Re: [certid] Last Call: draft-saintandre-tls-server-id-check (Representation and Verification of Domain-Based Application Service Identity in Certificates Used with Transport Layer Security) to Proposed Standard
Shumon Huque <shuque@isc.upenn.edu> Fri, 30 July 2010 03:43 UTC
Date: Thu, 29 Jul 2010 23:44:16 -0400
From: Shumon Huque <shuque@isc.upenn.edu>
To: Peter Saint-Andre <stpeter@stpeter.im>
Organization: University of Pennsylvania
Cc: IETF cert-based identity <certid@ietf.org>, ietf@ietf.org
Peter,
I'm not sure if this one is already on your list or not, but I
didn't see it addressed in -08:
I don't think the characterization of SRV-ID as an "indirect"
(i.e. DNS resolved) identifier is correct.
Whether a subject name is indirect or not depends on the content
of the identifier field and how that content was obtained, rather
than on the identifier type itself.
In most cases, indirect identifiers will be found in DNS-ID or CN-ID,
as a result of DNS resolution of SRV, CNAME, or other records. If an
application is trying to authenticate such identities, then the
document needs to clearly state under what conditions it is safe to
do so (DNSSEC, or a static mapping rule in the client). The document
does touch on safe derivation rules later (currently in 4.2). But the
direct/indirect classification of identity types needs to be
corrected (or just eliminated).
I said some more here:
http://www.ietf.org/mail-archive/web/certid/current/msg00220.html
--
Shumon Huque
University of Pennsylvania.
On Fri, Jul 23, 2010 at 09:25:43AM -0600, Peter Saint-Andre wrote:
> Sorry, I haven't yet had a chance to review the feedback that's been
> provided during this Last Call. I'll do that en route to Maastricht
> today. Next week Jeff and I will discuss in person the points that have
> been raised, and then we'll post further regarding our proposed changes
> to the spec.
>
> Peter
>
> On 7/15/10 5:08 PM, The IESG wrote:
> > The IESG has received a request from an individual submitter to consider
> > the following document:
> >
> > - 'Representation and Verification of Domain-Based Application Service
> > Identity in Certificates Used with Transport Layer Security '
> > <draft-saintandre-tls-server-id-check-08.txt> as a Proposed Standard
> >
> > The IESG plans to make a decision in the next few weeks, and solicits
> > final comments on this action. Please send substantive comments to the
> > ietf@ietf.org mailing lists by 2010-08-12. Exceptionally,
> > comments may be sent to iesg@ietf.org instead. In either case, please
> > retain the beginning of the Subject line to allow automated sorting.
> >
> > The file can be obtained via
> > http://www.ietf.org/internet-drafts/draft-saintandre-tls-server-id-check-08.txt
> >
> >
> > IESG discussion can be tracked via
> > https://datatracker.ietf.org/public/pidtracker.cgi?command=view_id&dTag=18634&rfc_flag=0
> >
> > _______________________________________________
> > IETF-Announce mailing list
> > IETF-Announce@ietf.org
> > https://www.ietf.org/mailman/listinfo/ietf-announce
> _______________________________________________
> Ietf mailing list
> Ietf@ietf.org
> https://www.ietf.org/mailman/listinfo/ietf
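As an added illustration of the distinction drawn in the message above (example code written for this page, not from the draft, RFC 4985, or any list participant), here is a client-side reference-identifier derivation in which directness is decided by how a value was obtained, not by its type: the SRV-ID and DNS-ID spellings, the static mapping table, the `SrvAnswer` validation flag and the simplified exact-match comparison are all assumptions.

```python
# Added example: reference identifiers are derived from the user's source
# domain; a DNS-ID taken from an SRV target is only accepted when the
# derivation is safe (DNSSEC-validated answer or a static client rule).
from dataclasses import dataclass

# Hypothetical static mapping rule (constructed): the client is configured to
# trust that example.com's XMPP service is hosted at this target name.
STATIC_MAPPINGS = {("example.com", "_xmpp-client"): "xmpp.hosting.example.net"}


@dataclass(frozen=True)
class SrvAnswer:
    """Result of an SRV lookup, with whether the resolver validated it (assumed API)."""
    target: str
    dnssec_validated: bool


def derive_reference_ids(source_domain, service, srv_answer=None):
    """Return reference identifiers as (type, value) pairs.

    The SRV-ID and the DNS-ID for the source domain are direct: they are
    built from user-supplied input alone, with no DNS involved.  A DNS-ID
    for an SRV target is indirect and is added only when it is safe to do so.
    """
    refs = {
        ("SRV-ID", f"{service}.{source_domain}"),   # e.g. _xmpp-client.example.com
        ("DNS-ID", source_domain),
    }
    mapped = STATIC_MAPPINGS.get((source_domain, service))
    if mapped:
        refs.add(("DNS-ID", mapped))                # static rule: no DNS trust needed
    if srv_answer is not None and srv_answer.dnssec_validated:
        refs.add(("DNS-ID", srv_answer.target))     # validated lookup: safe to trust
    # An unvalidated SRV target is deliberately NOT added: a forged answer
    # would otherwise make a certificate for an unrelated name acceptable.
    return refs


def match(reference_ids, presented_ids):
    """Simplified matching: same identifier type, case-insensitive equal value."""
    presented = {(t, v.lower()) for t, v in presented_ids}
    return any((t, v.lower()) in presented for t, v in reference_ids)
```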