Re: [certid] DC should be MUST NOT
Peter Saint-Andre <stpeter@stpeter.im> Tue, 29 June 2010 22:14 UTC
Message-ID: <4C2A7062.2070207@stpeter.im>
Date: Tue, 29 Jun 2010 16:14:58 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
To: certid@ietf.org
References: <p062408bdc838812e2e91@[10.20.30.158]>
In-Reply-To: <p062408bdc838812e2e91@[10.20.30.158]>
List-Id: Representation and verification of identity in certificates
<certid.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
On 6/11/10 6:12 PM, Paul Hoffman wrote:
>> 6. The certificate SHOULD NOT represent the server's
>> fully-qualified DNS domain name by means of a DC-ID, i.e., a series
>> of Domain Component (DC) attributes in the certificate subject,
>> with one RDN per domain label and one DC in each RDN. Although
>> (for example) <dc=www,dc=example,dc=com> could be used to
>> represent the DNS domain name "www.example.com", given the fact
>> that the DNS-ID can be used instead, the DC-ID is NOT RECOMMENDED.
>
> This should be a MUST NOT. And the reason for the prohibition is not
> "DNS-ID can be used instead", but rather "this is insecure because
> you can interpret the series of RDNs incorrectly".

In version -05 we had the following text:

   Domain Components (DCs) are unordered. Therefore the following two
   sets of DCs would be equivalent:

      dc=com, dc=example, dc=cn
      dc=cn, dc=example, dc=com

   Because com.example.cn is presumably different from cn.example.com,
   representing or verifying an application server's DNS domain name
   based on domain components would open a serious security hole. As a
   result, certificate issuers and application clients MUST NOT use DCs.

Someone objected that in fact domain components are not unordered, only
that they can be misinterpreted (as everything else can, see ongoing
discussion of RDNs and AVAs). Therefore we pulled out the quoted text.

Corrections are welcome.

Peter

--
Peter Saint-Andre
https://stpeter.im/
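The following is an added illustration of the point made in the message above (a DC-ID can be "interpreted incorrectly"); it is not code from the certid draft, from any X.509 library, or from anyone in the thread. It models a certificate subject as a list of (attribute, value) pairs in ASN.1 encoding order (root label first) and relies on one real fact: the RFC 4514 string form of a DN lists RDNs in the reverse of that order, so the same subject yields different host names depending on which order a verifier walks. The simplified DN parser (no escaping, one attribute per RDN) and the `verify_reference_identity` function are constructed for this example only.

```python
"""Added example: why identifying a server by Domain Component (DC)
attributes is fragile, and a verifier that ignores them entirely.

Subjects are lists of (attribute, value) pairs in ASN.1 encoding order,
i.e. root component first. RFC 4514 string notation lists RDNs in the
opposite order, which is exactly the ambiguity a DC-ID verifier faces.
"""
from typing import List, Tuple

RDN = Tuple[str, str]


def parse_ldap_dn(dn: str) -> List[RDN]:
    """Parse a simplified RFC 4514 string (no escaping, one AVA per RDN)
    into ASN.1 order. The string form is most-specific-first, so the
    parsed list is reversed to get root-first encoding order."""
    avas: List[RDN] = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        avas.append((attr.strip().lower(), value.strip()))
    return list(reversed(avas))


def dc_id_encoded_order(subject: List[RDN]) -> str:
    """Naive DC-ID verifier: join DC values in the order they are encoded."""
    return ".".join(v for a, v in subject if a == "dc")


def dc_id_string_order(subject: List[RDN]) -> str:
    """Another DC-ID verifier: join DC values in RFC 4514 string order."""
    return ".".join(v for a, v in reversed(subject) if a == "dc")


def dc_id_unordered(subject: List[RDN]) -> str:
    """A verifier that treats DCs as a set (the -05 draft's wording):
    any canonical ordering, here sorted, loses the host name entirely."""
    return ".".join(sorted(v for a, v in subject if a == "dc"))


def verify_reference_identity(reference: str, dns_ids: List[str],
                              subject: List[RDN]) -> bool:
    """Hypothetical reference-identity check that accepts only a DNS-ID
    (subjectAltName dNSName). DC attributes in the subject are
    deliberately never consulted, matching the MUST NOT argued for in
    the thread. Comparison is case-insensitive; no wildcard handling."""
    del subject  # present to make the point: the subject's DCs are ignored
    ref = reference.rstrip(".").lower()
    return any(d.rstrip(".").lower() == ref for d in dns_ids)


if __name__ == "__main__":
    # Constructed subjects: the two DN strings from the -05 draft text.
    for dn in ("dc=com,dc=example,dc=cn", "dc=cn,dc=example,dc=com"):
        subj = parse_ldap_dn(dn)
        print(dn)
        print("  read in encoded order :", dc_id_encoded_order(subj))
        print("  read in string order  :", dc_id_string_order(subj))
        print("  treated as unordered  :", dc_id_unordered(subj))
    # The DNS-ID path has no such ambiguity.
    subj = parse_ldap_dn("dc=www,dc=example,dc=com")
    print(verify_reference_identity("www.example.com", ["WWW.example.com"], subj))
    print(verify_reference_identity("www.example.com", ["www.example.cn"], subj))
```

Run as a script, the two draft DNs each produce a different host name under each reading, while the DNS-ID check gives a single answer regardless of what the subject's DCs say.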