Re: [Gen-art] Gen-ART last call review of draft-ietf-mile-rfc6046-bis-05

Brian Trammell <trammell@tik.ee.ethz.ch> Mon, 23 January 2012 14:22 UTC

Return-Path: <trammell@tik.ee.ethz.ch>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 202A221F86BA; Mon, 23 Jan 2012 06:22:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.999
X-Spam-Level:
X-Spam-Status: No, score=-5.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_24=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oOmEpjHQjEZN; Mon, 23 Jan 2012 06:22:43 -0800 (PST)
Received: from smtp.ee.ethz.ch (smtp.ee.ethz.ch [129.132.2.219]) by ietfa.amsl.com (Postfix) with ESMTP id F0ED921F852F; Mon, 23 Jan 2012 06:22:42 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by smtp.ee.ethz.ch (Postfix) with ESMTP id 80332D9302; Mon, 23 Jan 2012 15:22:41 +0100 (MET)
X-Virus-Scanned: by amavisd-new on smtp.ee.ethz.ch
Received: from smtp.ee.ethz.ch ([127.0.0.1]) by localhost (.ee.ethz.ch [127.0.0.1]) (amavisd-new, port 10024) with LMTP id kk04PO0lIPj9; Mon, 23 Jan 2012 15:22:41 +0100 (MET)
Received: from [192.168.1.9] (unknown [109.130.57.164]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: briant) by smtp.ee.ethz.ch (Postfix) with ESMTPSA id 1CD40D9300; Mon, 23 Jan 2012 15:22:39 +0100 (MET)
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
From: Brian Trammell <trammell@tik.ee.ethz.ch>
In-Reply-To: <4F1D5E5A.6090505@isode.com>
Date: Mon, 23 Jan 2012 15:22:36 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <5ED8B1A1-11AF-4416-9940-63C75358FFF3@tik.ee.ethz.ch>
References: <4F11E975.9070307@isode.com> <10722E0B-059E-4800-84C0-B330F397B63A@tik.ee.ethz.ch> <4F16D95A.3000006@isode.com> <89E47BB4-C228-4700-94C4-3F4ED03F99A2@tik.ee.ethz.ch> <4F1704DE.1090208@isode.com> <4F170904.2000603@isode.com> <60243B0C-A3FF-4B51-AFF8-27C34158E02E@tik.ee.ethz.ch> <4F185391.9050005@isode.com> <4F18704B.4010309@stpeter.im> <C36BCAAE-5F03-4514-8F18-34A5476C3F8E@tik.ee.ethz.ch> <4F1D5E5A.6090505@isode.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
X-Mailer: Apple Mail (2.1084)
Cc: gen-art@ietf.org, Kathleen Moriarty <kathleen.moriarty@emc.com>, The IESG <iesg@ietf.org>, Peter Saint-Andre <stpeter@stpeter.im>
Subject: Re: [Gen-art] Gen-ART last call review of draft-ietf-mile-rfc6046-bis-05
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Jan 2012 14:22:46 -0000

Hi, Alexey,

one more round (hopefully) :) ...

On Jan 23, 2012, at 2:19 PM, Alexey Melnikov wrote:

>> 
>> Okay; how about the following (including Alexey's comments from the previous review, and pointing more specifically to 6125)
>> 
>>     <t>RID systems MUST verify the identity of their peers against that stored
>>     in the certificate presented, as in section 6 of<xref target="rfc6125"/>.
>>     As RID systems are identified not by URI and RID does not use DNS SRV
>>     records, they are identified solely by their DNS Domain Names; see Section
>>     6.4 of<xref target="rfc6125"/>.
> (I think you are saying that [using RFC 6125 terminology] DNS-IDs are supported, but SRV-IDs or URI-IDs aren't.)

I can say that directly then.

> This is better, but I think you need to say a bit more. Are CN-IDs allowed? Are wildcards allowed?

Here, I'm a little unclear on the implications this has for implementation: is it reasonable to assume that all implementations that support TLS 1.1 should not require CN-IDs for backward compatibility?

> Another example of the document that describes
> http://tools.ietf.org/html/draft-melnikov-email-tls-certs-00

Thanks for the example. Here's what I've come up with for now...

    <t>RID systems MUST verify the identity of their peers against that stored
    in the certificate presented. All RID systems MUST be identified by a
    certificate containing a <xref target="RFC5280">DNS-ID identifier</xref>
    as in section 6.4 of <xref target="RFC6125"/>. Certificates identifying
    RID systems MAY additionally contain a CN-ID identifier, to allow backward
    compatibility with older PKI implementations. Wildcards MUST NOT appear in
    the DNS-ID or CN-ID of a certificate identifying a RID system. Additional
    general information on the use of PKI with RID systems is detailed in
    Section 9.3 of <xref target="I-D.ietf-mile-rfc6045-bis"/>.</t>

(The text about CN-IDs would be removed if the assumption that TLS 1.1 implies no need for CN-ID, as above)

Thanks,

Brian