Re: [certid] CN-ID and name constraints

Peter Saint-Andre <stpeter@stpeter.im> Wed, 29 September 2010 21:37 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 75CF33A6C43 for <certid@core3.amsl.com>; Wed, 29 Sep 2010 14:37:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.544
X-Spam-Level:
X-Spam-Status: No, score=-102.544 tagged_above=-999 required=5 tests=[AWL=0.055, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c0iOe077G17n for <certid@core3.amsl.com>; Wed, 29 Sep 2010 14:37:12 -0700 (PDT)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com (Postfix) with ESMTP id 8B56D3A6AEA for <certid@ietf.org>; Wed, 29 Sep 2010 14:37:09 -0700 (PDT)
Received: from moveme.cisco.com (72-163-0-129.cisco.com [72.163.0.129]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 90610403DF; Wed, 29 Sep 2010 15:43:26 -0600 (MDT)
Message-ID: <4CA3B1B0.2040106@stpeter.im>
Date: Wed, 29 Sep 2010 15:37:52 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.12) Gecko/20100914 Thunderbird/3.0.8
MIME-Version: 1.0
To: Matt McCutchen <matt@mattmccutchen.net>
References: <201009250309.o8P39Sc7016343@fs4113.wdf.sap.corp> <1285450341.1940.79.camel@mattlaptop2.local>
In-Reply-To: <1285450341.1940.79.camel@mattlaptop2.local>
X-Enigmail-Version: 1.0.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Cc: certid@ietf.org
Subject: Re: [certid] CN-ID and name constraints
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Sep 2010 21:37:16 -0000

On 9/25/10 3:32 PM, Matt McCutchen wrote:

Cutting to the chase...

> I propose that section 4.4.4 be changed as follows:
> 
> Old: "...the client MAY as a fallback check for a string whose form
> matches that of a fully-qualified DNS domain name in the CN-ID."
> 
> New: "...the client MAY as a fallback check for a string whose form
> matches that of a fully-qualified DNS domain name in the CN-ID, provided
> that this domain name satisfies any name constraints on the
> certification path as defined by [PKIX] section 4.2.1.10."

Thank you for proposing text.

Given that the server-id-check document is downstream from RFC 5280,
it's not clear to me why we need to mention that name constraints apply.
I'm especially wondering why this spec would mention name constraints
with respect to CN-IDs but not with respect to DNS-IDs, URI-IDs, or
SRV-IDs, given that Section 4.2.1.10 of RFC 5280 states in part:

   The name constraints extension, which MUST be used only in a CA
   certificate, indicates a name space within which all subject names in
   subsequent certificates in a certification path MUST be located.
   Restrictions apply to the subject distinguished name and apply to
   subject alternative names.

RFC 4985 explicitly mentions name constraints with respect to SRVNames,
but that makes sense because it is defining a new name form for the
subjectAltName extension of type otherName, which is not mentioned in
RFC 3280 / RFC 5280, as mentioned in RFC 5280:

   The syntax and semantics for name constraints for otherName,
   ediPartyName, and registeredID are not defined by this specification,
   however, syntax and semantics for name constraints for other name
   forms may be specified in other documents.

Thus I think this is out of scope for the server-id-check document, but
I'm open to being convinced otherwise (and I'm not yet sure whether my
co-author agrees with me).

Peter

-- 
Peter Saint-Andre
https://stpeter.im/