uuPhPEwz/fj2LpqdJtBd/2svulEVKeCSg1OSzozh492Ibd2Gl1oO
/WxkbNNdMtm2q7eTB9XETG9O7X21Dc4Wt+Ulreucs352J6SiPRzbItj+jc+ZDuSaTn
P1OYWkSveXsIvSq/Znn2wMvIN7O+g5fQ3w2XfoUXEyYa5EdIxXxv6aFo3p3hMSFq+H
wgGrumRS4YkBQ==
Message-ID: <4BEBB843.6020600@velox.ch>
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=velox.ch; s=cortex-8a58;
t=1273739331; bh=iUYnGpoqC9eRcOugQ0V1IKkU5c6nLhgnS+ueJVeHK1E=;
h=Date:From:MIME-Version:To:Subject:References:In-Reply-To: Content-Type:Content-Transfer-Encoding;
b=hdzwE+bONprr3WqZTCSMLLt7fbeTUk3rl460mEJs6Go6SW2CJi5H6i6ZmzES+ikNH
YWB0dm7mVXCXL0DLFuUUuMz8HdnwTRZsRY6icYUZmCaT83TrN9sgfcSaJTrF1+KHHW
h0dv2fzXG99c89srN7Z9eA1iXkUanHf+tP3CbBK3CV4hOvD8kbEF5mF2vpU7UMhXz6
aWkRDi0Oq1oeCz8yUapEmkv8bOvWblHIiFeFN4+X8pHRTXphyn7Ygsq7+LxAI4X14/
orZPCBTxokP/825wx0k42YmWZFGeLdTV/jv70J5fTqNEQhx2pVqDDwRG/3IBcQ6yM2
ejdi0GD6O5AnQ==
Date: Thu, 13 May 2010 10:28:51 +0200
From: Kaspar Brand <ietf-certid@velox.ch>
User-Agent: Thunderbird/3.0
MIME-Version: 1.0
To: certid@ietf.org
References: <4BDB1F71.2050207@stpeter.im>
In-Reply-To: <4BDB1F71.2050207@stpeter.im>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Subject: Re: [certid] version -04 of CertID draft
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates
<certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 May 2010 08:32:23 -0000
A few more comments about draft -04: > 2.1. Subject Naming in PKIX Certificates > [...] > "string representation" of a DN before being rendered. Often such a > DN string representation is ordered from left-to-right, most specific > to most general. See [LDAP-AUTH] for details. I would suggest to replace this with a reference to RFC 4514 (not 4513). > 2.2. PKIX Certificate Name Rules > > The following rules apply to the representation of application server > identities in PKIX certificates issued by certification authorities. > > 1. The certification authority MUST issue the certificate based on > the DNS domain name (not an IP address) at which the server will > provide the relevant service. With the current draft, "relative" domain names (such as "www", "mail" etc.) are also permitted as DNS-IDs or CN-IDs, from what I understand. Is this a deliberate decision, or should domain names possibly be required to be fully qualified (or "absolute", in RFC-1034 speak)? If the latter, then it would probably make sense to add an entry for "DNS domain name" to section 1.3 and explicitly state that it's required to be absolute / fully qualified. > 3.3. Seeking a Match > > Once the client has constructed its order list of reference > identifiers and has received the server's presented identifiers in > the form of an PKIX certificate, the client checks its reference Nit: "a PKIX certificate" > Note: A client MUST NOT seek a match for a reference identifier of > CN-ID if the presented identifiers include an SRV-ID, URI-ID, > DNS-ID, or any application-specific subjectAltName extensions, and > MUST NOT check a Common Name in the certificate if it is other > than the last Relative Distinguished Name (RDN) in within the > sequence of RDNs making up the Distinguished Name within the > certificate's subjectName. As already mentioned elsewhere, this requirement is probably too strict. I suggest changing to something like "must only check against the last Common Name RDN in the sequence of RDNs making up the Distinguished Name within the certificate's subjectName". > 3.4.4. Checking of DNS Domain Names in Common Names > > As noted, a client MUST NOT seek a match for a reference identifier > of CN-ID if the presented identifiers include an SRV-ID, URI-ID, > DNS-ID, or any application-specific subjectAltName extensions. > > Therefore, if and only if the identity set does not include > subjectAltName extensions of type dNSName, SRVName, or > uniformResourceIdentifier (or any application-specific subjectAltName > extensions), the client MAY as a fallback check for a DNS domain name > in the value of the last Relative Distinguished Name (RDN), if it is > of type Common Name (CN), within the sequence of RDNs making up the > Distinguished Name within the certificate's subjectName. (Note: The > term "last" refers to the DER order, which is often not the string > order presented to a user; the order that is applied here MUST be the > DER order.) See above - should be adapted accordingly. > 4.3. Internationalized Doman Names -> "Domain" Kaspar
- [certid] version -04 of CertID draft Peter Saint-Andre
- Re: [certid] version -04 of CertID draft Kaspar Brand
- Re: [certid] version -04 of CertID draft ArkanoiD
- Re: [certid] version -04 of CertID draft Peter Saint-Andre