Re: [certid] Gen-ART LC Review of draft-saintandre-tls-server-id-check-11

Peter Saint-Andre <stpeter@stpeter.im> Wed, 08 December 2010 05:11 UTC

Message-ID: <4CFF13C6.8090807@stpeter.im>
Date: Tue, 07 Dec 2010 22:12:38 -0700
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2.12) Gecko/20101027 Thunderbird/3.1.6
MIME-Version: 1.0
To: Ben Campbell <ben@nostrum.com>
References: <4CFD8731.9060208@KingsMountain.com> <49E7482C-83CF-4341-B6FA-F75E74038F8E@nostrum.com>
In-Reply-To: <49E7482C-83CF-4341-B6FA-F75E74038F8E@nostrum.com>
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms080605030005080700010305"
Cc: draft-saintandre-tls-server-id-check.all@tools.ietf.org, General Area Review Team <gen-art@ietf.org>, IETF cert-based identity <certid@ietf.org>, =JeffH <Jeff.Hodges@KingsMountain.com>
Subject: Re: [certid] Gen-ART LC Review of draft-saintandre-tls-server-id-check-11
Precedence: list

On 12/7/10 6:35 PM, Ben Campbell wrote:
> 
> On Dec 6, 2010, at 7:00 PM, =JeffH wrote:
> 
>> Peter Saint-Andre <Peter.SaintAndre@webex.com> replied..
>>> 
>>> On 12/3/10 2:24 PM, "Ben Campbell" <ben@nostrum.com> wrote:

<snip/>

>>>> -- 3.1, 1st paragraph:
>>>> 
>>>> It's probably worth emphasizing that the rules are often
>>>> cumulative.  I think someone thinking about these for the first
>>>> time might not grasp that until they see examples later in the
>>>> doc.
>>> 
>>> I've added the second sentence to this paragraph:
>>> 
>>> When a certification authority issues a certificate based on the 
>>> fully-qualified DNS domain name at which the application service
>>> provider will provide the relevant application, the following
>>> rules apply to the representation of application service
>>> identities.  The reader needs to be aware that some of these
>>> rules are cumulative and can interact in important ways that are
>>> illustrated later in this document.
>> 
>> LGTM.
> 
> WFM
> 
> In fact, as I was re-reading RFC 5922, it occurred to me to wonder if
> people need guidance one way or another on the idea of
> "multi-purpose" certs that might have any number of subjectAltName
> entries for different purposes. I'm talking about virtual domain
> hosting, or multi-protocol hosts. I assume in the latter case, you
> would expect a host to use different certs for different protocols.
> In the first case, is their any guidance to give. I can't remember,
> do you mention the TLS server_name extension?
> 
> (I don't mean to suggest any real action here--just thinking out loud
> about something that would have been much better to bring up well
> before IETF LC. :-)  )

Those scenarios are important, but IMHO how the server determines which
certificate to present (e.g., based on the SNI or something else, such
as the 'to' address on an XMPP stream header) is something that an
application protocol specification needs to define.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/

Attachment: smime.p7s

Re: [certid] [Gen-art] Gen-ART LC Review of draft… =JeffH
Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
[certid] Gen-ART LC Review of draft-saintandre-tl… Ben Campbell
Re: [certid] Gen-ART LC Review of draft-saintandr… Jeffrey A. Williams
Re: [certid] Gen-ART LC Review of draft-saintandr… =JeffH
Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
Re: [certid] Gen-ART LC Review of draft-saintandr… Paul Hoffman
Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
Re: [certid] Gen-ART LC Review of draft-saintandr… Ben Campbell
Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
Re: [certid] Gen-ART LC Review of draft-saintandr… Ben Campbell
Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
Re: [certid] [Gen-art] Gen-ART LC Review of draft… =JeffH
Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
Re: [certid] Gen-ART LC Review of draft-saintandr… =JeffH
Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
Re: [certid] Gen-ART LC Review of draft-saintandr… =JeffH
Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
Re: [certid] Gen-ART LC Review of draft-saintandr… =JeffH
Re: [certid] Gen-ART LC Review of draft-saintandr… =JeffH
Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
Re: [certid] Gen-ART LC Review of draft-saintandr… =JeffH

Re: [certid] Gen-ART LC Review of draft-saintandre-tls-server-id-check-11

Attachment: smime.p7s