[dane] draft-ietf-dane-srv-03.txt: name checks, ...
Viktor Dukhovni <viktor1dane@dukhovni.org> Thu, 19 December 2013 17:30 UTC
Date: Thu, 19 Dec 2013 17:30:27 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20131219173027.GB1285@mournblade.imrryr.org>
References: <20131219160710.8908.47958.idtracker@ietfa.amsl.com>
On Thu, Dec 19, 2013 at 08:07:10AM -0800, internet-drafts@ietf.org wrote:

>         Filename        : draft-ietf-dane-srv-03.txt
>         Date            : 2013-12-13

Section 5 (no exception for usage 3):
Section 7 (MUST and SHOULD on server name are too strong):
Section 10.3 (no exception for usage 3):

This still conflicts with the smtp-with-dane and ops drafts with
respect to name checks (server identity checks) in usage 3.

In the two conflicting documents usage 3 certificates are validated
exclusively by matching against DANE TLSA RRs. No name checks, key
usage checks, expiration checks, ... apply with usage 3. Rather,
the binding of the EE certificate to the service end-point is entirely
established by the DNSSEC TLSA record (also its validity lifetime is
the lifetime of the TLSA record).

Correspondingly, all requirements on the content of the server
certificate are relaxed with usage 3; it may, if desired, contain
no identity information.

For example, given the following TLSA record:

    _25._tcp.mail.example. IN TLSA 3 1 1 \
        4D8CC746810AB5C7D7D24EE2A78AA6D5 \
        687E5CCA54A85846DAACD71E1B172F00

the below would be a valid certificate (which is, absent DANE,
anonymous and never valid):

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1 (0x1)
        Signature Algorithm: ecdsa-with-SHA256
            Issuer:
            Validity
                Not Before: Dec 19 17:16:51 2013 GMT
                Not After : Dec 18 17:16:51 2013 GMT
            Subject:
            Subject Public Key Info:
                Public Key Algorithm: id-ecPublicKey
                    Public-Key: (256 bit)
                    pub:
                        ...
                    ASN1 OID: prime256v1
        Signature Algorithm: ecdsa-with-SHA256
            ...
    -----BEGIN CERTIFICATE-----
    MIHsMIGToAMCAQICAQEwCgYIKoZIzj0EAwIwADAeFw0xMzEyMTkxNzE2NTFaFw0x
    MzEyMTgxNzE2NTFaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARIR1J5ykq+
    0/4O7VBur2Sv9tgrMvql0kzZzuaMxyFWxbL9bNtkT3zcjrXHVxdhZOZLZo9Fs5AI
    MW+zRCwxNcbbMAoGCCqGSM49BAMCA0gAMEUCIFkPVySlkXTbg6mlEUbDGrABN+a2
    V9aZR87f+1X+JKydAiEAwlccNJAVHQmkU5kVelXbx8UsVc66Q8Qt6QrT1L5Xg10=
    -----END CERTIFICATE-----

-- 
	Viktor.
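To make concrete what "validated exclusively by matching against DANE TLSA RRs" means for a "3 1 1" record, here is an added example (editor's code, not from the draft or the poster) using only the Python standard library: a minimal DER walker pulls the SubjectPublicKeyInfo out of the certificate above, computes the selector-1/matching-type-1 digest that a DANE-EE verifier compares with the record data, and separately evaluates the PKIX expiry check that usage 3 does not apply (this certificate's notAfter precedes its notBefore, so PKIX would never accept it). The walker handles only the fields needed here; a production verifier should use a full X.509 library.

```python
import base64
import hashlib
# Copied from the message above: the record's matching data and the author's cert.
TLSA_DATA_HEX = ("4D8CC746810AB5C7D7D24EE2A78AA6D5"
                 "687E5CCA54A85846DAACD71E1B172F00")
CERT_PEM = """-----BEGIN CERTIFICATE-----
MIHsMIGToAMCAQICAQEwCgYIKoZIzj0EAwIwADAeFw0xMzEyMTkxNzE2NTFaFw0x
MzEyMTgxNzE2NTFaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARIR1J5ykq+
0/4O7VBur2Sv9tgrMvql0kzZzuaMxyFWxbL9bNtkT3zcjrXHVxdhZOZLZo9Fs5AI
MW+zRCwxNcbbMAoGCCqGSM49BAMCA0gAMEUCIFkPVySlkXTbg6mlEUbDGrABN+a2
V9aZR87f+1X+JKydAiEAwlccNJAVHQmkU5kVelXbx8UsVc66Q8Qt6QrT1L5Xg10=
-----END CERTIFICATE-----"""
def pem_to_der(pem):
    return base64.b64decode("".join(l for l in pem.splitlines() if "-----" not in l))

def der_tlv(buf, pos):
    """Decode one DER header at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_children(buf, start, end):
    """Elements of a constructed value -> (tag, tlv_start, value_start, value_end)."""
    pos = start
    while pos < end:
        tag, vstart, vend = der_tlv(buf, pos)
        yield tag, pos, vstart, vend
        pos = vend

def parse_cert(der):
    """Return the validity UTCTime strings and the raw SubjectPublicKeyInfo TLV."""
    _, tbs_pos, _ = der_tlv(der, 0)                   # Certificate ::= SEQUENCE
    _, start, end = der_tlv(der, tbs_pos)             # tbsCertificate ::= SEQUENCE
    fields = list(der_children(der, start, end))
    if fields[0][0] == 0xA0:                          # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    _, _, vstart, vend = fields[3]
    times = [der[a:b].decode() for _, _, a, b in der_children(der, vstart, vend)]
    _, spki_pos, _, spki_end = fields[5]
    return {"not_before": times[0], "not_after": times[1], "spki": der[spki_pos:spki_end]}
def tlsa_311_matching_data(der):   # selector 1 (SPKI), matching type 1 (SHA-256)
    return hashlib.sha256(parse_cert(der)["spki"]).hexdigest()
def dane_ee_matches(der, tlsa_hex):   # usage 3: the SPKI digest is the whole check
    return tlsa_311_matching_data(der) == tlsa_hex.lower()
def pkix_time_valid(der, now_utctime):   # the expiry check usage 3 does not apply
    c = parse_cert(der)
    return c["not_before"] <= now_utctime <= c["not_after"]
```

Calling `dane_ee_matches(pem_to_der(CERT_PEM), TLSA_DATA_HEX)` reports whether the posted record data equals this certificate's SPKI digest, while `pkix_time_valid(pem_to_der(CERT_PEM), "131219171651Z")` is False even at the issue instant, since notAfter is a day earlier than notBefore.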