[certid] URI match
Ludwig Nussel <ludwig.nussel@suse.de> Tue, 23 March 2010 14:00 UTC
Hi,

What's the purpose of URIs in subjAltnames? Are they meant for things like "https://example.com/"? If so, does "telnet://example.com/" match "https://example.com/"? I guess not as the URI schemes are different. The exact matching rules for URIs are not defined in the I-D though.

The I-D allows multiple different types in subjAltnames so I guess it's legal to have subjAltnames of type dNSName and uniformResourceIdentifier in the same certificate. So a subjAltname 'URI:telnet://example.com/, DNS:example.com' would be valid. Assume the user wants to connect to a server with that subjAltname and enters 'https://example.com/' in the browser. Should that succeed? Again I guess the URI doesn't match. However, when mapping the URI to the host part only the dNSName would match and the connection succeeds. Also, clients that don't support URIs in subjAltnames (as almost all software out there) would ignore the URI and match dNSName only.

So, without defining further constraints a URI in subjAltnames is rather useless, isn't it?

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
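Added example, not part of the original message or of the I-D: a small Python sketch that evaluates the subjAltname from the message against a reference URL under three client behaviours. Because the I-D defines no URI matching rules, the rules below (scheme plus host, host only, dNSName only, no wildcard handling) and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: the subjAltname from the message as (type, value) pairs.
SAN = [("URI", "telnet://example.com/"), ("DNS", "example.com")]


def _scheme_host(uri):
    """Split a URI into lower-cased (scheme, host)."""
    parts = urlsplit(uri)
    return parts.scheme.lower(), (parts.hostname or "").lower()


def match_uri_strict(san, reference):
    """Assumed rule: a URI entry matches only if scheme and host both agree."""
    ref = _scheme_host(reference)
    return any(t == "URI" and _scheme_host(v) == ref for t, v in san)


def match_uri_host_only(san, reference):
    """Assumed rule: reduce each URI entry to its host and ignore the scheme."""
    host = _scheme_host(reference)[1]
    return any(t == "URI" and _scheme_host(v)[1] == host for t, v in san)


def match_dns(san, reference):
    """A client without URI support: compare dNSName entries only."""
    host = _scheme_host(reference)[1]
    return any(t == "DNS" and v.lower().rstrip(".") == host for t, v in san)


def evaluate(san, reference):
    """Return the verdict of each behaviour for one reference URL."""
    strict = match_uri_strict(san, reference)
    dns = match_dns(san, reference)
    return {
        "uri_strict": strict,
        "uri_host_only": match_uri_host_only(san, reference),
        "dns_only": dns,
        # A client that accepts a match on any supported entry type.
        "accepted": strict or dns,
    }


if __name__ == "__main__":
    for ref in ("https://example.com/", "telnet://example.com/"):
        print(ref, evaluate(SAN, ref))
```

For 'https://example.com/' the strict URI comparison fails, yet the connection is still accepted through the dNSName entry, so the URI entry constrains nothing unless a client is required to prefer it.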