Re: [dane] "Name Checks are not appropriate for CU=3"

Viktor Dukhovni <viktor1dane@dukhovni.org> Tue, 14 January 2014 16:31 UTC

Date: Tue, 14 Jan 2014 16:31:18 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140114163118.GB2317@mournblade.imrryr.org>
References: <52D55E7E.1090702@nist.gov>
In-Reply-To: <52D55E7E.1090702@nist.gov>

On Tue, Jan 14, 2014 at 10:57:50AM -0500, Stephen Nightingale wrote:

> Per the BCP, section 3.3 on Certificate Name Check conventions, the
> Note says that "except with certificate usage 3, where name checks
> are not applicable (see section 4.1) ....."
> 
> Section 4.1 is presently empty.  Is there a notion of populating the
> Type Specific DANE Guidelines in section 4?

Yes, I added the new text last week.  Wes should be reviewing it today,
so your timing is perfect.

You can grab a copy at:

	https://github.com/vdukhovni/ietf.git

> From all the above I take it to mean that if the Subject Alt Name in
> the TLS Server served certificate differs from the domain name in
> the TLSA record (for example it offers an email address instead of a
> DNS label or wildcard), it doesn't matter because we don't check it.

Yes, and in fact there need not be any subjectAltNames, the subject
DN may be an empty sequence, and the certificate may be either
already expired, not yet valid, or both.  With usage 3 the TLSA
record binds the service end-point directly to a public key; the
certificate itself is just a public-key container.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: 
        Validity
            Not Before: Jan 14 16:25:19 2014 GMT
            Not After : Jan 13 16:25:19 2014 GMT
        Subject: 
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub: 
                    04:ae:38:28:5a:22:68:0b:40:6d:51:c3:14:17:4d:
                    99:51:50:21:88:0f:01:c2:a3:0d:f2:02:28:07:a4:
                    93:07:22:fd:e9:82:88:f9:6e:da:4c:43:3f:3e:24:
                    4b:9d:aa:fe:8e:6a:f7:af:48:e1:7b:e5:25:77:05:
                    ec:37:d9:54:8a
                ASN1 OID: prime256v1
    Signature Algorithm: ecdsa-with-SHA256
        30:45:02:20:3b:cf:71:f5:21:ce:69:2f:82:49:37:ee:ee:7b:
        4d:f9:6a:36:a9:f6:f4:9c:29:43:f8:51:b0:b2:dc:63:9a:c8:
        02:21:00:e2:2f:d2:61:ef:3b:56:c0:4a:a4:3e:e0:67:17:9c:
        7c:3b:41:b1:7e:f0:23:22:7d:55:80:aa:4d:85:a1:0f:05
-----BEGIN CERTIFICATE-----
MIHsMIGToAMCAQICAQEwCgYIKoZIzj0EAwIwADAeFw0xNDAxMTQxNjI1MTlaFw0x
NDAxMTMxNjI1MTlaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASuOChaImgL
QG1RwxQXTZlRUCGIDwHCow3yAigHpJMHIv3pgoj5btpMQz8+JEudqv6OavevSOF7
5SV3Bew32VSKMAoGCCqGSM49BAMCA0gAMEUCIDvPcfUhzmkvgkk37u57TflqNqn2
9JwpQ/hRsLLcY5rIAiEA4i/SYe87VsBKpD7gZxecfDtBsX7wIyJ9VYCqTYWhDwU=
-----END CERTIFICATE-----

-- 
	Viktor.
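Added example, not code from the draft or from this message: standard-library Python that walks the DER of the certificate pasted above (its base64 is embedded verbatim), hashes the SubjectPublicKeyInfo into a "3 1 1" TLSA record and performs the usage 3 match, which consults neither issuer, subject, subjectAltNames nor validity. The minimal DER walker is my own and handles only what a certificate needs; choosing selector 1 and matching type 1 is an assumption made for the example.

```python
import base64
import hashlib

CERT_DER = base64.b64decode(  # the certificate pasted in the message above, copied verbatim
    "MIHsMIGToAMCAQICAQEwCgYIKoZIzj0EAwIwADAeFw0xNDAxMTQxNjI1MTlaFw0x"
    "NDAxMTMxNjI1MTlaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASuOChaImgL"
    "QG1RwxQXTZlRUCGIDwHCow3yAigHpJMHIv3pgoj5btpMQz8+JEudqv6OavevSOF7"
    "5SV3Bew32VSKMAoGCCqGSM49BAMCA0gAMEUCIDvPcfUhzmkvgkk37u57TflqNqn2"
    "9JwpQ/hRsLLcY5rIAiEA4i/SYe87VsBKpD7gZxecfDtBsX7wIyJ9VYCqTYWhDwU=")

def der_tlv(buf, off):
    """(tag, content_start, content_end) of the TLV at off; short and long-form lengths."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                     # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def der_children(buf, start, end):
    """(tag, tlv_start, content_start, content_end) for every TLV inside [start, end)."""
    out, off = [], start
    while off < end:
        tag, s, e = der_tlv(buf, off)
        out.append((tag, off, s, e))
        off = e
    return out

def tbs_fields(der):
    """tbsCertificate fields minus the optional [0] version: serial, sigAlg, issuer, validity, subject, spki, ..."""
    _, s, e = der_tlv(der, 0)                      # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, _, ts, te = der_children(der, s, e)[0]
    fields = der_children(der, ts, te)
    return fields[1:] if fields[0][0] == 0xA0 else fields

def spki_der(der):
    _, start, _, end = tbs_fields(der)[5]
    return der[start:end]                          # raw SubjectPublicKeyInfo, what selector 1 covers

def validity(der):
    _, _, s, e = tbs_fields(der)[3]
    nb, na = der_children(der, s, e)
    return der[nb[2]:nb[3]].decode(), der[na[2]:na[3]].decode()   # (notBefore, notAfter) UTCTime

def tlsa_record(der):
    """Presentation-form '3 1 1 <hex>' record: DANE-EE, SPKI selector, SHA-256 matching."""
    return "3 1 1 " + hashlib.sha256(spki_der(der)).hexdigest()

def dane_ee_match(der, record):
    """Usage 3: only the key is compared; issuer, subject, SANs and validity are never consulted."""
    return " ".join(record.lower().split()) == tlsa_record(der)
```

validity(CERT_DER) returns a notAfter that precedes notBefore, and the issuer and subject fields from tbs_fields are empty SEQUENCEs, yet dane_ee_match still returns True for the record that tlsa_record builds from the same certificate.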