Re: [dane] "Name Checks are not appropriate for CU=3"

Viktor Dukhovni <viktor1dane@dukhovni.org> Thu, 16 January 2014 18:08 UTC

Date: Thu, 16 Jan 2014 18:08:10 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140116180810.GN2317@mournblade.imrryr.org>
References: <20140116151959.4AA021ABB0@ld9781.wdf.sap.corp> <52D80CC4.9020407@bbn.com> <52D81875.6050705@nist.gov>
In-Reply-To: <52D81875.6050705@nist.gov>

On Thu, Jan 16, 2014 at 12:35:49PM -0500, Stephen Nightingale wrote:

> Granted the cert even for Cert Use DANE-EE(3) must be well-formed in
> order to see what's in it.
>
> But I believe Viktor's main point is that the only field *value*
> that matters for DANE-EE(3) is the Public Key.  Issuer, Common Name
> and SubjectAltName are just deckchairs.

Correct: the point is that DANE verification makes no use of these values.
If, however, underlying libraries are likely to object, certificates like
this should perhaps be avoided.  Note, however, that this means that a
certificate with an empty subject DN can never be self-signed.

I'll strive to avoid publishing examples that are likely to fail
interoperability tests.  For what it is worth, OpenSSL does not
mind empty subject and issuer DNs even without a SAN extension, if
the application layer does not object.  The DANE verification code
I wrote on top of OpenSSL likewise does not object with usage
DANE-EE(3).

So my instructions to users will have to suggest something like:

	openssl req ... -subj "/CN=?"

for self-signed certificates that are intended solely for DANE-EE(3) use.

-- 
	Viktor.
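An added example, not part of this message or of OpenSSL itself, showing the suggested "/CN=?" subject in practice: a key, a self-signed certificate with that subject, and the DANE-EE(3) TLSA "3 1 1" data derived from it. It also signs a second certificate from the same key with a conventional CN to show that the TLSA data does not change. Assumes OpenSSL is on PATH; the name mail.example.invalid and the EC curve are placeholders chosen here.

```sh
#!/bin/sh
# Added example (not from the original message): a DANE-EE(3)-only
# self-signed certificate with the minimal subject "/CN=?" and its
# TLSA 3 1 1 data.  Assumes OpenSSL on PATH; the host name is a placeholder.
set -e

# Generate one EC private key; both certificates below reuse it so they
# carry the same SubjectPublicKeyInfo (SPKI).
gen_key() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1" 2>/dev/null
}

# Issue a self-signed certificate for an existing key with the given subject.
# "/CN=?" is the form suggested in the message for DANE-EE(3)-only use.
self_sign() {
    key="$1"; subj="$2"; out="$3"
    openssl req -x509 -new -key "$key" -subj "$subj" -days 30 -out "$out" 2>/dev/null
}

# TLSA 3 1 1 data: SHA-256 over the DER-encoded SPKI of the certificate.
# Only the public key enters this hash; subject, issuer and SAN do not.
tlsa_311() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 \
      | sed 's/^.* //'
}

# Two certificates from the same key but different subjects must yield
# identical TLSA 3 1 1 data; print the resulting record if they do.
demo() {
    dir=$(mktemp -d)
    gen_key "$dir/key.pem"
    self_sign "$dir/key.pem" "/CN=?" "$dir/min.pem"
    self_sign "$dir/key.pem" "/CN=mail.example.invalid" "$dir/named.pem"
    a=$(tlsa_311 "$dir/min.pem")
    b=$(tlsa_311 "$dir/named.pem")
    rm -rf "$dir"
    if [ "$a" != "$b" ]; then
        echo "TLSA data differs between subjects; this should not happen" >&2
        return 1
    fi
    printf '_25._tcp.mail.example.invalid. IN TLSA 3 1 1 %s\n' "$a"
}

demo
```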