IETF Logo Mail Archive

Re: [certid] Please explicitly disallow unvetted info in subject names

Paul Hoffman <phoffman@imc.org> Tue, 08 June 2010 19:02 UTC

Return-Path: <phoffman@imc.org>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DFBAF3A635F for <certid@core3.amsl.com>; Tue, 8 Jun 2010 12:02:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.554
X-Spam-Level:
X-Spam-Status: No, score=0.554 tagged_above=-999 required=5 tests=[BAYES_50=0.001, HELO_MISMATCH_COM=0.553]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W7FQZeQ5W8nK for <certid@core3.amsl.com>; Tue, 8 Jun 2010 12:02:02 -0700 (PDT)
Received: from hoffman.proper.com (Hoffman.Proper.COM [207.182.41.81]) by core3.amsl.com (Postfix) with ESMTP id 924083A6781 for <certid@ietf.org>; Tue, 8 Jun 2010 12:02:01 -0700 (PDT)
Received: from [10.20.30.158] (75-101-30-90.dsl.dynamic.sonic.net [75.101.30.90]) (authenticated bits=0) by hoffman.proper.com (8.14.4/8.14.3) with ESMTP id o58J1ufN007890 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 8 Jun 2010 12:01:58 -0700 (MST) (envelope-from phoffman@imc.org)
Mime-Version: 1.0
Message-Id: <p06240802c834428416cf@[10.20.30.158]>
In-Reply-To: <4C0E826B.3050904@bolyard.me>
References: <4C0E826B.3050904@bolyard.me>
Date: Tue, 8 Jun 2010 12:01:51 -0700
To: Nelson B Bolyard <nelson@bolyard.me>, certid@ietf.org
From: Paul Hoffman <phoffman@imc.org>
Content-Type: text/plain; charset="us-ascii"
Subject: Re: [certid] Please explicitly disallow unvetted info in subject names
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Jun 2010 19:02:03 -0000

At 10:48 AM -0700 6/8/10, Nelson B Bolyard wrote:
>There are a large number of CAs that follow the practice of vetting SOME
>of the information they put into cert subject names, but not all, and in
>fact deliberately making no attempt to vet certain attributes at all.
>
>Examples known to me include:
>
>OU names: typically not vetted at all
>
>CNs other than the last (most specific) one, if it is a DNS name.
>
>Maybe it's pointless to try, but can we write into this RFC that conforming
>certs contain NO unvetted attributes in the subject name nor in any Subject
>Alt Name attributes?

Their vetting practices are supposed to be listed in their CPSs, so a CA can always say "we do exactly what we say we do" because they know that no one reads (or can read) their CPS.

Having said that, including this practice as a warning in the document seems like a good idea.

v2.8.7 | Report a Bug | By Email