Re: [certid] [Spam] Re: URI match

Shumon Huque <shuque@isc.upenn.edu> Thu, 01 April 2010 17:22 UTC

Return-Path: <shuque@isc.upenn.edu>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C82E93A6B1E for <certid@core3.amsl.com>; Thu, 1 Apr 2010 10:22:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.54
X-Spam-Level:
X-Spam-Status: No, score=-0.54 tagged_above=-999 required=5 tests=[AWL=0.929, BAYES_00=-2.599, DNS_FROM_OPENWHOIS=1.13]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GcBLjq6yY5Ww for <certid@core3.amsl.com>; Thu, 1 Apr 2010 10:22:49 -0700 (PDT)
Received: from talkeetna.isc-net.upenn.edu (TALKEETNA.isc-net.upenn.edu [128.91.197.188]) by core3.amsl.com (Postfix) with ESMTP id EC6413A6AF9 for <certid@ietf.org>; Thu, 1 Apr 2010 10:22:48 -0700 (PDT)
Received: by talkeetna.isc-net.upenn.edu (Postfix, from userid 4127) id 8B1FD2990; Thu, 1 Apr 2010 13:23:21 -0400 (EDT)
Date: Thu, 1 Apr 2010 13:23:21 -0400
From: Shumon Huque <shuque@isc.upenn.edu>
To: Scott Cantor <cantor.2@osu.edu>
Message-ID: <20100401172321.GB29240@isc.upenn.edu>
References: <201003231500.05187.ludwig.nussel@suse.de> <4BB3C8D6.5030402@stpeter.im> <022c01cad12c$747102d0$5d530870$%2@osu.edu> <002401cad17f$60048080$200d8180$@eu> <025501cad1bc$a6d6eb00$f484c100$@2@osu.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <025501cad1bc$a6d6eb00$f484c100$@2@osu.edu>
User-Agent: Mutt/1.4.2.1i
Organization: University of Pennsylvania
Cc: certid@ietf.org
Subject: Re: [certid] [Spam] Re: URI match
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Apr 2010 17:22:49 -0000

On Thu, Apr 01, 2010 at 12:59:11PM -0400, Scott Cantor wrote:
> > It seems that there is a general requirement for URI matching. URIs are not
> > only used in subjectAltName, but are used in X.500 in general, i.e., for
> > RFID support. Defining uniformResourceIdentifier as just an IA5String may
> > also be a simplification.
> 
> However, matching on URI makes a lot more sense as a certificate constraint
> if you also stop at that point rather than continuing to DNS or CN-based
> matching. If you just keep going, it's not worth much.

Right. Most current software relies on being able to match any one
identity in the certificate. If there are multiple identities, then
the algorithm that should be used is to match more specific identities
first (e.g., URI/SRVName before dNSName, etc.). I forget whether the
draft says that or not, but we discussed it.

Another way around this is to use URI/SRVName, but also have a 
dNSName that includes an "application specific server name" which
might need to be locally configured in the client. See:

  http://www.ietf.org/mail-archive/web/apps-discuss/current/msg00935.html

In fact, for anyone not in the apps list, I'd recommend reading
the entire thread where some of these issues were discussed:

  http://www.ietf.org/mail-archive/web/apps-discuss/current/msg00902.html

--Shumon.
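As an added illustration of the precedence rule discussed above (this is example code, not code from the message, the certid draft, or any of the participants), the following sketches a client-side matcher that compares the most specific identity types first (SRVName, then URI, then dNSName) and, in line with the "stop at that point" argument, treats the outcome at the most specific level it can evaluate as final rather than falling through to a dNSName match. The (type, value) tuple representation of subjectAltName entries, the ReferenceIdentifiers structure, the normalisation rules and the sample identities (`_xmpp-client.example.com`, `sip:example.com`, `xmpp.example.com`) are all assumptions made for this example; wildcard dNSName handling and CN fallback are deliberately out of scope.

```python
"""Precedence-ordered certificate identity matching (added example).

Not code from the message or the certid draft. The subjectAltName
representation (a list of (type, value) tuples), the reference-identifier
structure and the normalisation rules are assumptions of this example.
"""

from dataclasses import dataclass, field

# Most specific type first. CN is deliberately absent: it would only be a
# fallback when no subjectAltName identity is present at all.
PRECEDENCE = ("SRVName", "URI", "DNS")


@dataclass
class ReferenceIdentifiers:
    """What the client is willing to accept: derived from the name the user
    asked for, plus any locally configured application-specific server name
    (the dNSName idea referenced in the message)."""
    srv: set = field(default_factory=set)   # e.g. {"_xmpp-client.example.com"}
    uri: set = field(default_factory=set)   # e.g. {"sip:example.com"}
    dns: set = field(default_factory=set)   # e.g. {"example.com", "xmpp.example.com"}

    def for_type(self, alt_type):
        return {"SRVName": self.srv, "URI": self.uri, "DNS": self.dns}[alt_type]


def _normalize(alt_type, value):
    """Case-fold and strip a trailing dot. Simplified on purpose: real URI
    comparison is scheme-specific; here the URI identities are scheme:host."""
    value = value.strip()
    if alt_type in ("DNS", "SRVName"):
        return value.lower().rstrip(".")
    if alt_type == "URI":
        scheme, sep, rest = value.partition(":")
        return scheme.lower() + sep + rest.lower()
    return value


def match_identity(san_entries, refs):
    """Return (accepted, reason).

    san_entries: list of (type, value) tuples taken from subjectAltName.
    refs: ReferenceIdentifiers the client expects.

    Walks the identity types from most to least specific. A type the
    certificate does not present, or one the client has no reference
    identifier for, is skipped. The first type that both sides can speak
    decides the outcome: a match accepts, a mismatch rejects without
    trying a less specific type.
    """
    presented = {}
    for alt_type, value in san_entries:
        presented.setdefault(alt_type, set()).add(_normalize(alt_type, value))

    for alt_type in PRECEDENCE:
        if alt_type not in presented:
            continue                      # certificate says nothing at this level
        wanted = {_normalize(alt_type, r) for r in refs.for_type(alt_type)}
        if not wanted:
            continue                      # client cannot evaluate this level
        if presented[alt_type] & wanted:
            return True, f"matched {alt_type}"
        # The certificate asserts this identity type and the client knows what
        # it expects: the mismatch is final. Falling through to a dNSName match
        # would make the more specific constraint meaningless.
        return False, f"{alt_type} present but no match; not falling back"

    return False, "no matching identity type presented"


if __name__ == "__main__":
    refs = ReferenceIdentifiers(uri={"sip:example.com"}, dns={"example.com"})
    # Constructed certificate: wrong URI, but a dNSName that would match.
    print(match_identity([("URI", "sip:other.example"), ("DNS", "example.com")], refs))
```

Running the module shows the case Scott raises: the certificate's dNSName matches, but because it also presents a URI the client can evaluate and that URI does not match, the check fails instead of silently succeeding on the less specific name. Swap the reference identifiers for ones with no `uri` entry and the same certificate is accepted on its dNSName, which is the behaviour of a client that does not understand URI identities.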