Re: [dane] "Name Checks are not appropriate for CU=3"
Viktor Dukhovni <viktor1dane@dukhovni.org> Thu, 16 January 2014 18:08 UTC
Date: Thu, 16 Jan 2014 18:08:10 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140116180810.GN2317@mournblade.imrryr.org>
References: <20140116151959.4AA021ABB0@ld9781.wdf.sap.corp> <52D80CC4.9020407@bbn.com> <52D81875.6050705@nist.gov>
In-Reply-To: <52D81875.6050705@nist.gov>
Subject: Re: [dane] "Name Checks are not appropriate for CU=3"
On Thu, Jan 16, 2014 at 12:35:49PM -0500, Stephen Nightingale wrote:

> Granted the cert even for Cert Use DANE-EE(3) must be well-formed in
> order to see what's in it.
>
> But I believe Viktor's main point is that the only field *value*
> that matters for DANE-EE(3) is the Public Key. Issuer, Common Name
> and SubjectAltName are just deckchairs.

Correct, the point is that DANE verification makes no use of these
values. If, however, underlying libraries are likely to object,
certificates like this should perhaps be avoided.

Note, however, that this means that a certificate with an empty subject
DN can never be self-signed.

I'll strive to avoid publishing examples that are likely to fail
interoperability tests.

For what it is worth, OpenSSL does not mind empty subject and issuer
DNs even without a SAN extension, if the application layer does not
object. The DANE verification code I wrote on top of OpenSSL likewise
does not object with usage DANE-EE(3).

So my instructions to users will have to suggest something like:

    openssl req ... -subj "/CN=?"

for self-signed certificates that are intended solely for DANE-EE(3) use.

--
	Viktor.
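As an added example that is not from this thread and not Viktor's DANE code: a POSIX shell script that generates a self-signed certificate with the placeholder subject suggested above, derives its DANE-EE(3) TLSA record (selector SPKI, matching type SHA-256, i.e. "3 1 1"), and checks a presented certificate against that record by public key alone, so the issuer, CN and SAN never enter the comparison. It assumes only that the openssl CLI is installed.

```shell
#!/bin/sh
# Added example (not from the thread). Shows why name fields are
# irrelevant for DANE-EE(3): the TLSA "3 1 1" record binds only the
# SHA-256 of the DER SubjectPublicKeyInfo, and matching compares only that.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed cert with the placeholder subject the post suggests for
# certificates meant solely for DANE-EE(3). The name is meaningless.
make_cert() {   # $1 = basename; writes $WORK/$1.key and $WORK/$1.pem
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        -subj "/CN=?" -days 1 >/dev/null 2>&1
}

# Hex SHA-256 of the DER SubjectPublicKeyInfo extracted from a PEM cert.
spki_sha256() {   # $1 = PEM certificate
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 | sed 's/.*= //'
}

# TLSA RDATA "usage selector matching-type data" for DANE-EE(3)/SPKI/SHA-256.
tlsa_rdata() {   # $1 = PEM certificate
    printf '3 1 1 %s\n' "$(spki_sha256 "$1")"
}

# Succeeds (exit 0) only when the presented cert's SPKI digest equals the
# record's association data. No issuer, CN or SAN is ever consulted.
dane_ee_match() {   # $1 = TLSA RDATA, $2 = presented PEM certificate
    cert=$2
    set -- $1                     # split RDATA into its four fields
    [ "$1" = 3 ] && [ "$2" = 1 ] && [ "$3" = 1 ] || return 1
    [ "$4" = "$(spki_sha256 "$cert")" ]
}

# Demo: publish a record for cert "a" and confirm it matches itself.
make_cert a
REC=$(tlsa_rdata "$WORK/a.pem")
echo "TLSA RDATA for a.pem: $REC"
dane_ee_match "$REC" "$WORK/a.pem" && echo "a.pem matches its own record"
```

A second certificate generated the same way, with the identical "/CN=?" subject, fails the match because its key differs; this is the whole of what DANE-EE(3) checks.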