Re: [dane] "Name Checks are not appropriate for CU=3"

mrex@sap.com (Martin Rex) Sat, 18 January 2014 00:14 UTC

Return-Path: <mrex@sap.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99EDD1AD8EF for <dane@ietfa.amsl.com>; Fri, 17 Jan 2014 16:14:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.552
X-Spam-Level:
X-Spam-Status: No, score=-6.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J4rbCAAxlqxr for <dane@ietfa.amsl.com>; Fri, 17 Jan 2014 16:14:39 -0800 (PST)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id 862BA1AD8ED for <dane@ietf.org>; Fri, 17 Jan 2014 16:14:38 -0800 (PST)
Received: from mail05.wdf.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id s0I0EPR3010001 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <dane@ietf.org>; Sat, 18 Jan 2014 01:14:25 +0100 (MET)
In-Reply-To: <20140117225019.5E33E1ABB3@ld9781.wdf.sap.corp>
To: mrex@sap.com
Date: Sat, 18 Jan 2014 01:14:25 +0100 (CET)
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20140118001425.65FBF1ABB3@ld9781.wdf.sap.corp>
From: mrex@sap.com (Martin Rex)
X-SAP: out
Cc: dane@ietf.org
Subject: Re: [dane] "Name Checks are not appropriate for CU=3"
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Jan 2014 00:14:41 -0000

Martin Rex wrote:
> 
> Your example populated the "notbefore" and "notafter" members with
> conflicting values (i.e. notafter>notbefore).  This may needlessly
> create a problem with implementations that check notbefore/notafter
> even for trust anchors.

Ooops, typo, I meant (notbefore>notafter) is bogus:

>
> issuer= /CN=*
> notBefore=Jan 17 06:18:09 2014 GMT
> notAfter=Jan 16 06:18:09 2014 GMT
> subject= /CN=*

When I've been creating self-signed certs in the past,
then with "notBefore" set to "now minus 24hours" and
"notAfter" set to Jan 1, 2038.  The latter to reduce potential
interop problems with older 32-bit PKIX implementations that may
try to convert the date into a 32-bit time_t value on ASN.1 decode.

One of these days I will have to change the code to use
a notafter "Dec 1, 2049" (so that it still encodes as UTCTime rather
than GeneralizedTime), and maybe in 10 years it will be safe to
use a value like "Dec 1, 2999".

-Martin

PS: if anyone is wondering why the "year 3000" avoidance:
    I'm just trying to be conservative in what I send out, and I've
    encountered one platform where the vendor decided that a C89
    program which passes a (64-bit) time_t that represents a date
    after 23:59:59, December 31, 3000 to some of the C89 time-related
    functions such as gmtime() should be crashed (i.e. fatally terminated)
    rather than see the behaviour described in the C89 specification.