Re: PP7: Server Identity Check

Kurt Zeilenga <Kurt.Zeilenga@Isode.com> Sat, 19 January 2008 02:42 UTC

Message-Id: <B72F0EBE-C5A4-42F1-8E68-E079381975D1@Isode.com>
From: Kurt Zeilenga <Kurt.Zeilenga@Isode.com>
To: Apps Discuss <discuss@apps.ietf.org>
In-Reply-To: <FF1DFC89-12CA-4FAB-8231-F70F9B521C89@osafoundation.org>
Subject: Re: PP7: Server Identity Check
Date: Fri, 18 Jan 2008 18:41:54 -0800
References: <476AD1C2.6010600@neustar.biz> <FF1DFC89-12CA-4FAB-8231-F70F9B521C89@osafoundation.org>

>>
>> Which apparently is either being referenced in various RFCs/I-Ds,  
>> or is being ignored in other various I-Ds/RFCs, who then re-invent  
>> their own version, or don't at all.

RFC 2830 was obsoleted by RFC 4513.  While RFC 4513 (in Section 3.1.3)  
retains the basic server identity checks described in RFC 2830, it  
does expand on server identity checks a bit.  For instance, RFC 4513  
discusses not only checks based upon DNS names, but also checks based  
upon IP addresses and other subjectName types.  The DNS name check  
specification also has been updated to discuss IDNA issues.

>>
>> Thus it has been suggested (by ChrisN to me, at Vancouver last  
>> month) to extract the above and make it into a BCP applicable to at  
>> least the apps area.
>>
>> So also from RFC2830, are sections..
>>
>> ..or any of the other RFC2830 (sub)sections relevant for inclusion  
>> in this postulated BCP?

I think Section 3.1.3 of RFC 4513 might serve as a better basis for  
postulating a generic "server identity check" BCP in this regard than  
Section 3.6 of RFC 2830.

-- Kurt
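As an added illustration (not part of Kurt's message, nor code from either RFC), here is a Python sketch of the server identity check that RFC 4513 Section 3.1.3 describes: DNS reference identities are compared against dNSName subjectAltName entries (with a single-label leftmost wildcard, case-insensitively, after IDNA A-label conversion), IP reference identities only against iPAddress entries, and the subject commonName is consulted only when no dNSName is present. The certificate shape and values are constructed for the example.

```python
import ipaddress

# Constructed sample certificate, in the shape Python's ssl.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (
        ("DNS", "ldap.example.com"),
        ("DNS", "*.ldap.example.net"),
        ("IP Address", "192.0.2.10"),
    ),
}


def _to_alabel(name: str) -> str:
    """Normalise a DNS name for comparison: strip the root dot, convert to
    IDNA A-labels (ASCII Compatible Encoding) and lower-case."""
    return name.rstrip(".").encode("idna").decode("ascii").lower()


def _dns_match(pattern: str, reference: str) -> bool:
    """Match a certificate dNSName (possibly wildcarded) against a reference."""
    pattern, reference = _to_alabel(pattern), _to_alabel(reference)
    if "*" not in pattern:
        return pattern == reference
    p_labels, r_labels = pattern.split("."), reference.split(".")
    # The wildcard must be the entire leftmost label, may not match across
    # dots, and must leave at least two further labels (no "*.com").
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    return len(r_labels) == len(p_labels) and p_labels[1:] == r_labels[1:]


def server_identity_matches(cert: dict, reference: str) -> bool:
    """Return True if the certificate's presented identities match the
    reference identity the client intended to connect to."""
    sans = cert.get("subjectAltName", ())
    try:
        ref_ip = ipaddress.ip_address(reference)
    except ValueError:
        ref_ip = None
    if ref_ip is not None:
        # IP reference identity: only iPAddress entries count, no CN fallback.
        return any(t == "IP Address" and ipaddress.ip_address(v) == ref_ip
                   for t, v in sans)
    dns_names = [v for t, v in sans if t == "DNS"]
    if dns_names:
        return any(_dns_match(p, reference) for p in dns_names)
    # No dNSName present: fall back to the subject's commonName values.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(cn, reference) for cn in cns)
```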