Re: [dane] "Name Checks are not appropriate for CU=3"

Stephen Kent <kent@bbn.com> Mon, 20 January 2014 14:47 UTC

Return-Path: <kent@bbn.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B6B81A0175 for <dane@ietfa.amsl.com>; Mon, 20 Jan 2014 06:47:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.036
X-Spam-Level:
X-Spam-Status: No, score=-2.036 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5Eyn-Ju37lYx for <dane@ietfa.amsl.com>; Mon, 20 Jan 2014 06:47:15 -0800 (PST)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id C990B1A015C for <dane@ietf.org>; Mon, 20 Jan 2014 06:47:15 -0800 (PST)
Received: from dhcp89-089-218.bbn.com ([128.89.89.218]:54452) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1W5G8B-000NsC-Io for dane@ietf.org; Mon, 20 Jan 2014 09:47:15 -0500
Message-ID: <52DD36F5.9090608@bbn.com>
Date: Mon, 20 Jan 2014 09:47:17 -0500
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: dane@ietf.org
References: <20140116151959.4AA021ABB0@ld9781.wdf.sap.corp> <52D80CC4.9020407@bbn.com> <52D81875.6050705@nist.gov> <20140116180810.GN2317@mournblade.imrryr.org>
In-Reply-To: <20140116180810.GN2317@mournblade.imrryr.org>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [dane] "Name Checks are not appropriate for CU=3"
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jan 2014 14:47:17 -0000

Viktor,

> On Thu, Jan 16, 2014 at 12:35:49PM -0500, Stephen Nightingale wrote:
>
>> Granted the cert even for Cert Use DANE-EE(3) must be well-formed in
>> order to see what's in it.
>>
>> But I believe Victor's main point is that the only field *value*
>> that matters for DANE-EE(3) is the Public Key.  Issuer, Common Name
>> and SubjectAltName are just deckchairs.
> Correct, the point is that DANE verification makes no use of these values,
> if however underlying libraries are likely to object, certificates like
> this should perhaps be avoided.  Note however, that this means that a
> certificate with an empty subject DN can never be self-signed.
yep.
> I'll strive to avoid publishing examples that are likely to fail
> interoperability tests.  For what it is worth, OpenSSL does not
> mind empty subject and issuer DNs even without a SAN extension, if
> the application layer does not object.  The DANE verification code
> I wrote on top of OpenSSL likewise does not object with usage
> DANE-EE(3).
OpenSSL is a collection of libraries which do not represent a
reference implementation of 5280 or X.509 standards.
> So my instructions to users will have to suggest something like:
>
> 	openssl req ... -subj "/CN=?"
>
> for self signed certificates that are intended solely for DANE-EE(3) use.
>
Using the question mark seems OK, better than an asterisk, which might
be interpreted by some as a widlcard.

Steve