Re: [certid] Gen-ART LC Review of draft-saintandre-tls-server-id-check-11
=JeffH <Jeff.Hodges@KingsMountain.com> Thu, 09 December 2010 17:30 UTC
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E76F428C128 for <certid@core3.amsl.com>; Thu, 9 Dec 2010 09:30:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.208
X-Spam-Level:
X-Spam-Status: No, score=-102.208 tagged_above=-999 required=5 tests=[AWL=0.391, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t2fxlbyPVMR4 for <certid@core3.amsl.com>; Thu, 9 Dec 2010 09:30:50 -0800 (PST)
Received: from oproxy1-pub.bluehost.com (oproxy1-pub.bluehost.com [66.147.249.253]) by core3.amsl.com (Postfix) with SMTP id CDB7628C146 for <certid@ietf.org>; Thu, 9 Dec 2010 09:30:47 -0800 (PST)
Received: (qmail 2871 invoked by uid 0); 9 Dec 2010 17:32:07 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by oproxy1.bluehost.com.bluehost.com with SMTP; 9 Dec 2010 17:32:07 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=kingsmountain.com; h=Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:Content-Type:Content-Transfer-Encoding:X-Identified-User; b=MGX+IcPb8hED5+JV1yz8qQS/pkCNKGIH0Muld2U/Su4p9YFRrRrJE/Qg6dCsC5QqTqeTsoKxfPtI4cKv7GQvKrGP1OpswDdWcYXefvlWAobsFwENbSnakuquAAXPiNUg;
Received: from c-24-4-122-173.hsd1.ca.comcast.net ([24.4.122.173] helo=[192.168.11.10]) by box514.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1PQkLf-0005hI-2s; Thu, 09 Dec 2010 10:32:07 -0700
Message-ID: <4D011294.7030200@KingsMountain.com>
Date: Thu, 09 Dec 2010 09:32:04 -0800
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Thunderbird 2.0.0.24 (X11/20101027)
MIME-Version: 1.0
To: Peter Saint-Andre <stpeter@stpeter.im>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 24.4.122.173 authed with jeff.hodges+kingsmountain.com}
Cc: draft-saintandre-tls-server-id-check.all@tools.ietf.org, General Area Review Team <gen-art@ietf.org>, certid@ietf.org
Subject: Re: [certid] Gen-ART LC Review of draft-saintandre-tls-server-id-check-11
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Dec 2010 17:30:55 -0000
PeterSA replied.. > > And the wordsmithing continues... > > On 12/8/10 3:52 PM, =JeffH wrote: >> see way below... >> >> PeterSA wrote on Wed, 08 Dec 2010 07:54:52 -0700 (06:54 PST) >>> >>> On 12/8/10 7:37 AM, Ben Campbell wrote: >>>> >>>> >>>> On Dec 8, 2010, at 7:10 AM, Peter Saint-Andre <stpeter@stpeter.im> >>>> wrote: >>>> >>>>> On 12/7/10 10:45 PM, Ben Campbell wrote: >>>>>> >>>>>> On Dec 7, 2010, at 11:12 PM, Peter Saint-Andre wrote: >>>>>> >>>>>>> On 12/7/10 6:35 PM, Ben Campbell wrote: >>>>>>>> >>>>>>>> On Dec 6, 2010, at 7:00 PM, =JeffH wrote: >>>>>>>> >>>>>>>>> Peter Saint-Andre <Peter.SaintAndre@webex.com> replied.. >>>>>>>>>> >>>>>>>>>> On 12/3/10 2:24 PM, "Ben Campbell" <ben@nostrum.com> >>>>>>>>>> wrote: >>>>>>> <snippage type="major"/> >>>> Do you think server_name extension use is actually common enough to >>>> call typical? I'm not saying it's not--I don't really know one way or >>>> another. Otherwise, WFM. >> >> I don't think the TLS server_name extension (aka SNI) is in common >> enough use yet to call it "typical". There's a certain >> still-widely-deployed version of a certain desktop OS that doesn't >> support it, unfortunately. > > I had changed it to: > > if the server hosts more than one domain then the certificate it > presents might be based on a DNS domain name specified by the > client when initiating communication (e.g., using a Server Name > Indication during TLS negotiation as described in [TLS-EXT]). > > That seems suitably vague about how common SNI is. But per your message > I think this might belong in a different place. > >>> We could say "and if the server hosts more than one domain then the >>> certificate presented is typically based..." >> >> Upon re-reading what we presently have in -11 for [S1.1], I don't think >> we need to introduce in that intro paragraph the notion of >> disambiguating names in a multi-domain situation. I'd leave that para >> as-is. > > Yes, I'd already removed any mention of SNI from Section 1.1. thx. > >> in terms of the defn for "presented identifier" in [S1.5], I'd update it >> like so (I don't think mentioning SNI is reasonable in that defn proper).. >> >> presented identifier: An identifier that is presented by a server >> to a client within a PKIX certificate when the client attempts to >> establish a secure connection with the server; the certificate can >> include one or more presented identifiers of different types, and >> if the server hosts more than one domain then the certificate might >> present distinct identifiers for each domain. > > WFM. super. > >> I'm wondering if we ought to add an "implementation note" at the end of >> [S3.1] where we mention why one might have a cert with multiple >> presented identifiers or a client may employ SNI. >> >> >> Implementation Note: <snip/> >> >> of course, the FDA notes that the above will require generous >> wordsmithing before use. > > Wordsmithed as follows: > > ## > > 5.4. Multiple Identifiers > > A given application service might be addressed by multiple DNS domain > names for a variety of reasons, and a given deployment might service > multiple domains (e.g., in so-called "virtual hosting" environments). > In the default TLS handshake exchange, the client is not able to > indicate the DNS domain name with which it wants to communicate, and > the TLS server returns only one certificate for itself. Absent an > extension to TLS, a typical workaround used to facilitate mapping an > application service to multiple DNS domain names is to embed all of > the domain names into a single certificate. > > A more recent approach, formally specified in [TLS-EXT], is for the > client to use the TLS "Server Name Indication" (SNI) extension when > sending the client_hello message, stipulating the DNS domain name it > desires or expects of the service. The service can then return the > appropriate certificate in its Certificate message, and that > certificate can represent a single DNS domain name. > > To accommodate the workaround that was needed before the development > of the SNI extension, this specification allows multiple DNS-IDs, > SRV-IDs, or URI-IDs in a certificate; however, it explicitly > discourages multiple CN-IDs. Although it would be preferable to > forbid multiple CN-IDs entirely, there are several reasons at this > time why this specification states that they SHOULD NOT (instead of > MUST NOT) be included: > > o At least one significant technology community of interest > explicitly allows multiple CN-IDs [EV-CERTS]. > > o At least one significant certification authority is known to issue > certificates containing multiple CN-IDs. > > o Many service providers often deem inclusion of multiple CN-IDs > necessary in virtual hosting environments because at least one > widely-deployed operating system does not yet support the SNI > extension [TLS-EXT]. > > It is hoped that the recommendation regarding multiple CN-IDs can be > further tightened in the future. > > ### excellent smithing there, thanks. =JeffH
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… =JeffH
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- [certid] Gen-ART LC Review of draft-saintandre-tl… Ben Campbell
- Re: [certid] Gen-ART LC Review of draft-saintandr… Jeffrey A. Williams
- Re: [certid] Gen-ART LC Review of draft-saintandr… =JeffH
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… Paul Hoffman
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] Gen-ART LC Review of draft-saintandr… Ben Campbell
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… =JeffH
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… =JeffH
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] Gen-ART LC Review of draft-saintandr… =JeffH
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… =JeffH
- Re: [certid] Gen-ART LC Review of draft-saintandr… =JeffH
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… =JeffH