[dane] "Name Checks are not appropriate for CU=3"

Stephen Nightingale <night@nist.gov> Tue, 14 January 2014 15:58 UTC

Return-Path: <stephen.nightingale@nist.gov>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 862921AE017 for <dane@ietfa.amsl.com>; Tue, 14 Jan 2014 07:58:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.738
X-Spam-Status: No, score=-4.738 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.538] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id CEOyLgQWUIrN for <dane@ietfa.amsl.com>; Tue, 14 Jan 2014 07:58:51 -0800 (PST)
Received: from wsget2.nist.gov (wsget2.nist.gov []) by ietfa.amsl.com (Postfix) with ESMTP id 4A7021ADFCD for <dane@ietf.org>; Tue, 14 Jan 2014 07:58:51 -0800 (PST)
Received: from WSXGHUB1.xchange.nist.gov ( by wsget2.nist.gov ( with Microsoft SMTP Server (TLS) id; Tue, 14 Jan 2014 10:58:06 -0500
Received: from postmark.nist.gov ( by WSXGHUB1.xchange.nist.gov ( with Microsoft SMTP Server (TLS) id 8.3.327.1; Tue, 14 Jan 2014 10:58:38 -0500
Received: from [] (31-140.antd.nist.gov []) by postmark.nist.gov (8.13.8/8.13.1) with ESMTP id s0EFwSDh019459; Tue, 14 Jan 2014 10:58:29 -0500
Message-ID: <52D55E7E.1090702@nist.gov>
Date: Tue, 14 Jan 2014 10:57:50 -0500
From: Stephen Nightingale <night@nist.gov>
Organization: NIST
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: <dane@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [dane] "Name Checks are not appropriate for CU=3"
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: night@nist.gov
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jan 2014 15:58:52 -0000

Per the BCP, section 3.3 on Certificate Name Check conventions, the Note 
says that "except with certificate usage 3, where name checks are not 
applicable (see section 4.1) ....."

Section 4.1 is presently empty.  Is there a notion of populating the 
Type Specific DANE Guidelines in section 4?

 From all the above I take it to mean that if the Subject Alt Name in 
the TLS Server served certificate  differs from the domain name in the 
TLSA record (for example it offers an email address instead of a DNS 
label or wildcard), it doesn't matter because we don't check it.