IETF Logo Mail Archive

Re: [certid] Comments on draft-saintandre-tls-server-id-check-03

=JeffH <Jeff.Hodges@KingsMountain.com> Tue, 11 May 2010 23:47 UTC

Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BE1053A6929 for <certid@core3.amsl.com>; Tue, 11 May 2010 16:47:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.258
X-Spam-Level:
X-Spam-Status: No, score=0.258 tagged_above=-999 required=5 tests=[AWL=-0.077, BAYES_50=0.001, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CUzMdC5G-V04 for <certid@core3.amsl.com>; Tue, 11 May 2010 16:47:56 -0700 (PDT)
Received: from outbound-mail-313.bluehost.com (cpoproxy3-pub.bluehost.com [67.222.54.6]) by core3.amsl.com (Postfix) with SMTP id 7BD5E3A6822 for <certid@ietf.org>; Tue, 11 May 2010 16:47:56 -0700 (PDT)
Received: (qmail 13161 invoked by uid 0); 11 May 2010 23:47:46 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by cpoproxy3.bluehost.com with SMTP; 11 May 2010 23:47:46 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=kingsmountain.com; h=Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:Content-Type:Content-Transfer-Encoding:X-Identified-User; b=vxukeAgtQ1jkDl/YlZA+s9fAIr3do8xe84VwgLDr/UJRH/77I5c6pSGPyMsywVHGVY8tY66LwV0hwQliYc1i/Gmv1OzaV8Kk1rVEqkg9kQky/Rn1uRql1ZVmhxaN+Q94;
Received: from c-67-161-32-29.hsd1.ca.comcast.net ([67.161.32.29] helo=[192.168.11.11]) by box514.bluehost.com with esmtpsa (SSLv3:AES256-SHA:256) (Exim 4.69) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1OBzAv-0006u6-LX; Tue, 11 May 2010 17:47:45 -0600
Message-ID: <4BE9EC9F.9030903@KingsMountain.com>
Date: Tue, 11 May 2010 16:47:43 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Thunderbird 2.0.0.24 (X11/20100411)
MIME-Version: 1.0
To: IETF cert-based identity <certid@ietf.org>, Martin Rex <mrex@sap.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 67.161.32.29 authed with jeff.hodges+kingsmountain.com}
Subject: Re: [certid] Comments on draft-saintandre-tls-server-id-check-03
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 May 2010 23:47:57 -0000

 > Jeff Hodges wrote:
 >>
 >> > The various standards for translating a DER encoded Name into
 >> > a string call for the RDNs to be ordered, left to right, from
 >> > most specific to most general, the reverse of the order in which
 >> > they appear in the DER encoded certificate.
 >>
 >> AFAICT, there is only one clear non-implementation-specific
 >> specification for a X.500/LDAP DN string representation,
 >> and that's (now) RFC4514 (obsoletes 2253, which obsoleted 1779,
 >> which obsoleted 1485). Is there a DN string rep specified
 >> anywhere in the ISO specs (I can't find one)?
 >
 > The description above oversimplifies the process.
 >
 > In ASN.1 a distinguished name is a sequence of RDNames, which are
 > sets of attribute-value pairs.  Often these sets only contain a
 > single attribute value pair, but they _can_ contain several
 > attribute value pairs, and some CA software seems to stuff
 > serialNumber and CN into a single RDName set.

Thanks very much for this detailed heads-up.


 > The result is a little weird.  Multiple attribute-value pairs
 > in a set are glued together with a plus (+) sign instead of a
 > comma (,) and the original ordering of the set is retained!

Ah, this (i.e. "the result") would be the resultant DN string representation as 
spec'd by RFC4514 section 2.2.


 > Further complicating the issue: While DER encoding leaves the ordering
 > of the contents of an ASN.1 SEQUENCE as is, the ordering of the contents
 > of an ASN.1 SET is "canonicalized" by DER encoding (based on the
 > numeric ordering of the final binary encoding of each element).
 > So the shorter elements will always end up first in RDNames
 > containing multiple attribute-value pairs in a SET.
 >
 > i.e.
 >
 >      CN=Foo+2.5.4.5=123ABC,O=bar,C=ZZ
 >      2.5.4.5=227DEF+CN=LongName,O=bar,C=ZZ

Ok, thx, good catch.

AFAICT, this revelation means we have some re-working to do to 
-tls-server-id-check in sections 2.1 and 3.1.3 in order to denote that RDNs can 
  contain a set of AVAs.


 > Btw. the XMLdsig guys actually recommend an additional restriction
 > on top of rfc4514:
 >
 >   http://www.w3.org/TR/xmldsig-core/#dname-encrules

this item seems to be an escaping of (apparent) ASCII control chars when 
rendering a DER encoded DN as a DN string representation, yes?  And it is a 
MAY-level requirement in the XMLdsig spec.


 > One area that may create slight interop problems with some legacy software
 > is the printable attribute label used for certain attributes.
 >
 >    rfc4514
 >    SN=        2.5.4.surname(4)
 >    2.5.4.5=   2.5.4.serialNumber(5)
 >    ST=        2.5.4.stateOrProvince(8)


Ok, although I'm unsure how this might affect the -tls-server-id-check spec.

thanks again,

=JeffH

v2.8.7 | Report a Bug | By Email